
Default FWSM inspection policy

bourse
Level 1

On FWSM (running version 4.1 in my case) the default global policy uses the following class map:

class-map inspection_default
match default-inspection-traffic

Does anyone know what "default-inspection-traffic" includes? Is it all traffic? If so, do I really want all my traffic to go through the inspection engine? I would imagine this would have a performance impact on traffic that is not part of the protocols being inspected.

Any insight would be greatly appreciated.

David W.


9 Replies

Panos Kampanakis
Cisco Employee

The "default_inspection_traffic" is all traffic that is predefined for various protocols. For example for tcp port 21, if you have "inspect ftp" under the class-map ftp inspection will kick in. Though, port 22 will not be inspected for ftp. Do not worry about performance as far as default behavior is concerned, people rarely see issues. But it would be a good idea to only inspect protocols you need to inspect under the default_inspection_traffic.

I hope it helps.

PK

The CLI help in the FWSM actually displays what's included in the "default-inspection-traffic" match definition:

FWSM/context1(config)# class-map inspection_default
FWSM/context1(config-cmap)# match ?

mpf-class-map mode commands/options:
  access-list                 Match an Access List
  any                         Match any packet
  default-inspection-traffic  Match default inspection traffic:
                              ctiqbe----tcp--2748      dns-------udp--53
                              ftp-------tcp--21        gtp-------udp--2123,3386
                              h323-h225-tcp--1720      h323-ras--udp--1718-1719
                              http------tcp--80        icmp------icmp
                              ils-------tcp--389       mgcp------udp--2427,2727
                              netbios---udp--137-138   rpc-------udp--111
                              rsh-------tcp--514       rtsp------tcp--554
                              sip-------tcp--5060      sip-------udp--5060
                              skinny----tcp--2000      smtp------tcp--25
                              sqlnet----tcp--1521      tftp------udp--69
                              xdmcp-----udp--177
  port                        Match TCP/UDP port(s)

On the ASA you can use the command "clear config fixup" in order to get the default inspection policies. I assume it will work the same in the FWSM.

You would need to go under the policy-map to remove the inspections you don't need.

PK

I'm less concerned about removing fixups I don't need than having unnecessary traffic going through the inspection engine. The document here https://supportforums.cisco.com/docs/DOC-12668 indicates that "As a general rule, avoid enabling application inspection on any traffic unnecessarily as it will significantly impact the throughput of these flows".

So this leads me to my original question as to how to make sure we don't forward unnecessary traffic to the inspection engine. If "default-inspection-traffic" maps to specific ports (ex: 80, 21, etc...) then I'm good. But if it maps to "any" then I'm not.

What would be the impact on removing all the fixups? Would it break anything?

For example, TCP port 80 will only meet "inspect http".

I think that answers the question.

PK
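The two replies above (the "match ?" help output and the note that TCP port 80 will only meet "inspect http") describe a two-part decision: a flow is handed to an inspection engine only when its protocol/port is in the default-inspection-traffic table for protocol P and "inspect P" is configured under the policy-map class. The following is an added example, not Cisco code or anything from this thread's authors, that models that decision in Python. The port table is transcribed from the help output quoted above; the policy-map snippet is a constructed sample, and the parser's handling of "no inspect" lines (treating them as the operator removing an inspection, as PK suggests) is an assumption of this example.

```python
"""Model of which flows an FWSM/ASA global policy sends to the inspection engine."""
import re

# Transcribed from the "match ?" help output in the thread:
# engine name -> list of (L4 protocol, low port, high port). ICMP has no port.
DEFAULT_INSPECTION_TRAFFIC = {
    "ctiqbe":    [("tcp", 2748, 2748)],
    "dns":       [("udp", 53, 53)],
    "ftp":       [("tcp", 21, 21)],
    "gtp":       [("udp", 2123, 2123), ("udp", 3386, 3386)],
    "h323-h225": [("tcp", 1720, 1720)],
    "h323-ras":  [("udp", 1718, 1719)],
    "http":      [("tcp", 80, 80)],
    "icmp":      [("icmp", None, None)],
    "ils":       [("tcp", 389, 389)],
    "mgcp":      [("udp", 2427, 2427), ("udp", 2727, 2727)],
    "netbios":   [("udp", 137, 138)],
    "rpc":       [("udp", 111, 111)],
    "rsh":       [("tcp", 514, 514)],
    "rtsp":      [("tcp", 554, 554)],
    "sip":       [("tcp", 5060, 5060), ("udp", 5060, 5060)],
    "skinny":    [("tcp", 2000, 2000)],
    "smtp":      [("tcp", 25, 25)],
    "sqlnet":    [("tcp", 1521, 1521)],
    "tftp":      [("udp", 69, 69)],
    "xdmcp":     [("udp", 177, 177)],
}

# Constructed sample configuration (not from the thread). The trailing
# "no inspect sqlnet" models the operator removing an unwanted inspection.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http
  inspect sqlnet
  inspect dns
  no inspect sqlnet
!
service-policy global_policy global
"""


def parse_inspections(config):
    """Return the set of engines enabled under 'class inspection_default'
    in the policy-map. Assumes that class uses 'match default-inspection-traffic'
    and that engine names match the names in the help table (an assumption)."""
    enabled = set()
    in_policy = in_class = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            in_policy, in_class = True, False
        elif in_policy and line.startswith("class "):
            in_class = line == "class inspection_default"
        elif in_policy and in_class:
            m = re.match(r"(no )?inspect (\S+)", line)
            if m:
                if m.group(1):
                    enabled.discard(m.group(2))   # "no inspect X" removes it
                else:
                    enabled.add(m.group(2))
    return enabled


def inspection_engine(enabled, l4proto, port):
    """Name of the engine a flow to (l4proto, port) is handed to, or None
    when it takes the fast path. Both conditions must hold: the port is in
    the default-inspection-traffic table for engine P, and 'inspect P' is
    enabled. So TCP/80 can only reach 'inspect http', and TCP/22 reaches
    nothing even with 'inspect ftp' enabled."""
    for name, entries in DEFAULT_INSPECTION_TRAFFIC.items():
        for proto, lo, hi in entries:
            if proto != l4proto or name not in enabled:
                continue
            if lo is None or lo <= port <= hi:
                return name
    return None


if __name__ == "__main__":
    active = parse_inspections(SAMPLE_CONFIG)
    print("enabled inspections:", sorted(active))
    for proto, port in [("tcp", 80), ("tcp", 21), ("tcp", 22),
                        ("tcp", 1521), ("udp", 53), ("tcp", 443)]:
        engine = inspection_engine(active, proto, port)
        print(f"{proto}/{port}: {engine or 'fast path (no inspection)'}")
```

Running it shows that only TCP/80, TCP/21 and UDP/53 reach an engine in the sample policy; TCP/22 and TCP/443 are never inspected because they are not in the table, and TCP/1521 is not inspected once "inspect sqlnet" is removed. The model deliberately does not say anything about access-list requirements for fast-path traffic, which this thread leaves unanswered.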

Thank you.

Please mark this as answered if it is, for the benefit of others.

Regards,

PK

How does traffic inspection work?

Traffic with inspection on is sent to the Control Point for deep packet inspection, and traffic not being inspected takes the Fastpath.

If I remove SQLNET from default inspection, do I need a correct ACL to permit SQLNET for Fastpath, or is it not required?

Please advise
