disabling inspection of FWSM

Jul 16th, 2008


Can anybody tell me how I could disable an inspection that is running by default in the global policy-map for a particular type of traffic on FWSM running in transparent mode?

If I create a new policy-map in the global service policy, what is the order in which the policy-maps are checked by the FW?

And what is the command to disable a particular inspection?

Thanks for help


lukaszkhalil Wed, 07/16/2008 - 11:01

Actually, I would like to disable SQLNet inspection, but anyway I would like to do that on 3.1 software not on 2.3.

On 3.1 you have MPF, where you can manipulate inspections.

dhananjoy chowdhury Wed, 07/16/2008 - 11:37

For disabling SQLNet (for IOS 3.1)

policy-map global_policy
 class inspection_default
  no inspect sqlnet

lukaszkhalil Wed, 07/16/2008 - 11:43

It is correct when you want to disable the default inspection, but I would like to disable the inspection for a particular flow that I would like to specify by access-list.

I can create a new class-map based on the ACL and then add it to the default policy-map, but the question is what is the order in which the class entries are serviced. Is the default class-map serviced last, no matter how many other classes I have?

And the other question is what will happen when I configure a new class under the default policy-map without selecting an inspection for it. Are the default inspections going to be used for this kind of traffic, or is this traffic going to be serviced without any inspections?

dhananjoy chowdhury Wed, 07/16/2008 - 12:49

You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy (add new class or inspects) or disable it and apply a new one.

So if you create a new policy-map, you need to create a service policy to apply it to particular interface and not globally.

But again, interface service policies take precedence over the global service policy.

So in your case you can disable "inspect sqlnet" in the default global_policy and create a policy map with specific ACL and then apply it to particular interface.
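
A configuration sketch of the approach described in the last reply, added here as an example and not part of the original posts. The ACL name, class-map and policy-map names, the interface name "inside" and the addresses (documentation ranges) are assumptions; port 1521 is the default SQL*Net port.

```cisco
! Added example: names, addresses and the interface name are assumptions.

! 1. Remove SQL*Net inspection from the default global policy,
!    as shown earlier in the thread.
policy-map global_policy
 class inspection_default
  no inspect sqlnet

! 2. Describe which SQL*Net flows should still be inspected.
!    A "deny" entry in an ACL used by "match access-list" excludes
!    that flow from the class; it does not drop the traffic.
!    Here one client/server pair is exempted and everything else
!    on tcp/1521 is selected for inspection.
access-list SQLNET_INSPECT extended deny tcp host 192.0.2.10 host 198.51.100.20 eq 1521
access-list SQLNET_INSPECT extended permit tcp any any eq 1521

! 3. Build a class from that ACL.
class-map sqlnet_selected
 match access-list SQLNET_INSPECT

! 4. Inspect only the traffic in that class.
policy-map inside_sqlnet_policy
 class sqlnet_selected
  inspect sqlnet

! 5. Apply the policy to one interface rather than globally.
service-policy inside_sqlnet_policy interface inside

! Verification: per-class inspection counters for the interface.
! show service-policy interface inside
```

After applying it, the exempted flow should not increment the sqlnet inspection counters in the `show service-policy` output, while other tcp/1521 traffic on that interface should.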

