24 Cards in this Set
- Front
- Back
Front: traffic flow
Back: Traffic flows freely between interfaces in the same zone. With no policy configured, traffic will not flow between different zones.
Front: zones
Back: A group of interfaces that have similar functions or features.
Front: return traffic
Back: Allowed by default, as long as the original traffic was allowed out.
Front: applied
Back: With a policy map and then the inspect commands.
Front: ACLs
Back: ACLs applied to interfaces that are members of zones are processed before the policy is applied on the zone pair.
Front: Zones and transparent firewalls
Back: Interfaces are placed in bridging mode.
Front: zone firewall policies
Back: Define the match criteria (class map), associate the action (policy map), and attach the policy (service-policy).
Front: zone policy actions
Back: inspect, drop, pass, police
Front: class map configuration
Back: Order class maps from most specific to least specific so that traffic is properly classified.
Front: class map config example
Back:
class-map type inspect match-any my-test-cmap
 match protocol http
 match protocol tcp
Front: police command
Back: Limits the number of concurrent connections; requires the IOS stateful firewall.
Front: police command limitations
Back: Cannot be used in the self zone; can only be applied to layer 3 and layer 4 policies.
Front: layer 7
Back: Can be used for DPI (deep packet inspection).
Front: layer 7
Back: Use the class-map type inspect command followed by the protocol name.
For HTTP: class-map type inspect http
Front: layer 7 supported protocols
Back:
• America Online (AOL) Instant Messenger (IM) protocol
• eDonkey P2P protocol
• FastTrack traffic P2P protocol
• Gnutella Version 2 traffic P2P protocol
• HTTP: the protocol used by web browsers and web servers to transfer files, such as text and graphic files
• IMAP: method of accessing e-mail or bulletin board messages kept on a mail server that can be shared
• Kazaa Version 2 P2P protocol
• MSN Messenger IM protocol
• POP3: protocol that client e-mail applications use to retrieve mail from a mail server
• SMTP
• SUNRPC
• Yahoo IM protocol
Front: class-default class map
Back: System-defined class map that is present in all policies. It matches the packets that are not matched by any other class. The default action is drop.
Front: hierarchical policy maps
Back: Nest policy maps within each other and apply them with service-policy. Maximum of 2 levels for an inspect service-policy.
Front: steps to configure 1
Back: Define the class map:
1. enable
2. configure terminal
3. class-map type inspect [match-any | match-all] class-map-name
4. match access-group {access-group | name access-group-name}
5. match protocol protocol-name [signature]
6. match class-map class-map-name
7. exit
You must use at least one of steps 4, 5, or 6.
Front: steps to configure 2
Back: Create a policy map for layer 3 or 4:
1. enable
2. configure terminal
3. policy-map type inspect policy-map-name
4. class type inspect class-name
5. inspect [parameter-map-name]
6. police rate bps burst size
7. drop [log]
8. pass
9. service-policy type inspect policy-map-name
10. urlfilter parameter-map-name
11. exit
Front: steps to configure 3
Back: Configure a parameter map. You can configure either an inspect, URL filter, or protocol-specific parameter map.
Front: steps to configure 4
Back: Inspect parameter map:
3. parameter-map type inspect parameter-map-name
4. alert {on | off}
5. audit-trail {on | off}
6. dns-timeout seconds
7. icmp idle-timeout seconds
8. max-incomplete {low number-of-connections | high number-of-connections}
9. one-minute {low number-of-connections | high number-of-connections}
10. sessions maximum sessions
11. tcp finwait-time seconds
12. tcp idle-time seconds
13. tcp max-incomplete host threshold [block-time minutes]
14. tcp synwait-time seconds
15. udp idle-time seconds
16. exit
Front: steps to configure 5
Back: URL filter parameter map:
3. parameter-map type urlfilter parameter-map-name
4. alert {on | off}
5. allow-mode {on | off}
6. audit-trail {on | off}
7. cache number
8. exclusive-domain {deny | permit} domain-name
9. max-request number-of-requests
10. max-resp-pak number-of-requests
11. server vendor {n2h2 | websense} {ip-address | hostname [port port-number]} [outside] [log] [retrans retransmission-count] [timeout seconds]
12. source-interface interface-name
13. exit
Front: steps to configure 6
Back: Protocol-specific parameter map:
3. parameter-map type protocol-info parameter-map-name
4. server {name string | ip {ip-address | range ip-address-start ip-address-end}}
Front: steps to configure 7
Back: HTTP firewall policy (optional):
3. class-map type inspect http [match-any | match-all] class-map-name
4. match response body java-applet
5. match req-resp protocol violation
6. match req-resp body length {lt bytes | gt bytes}
7. match req-resp header content-type {violation | mismatch | unknown}
8. match {request | response | req-resp} header [header-name] count gt number
9. match {request | response | req-resp} header [header-name] length gt bytes
10. match request {uri | arg} length gt bytes
11. match request method {connect | copy | delete | edit | get | getattribute | getattributenames | getproperties | head | index | lock | mkdir | move | options | post | put | revadd | revlabel | revlog | revnum | save | setattribute | startrev | stoprev | trace | unedit | unlock}
12. match request port-misuse {im | p2p | tunneling | any}
13. match req-resp header transfer-encoding {chunked | compress | deflate | gzip | identity | all}
14. match {request | response | req-resp} header [header-name] regex parameter-map-name
15. match request {uri | arg} regex parameter-map-name
16. match {request | response | req-resp} body regex parameter-map-name
17. match response status-line regex parameter-map-name