User Guide for the Cisco Application Networking Manager 5.2 (OL-26572-01), page 14-51
Chapter 14: Configuring Traffic Policies
Configuring Rules and Actions for Policy Maps

Mask Reply—The ACE is to mask the reply to the FTP syst command by filtering sensitive information from the command output. The action applies to the FTP syst command only.

Step 9  Do one of the following:

• Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.
• Click Cancel to exit this procedure without saving your entries and to return to the Action table.
• Click Next to deploy your entries and to configure another action for this rule.

Related Topics

• Configuring Traffic Policies, page 14-1
• Configuring Virtual Context Class Maps, page 14-6
• Configuring Virtual Context Policy Maps, page 14-32

Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection

You can add rules and actions for Layer 7 HTTP deep packet inspection policy maps.

The ACE performs a stateful deep packet inspection of the HTTP protocol. Deep packet inspection is a special case of application inspection where the ACE examines the application payload of a packet or a traffic stream and makes decisions based on the content of the data. During HTTP deep inspection, the main focus of the application inspection process is on HTTP attributes such as HTTP header, URL, and to a limited extent, the payload. User-defined regular expressions can also be used to detect “signatures” in the payload.

You define policies to permit or deny the traffic, or to send a TCP reset message to the client or server to close the connection.

The security features covered by HTTP application inspection include:

• RFC compliance monitoring and RFC method filtering
• Content, URL, and HTTP header length checks
• Transfer-encoding methods
• Content type verification and filtering
• Port 80 misuse

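The following Python sketch is an added illustration, not Cisco code or ACE configuration. It models how several of the checks listed above (request-line compliance, method filtering, URL/header/content length checks, transfer-encoding and content type filtering, and a user-defined payload regex) can map to the permit, deny, or reset actions. All limits, allow-lists, the signature pattern, and the check-to-action mapping are assumptions chosen for the example.

```python
import re

# Assumed limits and allow-lists for illustration; these are not ACE defaults.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_ENCODINGS = {"chunked", "identity"}
ALLOWED_TYPES = {"application/json", "application/x-www-form-urlencoded"}
MAX_URL, MAX_HEADER, MAX_CONTENT = 256, 512, 4096
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")
SIGNATURE = re.compile(rb"\.\./")  # hypothetical user-defined payload signature


def inspect_request(raw: bytes) -> tuple[str, str]:
    """Return (action, reason); action is 'permit', 'deny' or 'reset'."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return "reset", "RFC compliance"  # not an HTTP/1.x request line
    method, url = match.group(1).decode("ascii"), match.group(2)
    if method not in ALLOWED_METHODS:
        return "deny", "method filtering"
    if len(url) > MAX_URL:
        return "deny", "URL length"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            return "reset", "RFC compliance"  # header line without a field name
        if len(line) > MAX_HEADER:
            return "deny", "header length"
        headers[name.strip().lower()] = value.strip().lower()
    encoding = headers.get(b"transfer-encoding")
    if encoding is not None and encoding.decode("latin-1") not in ALLOWED_ENCODINGS:
        return "deny", "transfer-encoding"
    if body:
        ctype = headers.get(b"content-type", b"").split(b";")[0].strip()
        if ctype.decode("latin-1") not in ALLOWED_TYPES:
            return "deny", "content type"
        if len(body) > MAX_CONTENT:
            return "deny", "content length"
        if SIGNATURE.search(body):
            return "deny", "payload signature"
    return "permit", "ok"

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for sample in (b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
                   b"CONNECT example.test:443 HTTP/1.1\r\n\r\n"):
        print(inspect_request(sample))
```
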
Procedure

Step 1  Choose Config > Devices > context > Expert > Policy Maps.
        The Policy Maps table appears.

Step 2  In the Policy Maps table, choose the Layer 7 deep packet inspection policy map that you want to set rules and actions for.
        The Rule table appears.

Step 3  In the Rule table, click Add to add a new rule, or choose an existing rule and click Edit to modify it.
        The Rule configuration window appears.

Step 4  In the Type field of the Rule configuration window, configure rules using the information in Table 14-21.