Filter
Top Products
1-7
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 1 Configuring a Service Policy Using the Modular Policy Framework
Guidelines and Limitations
• TCP normalization
• TCP state bypass
• User statistics for Identity Firewall
Class Map Guidelines
The maximum number of class mapsof all types is 255 in single mode or per context in multiple mode.
Class maps include the following types:
• Layer 3/4 class maps (for through traffic and management traffic).
• Inspection class maps
• Regular expression class maps
• match commands used directly underneath an inspection policy map
This limit also includes default class maps of all types, limiting user-configured class mapsto
approximately 235. See the “Default Class Maps” section on page 1-9.
Policy Map Guidelines
See the following guidelines for using policy maps:
• You can only assign one policy map per interface. (However you can create up to 64 policy maps in
the configuration.)
• You can apply the same policy map to multiple interfaces.
• You can identify up to 63 Layer 3/4 class maps in a Layer 3/4 policy map.
• For each class map, you can assign multiple actions from one or more feature types, if supported.
See the “Incompatibility of Certain Feature Actions” section on page 1-5.
Service Policy Guidelines
• Interface service policies take precedence over the global service policy for a given feature. For
example, if you have a global policy with FTP inspection, and an interface policy with TCP
normalization, then both FTP inspection and TCP normalization are applied to the interface.
However, if you have a global policy with FTP inspection, and an interface policy with FTP
inspection, then only the interface policy FTP inspection is applied to that interface.
• You can only apply one global policy. For example, you cannot create a global policy that includes
feature set 1, and a separate global policy that includes feature set 2. All features must be included
in a single policy.
• When you make service policy changes to the configuration, all new connections use the new service
policy. Existing connections continue to use the policy that was configured at the time of the
connection establishment. show command output will not include data about the old connections.
For example, if you remove a QoS service policy from an interface, then re-add a modified version,
then the show service-policy command only displays QoS counters associated with new
connections that match the new service policy; existing connections on the old policy no longer
show in the command output.
To ensure that all connections use the new policy, you need to disconnect the current connections so
they can reconnect using the new policy. See the clear conn or clear local-host commands.