Configure a Security Appliance Modular Policy
Modular policy overview

There is a growing need for greater granularity and flexibility in configuring network policies: for example, the ability to identify and prioritize voice traffic, to rate limit remote access VPN connections, to perform deep packet inspection on specific traffic flows, or to set connection values. PIX Security Appliance Software release 7.0 provides this functionality through the modular policy framework (MPF). MPF is a framework in which administrators define traffic classes at the desired granularity and apply actions, or policies, to those classes.

MPF is configured using three main commands:

  • class-map – This command identifies a traffic flow. A traffic flow is a set of traffic that can be identified by its packet content. In Figure , voice traffic between Site B and Headquarters is an example of a traffic flow, as are the remote access VPNs that allow the system engineers and executives to reach network resources at headquarters.
  • policy-map – This command associates one or more actions with a class of traffic. For example, in Figure , all voice traffic between Site B and headquarters is given low latency queuing.
  • service-policy – This command enables a set of policies on an interface, or globally. In the example in Figure , the voice priority queuing policy is applied to the outside interface.

In the example in Figure , a network administrator has identified five traffic flows: Internet traffic, system engineer remote VPN traffic, executive remote VPN traffic, and two site-to-site VPN tunnels, to Site B and Site C, that carry voice. Once the traffic flows are identified, a security policy is mapped to each flow. The policy for traffic from the Internet is deep packet inspection and inline IPS. For both the system engineer and the executive remote VPN traffic, the administrator polices the amount of bandwidth used by each group. For site-to-site traffic over a VPN, all voice connection traffic is given higher priority queuing. The last class is the default inspection class; all traffic is subject to the default inspection policy. After the classes and policies are defined, each policy is assigned to a specific interface or applied globally. In the example in Figure , global_policy is applied globally and outside_policy is assigned to the outside interface.
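The following configuration is an added example, not taken from the page or from a Cisco document, showing how the five flows and three commands described above fit together. The access-list, tunnel-group and class names, the police rates and the inspected protocols are assumed values; the police syntax shown is the 7.0 form (later releases add an input or output keyword), and the ips action requires an IPS module in the appliance.

```cisco
! --- Step 1: class-map identifies each traffic flow (names are assumed) ---
access-list from_internet extended permit ip any any
class-map internet_traffic
 match access-list from_internet
! Remote access VPN users, classified per flow so police applies per user flow
class-map sysengr_vpn
 match tunnel-group sysengr-ra
 match flow ip destination-address
class-map exec_vpn
 match tunnel-group exec-ra
 match flow ip destination-address
! Voice inside each site-to-site tunnel, selected by the EF DSCP marking
class-map siteB_voice
 match tunnel-group siteB
 match dscp ef
class-map siteC_voice
 match tunnel-group siteC
 match dscp ef
! Default inspection class: all traffic on the default inspection ports
class-map inspection_default
 match default-inspection-traffic
!
! --- Step 2: policy-map binds actions to each class ---
policy-map outside_policy
 class internet_traffic
  inspect http
  ! fail-open keeps traffic flowing if the IPS module fails; fail-close blocks it
  ips inline fail-open
 class sysengr_vpn
  police 256000 8000
 class exec_vpn
  police 512000 16000
 class siteB_voice
  priority
 class siteC_voice
  priority
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
!
! --- Step 3: service-policy enables the policies; priority needs a queue ---
priority-queue outside
service-policy global_policy global
service-policy outside_policy interface outside
```

The global policy and the interface policy both apply to traffic on the outside interface; the interface-specific policy takes precedence for any class that appears in both.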
