topic Default FWSM inspection policy in Network Security https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594548#M594545 <HTML><HEAD></HEAD><BODY><P>The CLI help in the FWSM actually displays what's included in the "default-inspection-traffic" match definition:</P><P></P><P>FWSM/context1(config)# class-map inspection_default</P><P>FWSM/context1(config-cmap)# match ?</P><P></P><P>mpf-class-map mode commands/options:</P><P>&nbsp; access-list&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match an Access List</P><P>&nbsp; any&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match any packet</P><P>&nbsp; default-inspection-traffic&nbsp; Match default inspection traffic: </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ctiqbe----tcp--2748&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dns-------udp--53&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ftp-------tcp--21&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; gtp-------udp--2123,3386</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; h323-h225-tcp--1720&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; h323-ras--udp--1718-1719</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; http------tcp--80&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; icmp------icmp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ils-------tcp--389&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mgcp------udp--2427,2727</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; netbios---udp--137-138&nbsp;&nbsp; rpc-------udp--111&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; rsh-------tcp--514&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; rtsp------tcp--554&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sip-------tcp--5060&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sip-------udp--5060&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; skinny----tcp--2000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; smtp------tcp--25&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sqlnet----tcp--1521&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tftp------udp--69&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; xdmcp-----udp--177&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P>&nbsp; port&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match TCP/UDP port(s)</P></BODY></HTML> Fri, 16 Dec 2011 22:55:16 GMT ialonso 2011-12-16T22:55:16Z Default FWSM inspection policy https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594540#M594498 <P>On FWSM (running version 4.1 in my case) the default global policy uses the following class map:</P><P></P><P>class-map inspection_default<BR /> match default-inspection-traffic</P><P></P><P>Does anyone know what "default-inspection-traffic" includes? Is it all traffic? If so, do I really want all my traffic to go through the inspection engine? I would imagine this would have a performance impact on traffic that is not part of the protocols being inspected.</P><P></P><P>Any insight would be greatly appreciated.</P><P></P><P>David W.</P> Mon, 11 Mar 2019 19:33:47 GMT https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594540#M594498 bourse 2019-03-11T19:33:47Z Re: Default FWSM inspection policy https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594541#M594501 <HTML><HEAD></HEAD><BODY><P>The "default_inspection_traffic" is all traffic that is predefined for various protocols. For example for tcp port 21, if you have "inspect ftp" under the class-map ftp inspection will kick in. Though, port 22 will not be inspected for ftp. Do not worry about performance as far as default behavior is concerned, people rarely see issues. But it would be a good idea to only inspect protocols you need to inspect under the default_inspection_traffic.</P><P></P><P>I hope it helps.</P><P></P><P>PK</P></BODY></HTML> Tue, 11 Jan 2011 17:42:41 GMT https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594541#M594501 Panos Kampanakis 2011-01-11T17:42:41Z Re: Default FWSM inspection policy https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594542#M594508 <HTML><HEAD></HEAD><BODY><P>On the ASA you can use the command " clear config fixup" in order to get the default inspection policies. I assume it will work the same in the FWSM.</P></BODY></HTML> Tue, 11 Jan 2011 17:51:30 GMT https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594542#M594508 PAUL GILBERT ARIAS 2011-01-11T17:51:30Z Re: Default FWSM inspection policy https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594543#M594515 <HTML><HEAD></HEAD><BODY><P>You would need to go under the policy-map to remove the inspections you don't need.</P><P></P><P>PK</P></BODY></HTML> Tue, 11 Jan 2011 18:13:15 GMT https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594543#M594515 Panos Kampanakis 2011-01-11T18:13:15Z Re: Default FWSM inspection policy https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594544#M594525 <HTML><HEAD></HEAD><BODY><P><SPAN>I'm less concerned about removing fixups I don't need than having unnecesary traffic going through the inspection engine. In the document here </SPAN><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-12668">https://supportforums.cisco.com/docs/DOC-12668</A><SPAN> it indicates that "</SPAN><STRONG>As a general rule, avoid enabling application inspection on any traffic unnecessarily as it will significantly impact the throughput of these flows".