-
Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S
-
Zone-Based Policy Firewall
-
Zone-Based Policy Firewall IPv6 Support
-
VRF-Aware Cisco IOS XE Firewall
-
Nested Class Map Support for Zone-Based Policy Firewall
-
Configuring Firewall Stateful Interchassis Redundancy
-
Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls
-
Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
-
Interchassis High Availability Support in IPv6 Zone-Based Firewalls
-
Firewall Stateful Inspection of ICMP
-
Firewall Support of Skinny Client Control Protocol
-
Configuring the VRF-Aware Software Infrastructure
-
IPv6 Zone-Based Firewall Support over VASI Interfaces
-
Protection Against Distributed Denial of Service Attacks
-
Configuring Firewall Resource Management
-
IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
-
Configuring Firewall TCP SYN Cookie
-
Configuring GPRS Tunneling Protocol Support
-
GPRS Tunneling Protocol V2\nSupport
-
GGSN Pooling Support for Firewalls
-
Cisco Firewall-SIP Enhancements ALG
-
MSRPC ALG Support for Firewall and NAT
-
Sun RPC ALG Support for Firewalls and NAT
-
vTCP for ALG Support
-
ALG—H.323 vTCP with High Availability Support for Firewall and NAT
-
FTP66 ALG Support for IPv6 Firewalls
-
SIP ALG Hardening for NAT and Firewall
-
TCP Reset Segment Control
-
Firewall High-Speed Logging
-
Feedback
Contents
- IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
- Finding Feature Information
- Restrictions for IPv6 Firewall Support for Protection Against Distributed Denial of Service Attacks and Resource Management
- Information About IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
- Aggressive Aging of Firewall Sessions
- Event Rate Monitoring Feature
- Half-Opened Connections Limit
- TCP SYN-Flood Attacks
- Firewall Resource Management
- Firewall Sessions
- Session Definition
- Session Rate
- Incomplete or Half-Opened Sessions
- Firewall Resource Management Sessions
- How to Configure IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
- Configuring an IPv6 Firewall
- Configuring the Aggressive Aging of Firewall Sessions
- Configuring per-Box Aggressive Aging
- Configuring Aggressive Aging for a Default VRF
- Configuring per-VRF Aggressive Aging
- Configuring the Aging Out of Firewall Sessions
- Configuring Firewall Event Rate Monitoring
- Configuring the per-Box Half-Opened Session Limit
- Configuring the Half-Opened Session Limit for an Inspect-VRF Parameter Map
- Configuring the Global TCP SYN Flood Limit
- Configuring Firewall Resource Management
- Configuration Examples for IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
- Example: Configuring an IPv6 Firewall
- Example: Configuring the Aggressive Aging of Firewall Sessions
- Example: Configuring per-Box Aggressive Aging
- Example: Configuring Aggressive Aging for a Default VRF
- Example: Configuring per-VRF Aggressive Aging
- Example: Configuring the Aging Out of Firewall Sessions
- Example: Configuring Firewall Event Rate Monitoring
- Example: Configuring the per-Box Half-Opened Session Limit
- Example: Configuring the Half-Opened Session Limit for an Inspect VRF Parameter Map
- Example: Configuring the Global TCP SYN Flood Limit
- Example: Configuring Firewall Resource Management
- Additional References for IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
- Feature Information for IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
IPv6 zone-based firewalls support the Protection of Distributed Denial of Service Attacks and the Firewall Resource Management features.
The Protection Against Distributed Denial of Service Attacks feature provides protection from Denial of Service (DoS) attacks at the global level (for all firewall sessions) and at the VPN routing and forwarding (VRF) level. With the Protection Against Distributed Denial of Service Attacks feature, you can configure the aggressive aging of firewall sessions, event rate monitoring of firewall sessions, half-opened connections limit, and global TCP synchronization (SYN) cookie protection to prevent distributed DoS attacks.
The Firewall Resource Management feature limits the number of VPN Routing and Forwarding (VRF) and global firewall sessions that are configured on a device.
This module describes how to configure the Protection of Distributed Denial of Service Attacks and the Firewall Resource Management features.
- Finding Feature Information
- Restrictions for IPv6 Firewall Support for Protection Against Distributed Denial of Service Attacks and Resource Management
- Information About IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
- How to Configure IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
- Configuration Examples for IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
- Additional References for IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
- Feature Information for IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for IPv6 Firewall Support for Protection Against Distributed Denial of Service Attacks and Resource Management
The following restriction applies to the Firewall Resource Management feature:
- After you configure the global-level or the virtual routing and forwarding (VRF)-level session limit and reconfigure the session limit, if the global-level or the VRF-level session limit is below the initially configured session count, no new session is added; however, no current session is dropped.
