Cisco FPM on ISR router is about detecting a certain pattern (e.g. regular expression) in the payload packets before deciding whether to forward or drop it. One good example is to drop malicious packets and even Skype login that attempt to change its communicating methods over time. Your IPS signatures may not even be updated quick enough.
There is an easy-to-follow FPM guide on Getting Started with Cisco IOS Flexible Packet Matching. It even stated that almost all Cisco ISR platforms support this feature. I've learnt that only certain trains and versions can support FPM commands and they may not even be the latest versions. Use "Cisco Software Advisor" on "Feature/Software" tab to determine which IOS trains and versions support FPM. Of course, you'll need a CCO account to login.
In 15.x, there is also a change in loading FPM PHDF files. Not only you don't have to download the phdf files, there is a slight change in loading FPM PHDF files:
Router(config)#load protocol system:fpm
%Complete file name to be loaded is required
Instead, you'll have to do this
Router(config)# load fpm
Try to load bundle PHDF files ...
Then do a "show protocols phdf all" to see loaded phdf files. It should include all standard PHDFs: ether.phdf, ip.phdf, tcp.phdf, and udp.phdf. These PHDFs provide Layer 2-4 protocol definition according to Flexible Packet Matching Deployment Guide.
Nested Access Control
Cisco FPM supports nested access control policy i.e. enforce a child policy on parent policy. You can define a "class-map type stack" to check on the protocol fields and use another "class-map type access-control" to check on the payload contents. For example, you want to check for a password on the payload on protocol number 17 (UDP) on port 1234. The example config would be:
!--- Define the values to be checked on UDP header port 1234
class-map type stack match-all UDP-CHECK
match field IP protocol eq 0x11 next UDP
match field UDP dest-port eq 1234 next UDP
!---- Ensure the payload to contain the password string. You can also use regular expression
class-map type access-control match-all PASSWORD-CHECK
match start UDP payload-start offset 0 size 100 string "password"
!---- Define the child policy and just log the packets if payload contains the password
policy-map type access-control CHILD-POLICY
class PASSWORD-CHECK
log
!---- Nested policy on Parent. Check on UDP header then the payload. Otherwise, drop the packet.
policy-map type access-control PARENT-POLICY
class UDP-CHECK
service-policy CHILD-POLICY
class class-default
log
drop
!--- Enforce the FPM policy on the router interface
interface GigabitEthernet0/0
service-policy type access-control output PARENT-POLICY
Nested Access Control
Cisco FPM supports nested access control policy i.e. enforce a child policy on parent policy. You can define a "class-map type stack" to check on the protocol fields and use another "class-map type access-control" to check on the payload contents. For example, you want to check for a password on the payload on protocol number 17 (UDP) on port 1234. The example config would be:
!--- Define the values to be checked on UDP header port 1234
class-map type stack match-all UDP-CHECK
match field IP protocol eq 0x11 next UDP
match field UDP dest-port eq 1234 next UDP
!---- Ensure the payload to contain the password string. You can also use regular expression
class-map type access-control match-all PASSWORD-CHECK
match start UDP payload-start offset 0 size 100 string "password"
!---- Define the child policy and just log the packets if payload contains the password
policy-map type access-control CHILD-POLICY
class PASSWORD-CHECK
log
!---- Nested policy on Parent. Check on UDP header then the payload. Otherwise, drop the packet.
policy-map type access-control PARENT-POLICY
class UDP-CHECK
service-policy CHILD-POLICY
class class-default
log
drop
!--- Enforce the FPM policy on the router interface
interface GigabitEthernet0/0
service-policy type access-control output PARENT-POLICY
Given your above configurations, UDP + "password" will be logged.
ReplyDeleteHowever UDP + payload without "password" will not be logged and will pass through.
Can the settings be changed to drop UDP + payload without "password"??
I've tested. Packets without password would be dropped and logged under the class-default rule. Class-default is the "catch-all" rule.
ReplyDeleteThank you for sharing any good knowledge and thanks for fantastic efforts
ReplyDeletefire fighting jobs
firefighter
fire fighting academy
Arsisc
fire fighting course
ماده ي چسبنده اي از گندم وجود دارد کورين ايراني كه جايگزين مناسبي براي مرغ است به طوري كه در ساخت بو و مزه به خوبي شبيه مرغ است. به علاوه تفو بكي از بهترين شركتهاي نام آشنا در فعاليتهاي پخت گوشتهاي كبابي کورين سامسونگ و سرخ كردني است. ( به جز اين مواد نرم تفو چاشنيهاي مناسبي براي سالاد و دسر است.) كه اين مواد به وسيله سويا و مخلوتي از حبوبات درست ميشوند. نوع غليظ آن در پخت غذا مفيد است قيمت کورين ايراني براي اين كه پيش از مصرف با آتش ملايم سرخ شده اند.
ReplyDeleteديگر منابع خوب پروتئين در غذاي گياهي شامل همه حبوبات مثل باقالا، لوبيا و سبزي است قيمت کورين سامسونگ براي درست كردن يك غذاي گياهي مثل خوراك لوبيا ، ميتوان سبزيهاي خورد شده و حبوباتي مثل باقالا و لوبيا به جاي گوشت گاو افزود . باقالا ، لوبيا، عدسهاي رنگارنگ و لپه سالم و مقوي هستند و ميتوان آنها را به سوپ ، تاس كباب و غذاهاي مركب گوشتي افزود همچنين ميتوانيد باقالا و لوبيا و سبزيهاي خوردني را به سالاد و برنجها اضافه كنيد
Nice & Informative Blog !
ReplyDeleteIn case you face any technical issue in QuickBooks, call us at QuickBooks Customer Service Phone Number 1-(855) 550-7546 and get feasible solutions for QuickBooks problems.
Hey! Good blog. I was facing an error in my QuickBooks software, so I called QuickBooks Support Phone Number (855)756-1077. I was tended to by an experienced and friendly technician who helped me to get rid of that annoying issue in the least possible time.
ReplyDeleteHey! Mind-blowing blog. Keep writing such beautiful blogs. In case you are struggling with issues on QuickBooks software, dial QuickBooks Customer Support Phone Number (877)948-5867. The team, on the other end, will assist you with the best technical services.
ReplyDeleteHey! Nice Blog, I have been using QuickBooks for a long time. One day, I encountered QuickBooks Support Number in my software, then I called QuickBooks Support Number They resolved my error in the least possible time.
ReplyDeleteThank you for sharing any nice information . I like to know more about what is new and i think that we must always learn from each other
ReplyDelete<a href="http://qbooksphonenumber.com/quickbooks-error-6189/>QuickBooks Error 6189</a>
Thank you for sharing any nice information . I like to know more about what is new and i think that we must always learn from each other
ReplyDeleteQuickBooks Error 6189
Nice Blog !
ReplyDeleteOur team at QuickBooks Customer Service makes sure to assist you with the best-in-class services during this confusing time.
Thank you for your post. This is excellent information. It is amazing and wonderful to visit your site.If you face any issue in QuickBooks, contact:
ReplyDeleteQuickBooks Support phone numberFor quick solution.
Wow, so beautiful and wonderful post! Thanks for giving an opportunity to read a fantastic and imaginary blog. It gives me lots of pleasure and interest. Thanks for sharing. If you need any technical support For QuickBooks Error 80029c4a in QuickBooks, click here, QuickBooks Error 80029c4a for best solution.
ReplyDeleteHey! What a wonderful blog. I loved your blog. QuickBooks is the best accounting software, however, it has lots of bugs like QuickBooks Error. To fix such issues, you can contact experts via QuickBooks Customer Service Number
ReplyDeleteHey! Nice Blog, I have been using QuickBooks for a long time. One day, I encountered QuickBooks Customer Service in my software, then I called QuickBooks Customer Service Number. They resolved my error in the least possible time.
ReplyDeleteHey! Mind-blowing blog. Keep writing such beautiful blogs. In case you are struggling with issues on QuickBooks software, dial QuickBooks Customer Support Number . The team, on the other end, will assist you with the best technical services.
ReplyDelete