larger cover

Add To My Wish List

Register your product to gain access to bonus material or receive a coupon.

Cisco Secure Firewall Services Module (FWSM)


  • Sorry, this book is no longer in print.
Not for Sale
  • Description
  • Extras
  • Sample Content
  • Updates
  • Copyright 2009
  • Dimensions: 7-3/8" x 9-1/8"
  • Pages: 528
  • Edition: 1st
  • Book
  • ISBN-10: 1-58705-353-5
  • ISBN-13: 978-1-58705-353-5

Cisco Secure Firewall Services Module (FWSM)

Best practices for securing networks with FWSM

Ray Blair, CCIE® No. 7050

Arvind Durai, CCIE No. 7016

The Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. The FWSM defines the security parameter and enables the enforcement of security policies through authentication, access control lists, and protocol inspection. The FWSM is a key component to anyone deploying network security.

Cisco Secure Firewall Services Module (FWSM) covers all aspects of the FWSM. The book provides a detailed look at how the FWSM processes information, as well as installation advice, configuration details, recommendations for network integration, and reviews of operation and management. This book provides you with a single source that comprehensively answers how and why the FWSM functions as it does. This information enables you to successfully deploy the FWSM and gain the greatest functional benefit from your deployment. Practical examples throughout show you how other customers have successfully deployed the FWSM.

By reading this book, you will learn how the FWSM functions, the differences between the FWSM and the ASA Security Appliance, how to implement and maintain the FWSM, the latest features of the FWSM, and how to configure common installations.

Ray Blair, CCIE® No. 7050, is a consulting systems architect who has been with Cisco for more than 8 years, working primarily on security and large network designs. He has 20 years of experience in designing, implementing, and maintaining networks that have included nearly all networking technologies. Mr. Blair maintains three CCIE certifications in Routing and Switching, Security, and Service Provider. He is also a CNE and a CISSP.

Arvind Durai, CCIE No. 7016, is an advanced services technical leader for Cisco. His primary responsibility has been in supporting major Cisco customers in the enterprise sector. One of his focuses has been on security, and he has authored several white papers and design guides in various technologies. Mr. Durai maintains two CCIE certifications, in Routing and Switching and Security.

  • Understand modes of operation, security levels, and contexts for the FWSM
  • Configure routing protocols and the host-chassis to support the FWSM
  • Deploy ACLs and Authentication, Authorization, and Accounting (AAA)
  • Apply class and policy maps
  • Configure multiple FWSMs for failover support
  • Configure application and protocol inspection
  • Filter traffic using filter servers, ActiveX, and Java filtering functions
  • Learn how IP multicast and the FWSM interact
  • Increase performance with firewall load balancing
  • Configure IPv6 and asymmetric routing
  • Mitigate network attacks using shunning, anti-spoofing, connection limits, and timeouts
  • Examine network design, management, and troubleshooting best practices

This security book is part of the Cisco Press® Networking Technology series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Category: Networking: Security

Covers: Firewall security

Online Sample Chapter

Understanding Cisco Secure Firewall Services Module 4.x Routing and Feature Enhancements

Sample Pages

Download the sample pages

Table of Contents


Part I Introduction

Chapter 1 Types of Firewalls

Understanding Packet-Filtering Firewalls 5

    Advantages 5

    Caveats 6

Understanding Application/Proxy Firewalls 7

    Advantages 8

    Caveats 8

Understanding Reverse-Proxy Firewalls



Utilizing Packet Inspection

Reusing IP Addresses




Chapter 2 Overview of the Firewall Services Module





Comparing the FWSM to Other Security Devices

    IOS FW



Hardware Architecture

Software Architecture


Chapter 3 Examining Modes of Operation

Working with Transparent Mode



    Traffic Flow

    Multiple Bridge Groups

Working with Routed Mode



    Traffic Flow



Chapter 4 Understanding Security Levels

Traffic Flow Between Interfaces

Network Address Translation/Port Address Translation

    Static NAT

        Number of Simultaneous TCP Connections

        Number of Embryonic Connections





    Static PAT

    Dynamic NAT

    Dynamic PAT

    NAT Control

    NAT Bypass

        NAT 0 or Identity NAT

        Static Identity NAT



Chapter 5 Understanding Contexts

Benefits of Multiple Contexts

    Separating Security Policies

    Leveraging the Hardware Investment

Disadvantages of Multiple Contexts

Adding and Removing Contexts

    Adding a Context

    Removing a Context

        Storing Configuration Files

    Changing Between Contexts

Understanding Resource Management

    Memory Partitions


Part II Initial Configuration

Chapter 6 Configuring and Securing the 6500/7600 Chassis

Understanding the Interaction Between the Host-Chassis and the FWSM

Assigning Interfaces

Securing the 6500/7600 (Host-Chassis)

    Controlling Physical Access

    Being Mindful of Environmental Considerations

    Controlling Management Access

    Disabling Unnecessary Services

    Controlling Access Using Port-Based Security

    Controlling Spanning Tree

    Leveraging Access Control Lists

    Securing Layer 3

    Leveraging Control Plane Policing

    Protecting a Network Using Quality of Service

    Employing Additional Security Features



Chapter 7 Configuring the FWSM

Configuring FWSM in the Switch

Exploring Routed Mode

Exploring Transparent Mode

Using Multiple Context Mode for FWSM

    Context Configurations

    System Context Configurations

    Admin Context Configurations

    Packet Classifier in FWSM Context Mode

    Understanding Resource Management in Contexts

Configuration Steps for Firewall Services Module

    Type 1: Configuring Single Context Routed Mode

    Type 2: Configuring Single Context Transparent Mode

    Type 3: Configuring Multiple Context Mixed Mode


Chapter 8 Access Control Lists

Introducing Types of Access Lists

    Understanding Access Control Entry

    Understanding Access List Commit

Understanding Object Groups

Monitoring Access List Resources

Configuring Object Groups and Access Lists

    Working with Protocol Type

    Working with Network Type

    Working with Service Type

    Working with Nesting Type

    Working with EtherType


Chapter 9 Configuring Routing Protocols

Supporting Routing Methods

    Static Routes

    Default Routes

    Open Shortest Path First

        SPF Algorithm

        OSPF Network Types

        Concept of Areas

        OSPF Link State Advertisement

        Types of Stub Area in OSPF

    OSPF in FWSM

    OSPF Configuration in FWSM

        Interface-Based Configuration for OSPF Parameters


        Stub Configuration

        NSSA Configuration

        Default Route Information


    OSPF Design Example 1

    OSPF Design Example 2

    Routing Information Protocol

    RIP in FWSM

        Configuration Example of RIP on FWSM

    Border Gateway Protocol

    BGP in FWSM

    BGP Topology with FWSM


Chapter 10 AAA Overview

Understanding AAA Components

    Authentication in FWSM

    Authorization in FWSM

    Accounting in FWSM

Comparing Security Protocols

Understanding Two-Step Authentication

Understanding Fallback Support

    Configuring Fallback Authentication

    Configuring Local Authorization

Understanding Cut-Through Proxy in FWSM

    Configuring Custom Login Prompts

    Using MAC Addresses to Exempt Traffic from Authentication and Authorization


Chapter 11 Modular Policy

Using Modular Policy in FWSM

Understanding Classification of Traffic

    Understanding Application Engines

Defining Policy Maps

    Configuring Global Policy

Configuring Service Policy

Understanding Default Policy Map

Sample Configuration of Modular Policy in FWSM


Part III Advanced Configuration

Chapter 12 Understanding Failover in FWSM

Creating Redundancy in the FWSM

    Understanding Active/Standby Mode

    Understanding Active/Active Mode

Understanding Failover Link and State Link

Requirements for Failover

Synchronizing the Primary and Secondary Firewalls

Monitoring Interfaces

Configuring Poll Intervals

Design Principle for Monitoring Interfaces

Configuring Single Context FWSM Failover

Configuring Multiple Context FWSM Failover


Chapter 13 Understanding Application Protocol Inspection

Inspecting Hypertext Transfer Protocol

Inspecting File Transfer Protocol

Working with Supported Applications

Configuring ARP

    Inspecting ARP

    Configuring Parameters for ARP

        Configuring MAC Entries

        Adding Static Entries



Chapter 14 Filtering

Working with URLs and FTP

Configuring ActiveX and Java



Chapter 15 Managing and Monitoring the FWSM

Using Telnet

Using Secure Shell

Using Adaptive Security Device Manager

    Configuring the FWSM Using ASDM

    Managing the FWSM from the Client

Securing Access

    Configuring the FWSM for VPN Termination

    Configuring the VPN Client

Working with Simple Network Management Protocol

Examining Syslog

Working with Cisco Security Manager

Monitoring Analysis and Response System



Chapter 16 Multicast

Protocol Independent Multicast

Understanding Rendezvous Point

PIM Interface Modes

IGMP Protocol

Multicast Stub Configuration

Multicast Traffic Across Firewalls

    FWSM 1.x and 2.x Code Releases

    FWSM 3.x Code Release

Configuration Methods

    Method 1: Configuration Example for Multicast Through Firewall in Single Context Routed Mode