Information About IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
Aggressive Aging of Firewall Sessions
The Aggressive Aging feature provides the firewall the capability of aggressively aging out sessions to make room for new sessions, thereby protecting the firewall session database from filling. The firewall protects its resources by removing idle sessions. The Aggressive Aging feature allows firewall sessions to exist for a shorter period of time defined by a timer called aging-out time.
The Aggressive Aging feature includes thresholds to define the start and end of the aggressive aging period—high and low watermarks. The aggressive aging period starts when the session table crosses the high watermark and ends when it falls below the low watermark. During the aggressive aging period, sessions will exist for a shorter period of time that you have configured by using the aging-out time. If an attacker initiates sessions at a rate that is faster than the rate at which the firewall terminates sessions, all resources that are allocated for creating sessions are used and all new connections are rejected. To prevent such attacks, you can configure the Aggressive Aging feature to aggressively age out sessions. This feature is disabled by default.
You can configure aggressive aging for half-opened sessions and total sessions at the box level (box refers to the entire firewall session table) and the virtual routing and forwarding (VRF) level. If you have configured this feature for total sessions, all sessions that consume firewall session resources are taken into account. Total sessions comprise established sessions, half-opened sessions, and sessions in the imprecise session database. (A TCP session that has not yet reached the established state is called a half-opened session.)
A firewall has two session databases: the session database and the imprecise session database. The session database contains sessions with 5-tuple (the source IP address, the destination IP address, the source port, the destination port, and the protocol). A tuple is an ordered list of elements. The imprecise session database contains sessions with fewer than 5-tuple (missing IP addresses, port numbers, and so on). In the case of aggressive aging for half-opened sessions, only half-opened sessions are considered.
You can configure an aggressive aging-out time for Internet Control Message Protocol (ICMP), TCP, and UDP firewall sessions. The aging-out time is set by default to the idle time.
Event Rate Monitoring Feature
The Event Rate Monitoring feature monitors the rate of predefined events in a zone. The Event Rate Monitoring feature includes basic threat detection, which is the ability of a security device to detect possible threats, anomalies, and attacks to resources inside the firewall and to take action against them. You can configure a basic threat detection rate for events. When the incoming rate of a certain type of event exceeds the configured threat detection rate, event rate monitoring considers this event as a threat and takes action to stop the threat. Threat detection inspects events only on the ingress zone (if the Event Rate Monitoring feature is enabled on the ingress zone).
The network administrator is informed about the potential threats via an alert message (syslog or high-speed logger [HSL]) and can take actions such as detecting the attack vector, detecting the zone from which the attack is coming, or configuring devices in the network to block certain behaviors or traffic.
The Event Rate Monitoring feature monitors the following types of events:
- Firewall drops due to basic firewall checks failure—This can include zone or zone-pair check failures, or firewall policies configured with the drop action, and so on.
- Firewall drops due to Layer 4 inspection failure—This can include TCP inspections that have failed because the first TCP packet is not a synchronization (SYN) packet.
- TCP SYN cookie attack—This can include counting the number of SYN packets that are dropped and the number of SYN cookies that are sent as a spoofing attack.
The Event Rate Monitoring feature monitors the average rate and the burst rate of different events. Each event type has a rate object that is controlled by an associated rate that has a configurable parameter set (the average threshold, the burst threshold, and a time period). The time period is divided into time slots; each time slot is 1/30th of the time period.
The average rate is calculated for every event type. Each rate object holds 30 completed sampling values plus one value to hold the current ongoing sampling period. The current sampling value replaces the oldest calculated value and the average is recalculated. The average rate is calculated during every time period. If the average rate exceeds the average threshold, the Event Rate Monitoring feature will consider this as a possible threat, update the statistics, and inform the network administrator.
The burst rate is implemented by using the token bucket algorithm. For each time slot, the token bucket is filled with tokens. For each event that occurs (of a specific event type), a token is removed from the bucket. An empty bucket means that the burst threshold is reached, and the administrator receives an alarm through the syslog or HSL. You can view the threat detection statistics and learn about possible threats to various events in the zone from the output of the show policy-firewall stats zone command.
You must first enable basic threat detection by using the threat-detection basic-threat command. Once basic threat detection is configured, you can configure the threat detection rate. To configure the threat detection rate, use the threat-detection rate command.
The following table describes the basic threat detection default settings that are applicable if the Event Rate Monitoring feature is enabled.
