Cisco FPM on ISR router is about detecting a certain pattern (e.g. regular expression) in the payload packets before deciding whether to forward or drop it. One good example is to drop malicious packets and even Skype login that attempt to change its communicating methods over time. Your IPS signatures may not even be updated quick enough.
There is an easy-to-follow FPM guide on Getting Started with Cisco IOS Flexible Packet Matching. It even stated that almost all Cisco ISR platforms support this feature. I've learnt that only certain trains and versions can support FPM commands and they may not even be the latest versions. Use "Cisco Software Advisor" on "Feature/Software" tab to determine which IOS trains and versions support FPM. Of course, you'll need a CCO account to login.
In 15.x, there is also a change in loading FPM PHDF files. Not only you don't have to download the phdf files, there is a slight change in loading FPM PHDF files:
Router(config)#load protocol system:fpm
%Complete file name to be loaded is required
Instead, you'll have to do this
Router(config)# load fpm
Try to load bundle PHDF files ...
Then do a "show protocols phdf all" to see loaded phdf files. It should include all standard PHDFs: ether.phdf, ip.phdf, tcp.phdf, and udp.phdf. These PHDFs provide Layer 2-4 protocol definition according to Flexible Packet Matching Deployment Guide.
Nested Access Control
Cisco FPM supports nested access control policy i.e. enforce a child policy on parent policy. You can define a "class-map type stack" to check on the protocol fields and use another "class-map type access-control" to check on the payload contents. For example, you want to check for a password on the payload on protocol number 17 (UDP) on port 1234. The example config would be:
!--- Define the values to be checked on UDP header port 1234
class-map type stack match-all UDP-CHECK
match field IP protocol eq 0x11 next UDP
match field UDP dest-port eq 1234 next UDP
!---- Ensure the payload to contain the password string. You can also use regular expression
class-map type access-control match-all PASSWORD-CHECK
match start UDP payload-start offset 0 size 100 string "password"
!---- Define the child policy and just log the packets if payload contains the password
policy-map type access-control CHILD-POLICY
class PASSWORD-CHECK
log
!---- Nested policy on Parent. Check on UDP header then the payload. Otherwise, drop the packet.
policy-map type access-control PARENT-POLICY
class UDP-CHECK
service-policy CHILD-POLICY
class class-default
log
drop
!--- Enforce the FPM policy on the router interface
interface GigabitEthernet0/0
service-policy type access-control output PARENT-POLICY
Nested Access Control
Cisco FPM supports nested access control policy i.e. enforce a child policy on parent policy. You can define a "class-map type stack" to check on the protocol fields and use another "class-map type access-control" to check on the payload contents. For example, you want to check for a password on the payload on protocol number 17 (UDP) on port 1234. The example config would be:
!--- Define the values to be checked on UDP header port 1234
class-map type stack match-all UDP-CHECK
match field IP protocol eq 0x11 next UDP
match field UDP dest-port eq 1234 next UDP
!---- Ensure the payload to contain the password string. You can also use regular expression
class-map type access-control match-all PASSWORD-CHECK
match start UDP payload-start offset 0 size 100 string "password"
!---- Define the child policy and just log the packets if payload contains the password
policy-map type access-control CHILD-POLICY
class PASSWORD-CHECK
log
!---- Nested policy on Parent. Check on UDP header then the payload. Otherwise, drop the packet.
policy-map type access-control PARENT-POLICY
class UDP-CHECK
service-policy CHILD-POLICY
class class-default
log
drop
!--- Enforce the FPM policy on the router interface
interface GigabitEthernet0/0
service-policy type access-control output PARENT-POLICY