1.5.0 255.255.255.0
! Define Network Object Group webserver
hostname(config-network)# object-group network webserver
hostname(config-network)# description Web Servers
hostname(config-network)# network-object host 209.165.201.1
hostname(config-network)# network-object host 209.165.201.2
As shown in Example 6-24, you should reference these network object groups in the access list, thereby
consolidating the deny statements into one single line.
Example 6-24. Using Object Groups in the Access List
hostname(config)# access-list 101 deny tcp object-group denyhosts object-group webserver eq www
hostname(config)# access-list 101 permit ip any any
Use the show object-group [protocol | network | service | icmp-type | id grp_id] command to display a
list of the currently configured object groups.
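The following Python example is added here and is not from the book: it expands the object-group references of Example 6-24 into the individual entries that the single deny line stands for, which helps when auditing what a consolidated access list actually matches. The denyhosts members are constructed placeholders, because that group's definition is cut off on this page, and the function names are hypothetical.

```python
from itertools import product

# Constructed sample config. The webserver hosts and the access-list lines are
# the page's; the denyhosts members are placeholders (documentation ranges),
# an assumption made because the page's own denyhosts definition is cut off.
SAMPLE_CONFIG = """\
object-group network denyhosts
 network-object host 192.0.2.10
 network-object host 192.0.2.11
 network-object 198.51.100.0 255.255.255.0
object-group network webserver
 description Web Servers
 network-object host 209.165.201.1
 network-object host 209.165.201.2
access-list 101 deny tcp object-group denyhosts object-group webserver eq www
access-list 101 permit ip any any
"""

def parse_groups(config):
    """Return {group_name: [address specs]} for network object groups."""
    groups, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["object-group", "network"]:
            current = groups.setdefault(words[2], [])
        elif words[:1] == ["network-object"] and current is not None:
            # "host A.B.C.D" or "A.B.C.D MASK": keep the ACL-style notation
            current.append(" ".join(words[1:3]))
        elif line[:1].strip():
            current = None  # an unindented command ends the group context
    return groups

def expand_acl(config):
    """Expand object-group references in access-list lines to plain entries."""
    groups = parse_groups(config)
    expanded = []
    for line in config.splitlines():
        if not line.startswith("access-list"):
            continue
        it = iter(line.split())
        # Each word is one slot; "object-group NAME" becomes the member list.
        slots = [groups[next(it)] if w == "object-group" else [w] for w in it]
        expanded += [" ".join(combo) for combo in product(*slots)]
    return expanded

if __name__ == "__main__":
    print("\n".join(expand_acl(SAMPLE_CONFIG)))
```

With three denyhosts members and two web servers, the one deny line expands to six entries, followed by the permit line.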
Modular Policy Framework (MPF)
Firewall software offers an adaptable and scalable modular policy framework to configure Security Appliance
features in a manner similar to the Cisco IOS Software QoS CLI (also known as Modular QoS CLI, or MQC). For traffic
flows traversing the firewall, flow-based policies can be established for any administratively defined criteria and
then applied to a set of security services, such as firewall policies, inspection engine policies, Quality of Service
(QoS) policies, and VPN policies. Applying these services to each specified traffic flow provides more granular and
flexible inspection control.