Table 1 Basic Threat Detection Default Settings Packet Drop Reason
Threat Detection Settings
Basic firewall drops
average-rate 400 packets per second (pps)
burst-rate 1600 pps
rate-interval 600 seconds
Inspection-based firewall drops
average-rate 400 pps
burst-rate 1600 pps
rate-interval 600 seconds
SYN attack firewall drops
average-rate 100 pps
burst-rate 200 pps
rate-interval 600 seconds
Half-Opened Connections Limit
The firewall session table supports the limiting of half-opened firewall connections. Limiting the number of half-opened sessions will defend the firewall against attacks that might fill the firewall session table at the per-box level or at the virtual routing and forwarding (VRF) level with half-opened sessions and prevent sessions from being established. The half-opened connection limit can be configured for Layer 4 protocols, Internet Control Message Protocol (ICMP), TCP, and UDP. The limit set to the number of UDP half-opened sessions will not affect the TCP or ICMP half-opened sessions. When the configured half-opened session limit is exceeded, all new sessions are rejected and a log message is generated, either in syslog or in the high-speed logger (HSL).
TCP SYN-Flood Attacks
You can configure the global TCP SYN-flood limit to limit SYN flood attacks. TCP SYN-flooding attacks are a type of denial of service (DoS) attack. When the configured TCP SYN-flood limit is reached, the firewall verifies the source of sessions before creating more sessions. Usually, TCP SYN packets are sent to a targeted end host or a range of subnet addresses behind the firewall. These TCP SYN packets have spoofed source IP addresses. A spoofing attack is when a person or program tries to use false data to gain access to resources in a network. TCP SYN flooding can take up all resources on a firewall or an end host, thereby causing denial of service to legitimate traffic. You can configure TCP SYN-flood protection at the VRF level and the zone level.
SYN flood attacks are divided into two types:
- Host flood—SYN flood packets are sent to a single host intending to utilize all resources on that host.
- Firewall session table flood—SYN flood packets are sent to a range of addresses behind the firewall, with the intention of exhausting the session table resources on the firewall, thereby denying resources to the legitimate traffic going through the firewall.
Firewall Resource Management
Resource Management limits the level of usage of shared resources on a device. Shared resources on a device include:
- Bandwidth
- Connection states
- Memory usage (per table)
- Number of sessions or calls
- Packets per second
- Ternary content addressable memory (TCAM) entries
The Firewall Resource Management feature extends the zone-based firewall resource management from the class level to the VRF level and the global level. Class-level resource management provides resource protection for firewall sessions at a class level. For example, parameters such as the maximum session limit, the session rate limit, and the incomplete session limit protect firewall resources (for example, chunk memory) and keep these resources from being used up by a single class.
When virtual routing and forwarding (VRF) instances share the same policy, a firewall session setup request from one VRF instance can make the total session count reach the maximum limit. When one VRF consumes the maximum amount of resources on a device, it becomes difficult for other VRF instances to share device resources. To limit the number of VRF firewall sessions, you can use the Firewall Resource Management feature.
At the global level, the Firewall Resource Management feature helps limit the usage of resources at the global routing domain by firewall sessions.
Firewall Sessions
- Session Definition
- Session Rate
- Incomplete or Half-Opened Sessions
- Firewall Resource Management Sessions
Session Definition
At the virtual routing and forwarding (VRF) level, the Firewall Resource Management feature tracks the firewall session count for each VRF instance. At the global level, the firewall resource management tracks the total firewall session count at the global routing domain and not at the device level. In both the VRF and global levels, session count is the sum of opened sessions, half-opened sessions, and sessions in the imprecise firewall session database. A TCP session that has not yet reached the established state is called a half-opened session.
A firewall has two session databases: the session database and the imprecise session database. The session database contains sessions with 5-tuple (source IP address, destination IP address, source port, destination port, and protocol). A tuple is an ordered list of elements. The imprecise session database contains sessions with fewer than 5-tuple (missing IP addresses, port numbers, and so on).
The following rules apply to the configuration of a session limit:
Session Rate
The session rate is the rate at which sessions are established at any given time interval. You can define maximum and minimum session rate limits. When the session rate exceeds the maximum specified rate, the firewall starts rejecting new session setup requests.
From the resource management perspective, setting the maximum and minimum session rate limit helps protect Cisco Packet Processor from being overwhelmed when numerous firewall session setup requests are received.
Incomplete or Half-Opened Sessions
Incomplete sessions are half-opened sessions. Any resource used by an incomplete session is counted, and any growth in the number of incomplete sessions is limited by setting the maximum session limit.
Firewall Resource Management Sessions
The following rules apply to firewall resource management sessions:
- By default, the session limit for opened and half-opened sessions is unlimited.
