22-6
Cisco ASDM User Guide
OL-16647-01
Chapter 22 Configuring Service Policy Rules
For example, if HTTP traffic matches a policy on the inside interface to inspect HTTP traffic, and you
have a separate policy on the outside interface for HTTP inspection, then that traffic is not also inspected
on the egress of the outside interface. Similarly, the return traffic for that connection will not be
inspected by the ingress policy of the outside interface, nor by the egress policy of the inside interface.

For traffic that is not treated as a flow, for example ICMP when you do not enable stateful ICMP
inspection, returning traffic can match a different policy map on the returning interface. For example, if
you configure IPS inspection on the inside and outside interfaces, but the inside policy uses virtual
sensor 1 while the outside policy uses virtual sensor 2, then a non-stateful ping will match virtual sensor
1 outbound, but will match virtual sensor 2 inbound.
Adding a Service Policy Rule for Through Traffic
To add a service policy rule for through traffic, perform the following steps:
Step 1 From the Configuration > Firewall > Service Policy Rules pane, click Add.
The Add Service Policy Rule Wizard - Service Policy dialog box appears.
Note When you click the Add button, and not the small arrow on the right of the Add button, you add
a through traffic rule by default. If you click the arrow on the Add button, you can choose
between a through traffic rule and a management traffic rule.
Step 2 In the Create a Service Policy and Apply To area, click one of the following options:
• Interface. This option applies the service policy to a single interface. Interface service policies take
  precedence over the global service policy for a given feature. For example, if you have a global
  policy with FTP inspection, and an interface policy with TCP connection limits, then both FTP
  inspection and TCP connection limits are applied to the interface. However, if you have a global
  policy with FTP inspection, and an interface policy with FTP inspection, then only the interface
  policy FTP inspection is applied to that interface.
  a. Choose an interface from the drop-down list.
     If you choose an interface that already has a policy, then the wizard lets you add a new service
     policy rule to the interface.
  b. If it is a new service policy, enter a name in the Policy Name field.
  c. (Optional) Enter a description in the Description field.
• Global - applies to all interfaces. This option applies the service policy globally to all interfaces.
  By default, a global policy exists that includes a service policy rule for default application
  inspection. See the “Default Global Policy” section on page 22-2 for more information. You can add
  a rule to the global policy using the wizard.
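The two precedence cases described under the Interface option above, written out as the ASA CLI that ASDM generates behind the wizard. This is an added example, not configuration from the guide; the interface names inside and outside, the class-map and policy-map names, and the connection limits are assumptions chosen for illustration.

```cisco
! Added example (not from the guide). Interface and policy names and the
! connection-limit values are assumed.

! Global policy: default application inspection, including FTP, applied to
! every interface that has no interface policy for the same feature.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global

! Case 1 (inside): the interface policy configures a different feature,
! TCP connection limits. On inside, BOTH the global FTP inspection and
! these connection limits are applied.
class-map inside_all_tcp
 match any
policy-map inside_policy
 class inside_all_tcp
  set connection conn-max 1000 embryonic-conn-max 200
service-policy inside_policy interface inside

! Case 2 (outside): the interface policy configures the SAME feature,
! FTP inspection. On outside, only this interface policy's FTP inspection
! is applied; the global policy's FTP inspection is not applied there.
class-map outside_ftp
 match port tcp eq ftp
policy-map outside_policy
 class outside_ftp
  inspect ftp strict
service-policy outside_policy interface outside
```

To confirm what is actually in effect per interface, run show service-policy (optionally with interface inside or interface outside) and check which inspections and connection limits are listed under each policy; an interface can carry only one service policy, so a further rule for inside or outside is added to the existing policy-map rather than as a second service-policy command.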
Step 3 Click Next.
The Add Service Policy Rule Wizard - Traffic Classification Criteria dialog box appears.
Step 4 Click one of the following options to specify the traffic to which to apply the policy actions:
• Create a new traffic class. Enter a traffic class name in the Create a new traffic class field, and enter
  an optional description.
  Identify the traffic using one of several criteria: