24-67
Cisco ASDM User Guide
OL-16647-01
Chapter 24 Configuring Application Layer Protocol Inspection
Inspect Map Field Descriptions
Message length check: enabled
Message length maximum: 512
Mismatch rate logging: enabled
TSIG resource record: enforced
– Default Level—Sets the security level back to the default level of Low.
• Details—Shows the Protocol Conformance, Filtering, Mismatch Rate, and Inspection tabs to configure additional settings.
Modes
The following table shows the modes in which this feature is available:
Add/Edit DNS Policy Map (Details)
The Add/Edit DNS Policy Map pane lets you configure the security level and additional settings for DNS application inspection maps.
Fields
• Name—When adding a DNS map, enter the name of the DNS map. When editing a DNS map, the name of the previously configured DNS map is shown.
• Description—Enter the description of the DNS map, up to 200 characters in length.
• Security Level—Shows the security level to configure.
• Protocol Conformance—Tab that lets you configure the protocol conformance settings for DNS.
– Enable DNS guard function—Performs a DNS query and response mismatch check using the identification field in the DNS header. One response per query is allowed to go through the security appliance.
– Enable NAT re-write function—Enables IP address translation in the A record of the DNS response.
– Enable protocol enforcement—Enables DNS message format check, including domain name, label length, compression, and looped pointer check.
– Randomize the DNS identifier for DNS query—Randomizes the DNS identifier in the DNS query message.
– Enforce TSIG resource record to be present in DNS message—Requires that a TSIG resource record be present in DNS transactions. Actions taken when TSIG is enforced:
  Drop packet—Drops the packet (logging can be either enabled or disabled).
  Log—Enables logging.
• Filtering—Tab that lets you configure the filtering settings for DNS.
– Global Settings—Applies settings globally.
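The DNS guard, message length and protocol enforcement checks described under Protocol Conformance are easier to reason about when you see the logic they imply. The following is an added illustration written for this page, not code from Cisco or from ASDM: it parses the DNS header and question name, rejects messages over the 512-byte maximum, rejects over-long labels and looped compression pointers, and keeps a table of outstanding query IDs so that exactly one response per query is passed. The `DnsGuard` class, the `build_message` helper and the sample messages are all constructed for the example; real inspection on the appliance is considerably more thorough.

```python
import struct

MAX_MESSAGE_LEN = 512   # "Message length maximum: 512" from the page
MAX_LABEL_LEN = 63      # RFC 1035 label limit, part of protocol enforcement


def parse_name(msg, offset):
    """Walk a DNS name starting at offset.

    Returns (dotted_name, next_offset). Raises ValueError for the
    conditions protocol enforcement rejects: bad label length, a name
    running past the message, or a looped compression pointer.
    """
    labels = []
    visited = set()          # offsets already read; revisiting one is a loop
    end_after_jump = None    # where the name ends in the original stream
    while True:
        if offset in visited:
            raise ValueError("looped compression pointer")
        visited.add(offset)
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length == 0:                      # root label terminates the name
            offset += 1
            break
        if length & 0xC0 == 0xC0:            # compression pointer (11xxxxxx)
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            pointer = ((length & 0x3F) << 8) | msg[offset + 1]
            if end_after_jump is None:
                end_after_jump = offset + 2  # only the first jump sets the end
            offset = pointer
            continue
        if length > MAX_LABEL_LEN:
            raise ValueError("label longer than 63 octets")
        labels.append(msg[offset + 1: offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end_after_jump if end_after_jump is not None else offset)


def check_message(msg):
    """Message length check plus protocol enforcement on the header and question section.

    Returns (identifier, is_response) on success, raises ValueError otherwise.
    """
    if len(msg) > MAX_MESSAGE_LEN:
        raise ValueError("message exceeds maximum length")
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _name, offset = parse_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
        if offset > len(msg):
            raise ValueError("truncated question section")
    return ident, bool(flags & 0x8000)       # QR bit set means response


class DnsGuard:
    """Minimal model of the DNS guard function: one response per outstanding query ID."""

    def __init__(self):
        self.pending = set()      # identifiers of queries awaiting a response
        self.mismatches = 0       # feeds mismatch-rate logging

    def inspect(self, msg):
        """Return ('pass', reason) or ('drop', reason) for one DNS message."""
        try:
            ident, is_response = check_message(msg)
        except ValueError as err:
            return ("drop", str(err))
        if not is_response:
            self.pending.add(ident)
            return ("pass", "query")
        if ident in self.pending:
            self.pending.discard(ident)      # one response per query
            return ("pass", "response matched")
        self.mismatches += 1
        return ("drop", "id mismatch or duplicate response")


def build_message(ident, name, is_response=False):
    """Constructed sample: a single-question DNS message with no answer records."""
    flags = 0x8180 if is_response else 0x0100
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return (struct.pack("!6H", ident, flags, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", 1, 1))


def demo():
    """Run the guard over constructed traffic and return the verdicts in order."""
    guard = DnsGuard()
    query = build_message(0x1234, "example.com")
    good_resp = build_message(0x1234, "example.com", is_response=True)
    bad_resp = build_message(0x9999, "example.com", is_response=True)
    # Question name is a compression pointer to itself (offset 12): a looped pointer.
    looped = struct.pack("!6H", 1, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c" + struct.pack("!HH", 1, 1)
    oversized = query + b"\x00" * 600
    return [guard.inspect(query), guard.inspect(good_resp), guard.inspect(good_resp),
            guard.inspect(bad_resp), guard.inspect(looped), guard.inspect(oversized)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Run it directly to see the six verdicts: the query and its first response pass, the replayed response and the response with an unknown identifier are dropped (and counted toward the mismatch rate), the looped-pointer message is dropped by protocol enforcement, and the padded message is dropped by the length check.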
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System
•        •             •        •         —