New Features

Table 1-1 lists the new features for FWSM Release 4.1(1).

Table 1-1 New Features for FWSM Version 4.1(1)

| Feature | Description |
|---|---|
| Platform Features | |
| Separate Host names for Primary and Secondary blades | This feature lets you configure a separate hostname on the primary and secondary FWSMs. If the secondary hostname is not configured, the primary and secondary hostnames are the same. The following command was modified: hostname primary_hostname [secondary secondary_hostname]. |
| Firewall Features | |
| Creation of UDP sessions with unresolved ARP in the accelerated path | If you configure the FWSM to create the session in the accelerated path even though the ARP lookup fails, then it will drop all further packets to the destination IP address until the ARP lookup succeeds. Without this feature, each subsequent UDP packet goes through the session management path before being dropped by the accelerated path, causing potential overload of the session management path. The following command was introduced: sysopt connection udp create-arp-unresolved-conn. |
| DCERPC Enhancement: Remote Create Instance message support | In this release, DCERPC inspection was enhanced to support inspection of RemoteCreationInstance RPC messages. No commands were modified. |
| NAT/PAT Global Pool usage enhancement | This feature lets you track and manage the usage of global pools for NAT/PAT configurations. The following command was introduced: show global usage. |
| Reset Connection marked for Deletion | You can now disable the sending of a reset (RST) packet for a connection marked for deletion. Starting in this release, reset packets are not sent by default. You can restore the previous behavior, so that when the FWSM receives a SYN packet on the same 5-tuple (source IP and port, destination IP and port, protocol) that was marked for deletion, it will send a reset packet. The following command was introduced: service reset connection marked-for-deletion. |
| PPTP-GRE Timeout | You can now set the timeout for GRE connections that are built as a result of PPTP inspection. The following command was modified: timeout pptp-gre. |
| Management Features | |

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
1-2
Chapter 1
Introduction to the Firewall Services Module
OL-20748-01