</STRONG></P><P></P><P>So this leads me to my original question as to how to make sure we don't forward unnecessary traffic to the inspection engine. If "default-inspection-traffic" maps to specific ports (ex: 80, 21, etc...) then I'm good. But if it maps to "any" then I'm not.</P><P></P><P>What would be the impact on removing all the fixups? Would it break anything?</P></BODY></HTML> Tue, 11 Jan 2011 18:37:19 GMT https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594544#M594525 bourse 2011-01-11T18:37:19Z Re: Default FWSM inspection policy https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594545#M594533 <HTML><HEAD></HEAD><BODY><P>For example, TCP port 80 will only meet "inspect http". </P><P></P><P>I think that answers the question.</P><P></P><P>PK</P></BODY></HTML> Tue, 11 Jan 2011 19:19:38 GMT https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594545#M594533 Panos Kampanakis 2011-01-11T19:19:38Z Re: Default FWSM inspection policy https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594546#M594539 <HTML><HEAD></HEAD><BODY><P>Thank you.</P></BODY></HTML> Tue, 11 Jan 2011 19:23:34 GMT https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594546#M594539 bourse 2011-01-11T19:23:34Z Re: Default FWSM inspection policy https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594547#M594541 <HTML><HEAD></HEAD><BODY><P>Please mark this as answered if it is, for the benefit of others.</P><P>Regards,</P><P>PK</P></BODY></HTML> Tue, 11 Jan 2011 19:32:30 GMT https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594547#M594541 Panos Kampanakis 2011-01-11T19:32:30Z Default FWSM inspection policy https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594548#M594545 <HTML><HEAD></HEAD><BODY><P>The CLI help in the FWSM actually displays what's included in the "default-inspection-traffic" match definition:</P><P></P><P>FWSM/context1(config)# class-map inspection_default</P><P>FWSM/context1(config-cmap)# match ?</P><P></P><P>mpf-class-map mode commands/options:</P><P>&nbsp; access-list&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match an Access List</P><P>&nbsp; any&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match any packet</P><P>&nbsp; default-inspection-traffic&nbsp; Match default inspection traffic: </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ctiqbe----tcp--2748&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dns-------udp--53&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ftp-------tcp--21&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; gtp-------udp--2123,3386</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; h323-h225-tcp--1720&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; h323-ras--udp--1718-1719</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; http------tcp--80&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; icmp------icmp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ils-------tcp--389&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mgcp------udp--2427,2727</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; netbios---udp--137-138&nbsp;&nbsp; rpc-------udp--111&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; rsh-------tcp--514&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; rtsp------tcp--554&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sip-------tcp--5060&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sip-------udp--5060&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; skinny----tcp--2000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; smtp------tcp--25&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sqlnet----tcp--1521&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tftp------udp--69&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; xdmcp-----udp--177&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P>&nbsp; port&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match TCP/UDP port(s)</P></BODY></HTML> Fri, 16 Dec 2011 22:55:16 GMT https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594548#M594545 ialonso 2011-12-16T22:55:16Z Re: Default FWSM inspection policy https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594549#M594548 <HTML><HEAD></HEAD><BODY><P>How does traffic inspection works ?</P><P>Traffic with Inspection On is sent to the Control Point for Deep Paket Inspection and tarffic not being inspected takes Fastpath.</P><P></P><P>If I remove SQLNET from default inspection , Do I need correct ACL to permit SQLNET for Fastpath? or it's not required</P><P></P><P>Please advise</P></BODY></HTML> Tue, 20 Mar 2012 14:12:22 GMT https://community.cisco.com/t5/network-security/default-fwsm-inspection-policy/m-p/1594549#M594548 Moin Khan 2012-03-20T14:12:22Z