The adaptive security appliance (ASA) diverts packets to the Content Security and Control Security Services Module (CSC SSM) after firewall policies are applied but before the packets exit the egress interface. For example, packets that are blocked by an access list are not forwarded to the CSC SSM.
Configure service policies in order to specify which traffic the adaptive security appliance should divert to the CSC SSM. The CSC SSM can scan HTTP, POP3, FTP, and SMTP traffic sent to the well-known ports for those protocols.
In order to simplify the initial configuration process, this procedure creates a global service policy that diverts all traffic for the supported protocols to the CSC SSM, both inbound and outbound. Because scanning all traffic that passes through the adaptive security appliance can reduce the performance of both the adaptive security appliance and the CSC SSM, you should revise this service policy later. For example, it is not usually necessary to scan all traffic that comes from your inside network, because it comes from a trusted source. If you refine the service policies so that the CSC SSM scans only traffic from untrusted sources, you can achieve your security goals while maximizing the performance of the adaptive security appliance and the CSC SSM.
In order to create a global service policy that identifies traffic to be scanned, complete these steps:
In the main ASDM window, choose the Configuration tab.
Choose Security Policies, and then click the Service Policy Rules radio button.
The Add Service Policy Rule Wizard appears.
In the Service Policy page, click the Global - applies to all interfaces radio button.
Choose Next. The Traffic Classification Criteria page appears.
In the Traffic Classification Criteria page, click the User class-default as the traffic class radio button.
Choose Next. The Add Service Policy Rule Wizard - Rule Actions page appears.
In the Service Policy Rule Wizard, choose the CSC Scan tab.
On the CSC Scan tab page, check the Enable CSC scan for this traffic flow check box.
In the If CSC card fails, then area, choose whether the adaptive security appliance should permit or deny selected traffic if the CSC SSM is unavailable.
The new service policy appears in the Service Policy Rules pane.
In order to configure additional CSC SSM features in ASDM, including content filtering, click the Configuration or Monitoring tab, and then choose the Trend Micro Content Security tab.
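The CLI equivalent of the wizard steps above, as an added example that is not from the original page: the first part is the global class-default policy the wizard creates, the second is the refined policy suggested earlier that scans only traffic arriving on the untrusted outside interface. The policy-map, class-map, access-list and interface names are assumed; `csc fail-close` corresponds to choosing deny in the "If CSC card fails, then" area and `csc fail-open` to choosing permit.

```cisco
! 1) Global policy produced by the wizard: every flow on every interface
!    is diverted to the CSC SSM, and traffic is denied if the SSM is down.
policy-map global_policy
 class class-default
  csc fail-close
service-policy global_policy global
!
! 2) Refined policy: scan only traffic that enters on the outside interface
!    and uses the well-known ports the CSC SSM can inspect
!    (HTTP, SMTP, POP3, FTP). Names below are assumed for this example.
access-list csc_scan_acl extended permit tcp any any eq http
access-list csc_scan_acl extended permit tcp any any eq smtp
access-list csc_scan_acl extended permit tcp any any eq pop3
access-list csc_scan_acl extended permit tcp any any eq ftp
class-map csc_scan_class
 match access-list csc_scan_acl
policy-map outside_policy
 class csc_scan_class
  csc fail-close
service-policy outside_policy interface outside
!
! Remove the CSC action from the global class-default once the interface
! policy is in place, so trusted inside traffic is no longer diverted.
policy-map global_policy
 class class-default
  no csc fail-close
```

Verify the result with `show service-policy csc`, which reports per-policy CSC packet counters, so you can confirm that inside-sourced flows stop hitting the SSM after the refinement.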