24-67
Cisco ASDM User Guide
OL-16647-01
Chapter 24 Configuring Application Layer Protocol Inspection
Inspect Map Field Descriptions
Message length check: enabled
Message length maximum: 512
Mismatch rate logging: enabled
TSIG resource record: enforced
Default Level—Sets the security level back to the default level of Low.
Details—Shows the Protocol Conformance, Filtering, Mismatch Rate, and Inspection tabs to configure additional settings.
Modes
The following table shows the modes in which this feature is available:
Add/Edit DNS Policy Map (Details)
The Add/Edit DNS Policy Map pane lets you configure the security level and additional settings for DNS application inspection maps.
Fields
Name—When adding a DNS map, enter the name of the DNS map. When editing a DNS map, the name of the previously configured DNS map is shown.
Description—Enter the description of the DNS map, up to 200 characters in length.
Security Level—Shows the security level to configure.
Protocol Conformance—Tab that lets you configure the protocol conformance settings for DNS.
Enable DNS guard function—Performs a DNS query and response mismatch check using the identification field in the DNS header. One response per query is allowed to go through the security appliance.
Enable NAT re-write function—Enables IP address translation in the A record of the DNS response.
Enable protocol enforcement—Enables DNS message format check, including domain name, label length, compression, and looped pointer check.
Randomize the DNS identifier for DNS query—Randomizes the DNS identifier in the DNS query message.
Enforce TSIG resource record to be present in DNS message—Requires that a TSIG resource record be present in DNS transactions. Actions taken when TSIG is enforced:
Drop packet—Drops the packet (logging can be either enabled or disabled).
Log—Enables logging.
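To show what the Protocol Conformance checks above actually test on the wire, here is an added Python checker (illustrative code written for this page, not Cisco's implementation) that applies the message length maximum of 512, the label length, compression and looped-pointer checks, and the DNS guard query/response ID match to constructed sample messages. The function names, the constants and the sample bytes are assumptions made for this example.

```python
import struct
MAX_MESSAGE = 512   # the page's "Message length maximum: 512" (classic UDP DNS limit)

def parse_name(msg, offset):
    """Parse a name at msg[offset] -> (name, offset after it); ValueError on format violations."""
    labels, seen, end = [], set(), None
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:   # compression pointer (11xxxxxx)
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if offset in seen:      # revisiting a pointer means the chain loops
                raise ValueError("looped compression pointer")
            seen.add(offset)
            if end is None:         # the name's wire encoding ends after the first pointer
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length & 0xC0:           # 01/10 are reserved types; any length > 63 sets these bits
            raise ValueError("label longer than 63 octets or reserved label type")
        if length == 0:             # root label terminates the name
            return ".".join(labels) or ".", (offset + 1 if end is None else end)
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length

def check_message(msg, expected_id=None):
    """Return the list of violations for one DNS message (empty list means it passes)."""
    problems = []
    if len(msg) > MAX_MESSAGE:
        problems.append("message length %d exceeds %d" % (len(msg), MAX_MESSAGE))
    if len(msg) < 12:
        return problems + ["header shorter than 12 bytes"]
    ident, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if expected_id is not None and flags & 0x8000 and ident != expected_id:   # DNS guard
        problems.append("response ID 0x%04x does not match query ID 0x%04x" % (ident, expected_id))
    offset = 12
    for _ in range(qdcount):        # walk the question section name by name
        try:
            _, offset = parse_name(msg, offset)
            offset += 4             # skip QTYPE and QCLASS
        except ValueError as exc:
            return problems + ["question section: %s" % exc]
    return problems

# Constructed sample messages (not captured traffic): ID 0x1234, one question each.
HEADER = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
QUERY = HEADER + b"\x07example\x03com\x00\x00\x01\x00\x01"
LOOPED = HEADER + b"\xc0\x0c\x00\x01\x00\x01"   # pointer at offset 12 points to itself
```

Running `check_message(LOOPED)` reports the looped pointer that the appliance's protocol enforcement would drop, while `check_message(QUERY)` returns an empty list.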
Filtering—Tab that lets you configure the filtering settings for DNS.
Global Settings—Applies settings globally.
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System
•        •             •        •