Which of the following MPF elements can be used to configure Application layer protocol inspection? (Select the best answer.)
- a class map
- a policy map
- a service policy
- a global policy
- an extended access list
- a standard access list
A policy map can be used to configure Application layer protocol inspection. Modular Policy Framework (MPF) is a Cisco Adaptive Security Appliance (ASA) feature that provides a flexible method of enabling security policies on an interface. This framework consists of three basic components: class maps, policy maps, and service policies. A class map identifies a specific flow of traffic, a policy map determines the action that will be performed on the traffic, and a service policy ties this action to a specific interface. Application inspection is one of the actions that can be applied to traffic with a policy map. Services that embed IP addresses in the packet or utilize dynamically assigned ports for secondary channels require deep packet inspection, which is provided by Application layer protocol inspection. Some traffic, such as File Transfer Protocol (FTP) traffic, might be dropped if inspection for that protocol is not enabled. Application inspection can be configured within the global service policy and within an interface service policy. Service policies can be applied to an individual interface or globally to all interfaces; if traffic matches both an interface policy and a global policy, only the interface policy will be applied to that particular traffic flow.
A class map cannot be used to configure Application layer protocol inspection. Class maps identify traffic by matching a variable characteristic that you specify, such as traffic going to a unique IP address or traffic using a specific port. Generally, each class map can contain only a single match statement, and a packet can match only a single class map within the policy map of a particular feature type. For example, if a packet matched a class map for FTP inspection and a class map for traffic policing, the ASA would apply both policy map actions to the packet. However, if a packet matched a class map for FTP inspection and a second, different class map that included FTP inspection, the ASA would apply only the actions of the first matching policy map. Class maps are assigned to a policy map, which defines the action or actions to be performed on the traffic.
A service policy cannot be used to configure Application layer protocol inspection. Service policies tie the policy map to the interface and can be applied to an individual interface or globally to all interfaces; if traffic matches both an interface policy and a global policy, only the interface policy will be applied to that particular traffic flow. Service policies can be configured by using Cisco Adaptive Security Device Manager (ASDM) or by command-line interface (CLI) configuration.
Neither an extended access list nor a standard access list can be used to configure Application layer protocol inspection. Access control lists (ACLs) can be used to filter traffic based on a set of configured rules. You can create either standard or extended ACLs. Whereas standard ACLs can be used to filter based only on source IP addresses, extended ACLs can be used to filter based on source and destination IP addresses, protocols, and ports. A class map can match traffic to an extended ACL that is specified as a parameter to the access-list keyword in a match statement.
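As an added example (not part of the original question or answer), the following Cisco ASA configuration shows how the three MPF components described above fit together to enable FTP inspection, with a class map that matches an extended ACL and an interface policy alongside a global one. The names FTP_TRAFFIC, FTP_CLASS and INSIDE_POLICY and the interface name inside are assumptions for the example.

```cisco
! Constructed example: extended ACL that identifies FTP control-channel traffic
access-list FTP_TRAFFIC extended permit tcp any any eq ftp
!
! Class map: identifies the traffic flow by matching the extended ACL
class-map FTP_CLASS
 match access-list FTP_TRAFFIC
!
! Policy map: the action applied to that class is FTP application inspection
policy-map INSIDE_POLICY
 class FTP_CLASS
  inspect ftp
!
! Service policy: ties the policy map to the "inside" interface only
service-policy INSIDE_POLICY interface inside
!
! Global policy (constructed here): applies to every interface.
! FTP arriving on "inside" matches both policies, so only
! INSIDE_POLICY is applied to it; other interfaces use global_policy.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
```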