When security parameters are configured, data packets entering or leaving a zone are extracted from the datapath to the CSM for examination. Extracted Application Level Gateway (ALG) TFTP/FTP or strict TCP data packets are placed into access or network security data queues. The rate of traffic scheduled through these access and network security queues is controlled by security queue QoS policies (see Security Queue QoS Policies for information).
Non-ALG and non-strict TCP traffic that is extracted from the datapath for CSM security examination is placed into a security control queue; there is one security control queue per security zone.
To limit the aggregate datapath traffic extracted to the CSM through the access/network security queues and all the security control queues (one per zone), a security-aggregate-rate shaper can be configured. The shaper defaults to a rate of 50 Mb/s. For information about configuring the security-aggregate-rate shaper, refer to the 7705 SAR Interface Configuration Guide, "Adapter Card Commands".
Traffic that is permitted through the firewall is forwarded across the datapath using datapath traffic management.