    Method 2: Configuration Example for Multicast Through Firewall via GRE

    Method 3: Configuration Example for Multicast Through Transparent Firewall in Multiple Context Mode


Chapter 17 Asymmetric Routing

Asymmetric Routing Without a Firewall

Asymmetric Traffic Flow in a Firewall Environment

Avoiding Asymmetric Routing Through Firewalls

    Option 1: Symmetric Routing Through Firewalls

    Option 2: Firewall Redundancy and Routing Redundancy Symmetry

Supporting Asymmetric Routing in FWSM

    Asymmetric Routing Support in Active/Standby Mode

    Asymmetric Routing Support in Active/Active Mode

Configuring ASR in FWSM


Chapter 18 Firewall Load Balancing

Reasons for Load Balancing Firewalls

Design Requirements for Firewall Load Balancing

Firewall Load-Balancing Solutions

    Firewall Load Balancing with Policy-Based Routing

    Firewall Load Balancing with Content Switch Module

        Configuring the CSM

        Snapshot Configuration for CSM Supporting Firewall Load Balancing

    Firewall Load Balancing Using the Application Control Engine

        ACE Design for Firewall Load Balancing

Firewall Load Balancing Configuration Example

    OUT2IN Policy Configuration

    Firewall Configuration

    IN2OUT Policy Configuration


Chapter 19 IP Version 6

Understanding IPv6 Packet Header

Examining IPv6 Address Types

    Neighbor Discovery Protocol

IPv6 in FWSM

    Configuring Multiple Features of IPv6 in FWSM

        Interface Configuration

        Router Advertisement

        Duplicate Address Detection

        Timer for Duplicate Address Detection

        Configuring Access Lists

        Configuring Static Routes

        Configuring IPv6 Timers in FWSM

    Configuring IPv6 in FWSM

        Configuring PFC (Layer 3 Device) on the Outside Security Domain

        Configuring FWSM

        Configuring a Layer 3 Device on the Inside Security Domain

        Verify the Functionality of FWSM

        Working with the showCommand for IPv6 in FWSM


Chapter 20 Preventing Network Attacks

Protecting Networks

Shunning Attackers


Understanding Connection Limits and Timeouts

    Configuring Connection Limits

    Configuring Timeouts



Chapter 21 Troubleshooting the FWSM

Understanding Troubleshooting Logic

Assessing Issues Logically

Connectivity Test of a Flow at the FWSM

    Troubleshooting Flow Issues

FAQs for Troubleshooting

    How Do You Verify Whether the Traffic Is Forwarded to a Particular Interface in the FWSM?

    How Do I Verify ACL Resource Limits?

    How Do I Verify the Connectivity and Packet Flow Through the Firewall?

    What Is Network Analysis Module?

    What Are Some Useful Management and Monitoring Tools?

    How Do I Recover Passwords?


Part IV Design Guidelines and Configuration Examples

Chapter 22 Designing a Network Infrastructure

Determining Design Considerations

    Documenting the Process

Determining Deployment Options

    Determining Placement

    Working with FWSM and the Enterprise Perimeter

    FWSM in the Datacenter




    Supporting Virtualized Networks



Chapter 23 Design Scenarios

Layer 3 VPN (VRF) Terminations at FWSM

    Configuring the PFC

    Configuring the FWSM

Failover Configuration in Mixed Mode

Interdomain Communication of Different Security Zones Through a Single FWSM

    Configuring the PFC

    FWSM Configuration

Dynamic Learning of Routes with FWSM

    Single Box Solution with OSPF

Data Center Environment with the FWSM

    Method 1: Layer 3 VPN Segregation with Layer 3 FWSM (Multiple Context Mode)

    Method 2: Layer 3 VPN Segregation with Layer 2 FWSM (Multiple Context Mode)


    PVLAN Configuration in FWSM

    Design Scenario 1 for PVLAN in FWSM

    Design Scenario 2 for PVLAN in FWSM

    Configuring PVLAN


Part V FWSM 4.x

Chapter 24 FWSM 4.x Performance and Scalability Improvements

Increasing Performance by Leveraging the Supervisor

Using the PISA for Enhanced Traffic Detection

Improving Memory

    Partitioning Memory

    Reallocating Rules

    Optimizing ACL


Chapter 25 Understanding FWSM 4.x Routing and Feature Enhancements

Configuring EIGRP

Configuring Route Health Injection

Understanding Application Support

    Configuring Regular Expressions

    Understanding Application Inspection Improvements

Additional Support for Simple Network Management Protocol Management Information Base

Miscellaneous Security Features

    Dynamic Host Configuration Protocol Option 82

    Smartfilter HTTPS Support



1587053535   TOC   8/12/2008

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive:

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020