Default FWSM inspection policy

Similar Messages

• Default class inspection policy

  Hi Everyone,
  Need to know if default class inspection policy matches the incoming or outging traffic flowing through the ASA?
  Example when i ping from PC  connecting to the ASA  to outside world will then it will match icmp traffic entering the ASA  then ICMP reply coming
  to outside interface?
  Thanks
  MAhesh

  Hello,
  The ASA is stateful in both directions, so the policy matches incoming and outgoing traffic.
  What happens is that you also have security levels, so from high to low it is allow but from low to high it will be deny unless you configure an ACL.
  Regards,
  Felipe.

• Potential Impact of Disabling Default HTTP Inspection Policy

  I have a 5500-series firewall configured with basic HTTP inspection via the default global policy-map.  The software for this firewall is recent 8.2(x).
  Some questions:
  1. I am under the impression that default HTTP inspection will do basic validation of RFC compliance for HTTP traffic without any custom configuration.  All such traffic is inspected by the appliance.  Am I correct in this understanding?
  2. If so, would basic HTTP inspection create the potential for additional latency in the environment for matched traffic?
  3. Would removing the policy via the "no inspect http" command within the global policy-map be service disrupting?  Would I see any noticeable impact to HTTP traffic by doing this?
  Thank you for your responses in advance.
  Jeff

  Hi,
  These are the response to your queries:-
  1) Yes ,HTTP inspection will check all the connections destined to port 80 through the ASA device as per the RFC standards.
  2) Might be yes , As the HTTP connections are the major amount of traffic on the ASA device , too much traffic have to be inspected by the ASA device and re-assembling will also cause the ASA device to do  some extra processing.
  3) No , I think you would reduce the processing for the ASA after disabling this inspection.
  This would not cause any disruption in the traffic as it is not applied on the existing connections but only on the new connections which are made through the ASA device after the policy is modified.
  Also , check this:-
  http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113393-asa-troubleshoot-throughput-00.html
  Thanks and Regards,
  Vibhor Amrodia

• Can't edit default domain controllers policy on windows 8 or server 2012

  I have found that I can't edit the "Default Domain Controllers Policy" from a Windows 8 or Server 2012 machine.  I can edit and save changes fine from a Windows 7 machine.  The domain controllers are running Windows 2012 Standard upgraded
  from Windows 2008 R2.  Is there a security setting I am missing?

  Posting the resolution from the other thread.  Hope it helps!
  I just accidentally resolved this issue today.  I added the GPMC to a 2008 R2 server so I could make a needed firewall
  change within the Windows Firewall with Advanced Security section of the Default Domain Controllers GPO (I enabled the Remote Event Log management rule for the Domain profile).  About an hour later, I forgot I was using my Windows 8 machine and I went
  to edit the Default Domain Controllers GPO and opened for edit without a problem.  I can now edit it from Windows 8 and from Windows Server 2012.  Until now, I was using a Windows 7 VM to make the edits, so in my case the problem was resolved by
  editing the GPO once from a 2008 R2 machine.

• Default HTTP inspection map

  Hi guys.
  When configuring Inspect HTTP there is an option to use Default HTTP Inspection Map.
  Its used here as an example on the documentation;
  From the Select HTTP Inspect Map window, check the radio button next to Use the Default HTTP inspection map. The default HTTP inspection is used in this example. Then, click OK.
  However I cannot actually see anywhere what these Default settings are.
  For example; it is possible to set varying security levels when configuring manually (low-medium-high) with differing options in each, but what are the security level and specific settings when choosing default?
  I cannot find any reference to these.
  If anyone can help that would be great.
  Thanks.
  Mike

  I'm not sure which reference you're citing, but in ASDM if you go to "Configuration > Firewall > Objects > Inspect Maps > HTTP" and click on "Add" you will see a dialog box with a slider which shows what each level consists of by default. You can further customize by choosing the Details, URI Filtering, etc.
  (Very very few people actually use the built-in http inspection and instead use either a 3rd party solution like WebSense URL filtering or a Proxy server like WSA or BlueCoat or else use the ASA CSC module of NGFX CX module with AVC and WSE.)
  See the following screenshot for what I wan talking about in my first paragraph:

• Multiple-node WebCenter Spaces config with default file-based policy

  hi,
  My customer will use web center 11g on multiple linux server, I noticed there is a comment in wc doc like this:
  =========================================
  The default file-based policy store can only be used for single-node WebCenter Spaces configurations. For multi-node configurations, you must reassociate the policy and credential store with an external LDAP-based store (such as Oracle Internet Directory) as described in Section 23.4, "Configuring the Policy and Credential Store."
  The policy store can be configured to use Oracle Internet Directory 11gR1 and 10.1.4.3, and OVD 11gR1 with the Local Store Adapter (LSA).
  The identity store can be configured to use the following LDAP servers:
  Oracle Internet Directory (OID) 11gR1 and 10.1.4.3
  Oracle Virtual Directory (OVD) 11gR1 and 10.1.4
  Sun iPlanet version 4.1.3
  Active Directory shipped as part of Windows 2000
  Open LDAP version 2.0.7
  Novell NDS version 8.5.1
  ========================================
  My customer only has AD, they don't have budget to buy oid at this time, according to the statement "The policy store can be configured to use Oracle Internet Directory 11gR1 and 10.1.4.3, and OVD 11gR1 with the Local Store Adapter (LSA).", does that mean the wc policy store can not use other ldap such as ad in multiple-node wc configuration?
  If performance is not an issue, can I use default file-based policy store in this case?
  If it's impossible for the customer to buy oid at this time, what's the possible solution?
  Thanks a lot!
  Regards

  You can configure directly with AD.
  Basically your WebLogic server needs to be configured to talk to AD. You can configure an Identity provider in Weblogic server which uses AD as LDAP.
  This should work in multi-node environment.
  Also, i do not see any reason why file based jazn-data should not work.
  Best solution from my perspective if Weblogic AD configuration does not work:
  Create and manage your users and roles in Weblogic embedded LDAP. All you have to change in your application is the realm to the name of weblogic realm(default is myrealm) and while deploying make sure you uncheck the create users and roles.
  Regards,
  Venkat

• Windows 2012 R2 default domain controllers policy set to enforced

  Hi Guys,
  So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2 and so far everything is running ok. Had a few problems relating to orphaned DC's but have cleared this up now. However, i'm now trying to get to grips with using group policy. When
  i migrated, the old policy settings seemed to have come across and things seem to be still locked down ok, in relation to certain OUs. I run a network at our local college so i have a student container which applies a lock-down policy. All these GPOs where
  previously setup by someone else.
  I setup a test network at home before i did the said migration and am now comparing some group policy settings, namely the default ones, and i have noticed that default domain controllers policy has been set to enforced on my newly migrated domain. At home
  on my test server i see it is not enforced by default and am wondering why this is? I have been reading up but i can't find anything that tells me it should be enforced but wary to disable this setting. The students return on Monday so i don't want to mess
  it up at this stage.
  One thing that i did find odd is when i first opened up the GPO's, i was prompted with a message which stated that the policies in the sysvol folder where not consistent with the ones in AD so i followed its recommendation to update.
  Any advise you guys have on this would be greatly appreciated.
  David

  > So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2
  > and so far everything is running ok.
  This does NOT touch any GPOs, so your GPOs are not "migrated" or
  something like that - they are still what they were before.
  > enforced on my newly migrated domain. At home on my test server i see it
  > is not enforced by default and am wondering why this is?
  "A sever misunderstanding of how group policy inheritance and link order
  works" is the closest reason I see for this. The DDCP is linked to
  "Domain Controllers", and as long as you do not create subordinate OUs
  there (which I've never seen) and block inheritance on them, there's no
  reason to enforce.
  To add my experience from the field: When I see enforced GPOs, in most
  cases this enforcement is not required. People simply use it because
  they do not understand "link order".
  > One thing that i did find odd is when i first opened up the GPO's, i was
  > prompted with a message which stated that the policies in the sysvol
  > folder where not consistent with the ones in AD so i followed its
  > recommendation to update.
  That's fairly ok and nothing to hassle about.
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Reboot domain controller changes audit policy on Default Domain Controller Policy

  This has been happening for a long time no matter whether my DCs were running Windows Server 2003 or, as they are now, are running Windows Server 2012 R2. It happens on DCs in one particular site, but the policy change it causes is domain-wide.
  I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
  Default Domain Controllers Policy - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies/Audit Policy.
  I have monitoring application relying on this policy being turned on, and if it's off, it's being reported. The monitoring application knows the change, but it doesn't know how the change was made.
  All my DCs are running Windows Server 2012 R2, DFL 2008 R2.
  Thanks and regards.

