1-4
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 1 Configuring a Service Policy
Information About Service Policies
For example, if a packet matches a rule for connection limits, and also matches a rule for an application
inspection, then both actions are applied.
If a packet matches a rule for HTTP inspection, but also matches another rule that includes HTTP
inspection, then the second rule actions are not applied.
If a packet matches a rule for HTTP inspection, but also matches another rule that includes FTP
inspection, then the second rule actions are not applied because HTTP and FTP inspections cannot be
combined.
If a packet matches a rule for HTTP inspection, but also matches another rule that includes IPv6
inspection, then both actions are applied because the IPv6 inspection can be combined with any other
type of inspection.
Order in Which Multiple Feature Actions are Applied
The order in which different types of actions in a service policy are performed is independent of the order
in which the actions appear in the table.
Note: NetFlow Secure Event Logging filtering and User statistics for Identity Firewall are order-independent.
Actions are performed in the following order:
1. QoS input policing
2. TCP normalization, TCP and UDP connection limits and timeouts, TCP sequence number
randomization, and TCP state bypass.
Note: When the ASA performs a proxy service (such as AAA or CSC) or modifies the TCP payload
(such as FTP inspection), the TCP normalizer acts in dual mode, where it is applied before and
after the proxy or payload modifying service.
3. ASA CSC
4. Application inspections that can be combined with other inspections:
a. IPv6
b. IP options
c. WAAS
5. Application inspections that cannot be combined with other inspections. See the “Incompatibility of
Certain Feature Actions” section on page 1-5 for more information.
6. ASA IPS
7. ASA CX
8. QoS output policing
9. QoS standard priority queue
10. QoS traffic shaping, hierarchical priority queue
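The matching examples and the processing order above can be checked against a rule table with a small model. The following is an added example, not Cisco code: it reports which actions run for one flow, in which step, and which inspection actions are shadowed by an earlier rule. The feature labels, the rule layout, and the first-match-per-feature behavior generalized from the HTTP example are assumptions of this sketch.

```python
# Added illustration: simplified model of the matching and ordering rules above.
# Feature labels and the (rule_name, [features]) layout are assumptions.

# Processing step for each feature, taken from the numbered list.
ORDER = {
    "qos-input-police": 1,
    "tcp-normalization": 2, "connection-limits": 2, "tcp-state-bypass": 2,
    "csc": 3,
    "inspect-ipv6": 4, "inspect-ip-options": 4, "inspect-waas": 4,
    "inspect-http": 5, "inspect-ftp": 5,
    "ips": 6, "cx": 7,
    "qos-output-police": 8, "qos-priority-queue": 9, "qos-shape": 10,
}

def slot(feature):
    """Step-5 inspections compete for one slot; other features have their own."""
    return "inspect-exclusive" if ORDER[feature] == 5 else feature

def evaluate(matching_rules):
    """Evaluate rules, given in table order, that all match the same flow.

    Returns (applied, skipped). applied holds (step, rule, feature) sorted by
    processing step, not table order; skipped holds (rule, feature, winner)
    for actions that are never applied.
    """
    taken, applied, skipped = {}, [], []
    for name, features in matching_rules:
        for feat in features:
            key = slot(feat)
            if key in taken:
                skipped.append((name, feat, taken[key]))
            else:
                taken[key] = name
                applied.append((ORDER[feat], name, feat))
    applied.sort(key=lambda entry: entry[0])  # stable: ties keep table order
    return applied, skipped

# Constructed sample: four rules that all match one HTTP flow.
SAMPLE = [
    ("web-inspect", ["inspect-http"]),
    ("ftp-inspect", ["inspect-ftp"]),   # shadowed: HTTP and FTP cannot combine
    ("v6-headers", ["inspect-ipv6"]),   # combinable, so still applied
    ("limits", ["connection-limits", "qos-input-police"]),
]

if __name__ == "__main__":
    applied, skipped = evaluate(SAMPLE)
    print(applied, skipped, sep="\n")
```

An entry in the skipped list marks an inspection the administrator configured but that never runs for that flow, which is worth reviewing when auditing a policy.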