Cisco Systems OL-16647-01 Network Router User Manual
22-13
Cisco ASDM User Guide
OL-16647-01
Chapter 22 Configuring Service Policy Rules
Managing the Order of Service Policy Rules
In the Service field, enter a port number or name, or click ... to choose one already defined in ASDM.
Step 8 Click Next.
The Add Management Service Policy Rule - Rule Actions dialog box appears.
Step 9 To configure RADIUS accounting inspection, choose an inspect map from the RADIUS Accounting Map drop-down list, or click Configure to add a map.
See the “RADIUS Accounting Field Descriptions” section on page 22-14 for more information.
Step 10 To configure maximum connections, enter one or more of the following values in the Maximum Connections area:
• TCP & UDP Connections—Specifies the maximum number of simultaneous TCP and UDP connections for all clients in the traffic class, up to 65,536. The default is 0 for both protocols, which means the maximum possible connections are allowed.
• Embryonic Connections—Specifies the maximum number of embryonic connections per host, up to 65,536. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. This limit enables the TCP Intercept feature. The default is 0, which means the maximum possible embryonic connections are allowed. TCP Intercept protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. When the embryonic limit has been surpassed, the TCP Intercept feature intercepts TCP SYN packets from clients to servers on a higher security level. SYN cookies are used during the validation process and help to minimize the amount of valid traffic being dropped. Thus, connection attempts from unreachable hosts never reach the server.
Step 11 Click Finish.
Managing the Order of Service Policy Rules
The order of service policy rules on an interface or in the global policy affects how actions are applied to traffic. See the following guidelines for how a packet matches rules in a service policy:
• A packet can match only one rule in a service policy for each feature type.
• When the packet matches a rule that includes actions for a feature type, the security appliance does not attempt to match it to any subsequent rules including that feature type.
• If the packet matches a subsequent rule for a different feature type, however, then the security appliance also applies the actions for the subsequent rule.
  – For example, if a packet matches a rule for connection limits, and also matches a rule for application inspection, then both rule actions are applied.
  – If a packet matches a rule for application inspection, but also matches another rule that includes application inspection, then the second rule actions are not applied.
If your rule includes an access list with multiple ACEs, then the order of ACEs also affects the packet flow. The FWSM tests the packet against each ACE in the order in which the entries are listed. After a match is found, no more ACEs are checked. For example, if you create an ACE at the beginning of an access list that explicitly permits all traffic, no further statements are ever checked.
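The matching guidelines above, modelled as an added example (this is not code from the guide or from Cisco): a packet is tested against each rule's ACEs in listed order, the first matching ACE decides, and only the first matching rule per feature type has its actions applied. The rule names, addresses, feature-type labels and action values are constructed, and the treatment of a rule that mixes an already-applied feature type with a new one is a modelling assumption.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src dst proto dport")
# ACE fields: action "permit"/"deny"; src, dst as CIDR ("0.0.0.0/0" = any);
# proto "ip" matches any protocol; dport None matches any destination port.
ACE = namedtuple("ACE", "action src dst proto dport", defaults=("ip", None))
Rule = namedtuple("Rule", "name aces actions")  # actions: feature type -> action
ANY = "0.0.0.0/0"

def ace_matches(ace, pkt):
    return (ip_address(pkt.src) in ip_network(ace.src)
            and ip_address(pkt.dst) in ip_network(ace.dst)
            and ace.proto in ("ip", pkt.proto)
            and ace.dport in (None, pkt.dport))

def acl_permits(aces, pkt):
    """ACEs are tested in listed order; the first match decides and no further
    ACE is checked. No match at all falls through to the implicit deny."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False

def apply_policy(rules, pkt):
    """Return {feature type: (rule name, action)}. A packet matches only one
    rule per feature type, so once a feature type is applied, later rules are
    skipped for that feature type; their other feature types still apply
    (assumption for rules that mix an applied and an unapplied feature type)."""
    applied = {}
    for rule in rules:
        if not acl_permits(rule.aces, pkt):
            continue
        for feature, action in rule.actions.items():
            if feature not in applied:
                applied[feature] = (rule.name, action)
    return applied

# Constructed sample policy (not from the guide) illustrating the guidelines.
POLICY = (
    Rule("dmz_limits", (ACE("permit", ANY, "192.0.2.0/24", "tcp"),),
         {"connection_limits": {"conn_max": 10000, "embryonic_conn_max": 1000}}),
    Rule("dmz_http", (ACE("permit", ANY, "192.0.2.0/24", "tcp", 80),),
         {"inspection": "http"}),
    Rule("all_http", (ACE("permit", ANY, ANY, "tcp", 80),),  # never applied to
         {"inspection": "http-strict"}),                       # DMZ web traffic
    # the leading permit-any ACE makes the deny that follows it unreachable
    Rule("flow_logging", (ACE("permit", ANY, ANY), ACE("deny", "198.51.100.0/24", ANY)),
         {"logging": "netflow"}),
)
```

Running `apply_policy(POLICY, Packet("198.51.100.7", "192.0.2.10", "tcp", 80))` shows the connection limits and the first inspection rule applied, the second inspection rule skipped, and the logging rule applied despite its later deny ACE.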
To change the order of rules or ACEs within a rule, perform the following steps:
Step 1 From the Configuration > Firewall > Service Policy Rules pane, choose the rule or ACE that you want to move up or down.