  Hi,
  >>I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
  Did we try to run command gpresult/h report.html with admin privileges to collect group policy result report to check how the policy setting was  applied after rebooting?  Besides, we can also try to run command
  auditpol /get / category:* from an elevated command prompt to check what audit settings are applied.
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Restore Default Domain Controllers Policy in its original state

  Hello,
  Our domain has 2003 DCs. For some reason, someone has unlinked Default Domain Controllers Policy from Domain Controllers OU and also modified it extensively.
  Domain Controllers OU has a GPO with basically same settings as DDCP but it has also been heavily modified.
  I'm in the process of upgrading our domain to 2012 level and would like to sort out DDCP before doing so.
  What would be the best course of action to restore DDCP in its place? I was planning to match all settings between custom GPO and currently unlinked DDCP and then disable custom GPO and enable DDCP. But sincerily I'm not sure what would be the best way to
  go.

  Hi,
  Any update?
  Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
  Best Regards,
  Andy Qi
  TechNet Subscriber Support
  If you are
  TechNet Subscription user and have any feedback on our support quality, please send your feedback
  here.
  Andy Qi
  TechNet Community Support

• Default Domain Controller Policy

  Hello All,
  We will be starting promotion of Windows Server 2012 R2 Domain Controller in our organisation. For that we are trying to implement the Default Domain Controller Policy for 2012 r2 related.
  We already have Account Policies, Password policy, Audit Policy and Security Option Firewall Settings
  But would like your advice about any new features which we can applied in our Default Domain Controller
  policy.
  Thanks.
  Thanks HA

  Hi,
  >>But would like your advice about any new features which we can applied in our Default Domain
  Controller policy.
  Regarding this point, the following articles can be referred to as reference.
  Chapter 4: Strengthening Domain and Domain Controller Policy Settings
  https://technet.microsoft.com/en-us/library/cc773205(v=ws.10).aspx
  Applying Selected Domain and Domain Controller Policy Settings
  https://technet.microsoft.com/en-us/library/cc773164(v=ws.10).aspx
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Default domain Group Policy

  Hello,
  In my new company, I noticed that the default domain controllers policy has been (largely) modified.
  I thought it was a best practice to keep it clean (In case of restore).
  So I would like to create a new GPOs for my DCs to move some of those settings out of the default domain policy.
  For example, "Add workstations to domain". If I want to create a new policy for this particular setting, what kind of rules am I supposed to follow to make sure that my new setting will be applied before the default DC policy ?
  Is the GPO Link order enough ?
  Thank you

  Hi,
  Just a confirmation, did you mean that want to overwrite some settings in the
  Default Domain Controllers Policy?
  Within each domain, site, and OU, the
  Link Order controls the order in which GPOs are applied. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the
  Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest
  Link Order is processed last, and therefore has the highest precedence. Since Default Domain Controllers Policy is linked to the Domain Controllers organizational unit, you can create a new GPO and link it to this Domain Controllers organizational
  unit, then control thier order of them via Link Order.
  If anything I misunderstand or any update, please feel free to let us know.
  Hope this helps.
  Best regards,
  Justin Gu

• Default domain controller policy audit

  If I enable auditing in default domain controller policy, I see event only from all domain controller or see event from all workstation in domain, or I should create new audit GPO and then linked it to workstation UO?

  If I enable auditing in default domain controller policy, I see event only from all domain controller or see event from all workstation in domain, or I should create new audit GPO and then linked it to workstation UO?
  If I enable auditing in default domain controller policy, I see event only from all domain controller or
  see event from all workstation in domain
  ---NO you wont see workstations, only if editing the default domain policy, as described prior best practice would be to create a new GPO with a great name that you
  wont mix up such as "workstation audit GPO" and link to the site, domain or OU you require.
  Its not great practise IMO adding loads of stuff to default domain policy when you want to troubleshoot best to segregate GPOS with great easy to
  interpret names for brevity 

