Flexible Packet Matching (FPM) is a feature that allows even deeper packet inspection than extended ACLs have to offer. It is sometimes called "ACL on steroids".
An FPM ACL understands all parts of the IP packet, including the data portion. This allows you to use FPM to stop worms and viruses from entering your network. Worms like Slammer were hard to stop using a normal ACL because it meant you had to block a business application port to do it. In Slammer's case you had to block port 1434, the same port used by SQL. Using FPM you can match on the port as well as on payload information.
A PHDF (Protocol Header Description File) is a type of file that describes the structure of packets.
First, you need to load the protocol definitions:
load protocol system:/fpm/phdf/ip.phdf
load protocol system:/fpm/phdf/tcp.phdf
load protocol system:/fpm/phdf/udp.phdf

Then you can configure your classes and policies:
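! Traffic class: every condition must match (match-all)
class-map type access-control match-all FPM_CLASS_UDP
 match field udp dest-port eq 5000
 match field ip length eq 0x1000
 ! 2 bytes at offset 123 from the start of the Layer 3 header
 match start l3-start offset 123 size 2 eq 0xabab
! Action for traffic in that class
policy-map type access-control FPM_POLICY_UDP
 class FPM_CLASS_UDP
  drop
! Protocol stack: IP carrying UDP
class-map type stack FPM_CLASS_STACK
 match field ip protocol eq 0x11 next udp
! Main policy: apply the UDP policy to packets with that stack
policy-map type access-control FPM_POLICY
 class FPM_CLASS_STACK
  service-policy FPM_POLICY_UDP
interface FastEthernet0/0
 service-policy type access-control input FPM_POLICY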
NOTE: the "class-map type stack" is required for the main policy, because the stack (in this case IP) is the base that the protocol (in this case UDP) runs on. Compare: OSI Layer 4 runs on top of OSI Layer 3.
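To check which packets the policy above would drop before applying it to an interface, the match logic can be modelled offline. This is an added example, not code from the original page or from Cisco: the function names fpm_would_drop and build_packet are hypothetical, the packets are constructed samples, and the start/offset/size match is read as counted from the first byte of the IP header (l3-start).

```python
import struct

# Values taken from the page's FPM_CLASS_STACK / FPM_CLASS_UDP criteria.
UDP_PROTO = 0x11
DEST_PORT = 5000
IP_TOTAL_LEN = 0x1000
L3_OFFSET, SIZE, PATTERN = 123, 2, bytes.fromhex("abab")


def fpm_would_drop(l3: bytes) -> bool:
    """Model only: True if an IPv4 packet (bytes from l3-start) meets every criterion."""
    if len(l3) < 20 or l3[0] >> 4 != 4:
        return False
    ihl = (l3[0] & 0x0F) * 4                  # IP header length in bytes
    if ihl < 20 or len(l3) < ihl + 8:
        return False
    # class-map type stack: match field ip protocol eq 0x11 next udp
    if l3[9] != UDP_PROTO:
        return False
    # match-all: the port, the IP length and the byte pattern must all match
    total_len = struct.unpack_from("!H", l3, 2)[0]
    dport = struct.unpack_from("!H", l3, ihl + 2)[0]
    if dport != DEST_PORT or total_len != IP_TOTAL_LEN:
        return False
    # match start l3-start offset 123 size 2 eq 0xabab
    return l3[L3_OFFSET:L3_OFFSET + SIZE] == PATTERN


def build_packet(dport: int, marker: bytes, total_len: int = IP_TOTAL_LEN) -> bytes:
    """Constructed sample: 20-byte IPv4 header, UDP header, zero-filled payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, UDP_PROTO, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # documentation addresses
    udp = struct.pack("!HHHH", 40000, dport, total_len - 20, 0)
    pkt = bytearray(ip + udp + bytes(total_len - 28))
    pkt[L3_OFFSET:L3_OFFSET + SIZE] = marker  # place 2 bytes at l3-start + 123
    return bytes(pkt)


if __name__ == "__main__":
    for label, pkt in [("all criteria met", build_packet(5000, PATTERN)),
                       ("other UDP port", build_packet(1434, PATTERN)),
                       ("pattern absent", build_packet(5000, b"\x00\x00"))]:
        print(f"{label}: {'drop' if fpm_would_drop(pkt) else 'forward'}")
```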



