ASA MPF Basics

Modular Policy Framework supports the following features:

• QoS input policing

• TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number randomization

• CSC

• Application inspection

• IPS

• QoS output policing

• QoS standard priority queue

• QoS traffic shaping, hierarchical priority queue

An interface policy overrides the global policy for a particular feature.

Tip For applications that use multiple, non-contiguous ports, use the match access-list command and define an ACE to match each port.

For management traffic to the security appliance, you might want to perform actions specific to this kind of traffic. You can specify a management class map that can match an access list or TCP or UDP ports. The types of actions available for a management class map in the policy map are specialized for management traffic. Namely, this type of class map lets you inspect RADIUS accounting traffic and set connection limits.

Note When you use a global policy, all features are unidirectional; features that are normally bidirectional when applied to a single interface only apply to the ingress of each interface when applied globally. Because the policy is applied to all interfaces, the policy will be applied in both directions so bidirectionality in this case is redundant.
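
The configuration below is an added example, not part of the original page. It shows the access-list match for non-contiguous ports, a management class map, and an interface policy overriding the global policy for the same feature (connection limits). All class, policy, and ACL names, the port numbers, the limits, and the interface name outside are assumptions.

```cisco
! Constructed example: all names, ports, and limits below are assumptions.
!
! One ACE per port for an application on non-contiguous TCP ports.
access-list APP_PORTS extended permit tcp any any eq 8080
access-list APP_PORTS extended permit tcp any any eq 8443
access-list APP_PORTS extended permit tcp any any eq 9000
!
! Through-traffic class map that matches the ACL above.
class-map APP_CLASS
 match access-list APP_PORTS
!
! Management class map: matches traffic to the appliance itself, by port.
class-map type management MGMT_CLASS
 match port tcp eq 22
!
! Global policy: baseline connection limits on every interface (ingress only).
policy-map global_policy
 class APP_CLASS
  set connection conn-max 2000 embryonic-conn-max 500
 class MGMT_CLASS
  set connection conn-max 10
service-policy global_policy global
!
! Interface policy: same feature (connection limits) applied to outside,
! so these values take effect there instead of the global ones.
policy-map OUTSIDE_POLICY
 class APP_CLASS
  set connection conn-max 500 embryonic-conn-max 100
service-policy OUTSIDE_POLICY interface outside
```

On the appliance, `show service-policy` displays the policies in effect and their counters, which confirms which limits are applied on each interface.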

Note RADIUS accounting is not listed because it is the only inspection allowed on management traffic. WAAS is not listed because it can be configured along with other inspections for the same traffic.
