Hi,

1. When you enable TCP inspection, it enables statefulness for all TCP traffic.
When you enable TCP inspection, all TCP traffic will be inspected against the
RFC of TCP, so if you enable inspection of TCP alone, the parameters inspected
would be related to TCP alone, i.e. timeout, FIN wait, etc.

Other parameters to tweak are as follows:

  block-non-session   Block non-session TCP traffic
  finwait-time        Specify timeout for TCP connections after a FIN
  idle-time           Specify idle timeout for tcp connections
  max-incomplete      Specify max half-open connection per host
  reassembly          Specify parameters for Out of Order queue processing
  synwait-time        Specify timeout for TCP connections after a SYN and
                      no further data

2. When you enable inspection for HTTP, the traffic is inspected for
compliance with the RFC standard of the hypertext exchange.
When you have HTTP inspection, these are the parameters that you can tweak.
You can use an appfw to tweak the inspection of HTTP using the commands:

  appfw policy-name asa
   application http

These are the parameters that you can tweak under http:

  audit-trail                 Application HTTP audit-trail
  content-length              Specify the range of content length
  content-type-verification   Content-type inspection
  default                     Set a command to its defaults
  exit                        Exit from http-policy configuration mode
  max-header-length           Maximum header size inspection
  max-uri-length              Maximum URI length inspection
  no                          Negate a command or set its defaults
  port-misuse                 HTTP port misuse inspection
  request-method              Request method inspection
  strict-http                 Strict HTTP Compliance
  timeout                     Application HTTP Timeout
  transfer-encoding           Transfer Encoding inspection

Hope this helps.
Faisal Bhura
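
The two cases above put together as one IOS firewall (CBAC) configuration. This is an added example, not part of the original message: the policy name asa comes from the post, while the inspection rule name FW, the interface and every numeric value are assumptions chosen for illustration.

```cisco
! --- 1. Generic TCP inspection: stateful tracking of every TCP session ---
! Global TCP timers and limits (values are illustrative only)
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect tcp max-incomplete host 50 block-time 0
!
! Inspection rule "FW" (hypothetical name) tracking TCP state
ip inspect name FW tcp
!
! --- 2. HTTP application inspection through an appfw policy ---
appfw policy-name asa
 application http
  ! Reset and log requests that do not comply with the HTTP RFC
  strict-http action reset alarm
  ! Cap URI and header sizes
  max-uri-length 512 action reset alarm
  max-header-length request 2048 response 2048 action reset alarm
  ! Catch non-HTTP protocols run over the HTTP port
  port-misuse default action reset alarm
  ! Only log, do not drop, on these checks
  request-method rfc default action allow alarm
  content-type-verification match-req-rsp action allow alarm
  transfer-encoding type default action allow alarm
  audit-trail on
!
! Bind the appfw policy to the same inspection rule and enable HTTP inspection
ip inspect name FW appfw asa
ip inspect name FW http
!
! Apply the rule to traffic entering the inside interface (assumed interface)
interface FastEthernet0/0
 ip inspect FW in
```

With only the `ip inspect name FW tcp` line, HTTP sessions are tracked as ordinary TCP connections; the HTTP parameters take effect once the appfw policy and `http` are added to the rule.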