14-48    User Guide for the Cisco Application Networking Manager 5.2    OL-26572-01
Chapter 14    Configuring Traffic Policies
Configuring Rules and Actions for Policy Maps
Step 12    Do the following:
• Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the Action table.
• Click Next to deploy your entries and to configure another Action.
Related Topics
• Configuring Traffic Policies, page 14-1
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32
Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection
You can add rules and actions for Layer 7 FTP command inspection policy maps. File Transfer Protocol (FTP) inspection examines FTP sessions for address translation in a message, dynamic opening of ports, and stateful tracking of request and response messages. Each specified FTP command must be acknowledged by the server before the ACE allows a new command. Command filtering lets you have the ACE deny specific FTP commands. When the ACE denies a command, it closes the connection.
The FTP command inspection process, as performed by the ACE:
• Prepares a dynamic secondary data connection. The data channels are allocated in response to a file upload, a file download, or a directory listing event, and they must be negotiated in advance on the control connection. The port is negotiated through the PORT command or the reply to the PASV command.
• Tracks the FTP command-response sequence. The ACE performs the command checks listed below. If you select the FTP Strict field in a Layer 3 and Layer 4 policy map, the ACE tracks each FTP command and response sequence for the anomalous activity outlined below. The FTP Strict parameter is used in conjunction with a Layer 7 FTP policy map (nested within the Layer 3 and Layer 4 policy map) to deny certain FTP commands or to mask the server reply to the SYST command.

Note    Enabling the FTP Strict parameter may affect FTP clients that do not comply with RFC 959; such clients may have their connections closed by the checks below.


• Truncated command—Checks the number of commas in the PORT command and in the PASV reply against a fixed value of five. If the count is not five, the ACE assumes that the command or reply is truncated, issues a warning message, and closes the TCP connection.
• Incorrect command—Checks that the FTP command ends with the <CR><LF> characters, as required by RFC 959. If the command does not end with those characters, the ACE closes the connection.
• Size of RETR and STOR commands—Checks the size of the RETR and STOR commands against a fixed constant of 256. If the size is greater, the ACE logs an error message and closes the connection.
• Command spoofing—Verifies that the PORT command is always sent from the client. If a PORT command is sent from the server, the ACE denies the TCP connection.
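The four strict checks above, together with the PORT/PASV endpoint negotiation and the rule that each command must be acknowledged before the next one, modeled in Python as an added example. This is not ANM or ACE code; the ACE performs these checks on the appliance. The session lines are constructed (RFC 5737 documentation addresses), and two details the page does not state are assumptions here: the 256-byte RETR/STOR size check is applied to the whole command line without its terminator, and any server reply counts as acknowledging the outstanding command.

```python
"""Model of the ACE strict FTP command-inspection checks (added example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_RETR_STOR_LEN = 256   # fixed constant for the RETR/STOR size check
EXPECTED_COMMAS = 5       # h1,h2,h3,h4,p1,p2 carries exactly five commas
PASV_RE = re.compile(r"\((?P<hp>[0-9,]+)\)")   # "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"


@dataclass
class Verdict:
    ok: bool
    reason: str
    data_endpoint: Optional[Tuple[str, int]] = None   # negotiated secondary data channel


def parse_hostport(text: str) -> Tuple[str, int]:
    """Turn 'h1,h2,h3,h4,p1,p2' into (ip, port) with port = p1*256 + p2.
    Raises ValueError carrying the strict-check reason on a bad argument."""
    if text.count(",") != EXPECTED_COMMAS:             # truncated-command check
        raise ValueError("truncated command: expected five commas")
    nums = [int(p) for p in text.split(",")]           # int() rejects non-numeric fields
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("host/port field out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def inspect_client_command(raw: bytes) -> Verdict:
    """Apply the client-side strict checks to one control-channel line."""
    # Incorrect command: RFC 959 requires every command line to end in <CR><LF>.
    if not raw.endswith(b"\r\n"):
        return Verdict(False, "incorrect command: missing <CR><LF>")
    line = raw[:-2].decode("ascii", errors="replace")
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    # Size check (assumption: the whole command line is measured against 256).
    if verb in ("RETR", "STOR") and len(line) > MAX_RETR_STOR_LEN:
        return Verdict(False, f"{verb} command longer than {MAX_RETR_STOR_LEN} bytes")
    if verb == "PORT":
        try:
            return Verdict(True, "PORT accepted", parse_hostport(arg))
        except ValueError as e:
            return Verdict(False, f"PORT rejected: {e}")
    return Verdict(True, f"{verb} accepted")


def inspect_server_reply(raw: bytes) -> Verdict:
    """Apply the server-side strict checks to one control-channel line."""
    line = raw.rstrip(b"\r\n").decode("ascii", errors="replace")
    # Command spoofing: PORT only ever travels from client to server.
    if line.upper().startswith("PORT "):
        return Verdict(False, "command spoofing: PORT sent by the server")
    code = line[:3]
    if code == "227":                                  # PASV reply carries the data endpoint
        m = PASV_RE.search(line)
        try:
            return Verdict(True, "PASV reply accepted", parse_hostport(m.group("hp") if m else ""))
        except ValueError as e:
            return Verdict(False, f"PASV reply rejected: {e}")
    return Verdict(True, f"reply {code} accepted")


def inspect_session(messages: List[Tuple[str, bytes]]) -> List[Verdict]:
    """Walk a control channel given as (direction, line) pairs, 'C' = client, 'S' = server.
    Stops at the first denial, since the ACE closes the connection at that point."""
    verdicts: List[Verdict] = []
    awaiting_reply = False
    for direction, raw in messages:
        if direction == "C":
            if awaiting_reply:
                # Each command must be acknowledged before a new one is allowed.
                v = Verdict(False, "new command before the previous one was acknowledged")
            else:
                v = inspect_client_command(raw)
                awaiting_reply = True
        else:
            v = inspect_server_reply(raw)
            awaiting_reply = False   # assumption: any reply acknowledges the command
        verdicts.append(v)
        if not v.ok:
            break
    return verdicts


# Constructed sample session (not a capture); ports: 7*256+233 = 2025, 195*256+82 = 50002.
SAMPLE_SESSION: List[Tuple[str, bytes]] = [
    ("C", b"USER anonymous\r\n"),
    ("S", b"331 Please specify the password.\r\n"),
    ("C", b"PASS guest@example.org\r\n"),
    ("S", b"230 Login successful.\r\n"),
    ("C", b"PORT 192,0,2,10,7,233\r\n"),
    ("S", b"200 PORT command successful.\r\n"),
    ("C", b"PASV\r\n"),
    ("S", b"227 Entering Passive Mode (198,51,100,5,195,82).\r\n"),
    ("C", b"RETR notes.txt\r\n"),
    ("S", b"150 Opening data connection.\r\n"),
]

if __name__ == "__main__":
    for v in inspect_session(SAMPLE_SESSION):
        print("ALLOW" if v.ok else "DENY ", v.reason, v.data_endpoint or "")
```

Running the sample session yields ten ALLOW verdicts and records both negotiated data endpoints; feeding it a PORT argument with four commas, a command without <CR><LF>, an over-long RETR, a server-originated PORT, or a second command before the first is answered produces a DENY and stops the walk where the ACE would close the control connection.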