User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 12 Introduction to Firewall Services
Managing Your Rules Tables
• Results Table—This table lists all rules that match your query. If you queried more than one type
of rule, select the rule type you want to examine in the Display field. The columns in the table are
the same as those for that type of rule, except for the following:
– Match Status—Indicates how the rule matches your query:
  Complete Match—The rule matches all query parameters.
  Partial Match—All of the search criteria overlap or are a superset of the matched rule. For
  example, if you have a rule defined with a source address of 10.100.20.0/24, a destination
  address of 10.200.100.0/24 and a service of IP, and your query is to search for a source of
  10.100.20.0/24, the match status is shown as a partial match because the query results represent
  only a portion of the rule’s definition.
  No Effect—Rules are blocked by other matching rules, or a conflict exists that has no effect.
  For example, you might have two matching rules, A and B. If rule A’s source address,
  destination address, and services are equivalent to, or contain, those of rule B, rule B is blocked
  by rule A. Thus, rule B will have no effect on traffic.
  In another example, you might have a global mandatory rule that permits a service, but a rule at
  the device (local) level denies the service. Because rules are recognized on a first-match basis,
  after discovering a match at the mandatory global scope, no other rules are checked. The local
  rule has no effect; the service is permitted, not denied. You should edit your policies to ensure
  you get the desired results.
– Scope—Identifies whether a rule is shared or local, mandatory or default.
• Details Table—The details table shows the detailed query match information for the rule selected
in the results table. The folders on the left represent the attributes for which you can see detailed
information. Select a folder to view the details.
The details show the query value, which is the parameter you defined, and the item in the rule that
matches the parameter. The matching relationship is one of the following:
– Identical—The parameter is identical to the value in the rule.
– Contains—The parameter is a superset that contains the value in the rule. For example, the
  query parameter might have been a network/host object, and the rule used an IP address that was
  part of the object definition.
– Is contained by—The parameter is a subset nested within the value of the rule.
– Overlaps—The query parameter shows results that overlap between more than one policy object
  used in the rule. For example, the service query parameter was tcp/70-90 and the results show
  a service defined as tcp/80-100.
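The four matching relationships and the No Effect condition described above can be reproduced with interval comparisons. The following Python sketch is an added illustration, not Cisco Security Manager code; the function names, the IPv4-only restriction, the proto/port service syntax, and the sample rules are assumptions made for this example.

```python
import ipaddress

COVERS = ("Identical", "Contains")

def range_relation(q, r):
    """Relate query range q to rule range r; both are inclusive (low, high) pairs."""
    if q == r:
        return "Identical"
    if q[0] <= r[0] and r[1] <= q[1]:
        return "Contains"          # query is a superset of the rule value
    if r[0] <= q[0] and q[1] <= r[1]:
        return "Is contained by"   # query is a subset of the rule value
    if q[0] <= r[1] and r[0] <= q[1]:
        return "Overlaps"          # partial intersection only
    return None                    # disjoint: the rule does not match

def network_relation(query, rule):
    """Compare two IPv4 networks in CIDR form (assumption: IPv4 only)."""
    def span(cidr):
        net = ipaddress.IPv4Network(cidr, strict=False)
        return (int(net.network_address), int(net.broadcast_address))
    return range_relation(span(query), span(rule))

def service_relation(query, rule):
    """Compare services written as proto/port or proto/low-high, e.g. tcp/70-90."""
    def parse(svc):
        proto, _, ports = svc.partition("/")
        low, _, high = ports.partition("-")
        return proto.lower(), (int(low), int(high or low))
    (qproto, qports), (rproto, rports) = parse(query), parse(rule)
    return range_relation(qports, rports) if qproto == rproto else None

def has_no_effect(rule_a, rule_b):
    """True when earlier rule_a blocks later rule_b under first-match evaluation."""
    return (network_relation(rule_a["src"], rule_b["src"]) in COVERS
            and network_relation(rule_a["dst"], rule_b["dst"]) in COVERS
            and service_relation(rule_a["svc"], rule_b["svc"]) in COVERS)

# Constructed sample rules (not from any real policy).
RULE_A = {"src": "10.100.0.0/16", "dst": "10.200.100.0/24", "svc": "tcp/1-1024"}
RULE_B = {"src": "10.100.20.0/24", "dst": "10.200.100.0/24", "svc": "tcp/80"}

if __name__ == "__main__":
    print(service_relation("tcp/70-90", "tcp/80-100"))
    print(network_relation("10.100.0.0/16", "10.100.20.0/24"))
    print(has_no_effect(RULE_A, RULE_B))
```

Running the same check with the rules in the opposite order returns False, which is why rule order matters when auditing for rules that never take effect.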
Related Topics
• AAA Rules Page, page 15-10
• Access Rules Page, page 16-9
• Inspection Rules Page, page 17-7
• Web Filter Rules Page (ASA/PIX/FWSM), page 18-3
• Zone-based Firewall Rules Page, page 21-57