• Changing the application wide default focus traversal policy

  Hi,
  I have a Swing application built using JDK1.3 where there lots of screens (frames, dialogs with complex screens - panels, tables, tabbed panes etc), in some screens layouts have been used and in other screens instead of any layout, absolute positions and sizes of the controls have been specified.
  In some screens setNextFocusableComponent() methods for some components have been called at some other places default focus traversal is used. (which I think is the order in which the components are placed and their postions etc). Focus traversal in each screen works fine.
  Now I have to migrate to JDK1.4. Problem now is that after migrating to JDK1.4.2, focus traversal has become a headache. In some screens there is no focus traversal and in some there is it is not what I wanted.
  So I thought to replace applicaiton wide default focus traversal policy and I did the following:
  ///////// Replace default focus traversal policy
  java.awt.KeyboardFocusManager.getCurrentKeyboardFocusManager().setDefaultFocusTraversalPolicy(new java.awt.ContainerOrderFocusTraversalPolicy());
  But there is no change in the behaviour.
  Then I tried following:
  ///////// Replace default focus traversal policy
  java.awt.KeyboardFocusManager.getCurrentKeyboardFocusManager().setDefaultFocusTraversalPolicy(new java.awt.DefaultFocusTraversalPolicy());
  I did all this in the main() method of the application before anything else just to ensure that all the components get added after this policy has been set. But no luck.
  Does someone has any idea what is the problem here ? I do not want to define my own focus traversal policy for each screen that I use (because thats lot of codes).
  Thanks

  not that hard if you only have the one focus cycle ( > 1 cycle and it gets a bit harder, sometimes stranger)
  import javax.swing.*;
  import java.awt.*;
  class Testing
    int focusNumber = 0;
    public void buildGUI()
      JTextField[] tf = new JTextField[10];
      JPanel p = new JPanel(new GridLayout(5,2));
      for(int x = 0, y = tf.length; x < y; x++)
        tf[x] = new JTextField(5);
        p.add(tf[x]);
      final JTextField[] focusList = new JTextField[]{tf[1],tf[0],tf[3],tf[2],tf[5],tf[4],tf[7],tf[6],tf[9],tf[8]};
      JFrame f = new JFrame();
      f.setFocusTraversalPolicy(new FocusTraversalPolicy(){
        public Component getComponentAfter(Container focusCycleRoot,Component aComponent)
          focusNumber = (focusNumber+1) % focusList.length;
          return focusList[focusNumber];
        public Component getComponentBefore(Container focusCycleRoot,Component aComponent)
          focusNumber = (focusList.length+focusNumber-1) % focusList.length;
          return focusList[focusNumber];
        public Component getDefaultComponent(Container focusCycleRoot){return focusList[0];}
        public Component getLastComponent(Container focusCycleRoot){return focusList[focusList.length-1];}
        public Component getFirstComponent(Container focusCycleRoot){return focusList[0];}
      f.getContentPane().add(p);
      f.pack();
      f.setLocationRelativeTo(null);
      f.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
      f.setVisible(true);
    public static void main(String[] args)
      SwingUtilities.invokeLater(new Runnable(){
        public void run(){
          new Testing().buildGUI();
  }

• Unable to edit the "Default Domain Controllers Policy" from a Server 2012 machine

  I am unable to edit the "Default Domain Controllers Policy" from a Server 2012 machine. The error message i recieve is:
  "Failed to open the group policy object.  You might not have the appropriate rights.  Details: The volume for a file has been externally altered so that the open file is no longer valid."
  The domain controllers are running Windows 2012 R2 upgraded from Windows 2008 R2, the domain functional level is Server 2012.
  I am able to edit the policy from both a Windows 7 and Server 2008 R2 machine.
  The following post is identical however the fix for them does not work for me:
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/2d968a05-2cff-4dd0-9c5d-dd810d1fa66f/cant-edit-default-domain-controllers-policy-on-windows-8-or-server-2012
  Any ideas?

  MuhammadUmar
  Yes, the Unique ID is available on 2012 server
  Lany Zhang
  This only affects the default domain controllers policy object
  Another user added to amins and tested has no effect
  It is the same on another server
  DCDiag passes all tests
  Thanks for all your help so far

• LMS 4.0 Default Credential Set Policy

  Hello,
  I would like to assign to all hosts in the subnet 192.168.252.0/24 and 192.168.254.0/24 a dedicated credential set named set01. I created a default credential set policy configuration
  IPRange#192.168.254.*#Set1
  IPRange#192.168.252.*#Set1
  right after the discovery process i run a device credential verification job. where only the read community is OK. So I assume the policy isn't working. Is there any prerequisites for deploying credential policy sets?
  thanks in advanced
  Alex

  Credential sets are only applied to devices when they are added to DCR.  If they were already in DCR, you have to go to Inventory > Add / Import / Manage Devices to forcibly change the credentials to those in the credential set.