Firewall Ruledef Configuration Mode Commands


The Firewall Ruledef Configuration Mode is used to configure and manage Access/Stateful Firewall rule definitions.
 
 
bearer 3gpp apn
This command configures an access/firewall ruledef to analyze user traffic based on APN bearer.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
[ no ] bearer 3gpp apn [ case-sensitive ] operator value
no
Removes previously configured bearer ruledef.
case-sensitive
This keyword makes the rule case sensitive.
By default, ruledefs are not case sensitive.
Default: Disabled
operator
Specifies how to logically match the APN name.
operator must be one of the following:
!=: Does not equal
!contains: Does not contain
!ends-with: Does not end with
!starts-with: Does not start with
=: Equals
contains: Contains
ends-with: Ends with
starts-with: Starts with
value
The APN name to match in the bearer flow.
value must be an alpha and/or numeric string of 1 through 62 characters in length, and can include punctuation characters.
Usage
Use this command to specify an access/firewall ruledef to analyze user traffic based on APN name.
Example
The following command creates an access/firewall ruledef for analyzing user traffic for an APN named apn12:
bearer 3gpp apn = apn12
 
bearer 3gpp imsi
This command configures an access/firewall ruledef to analyze user traffic based on the International Mobile Subscriber Identity (IMSI) number in the bearer flow.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] bearer 3gpp imsi { operator msid | { !range | range } imsi-pool imsi_pool }
no
Removes previously configured bearer ruledef.
operator
Specifies how to logically match the MSID.
operator must be one of the following:
!=: Does not equal
=: Equals
msid
Specifies the Mobile Station Identifier.
{ !range | range } imsi-pool imsi_pool
{ !range | range }: Specifies the range criteria:
!range: Not in the range of
range: In the range of
imsi-pool imsi_pool: Specifies the IMSI pool name. imsi_pool must be a string of 1 through 63 characters in length.
Usage
Use this command to specify an access/firewall ruledef to analyze user traffic based on IMSI number of mobile station.
Example
The following command creates an access/firewall ruledef to analyze user traffic for the IMSI number 9198838330912:
bearer 3gpp imsi = 9198838330912
 
bearer username
This command configures an access/firewall ruledef to analyze user traffic based on user name of the bearer flow.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] bearer username [ case-sensitive ] operator value
no
Removes previously configured bearer ruledef.
case-sensitive
This keyword makes the rule case sensitive.
By default, ruledefs are not case sensitive.
Default: Disabled
operator
Specifies how to logically match the user name.
operator must be one of the following:
!=: Does not equal
!contains: Does not contain
!ends-with: Does not end with
!starts-with: Does not start with
=: Equals
contains: Contains
ends-with: Ends with
starts-with: Starts with
value
Specifies the user name.
value must be an alpha and/or numeric string of 1 through 127 characters in length.
Usage
Use this command to specify an access/firewall ruledef to analyze user traffic based on the user name of the bearer flow.
Example
The following command creates an access/firewall ruledef for analyzing user traffic for the user name user12:
bearer username = user12
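As an added illustration (not StarOS code and not part of this reference), the following Python models the string operators and the case-sensitive keyword shared by the bearer 3gpp apn and bearer username lines above. The bearer records and rule lines it evaluates are constructed for the example; the value length limits it enforces are the ones stated on this page. The point it makes is the default case-insensitive comparison: a rule written for one APN or user name also selects names that differ only in case unless case-sensitive is specified.

```python
"""Model of the string operators used by `bearer 3gpp apn` and `bearer username`.

Added example, not StarOS code. It reproduces the operator table on this page
(=, !=, contains, !contains, starts-with, !starts-with, ends-with, !ends-with)
and the `case-sensitive` keyword, and runs sample rule lines against a few
constructed bearer records.
"""

# Value length limits as documented for each field on this page.
MAX_VALUE_LEN = {"apn": 62, "username": 127}


def match_string(operator: str, value: str, candidate: str,
                 case_sensitive: bool = False) -> bool:
    """Return True when `candidate` satisfies `<operator> <value>`.

    Ruledefs are case-insensitive by default, so both sides are folded
    unless the rule carried the `case-sensitive` keyword.
    """
    if not case_sensitive:
        value, candidate = value.lower(), candidate.lower()
    negate = operator.startswith("!")
    op = operator.lstrip("!")
    if op == "=":
        hit = candidate == value
    elif op == "contains":
        hit = value in candidate
    elif op == "starts-with":
        hit = candidate.startswith(value)
    elif op == "ends-with":
        hit = candidate.endswith(value)
    else:
        raise ValueError(f"unknown operator {operator!r}")
    return not hit if negate else hit


def parse_bearer_rule(line: str):
    """Parse one CLI line of the form documented above:

        bearer 3gpp apn [ case-sensitive ] operator value
        bearer username [ case-sensitive ] operator value

    Returns (field, case_sensitive, operator, value).
    """
    tokens = line.split()
    if tokens[:3] == ["bearer", "3gpp", "apn"]:
        field, rest = "apn", tokens[3:]
    elif tokens[:2] == ["bearer", "username"]:
        field, rest = "username", tokens[2:]
    else:
        raise ValueError(f"unsupported rule line: {line!r}")
    case_sensitive = False
    if rest[:1] == ["case-sensitive"]:
        case_sensitive, rest = True, rest[1:]
    if len(rest) != 2:
        raise ValueError(f"expected '<operator> <value>' in {line!r}")
    operator, value = rest
    if not 1 <= len(value) <= MAX_VALUE_LEN[field]:
        raise ValueError(f"value length out of range for {field}: {value!r}")
    return field, case_sensitive, operator, value


def bearers_matching(line: str, bearers):
    """Return the ids of the bearers that the rule line selects."""
    field, case_sensitive, operator, value = parse_bearer_rule(line)
    return [b["id"] for b in bearers
            if match_string(operator, value, b[field], case_sensitive)]


# Constructed sample bearers (hypothetical APNs and user names).
SAMPLE_BEARERS = [
    {"id": "b1", "apn": "apn12", "username": "user12"},
    {"id": "b2", "apn": "APN12", "username": "User12"},
    {"id": "b3", "apn": "corp.example", "username": "alice@corp"},
]

if __name__ == "__main__":
    for rule in ("bearer 3gpp apn = apn12",
                 "bearer 3gpp apn case-sensitive = apn12",
                 "bearer username !ends-with @corp",
                 "bearer 3gpp apn starts-with corp"):
        print(f"{rule!r:48} -> {bearers_matching(rule, SAMPLE_BEARERS)}")
```

Run as a script it prints which sample bearers each rule selects; note that "bearer 3gpp apn = apn12" selects both apn12 and APN12 until case-sensitive is added.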
 
create-log-record
This command enables/disables Firewall ruledef logging.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] create-log-record
no
Disables Firewall ruledef logging.
Usage
Use this command to enable/disable Firewall ruledef logging.
Example
The following command enables Firewall ruledef logging:
create-log-record
The following command disables Firewall ruledef logging:
no create-log-record
 
end
This command exits the current configuration mode, and returns to the Executive mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Use this command to change to the Executive mode.
 
exit
This command exits the current configuration mode, and returns to the parent configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Use this command to return to the parent configuration mode.
 
icmp any-match
This command configures an access/firewall ruledef to match any ICMP traffic for the user.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] icmp any-match operator condition
no
Removes previously configured ICMP any-match ruledef.
operator
Specifies how to logically match the analyzed state.
operator must be one of the following:
!=: Does not equal
=: Equals
condition
Specifies the condition to be matched for the user traffic.
condition must be one of the following:
FALSE: Specified condition is FALSE.
TRUE: Specified condition is TRUE.
Usage
Use this command to specify an access/firewall ruledef to match any ICMP traffic of the user.
Example
The following command creates an access/firewall ruledef to match any non-ICMP traffic of the user:
icmp any-match = FALSE
 
icmp code
This command configures an access/firewall ruledef to analyze user traffic based on ICMP code.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] icmp code operator code
no
Removes previously configured ICMP code ruledef.
operator
Specifies how to logically match the ICMP code.
operator must be one of the following:
!=: does not equal
<=: less than or equals
=: equals
>=: greater than or equals
code
Specifies the ICMP code.
code must be an integer from 0 through 255.
Usage
Use this command to define an access/firewall ruledef to analyze user traffic based on the ICMP code.
Example
The following command creates an access/firewall ruledef for analyzing user traffic using the ICMP code as 23:
icmp code = 23
 
icmp type
This command configures an access/firewall ruledef to analyze user traffic based on ICMP type.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] icmp type operator type
no
Removes previously configured ICMP type ruledef.
operator
Specifies how to logically match the ICMP type.
operator must be one of the following:
!=: Does not equal
<=: Less than or equals
=: Equals
>=: Greater than or equals
type
Specifies the ICMP type.
type must be an integer from 0 through 255.
For example, 0 for Echo Reply, 3 for Destination Unreachable, and 5 for Redirect.
Usage
Use this command to define an access/firewall ruledef to analyze user traffic based on the ICMP type.
Example
The following command creates an access/firewall ruledef for analyzing user traffic using an ICMP type as 123:
icmp type = 123
 
ip any-match
This command configures an access/firewall ruledef to match any IP traffic for the user.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] ip any-match operator condition
no
Removes previously configured IP any-match ruledef.
operator
Specifies how to logically match the analyzed state.
operator must be one of the following:
!=: Does not equal
=: Equals
condition
Specifies the condition to be matched for the user traffic.
condition must be one of the following:
FALSE: Specified condition is FALSE.
TRUE: Specified condition is TRUE.
Usage
Use this command to specify an access/firewall ruledef to match any IP traffic of the user.
Example
The following command creates an access/firewall ruledef to match any non-IP traffic of the user:
ip any-match = FALSE
 
ip downlink
This command configures an access/firewall ruledef to analyze user traffic based on IP packet flow in downlink direction (to subscriber).
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] ip downlink operator condition
no
Removes previously configured IP ruledef.
operator
Specifies how to logically match the packet flow direction.
operator must be one of the following:
!=: Does not equal
=: Equals
condition
Specifies the condition to match.
condition must be one of the following:
TRUE: Analyzed
FALSE: Not analyzed
Usage
Use this command to define an access/firewall ruledef to analyze user traffic based on the IP packet flow direction as downlink.
Example
The following command creates a firewall ruledef for analyzing user traffic with an IP packet direction of downlink (to subscriber):
ip downlink = TRUE
 
ip dst-address
This command configures an access/firewall ruledef to analyze user traffic based on IP destination address.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] ip dst-address { operator { ip_address | ip_address/mask } | { !range | range } host-pool host_pool }
no
Removes previously configured IP destination address ruledef.
operator { ip_address | ip_address/mask }
operator specifies how to logically match the IP destination address.
operator must be one of the following:
!=: does not equal
<=: less than or equals
=: equals
>=: greater than or equals
ip_address: Specifies the IP address of destination node for outgoing traffic in IPv4 or IPv6 standard notation. ip_address must be the IP address in dotted decimal notation for IPv4, or in colon notation for IPv6.
ip_address/mask: Specifies the IP address of destination node for outgoing traffic in IPv4 or IPv6 standard notation with subnet mask bit. ip_address/mask must be the IP address in dotted decimal notation for IPv4, or in colon notation for IPv6 with subnet mask bit. The mask bit is a numeric value which is the number of bits in the subnet mask.
{ !range | range } host-pool host_pool
!range | range: Specifies the range criteria:
!range: Not in the range of
range: In the range of
host-pool host_pool: Specifies the host pool name. host_pool must be a string of 1 through 63 characters in length.
Usage
Use this command to specify an access/firewall ruledef to analyze user traffic based on the IP destination address.
Example
The following command creates an IP ruledef for analyzing user traffic with an IP destination address of 1.1.1.1:
ip dst-address = 1.1.1.1
 
ip protocol
This command configures an access/firewall ruledef to analyze user traffic based on the protocol being transported by IP packets.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] ip protocol { { operator { protocol | protocol_assignment } } | { operator protocol_assignment } }
no
Removes previously configured IP protocol ruledef.
operator { protocol | protocol_assignment }
operator: Specifies how to logically match the IP protocol. operator must be one of the following:
!=: Does not equal
=: Equals
protocol: Specifies the protocol by name. protocol must be one of the following:
protocol_assignment: Specifies the protocol by assignment number. protocol_assignment must be an integer from 0 through 255 (e.g., 1 for ICMP, 6 for TCP, and 17 for UDP).
operator protocol_assignment
operator: Specifies how to logically match the IP protocol. operator must be one of the following:
<=: less than or equals
>=: greater than or equals
protocol_assignment: Specifies the protocol by assignment number. protocol_assignment must be an integer from 0 through 255 (e.g., 1 for ICMP, 6 for TCP, and 17 for UDP).
Usage
Use this command to specify an access/firewall ruledef to analyze user traffic based on the IP protocol.
Example
The following command creates an IP ruledef for analyzing user traffic with a protocol assignment of 1 (ICMP):
ip protocol = 1
 
ip src-address
This command configures an access/firewall ruledef to analyze user traffic based on IP source address.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] ip src-address { operator { ip_address | ip_address/mask } | { !range | range } host-pool host_pool }
no
Removes previously configured IP source address ruledef.
operator { ip_address | ip_address/mask }
operator: Specifies how to logically match the IP source address. operator must be one of the following:
!=: does not equal
<=: less than or equals
=: equals
>=: greater than or equals
ip_address: Specifies the IP address of source node for incoming traffic in IPv4 or IPv6 standard notation. ip_address must be the IP address in dotted decimal notation for IPv4, or in colon notation for IPv6.
ip_address/mask: Specifies the IP address of source node for incoming traffic in IPv4 or IPv6 standard notation with subnet mask bit. ip_address/mask must be the IP address in dotted decimal notation for IPv4, or in colon notation for IPv6 with subnet mask bit. The mask bit is a numeric value which is the number of bits in the subnet mask.
{ !range | range } host-pool host_pool
!range | range: Specifies the range criteria:
!range: Not in the range of
range: In the range of
host-pool host_pool: Specifies the host pool name. host_pool must be a string of 1 through 63 characters in length.
Usage
Use this command to specify an access/firewall ruledef to analyze user traffic based on the IP source address.
Example
The following command creates an IP ruledef for analyzing user traffic with an IP source address of 1.1.1.1:
ip src-address = 1.1.1.1
 
ip uplink
This command configures an access/firewall ruledef to analyze user traffic based on IP packet flow in uplink direction (from subscriber).
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] ip uplink operator condition
no
Removes previously configured IP uplink match ruledef.
operator
Specifies how to logically match the IP packet flow direction.
operator must be one of the following:
!=: Does not equal
=: Equals
condition
Specifies the condition to match.
condition must be one of the following:
TRUE: Analyzed
FALSE: Not analyzed
Usage
Use this command to define an access/firewall ruledef to analyze user traffic based on the IP packet flow direction as uplink.
Example
The following command creates a firewall ruledef for analyzing user traffic with an IP packet direction of uplink (from subscriber):
ip uplink = TRUE
 
tcp any-match
This command configures an access/firewall ruledef to match any TCP traffic for the user.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] tcp any-match operator condition
no
Removes previously configured TCP any-match ruledef.
operator
Specifies how to logically match the analyzed state.
operator must be one of the following:
!=: does not equal
=: equals
condition
Specifies the condition to be matched for the user traffic.
condition must be one of the following:
FALSE: Specified condition is FALSE.
TRUE: Specified condition is TRUE.
Usage
Use this command to specify an access/firewall ruledef to match any TCP traffic of the user.
Example
The following command creates an access/firewall ruledef to match any non-TCP traffic of the user:
tcp any-match = FALSE
 
tcp dst-port
This command configures an access/firewall ruledef to analyze user traffic based on destination TCP port.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] tcp dst-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }
no
Removes the previously configured destination TCP port ruledef.
operator
Specifies how to logically match the port number.
operator must be one of the following:
!=: Does not equal
<=: Less than or equals
=: Equals
>=: Greater than or equals
port_number
Specifies the port number to match.
port_number must be an integer from 1 through 65535.
range | !range
Specifies the range criteria:
!range: Not in the range
range: In the range
start_range to end_range
Specifies the starting and ending port numbers for the range of destination TCP ports.
start_range must be an integer from 1 through 65535.
end_range must be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map
Specifies name of the port-map for the port range.
port_map must be a string of 1 through 63 characters in length.
Usage
Use this command to specify an access/firewall ruledef to analyze user traffic based on destination TCP port.
Example
The following command creates an access/firewall ruledef for analyzing user traffic matching destination port for TCP as 10:
tcp dst-port = 10
 
tcp either-port
This command configures an access/firewall ruledef to analyze user traffic based on either (destination or source) TCP ports.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] tcp either-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }
no
Removes previously configured TCP either-port (destination or source) ruledef.
operator
Specifies how to logically match the port number.
operator must be one of the following:
!=: Does not equal
<=: Less than or equals
=: Equals
>=: Greater than or equals
port_number
Specifies the port number to match.
port_number must be an integer from 1 through 65535.
range | !range
Specifies the range criteria:
!range: Not in the range
range: In the range
start_range to end_range
Specifies the starting and ending port numbers for the port range.
start_range must be an integer from 1 through 65535.
end_range must be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map
Specifies name of the port-map for the port range.
port_map must be a string of 1 through 63 characters in length.
Usage
Use this command to specify an access/firewall ruledef to analyze user traffic based on either TCP port.
Example
The following command creates an access/firewall ruledef for analyzing user traffic matching destination or source port for TCP as 10:
tcp either-port = 10
 
tcp src-port
This command configures an access/firewall ruledef to analyze user traffic based on source TCP port.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] tcp src-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }
no
Removes previously configured source TCP port ruledef.
operator
Specifies how to logically match the port number.
operator must be one of the following:
!=: Does not equal
<=: Less than or equals
=: Equals
>=: Greater than or equals
port_number
Specifies the port number to match.
port_number must be an integer from 1 through 65535.
range | !range
Specifies the range criteria:
!range: Not in the range
range: In the range
start_range to end_range
Specifies the starting and ending port numbers for the port range.
start_range must be an integer from 1 through 65535.
end_range must be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map
Specifies name of the port-map for the port range.
port_map must be a string of 1 through 63 characters in length.
Usage
Use this command to specify an access/firewall ruledef to analyze user traffic based on source TCP port.
Example
The following command creates an access/firewall ruledef for analyzing user traffic matching source port for TCP as 10:
tcp src-port = 10
 
udp any-match
This command configures an access/firewall ruledef to match any UDP traffic for the user.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] udp any-match operator condition
no
Removes previously configured UDP any-match ruledef.
operator
Specifies how to logically match the analyzed state.
operator must be one of the following:
!=: does not equal
=: equals
condition
Specifies the condition to be matched for the user traffic.
condition must be one of the following:
FALSE: Specified condition is FALSE.
TRUE: Specified condition is TRUE.
Usage
Use this command to specify an access/firewall ruledef to match any UDP traffic of the user.
Example
The following command creates an access/firewall ruledef to match any UDP traffic of the user:
udp any-match = TRUE
 
udp dst-port
This command configures an access/firewall ruledef to analyze user traffic based on destination UDP port.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] udp dst-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }
no
Removes previously configured destination UDP ports ruledef.
operator
Specifies how to logically match the port number.
operator must be one of the following:
!=: Does not equal
<=: Less than or equals
=: Equals
>=: Greater than or equals
port_number
Specifies the port number to match.
port_number must be an integer from 1 through 65535.
!range | range
Specifies the range criteria.
!range: Not in the range
range: In the range
start_range to end_range
Specifies the starting and ending port numbers for the port range.
start_range must be an integer from 1 through 65535.
end_range must be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map
Specifies name of the port-map for the port range.
port_map must be a string of 1 through 63 characters in length.
Usage
Use this command to specify an access/firewall ruledef to analyze user traffic based on destination UDP port.
Example
The following command creates an access/firewall ruledef for analyzing user traffic matching destination port for UDP as 10:
udp dst-port = 10
 
udp either-port
This command configures an access/firewall ruledef to analyze user traffic based on either (destination or source) UDP port.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] udp either-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }
no
Removes previously configured either-port (destination or source) UDP ruledef.
operator
Specifies how to logically match the port number.
operator must be one of the following:
!=: Does not equal
<=: Less than or equals
=: Equals
>=: Greater than or equals
port_number
Specifies the port number to match.
port_number must be an integer from 1 through 65535.
!range | range
Specifies the range criteria.
!range: Not in the range
range: In the range
start_range to end_range
Specifies the starting and ending port numbers for the port range.
start_range must be an integer from 1 through 65535.
end_range must be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map
Specifies name of the port-map for the port range.
port_map must be a string of 1 through 63 characters in length.
Usage
Use this command to specify an access/firewall ruledef to analyze user traffic based on either UDP port.
Example
The following command creates an access/firewall ruledef for analyzing user traffic matching destination or source port for UDP as 10:
udp either-port = 10
 
udp src-port
This command configures an access/firewall ruledef to analyze user traffic based on source UDP port.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] udp src-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }
no
Removes previously configured source UDP port ruledef.
operator
Specifies how to logically match the port number.
operator must be one of the following:
!=: Does not equal
<=: Less than or equals
=: Equals
>=: Greater than or equals
port_number
Specifies the port number to match.
port_number must be an integer from 1 through 65535.
!range | range
Specifies the range criteria.
!range: Not in the range
range: In the range
start_range to end_range
Specifies the starting and ending port numbers for the port range.
start_range must be an integer from 1 through 65535.
end_range must be an integer from 1 through 65535, and must be greater than start_range.
port-map port_map
Specifies name of the port-map for the port range.
port_map must be a string of 1 through 63 characters in length.
Usage
Use this command to specify an access/firewall ruledef to analyze user traffic based on source UDP port.
Example
The following command creates an access/firewall ruledef for analyzing user traffic matching source port for UDP as 10:
udp src-port = 10
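As an added illustration (not StarOS code and not part of this reference), the following Python models how the ip, icmp, tcp and udp lines documented above evaluate against a packet, including the range/!range forms, the numeric operators, and the any-match, uplink and downlink flags. Several things it relies on are assumptions this page does not state and are marked as such in the code: that every line of a ruledef must match (logical AND), that <= and >= on a bare IP address compare its numeric value, that a tcp, udp or icmp line other than any-match cannot match a packet of a different protocol, and that host-pool and port-map names resolve through the constructed tables in the block. The packets and ruledefs are constructed for the example.

```python
"""Model of how the ip/icmp/tcp/udp ruledef lines on this page match a packet.

Added example, not StarOS code. Assumptions this page does not state:
all lines of a ruledef must match (logical AND); <= and >= on a bare address
compare the numeric address value; a tcp/udp/icmp line other than any-match
cannot match a packet of another protocol; host-pool and port-map names
resolve through the constructed tables below.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protocol numbers named on this page for `ip protocol`.
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}

# Constructed stand-ins for named host pools and port maps (hypothetical).
HOST_POOLS = {"dns-servers": ["10.0.0.53/32", "10.0.1.53/32"]}
PORT_MAPS = {"ephemeral": [(1024, 65535)]}


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    uplink: bool                    # True = from subscriber, False = downlink
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def cmp_num(operator: str, lhs: int, rhs: int) -> bool:
    """The four numeric operators used for ports, ICMP type/code and protocol."""
    return {"=": lhs == rhs, "!=": lhs != rhs,
            "<=": lhs <= rhs, ">=": lhs >= rhs}[operator]


def match_bool(operator: str, condition: str, state: bool) -> bool:
    """`any-match`, `uplink` and `downlink` lines compare a flag to TRUE/FALSE."""
    want = condition == "TRUE"
    return state == want if operator == "=" else state != want


def match_address(tokens, addr: str) -> bool:
    """Tokens after `ip src-address` / `ip dst-address`."""
    a = ipaddress.ip_address(addr)
    if tokens[0] in ("range", "!range"):            # ... host-pool <name>
        in_pool = any(a in ipaddress.ip_network(n) for n in HOST_POOLS[tokens[2]])
        return in_pool if tokens[0] == "range" else not in_pool
    op, target = tokens
    if "/" in target:                               # ip_address/mask form
        if op not in ("=", "!="):
            raise ValueError("prefix comparison is only modelled for = and !=")
        hit = a in ipaddress.ip_network(target, strict=False)
        return hit if op == "=" else not hit
    return cmp_num(op, int(a), int(ipaddress.ip_address(target)))  # assumption


def match_port(tokens, port: Optional[int]) -> bool:
    """Tokens after `tcp|udp dst-port|src-port|either-port`."""
    if port is None:
        return False
    if tokens[0] in ("range", "!range"):
        if tokens[1] == "port-map":
            ranges = PORT_MAPS[tokens[2]]
        else:                                       # start_range to end_range
            lo, hi = int(tokens[1]), int(tokens[3])
            if not 1 <= lo < hi <= 65535:
                raise ValueError("end_range must be greater than start_range")
            ranges = [(lo, hi)]
        hit = any(lo <= port <= hi for lo, hi in ranges)
        return hit if tokens[0] == "range" else not hit
    return cmp_num(tokens[0], port, int(tokens[1]))


def match_line(line: str, pkt: Packet) -> bool:
    """Evaluate one ruledef line against a packet."""
    t = line.split()
    fam, what = t[0], t[1]
    if what == "any-match":
        is_fam = True if fam == "ip" else pkt.proto == PROTO[fam]
        return match_bool(t[2], t[3], is_fam)
    if fam == "ip":
        if what in ("uplink", "downlink"):
            return match_bool(t[2], t[3], pkt.uplink if what == "uplink" else not pkt.uplink)
        if what == "protocol":                      # by name (ICMP/TCP/UDP) or by number
            num = PROTO[t[3].lower()] if t[3].lower() in PROTO else int(t[3])
            return cmp_num(t[2], pkt.proto, num)
        if what in ("src-address", "dst-address"):
            return match_address(t[2:], pkt.src if what == "src-address" else pkt.dst)
    if fam in ("tcp", "udp") and what in ("src-port", "dst-port", "either-port"):
        if pkt.proto != PROTO[fam]:                 # assumption: other protocols never match
            return False
        ports = {"src-port": [pkt.sport], "dst-port": [pkt.dport],
                 "either-port": [pkt.sport, pkt.dport]}[what]
        return any(match_port(t[2:], p) for p in ports)
    if fam == "icmp" and what in ("type", "code"):
        if pkt.proto != PROTO["icmp"]:
            return False
        return cmp_num(t[2], pkt.icmp_type if what == "type" else pkt.icmp_code, int(t[3]))
    raise ValueError(f"unsupported line: {line!r}")


def ruledef_matches(lines, pkt: Packet) -> bool:
    """A ruledef matches only when every line matches (assumed AND semantics)."""
    return all(match_line(l, pkt) for l in lines)


# Constructed ruledefs: downlink TCP to privileged ports, and ICMP redirects.
DOWNLINK_PRIV_PORTS = ["ip downlink = TRUE", "tcp dst-port <= 1023"]
ICMP_REDIRECT = ["icmp any-match = TRUE", "icmp type = 5"]
```

Because the model ANDs the lines, DOWNLINK_PRIV_PORTS matches downlink TCP with a destination port at or below 1023 but not the same ports in the uplink direction and not UDP; the ICMP ruledef shows why any-match = TRUE is the natural companion of a type or code line.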
 
 

Cisco Systems Inc.