User Guide for the Cisco Application Networking Manager 5.2    OL-26572-01    14-46
Chapter 14    Configuring Traffic Policies
Configuring Rules and Actions for Policy Maps

Table 14-19    Layer 3/Layer 4 Network Traffic Policy Map Application Inspection Options

Option: DNS
Description: Domain Name System (DNS) query inspection is to be implemented. DNS requires application inspection so that DNS queries will not be subject to the generic UDP handling based on activity timeouts. Instead, the UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received. The ACE performs the reassembly of DNS packets to verify that the packet length is less than the configured maximum length.

In the DNS Max. Length field, enter the maximum length of a DNS reply in bytes. Default for all modules and ACE 4710 devices is 512. Valid range for ACE 1.0 modules is 64 to 65535, and for all other supported modules and ACE 4710 devices, 64 to 65535.

Option: FTP
Description: FTP inspection is to be implemented. The ACE inspects FTP packets, translates the address and port embedded in the payload, and opens up a secondary channel for data.

a. In the Parameter Map field, specify a previously created parameter map used to define parameters for FTP inspection.

b. In the FTP Strict field, specify whether or not the ACE is to check for protocol RFC compliance and prevent Web browsers from sending embedded commands in FTP requests:
   • N/A—This attribute is not set.
   • False—The ACE is not to check for RFC compliance or prevent Web browsers from sending embedded commands in FTP requests.
   • True—The ACE is to check for RFC compliance and prevent Web browsers from sending embedded commands in FTP requests.

c. If you chose True, in the FTP Inspect Policy field, choose the Layer 7 FTP command inspection policy to be implemented for this rule.

Option: HTTP
Description: Enhanced Hypertext Transfer Protocol (HTTP) inspection is to be performed on HTTP traffic. The inspection checks are based on configured parameters in an existing Layer 7 policy map and internal RFC compliance checks performed by the ACE. By default, the ACE allows all request methods. Do the following:

a. In the HTTP Inspect Policy field, choose the HTTP inspection policy map to be implemented for this rule. If you do not specify a Layer 7 policy map, the ACE performs a general set of Layer 3 and Layer 4 protocol fixup actions and internal RFC compliance checks.

b. In the URL Logging field, specify whether or not Layer 3 and Layer 4 traffic is to be monitored:
   • N/A—This attribute is not set.
   • False—Layer 3 and Layer 4 traffic is not to be monitored.
   • True—Layer 3 and Layer 4 traffic is to be monitored. When enabled, this function logs every URL request that is sent in the specified class of traffic, including the source or destination IP address and the URL that is accessed.
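As an added illustration of the DNS inspection behaviour the DNS row of the table describes (this is not code from the Cisco guide, ANM or the ACE): a hypothetical inspector that opens UDP state on a query, drops a reply that exceeds the configured DNS Max. Length (default 512, valid range 64 to 65535), and tears the state down as soon as an acceptable reply arrives instead of waiting for the generic UDP activity timeout. The class and function names, addresses and DNS messages are constructed for the demonstration.

```python
import struct

DEFAULT_MAX_LENGTH = 512                    # default for all modules and ACE 4710 devices
MIN_MAX_LENGTH, MAX_MAX_LENGTH = 64, 65535  # valid range for the DNS Max. Length field

def validate_max_length(value):
    """Reject a DNS Max. Length outside the range the guide states."""
    if not MIN_MAX_LENGTH <= value <= MAX_MAX_LENGTH:
        raise ValueError(f"DNS Max. Length must be {MIN_MAX_LENGTH}-{MAX_MAX_LENGTH}, got {value}")
    return value

class DnsInspector:
    """Hypothetical model: per-query UDP state, torn down as soon as the reply arrives."""
    def __init__(self, max_length=DEFAULT_MAX_LENGTH):
        self.max_length = validate_max_length(max_length)
        self.pending = set()  # (src, sport, dst, dport, txid) of each reply still expected

    def inspect(self, src, sport, dst, dport, payload):
        """Return the action taken for one UDP datagram carrying DNS."""
        if len(payload) < 12:                       # shorter than a DNS header
            return "drop-malformed"
        txid, flags = struct.unpack("!HH", payload[:4])
        if not flags & 0x8000:                      # QR bit clear: this is a query
            self.pending.add((dst, dport, src, sport, txid))  # the reply flows server -> client
            return "open"
        key = (src, sport, dst, dport, txid)
        if key not in self.pending:
            return "drop-unsolicited"               # no matching query was seen
        if len(payload) > self.max_length:
            return "drop-oversized"                 # exceeds DNS Max. Length; state is kept
        self.pending.discard(key)                   # reply accepted: tear the connection down now
        return "close"

def build_dns(txid, response, total_len):
    """Constructed DNS message of the given size (header plus zero-filled body), demo only."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)
    return header + b"\x00" * max(0, total_len - len(header))

def demo(max_length=DEFAULT_MAX_LENGTH):
    """Run a constructed query/reply exchange through the inspector and return the actions."""
    insp = DnsInspector(max_length)
    client, server = ("10.0.0.5", 40000), ("10.0.0.53", 53)
    query, reply = build_dns(0x1234, False, 40), build_dns(0x1234, True, 300)
    oversized = build_dns(0x1234, True, 1400)      # larger than the 512-byte default
    return [insp.inspect(*client, *server, query),        # "open"
            insp.inspect(*server, *client, oversized),    # "drop-oversized"
            insp.inspect(*server, *client, reply),        # "close"
            insp.inspect(*server, *client, reply)]        # "drop-unsolicited": state already gone
```

Raising the configured maximum to 2048 lets the 1400-byte reply through and tears the state down on it, which is the trade-off the DNS Max. Length field controls.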