- Opened or half-opened sessions are limited by parameters and counted separately.
- Opened or half-opened session count includes Internet Control Message Protocol (ICMP), TCP, or UDP sessions.
- You can limit the number and rate of opened sessions.
- You can only limit the number of half-opened sessions.
How to Configure IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
Configuring an IPv6 Firewall
SUMMARY STEPSThe steps to configure an IPv4 firewall and an IPv6 firewall are the same. To configure an IPv6 firewall, you must configure the class map in such a way that only an IPv6 address family is matched.
The match protocol command applies to both IPv4 and IPv6 traffic and can be included in either an IPv4 policy or an IPv6 policy.
1. enable
2. configure terminal
3. vrf-definition vrf-name
4. address-family ipv6
5. exit-address-family
6. exit
7. parameter-map type inspect parameter-map-name
8. sessions maximum sessions
9. exit
10. ipv6 unicast-routing
11. ip port-map appl-name port port-num list list-name
12. ipv6 access-list access-list-name
13. permit ipv6 any any
14. exit
15. class-map type inspect match-all class-map-name
16. match access-group name access-group-name
17. match protocol protocol-name
18. exit
19. policy-map type inspect policy-map-name
20. class type inspect class-map-name
21. inspect [parameter-map-name]
22. end
DETAILED STEPSConfiguring the Aggressive Aging of Firewall Sessions
You can configure the Aggressive Aging feature for per-box (per-box refers to the entire firewall session table), default-VRF, and per-VRF firewall sessions. Before the Aggressive Aging feature can work, you must configure the aggressive aging and the aging-out time of firewall sessions.
Perform the following tasks to configure the aggressive aging of firewall sessions.
- Configuring per-Box Aggressive Aging
- Configuring Aggressive Aging for a Default VRF
- Configuring per-VRF Aggressive Aging
- Configuring the Aging Out of Firewall Sessions
Configuring per-Box Aggressive Aging
SUMMARY STEPSPer-box refers to the entire firewall session table. Any configuration that follows the parameter-map type inspect-global command applies to the box.
1. enable
2. configure terminal
3. Enter one of the following commands:
4. per-box max-incomplete number aggressive-aging high {value low value | percent percent low percent percent}
5. per-box aggressive-aging high {value low value | percent percent low percent percent}
6. exit
7. parameter-map type inspect parameter-map-name
8. tcp synwait-time seconds [ageout-time seconds]
9. end
10. show policy-firewall stats global
DETAILED STEPSConfiguring Aggressive Aging for a Default VRF
SUMMARY STEPS
1. enable
2. configure terminal
3. Enters one of the following commands:
4. max-incomplete number aggressive-aging high {value low value | percent percent low percent percent}
5. session total number [aggressive-aging high {value low value | percent percent low percent percent}]
6. exit
7. parameter-map type inspect parameter-map-name
8. tcp synwait-time seconds [ageout-time seconds]
9. end
10. show policy-firewall stats vrf global
DETAILED STEPSConfiguring per-VRF Aggressive Aging
SUMMARY STEPS
1. enable
2. configure terminal
3. ip vrf vrf-name
4. rd route-distinguisher
5. route-target export route-target-ext-community
6. route-target import route-target-ext-community
7. exit
8. parameter-map type inspect-vrf vrf-pmap-name
9. max-incomplete number aggressive-aging high {value low value | percent percent low percent percent}
10. session total number [aggressive-aging {high value low value | percent percent low percent percent}]
11. alert on
12. exit
13. Enter one of the following commands:
14. vrf vrf-name inspect vrf-pmap-name
15. exit
16. parameter-map type inspect parameter-map-name
17. tcp idle-time seconds [ageout-time seconds]
18. tcp synwait-time seconds [ageout-time seconds]
19. exit
20. policy-map type inspect policy-map-name
21. class type inspect match-any class-map-name
22. inspect parameter-map-name
23. end
24. show policy-firewall stats vrf vrf-pmap-name
DETAILED STEPSExample
The following is sample output from the show policy-firewall stats vrf vrf1-pmap command:
Device# show policy-firewall stats vrf vrf1-pmap VRF: vrf1, Parameter-Map: vrf1-pmap Interface reference count: 2 Total Session Count(estab + half-open): 80, Exceed: 0 Total Session Aggressive Aging Period Off, Event Count: 0 Half Open Protocol Session Cnt Exceed -------- ----------- ------ All 0 0 UDP 0 0 ICMP 0 0 TCP 0 0 TCP Syn Flood Half Open Count: 0, Exceed: 116 Half Open Aggressive Aging Period Off, Event Count: 0Configuring the Aging Out of Firewall Sessions
