Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

disabling inspection of FWSM


Does anybody can tell me how could I disable an inspection that is running by default in the global policy-map for particurar type of traffic on FWSM running in transparent mode ?

If I create a new policy-map in the global service policy what is the order in which the policy-maps are being check by the FW ?

And what is the command to disable particular inspection ?

Thanks for help



Re: disabling inspection of FWSM


Suppose you want to disable FTP inspection then

"no fixup protocol ftp".

New Member

Re: disabling inspection of FWSM

Actually, I would like to disable SQLNet inspection, but anyway I would like to do that on 3.1 software not on 2.3.

O 3.1 you have MPF where you can manipulate with inspections.

Re: disabling inspection of FWSM

For disabling SQLNet (for IOS 3.1)

policy-map global_policy

class inspection_default

no inspect sqlnet

New Member

Re: disabling inspection of FWSM

It is correct when you want to disable the default inspection but I would like to disable the inspection for the particular flow, that I would like to specify by access-list.

I can create new class-map based on the ACL and then add it to the policy-map default, but the question is what is the order in which the class entried are being serviced. Does the default class-map is serviced last, no metter how many other classes do I have ?

And the other question is what will happen when I configure new class under default policy-map without selecting the inspection for it. Does the default inspections are going to be used for this kind of traffic or this traffic is going to be serviced without any inspections ?

Re: disabling inspection of FWSM

You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy (add new class or inspects) or disable it and apply a new one.

So if you create a new policy-map, you need to create a service policy to apply it to particular interface and not globally.

But again , Interface service policies take precedence over the global service policy.

So in your case you can disable "inspect sqlnet" in the default global_policy and create a policy map with specific ACL and then apply it to particular interface.

CreatePlease to create content