CSM 3.3 and custom commands question

patoberli
VIP Alumni

Hi

I'm trying to tune our FWSM a little for performance, as described in https://supportforums.cisco.com/docs/DOC-12668

Our FWSM is on 3.2(18) and the CSM is 3.3.1 SP2.

I need to add the following:

admin context:

sysopt np completion-unit
sysopt connection tcpmss 1460
policy-map global_policy
  class TCP
   set connection random-sequence-number disable

All other contexts:

sysopt connection tcpmss 1460
policy-map global_policy
  class TCP
   set connection random-sequence-number disable

I know how I can add the sysopt commands (with the FlexConfig), but how do I add the policy-map in addition to the normal inspect policy map?

This is actually something I don't really understand anyway (the different 'policy maps')...

Any help would be appreciated.

pato


patoberli
VIP Alumni

Some additional info: this is how it currently looks on the context:

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map CSM_POLICY_MAP_global_4
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy CSM_POLICY_MAP_global_4 global

Do I need to create a new policy, or do I need to add it to the current one (would the inspects stop working if I created a new one)?

This is what I haven't figured out yet:

class-map TCP
  match port tcp range 1 65535
policy-map global_policy
  class TCP
   set connection random-sequence-number disable
service-policy global_policy global

Hi Pato,

You can add this all through the main CSM policies. No need for a flex config.

Just simply add a rule to the Platform > Service Policy Rules > IPS, QoS and Connection Rules screen. The wizard there will walk you through setting up the policy (you'll just want to uncheck the "Randomize TCP Sequence Number" box on Step 3).

If you select "Global - Applies To All Interfaces" on Step 1, the new class will automatically be added to your global CSM_POLICY_MAP_global_4 policy.

Here is the CSM user guide for this setup as well:

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.3.1/user/guide/pxchap.html#wp913128

Hope that helps.

-Mike
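Mike's answer works because the FWSM modular policy framework allows only one global service policy, so the new TCP class has to land inside the existing CSM_POLICY_MAP_global_4 rather than in a second policy-map bound with "service-policy ... global". The Python below is an added example, not code from the thread or from Cisco: it parses a constructed running-config excerpt in that shape and checks that the TCP class carrying "set connection random-sequence-number disable" really sits in the globally applied policy map, which is the check to run on the pushed config before assuming the tuning is in effect.

```python
# Constructed sample: the context's existing CSM policy map after a CSM
# service-policy rule (as in the answer) has added a TCP class to it.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map TCP
 match port tcp range 1 65535
policy-map CSM_POLICY_MAP_global_4
 class inspection_default
  inspect ftp
  inspect icmp
 class TCP
  set connection random-sequence-number disable
service-policy CSM_POLICY_MAP_global_4 global
"""

def parse_mpf(config):
    """Return (policy_maps, global_policy): policy-map name -> {class: [actions]},
    and the policy-map bound with 'service-policy <name> global' (or None)."""
    policy_maps, global_policy = {}, None
    current_pm = current_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        # 'class X' inside a policy-map (indentation is often lost when pasted)
        if line.startswith("class ") and current_pm is not None:
            current_class = line.split()[1]
            policy_maps[current_pm].setdefault(current_class, [])
            continue
        if not raw.startswith(" "):            # top-level command: leave nesting
            current_pm = current_class = None
            tokens = line.split()
            if tokens[0] == "policy-map" and tokens[1] != "type":
                current_pm = tokens[1]          # 'policy-map type inspect' is ignored
                policy_maps[current_pm] = {}
            elif tokens[0] == "service-policy" and tokens[-1] == "global":
                global_policy = tokens[1]
            continue
        if current_class is not None:           # action under the current class
            policy_maps[current_pm][current_class].append(line)
    return policy_maps, global_policy

def isn_randomization_disabled_globally(config, class_name="TCP"):
    """True only if class_name is a class of the globally applied policy-map and
    carries the action. ISN randomization protects against TCP sequence
    prediction, so knowing exactly which traffic loses it matters."""
    policy_maps, global_policy = parse_mpf(config)
    actions = policy_maps.get(global_policy, {}).get(class_name, [])
    return "set connection random-sequence-number disable" in actions
```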

Hi Mike

Thanks, with that I could configure it!
