01-11-2011 08:46 AM - edited 03-11-2019 12:33 PM
On FWSM (running version 4.1 in my case) the default global policy uses the following class map:
class-map inspection_default
match default-inspection-traffic
Does anyone know what "default-inspection-traffic" includes? Is it all traffic? If so, do I really want all my traffic to go through the inspection engine? I would imagine this would have a performance impact on traffic that is not part of the protocols being inspected.
Any insight would be greatly appreciated.
David W.
01-11-2011 09:42 AM
The "default-inspection-traffic" is all traffic that is predefined for various protocols. For example, for TCP port 21, if you have "inspect ftp" under the class-map, FTP inspection will kick in. Though, port 22 will not be inspected for FTP. Do not worry about performance as far as default behavior is concerned; people rarely see issues. But it would be a good idea to only inspect protocols you need to inspect under the default-inspection-traffic.
I hope it helps.
PK
12-16-2011 02:55 PM
The CLI help in the FWSM actually displays what's included in the "default-inspection-traffic" match definition:
FWSM/context1(config)# class-map inspection_default
FWSM/context1(config-cmap)# match ?
mpf-class-map mode commands/options:
access-list Match an Access List
any Match any packet
default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748 dns-------udp--53
ftp-------tcp--21 gtp-------udp--2123,3386
h323-h225-tcp--1720 h323-ras--udp--1718-1719
http------tcp--80 icmp------icmp
ils-------tcp--389 mgcp------udp--2427,2727
netbios---udp--137-138 rpc-------udp--111
rsh-------tcp--514 rtsp------tcp--554
sip-------tcp--5060 sip-------udp--5060
skinny----tcp--2000 smtp------tcp--25
sqlnet----tcp--1521 tftp------udp--69
xdmcp-----udp--177
port Match TCP/UDP port(s)
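To make the two replies above concrete (a flow reaches an inspection engine only when its transport/port is one of the predefined pairs in the "match ?" table and the matching "inspect" line is present in the policy-map class), here is an added Python model; it is not code from this thread or from Cisco. It embeds the table exactly as quoted above, parses it, and evaluates sample flows against a constructed policy-map. The policy-map text and the rule that an "inspect" keyword is looked up by the table's protocol name (with "h323 h225" / "h323 ras" joined with a hyphen) are assumptions made for the example, not device behaviour confirmed by the thread.

```python
"""Model of 'match default-inspection-traffic' selection on FWSM/ASA.

Added example (not from the thread or from Cisco). A flow is handed to an
inspection engine only if BOTH hold:
  (a) its transport/port is one of the predefined pairs below, and
  (b) the policy-map class carries 'inspect <protocol>' for that entry.
"""
import re

# Table copied from the 'match ?' help output quoted in the thread.
DEFAULT_INSPECTION_TRAFFIC = """
ctiqbe----tcp--2748 dns-------udp--53
ftp-------tcp--21 gtp-------udp--2123,3386
h323-h225-tcp--1720 h323-ras--udp--1718-1719
http------tcp--80 icmp------icmp
ils-------tcp--389 mgcp------udp--2427,2727
netbios---udp--137-138 rpc-------udp--111
rsh-------tcp--514 rtsp------tcp--554
sip-------tcp--5060 sip-------udp--5060
skinny----tcp--2000 smtp------tcp--25
sqlnet----tcp--1521 tftp------udp--69
xdmcp-----udp--177
"""

# CONSTRUCTED sample policy-map, shaped like the default global policy.
SAMPLE_POLICY_MAP = """
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect icmp
  inspect sqlnet
"""

# name, hyphen padding, transport, optional '--ports' (list and/or range)
ENTRY_RE = re.compile(r"([a-z0-9-]+?)-+(tcp|udp|icmp)(?:--([0-9,-]+))?")
# 'inspect h323 h225' / 'inspect h323 ras' are two-word keywords (assumption)
INSPECT_RE = re.compile(r"^\s*inspect\s+(h323\s+(?:h225|ras)|\S+)", re.M)


def parse_ports(spec):
    """'2123,3386' -> {2123, 3386}; '1718-1719' -> {1718, 1719}."""
    ports = set()
    for piece in spec.split(","):
        if "-" in piece:
            lo, hi = piece.split("-")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(piece))
    return frozenset(ports)


def parse_table(text):
    """Return [(name, transport, frozenset(ports)), ...] from the help table."""
    return [(name, transport, parse_ports(spec) if spec else frozenset())
            for name, transport, spec in ENTRY_RE.findall(text)]


def parse_inspects(policy_map_text):
    """Set of protocol names with an 'inspect' line in the policy-map."""
    return {re.sub(r"\s+", "-", m.group(1)) for m in INSPECT_RE.finditer(policy_map_text)}


def matches_default_inspection_traffic(entries, transport, port=None):
    """Predefined entries this flow falls under (rule (a) only)."""
    return [name for name, t, ports in entries
            if t == transport and (t == "icmp" or port in ports)]


def inspection_engines(entries, inspects, transport, port=None):
    """Engines that actually process the flow (rules (a) and (b))."""
    return sorted(name for name in matches_default_inspection_traffic(entries, transport, port)
                  if name in inspects)


def uninspected_entries(entries, inspects):
    """Predefined entries whose flows bypass the engine because no 'inspect' is configured."""
    return sorted({name for name, _, _ in entries if name not in inspects})


ENTRIES = parse_table(DEFAULT_INSPECTION_TRAFFIC)
SAMPLE_INSPECTS = parse_inspects(SAMPLE_POLICY_MAP)

if __name__ == "__main__":
    for transport, port in [("tcp", 80), ("tcp", 22), ("udp", 5060), ("tcp", 1521), ("icmp", None)]:
        print(transport, port, "->", inspection_engines(ENTRIES, SAMPLE_INSPECTS, transport, port))
    print("matched by the class but not inspected:", uninspected_entries(ENTRIES, SAMPLE_INSPECTS))
    # Removing 'inspect sqlnet' under the policy-map is what stops TCP/1521 from being inspected:
    print("tcp 1521 after removal ->",
          inspection_engines(ENTRIES, SAMPLE_INSPECTS - {"sqlnet"}, "tcp", 1521))
```

The two checks worth taking away: TCP/22 never reaches the FTP engine even with "inspect ftp" configured, because 22 is not in the table, and UDP/5060 matches the class (the SIP entry) but reaches no engine when "inspect sip" is absent from the policy-map. The class map by itself is therefore far narrower than "match any".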
01-11-2011 09:51 AM
On the ASA you can use the command " clear config fixup" in order to get the default inspection policies. I assume it will work the same in the FWSM.
01-11-2011 10:13 AM
You would need to go under the policy-map to remove the inspections you don't need.
PK
01-11-2011 10:37 AM
I'm less concerned about removing fixups I don't need than having unnecessary traffic going through the inspection engine. In the document here https://supportforums.cisco.com/docs/DOC-12668 it indicates that "As a general rule, avoid enabling application inspection on any traffic unnecessarily as it will significantly impact the throughput of these flows".
So this leads me to my original question as to how to make sure we don't forward unnecessary traffic to the inspection engine. If "default-inspection-traffic" maps to specific ports (ex: 80, 21, etc...) then I'm good. But if it maps to "any" then I'm not.
What would be the impact on removing all the fixups? Would it break anything?
01-11-2011 11:19 AM
For example, TCP port 80 will only meet "inspect http".
I think that answers the question.
PK
01-11-2011 11:23 AM
Thank you.
01-11-2011 11:32 AM
Please mark this as answered if it is, for the benefit of others.
Regards,
PK
03-20-2012 07:12 AM
How does traffic inspection work?
Traffic with inspection on is sent to the Control Point for Deep Packet Inspection, and traffic not being inspected takes the Fastpath.
If I remove SQLNET from default inspection, do I need a correct ACL to permit SQLNET for the Fastpath, or is it not required?
Please advise