Configuration Components for Tuning Inspection Timers on Cisco ZBFW

C3PL Configuration Component



Which C3PL configuration component is used to tune the inspection timers such as setting the tcp idle-time and tcp synwait-time on the Cisco ZBFW?




A. B. C. D. E.


The correct answer to this question is B. parameter-map type inspect.

Parameter maps are used in Cisco Zone-Based Policy Firewall (ZBFW) to define customized inspection policies for different types of traffic. They are used to set specific parameters for the inspection of different types of traffic such as the TCP idle-time and TCP SYN wait time.

In the context of ZBFW, the TCP idle-time is the maximum time allowed between two successive packets belonging to the same TCP flow. If no packet is seen during this interval, the connection is considered idle and will be closed. The TCP SYN wait time is the maximum amount of time the device will wait for a response to a TCP SYN packet, that is, for the handshake to complete. If no response is received within this time, the connection is terminated.

To configure parameter maps, create a named parameter map using the command "parameter-map type inspect <name>", then set the timers with sub-commands inside that parameter map. For example, to set the TCP idle-time for HTTP traffic to 120 seconds, use the parameter map below. The "match protocol http" statement that selects HTTP traffic is not a parameter-map command; it belongs in the class map, and the timer sub-command takes no "set" keyword:

    parameter-map type inspect http-param
     tcp idle-time 120

Once the parameter map is created, it can be referenced in a class map or policy map to apply the configured parameters to specific traffic flows.
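The following end-to-end configuration is an added example, not part of the original question or answer. It shows where the timers, the traffic match and the zone-pair binding each live; the class-map, policy-map, zone and interface names and the synwait-time value of 15 seconds are assumptions chosen for illustration.

```cisco
! Timers are defined in the parameter map (http-param is the name used above).
parameter-map type inspect http-param
 tcp idle-time 120
 ! Assumed value: a shorter synwait-time releases half-open session state sooner.
 tcp synwait-time 15
!
! Traffic selection is done in the class map, not in the parameter map.
class-map type inspect match-any HTTP-TRAFFIC
 match protocol http
!
! The inspect action in the policy map attaches the parameter map to the class.
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect HTTP-TRAFFIC
  inspect http-param
 class class-default
  drop
!
! Zones and the zone pair that carries the policy (names are assumptions).
zone security INSIDE
zone security OUTSIDE
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
!
! Interface names are assumptions; adjust to the platform.
interface GigabitEthernet0/0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

After applying it, "show parameter-map type inspect http-param" displays the timers in effect for that parameter map.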

In summary, parameter maps are used to customize inspection policies for different types of traffic in ZBFW, and they can be used to set specific parameters such as TCP idle-time and TCP SYN wait time.