SUMMARY STEPS
1. enable
2. configure terminal
3. Enter one of the following commands:
4. vrf vrf-name inspect vrf-pmap-name
5. exit
6. parameter-map type inspect parameter-map-name
7. tcp idle-time seconds [ageout-time seconds]
8. tcp synwait-time seconds [ageout-time seconds]
9. exit
10. policy-map type inspect policy-map-name
11. class type inspect match-any class-map-name
12. inspect parameter-map-name
13. end
14. show policy-firewall stats vrf vrf-pmap-name
DETAILED STEPSExample
The following is sample output from the show policy-firewall stats vrf vrf1-pmap command:
Device# show policy-firewall stats vrf vrf1-pmap VRF: vrf1, Parameter-Map: vrf1-pmap Interface reference count: 2 Total Session Count(estab + half-open): 270, Exceed: 0 Total Session Aggressive Aging Period Off, Event Count: 0 Half Open Protocol Session Cnt Exceed -------- ----------- ------ All 0 0 UDP 0 0 ICMP 0 0 TCP 0 0 TCP Syn Flood Half Open Count: 0, Exceed: 12 Half Open Aggressive Aging Period Off, Event Count: 0Configuring Firewall Event Rate Monitoring
SUMMARY STEPS
1. enable
2. configure terminal
3. parameter-map type inspect-zone zone-pmap-name
4. alert on
5. threat-detection basic-threat
6. threat-detection rate fw-drop average-time-frame seconds average-threshold packets-per-second burst-threshold packets-per-second
7. threat-detection rate inspect-drop average-time-frame seconds average-threshold packets-per-second burst-threshold packets-per-second
8. threat-detection rate syn-attack average-time-frame seconds average-threshold packets-per-second burst-threshold packets-per-second
9. exit
10. zone security security-zone-name
11. protection parameter-map-name
12. exit
13. zone-pair security zone-pair-name source source-zone destination destination-zone
14. end
15. show policy-firewall stats zone
DETAILED STEPSConfiguring the per-Box Half-Opened Session Limit
SUMMARY STEPSPer-box refers to the entire firewall session table. Any configuration that follows the parameter-map type inspect-global command applies to the box.
1. enable
2. configure terminal
3. Enter one of the following commands:
4. alert on
5. per-box max-incomplete number
6. session total number
7. end
8. show policy-firewall stats global
DETAILED STEPSConfiguring the Half-Opened Session Limit for an Inspect-VRF Parameter Map
SUMMARY STEPS
1. enable
2. configure terminal
3. parameter-map type inspect-vrf vrf-name
4. alert on
5. max-incomplete number
6. session total number
7. exit
8. Enter one of the following commands:
9. alert on
10. vrf vrf-name inspect vrf-pmap-name
11. end
12. show policy-firewall stats vrf vrf-pmap-name
DETAILED STEPSConfiguring the Global TCP SYN Flood Limit
SUMMARY STEPS
1. enable
2. configure terminal
3. Enter one of the following commands:
4. alert on
5. per-box tcp syn-flood limit number
6. end
7. show policy-firewall stats vrf global
DETAILED STEPSConfiguring Firewall Resource Management
SUMMARY STEPS
1. enable
2. configure terminal
3. parameter-map type inspect-vrf vrf-pmap-name
4. session total number
5. tcp syn-flood limit number
6. exit
7. parameter-map type inspect-global
8. vrf vrf-name inspect parameter-map-name
9. exit
10. parameter-map type inspect-vrf vrf-default
11. session total number
12. tcp syn-flood limit number
13. end
DETAILED STEPSConfiguration Examples for IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
Example: Configuring an IPv6 Firewall
Device# configure terminal Device(config)# vrf-definition VRF1 Device(config-vrf)# address-family ipv6 Device(config-vrf-af)# exit-address-family Device(config-vrf)# exit Device(config)# parameter-map type inspect ipv6-param-map Device(config-profile)# sessions maximum 10000 Device(config-profile)# exit Device(config)# ipv6 unicast-routing Device(config)# ip port-map ftp port 8090 list ipv6-acl Device(config)# ipv6 access-list ipv6-acl Device(config-ipv6-acl)# permit ipv6 any any Device(config-ipv6-acl)# exit Device(config)# class-map type inspect match-all ipv6-class Device(config-cmap)# match access-group name ipv6-acl Device(config-cmap)# match protocol tcp Device(config-cmap)# exit Device(config)# policy-map type inspect ipv6-policy Device(config-pmap)# class type inspect ipv6-class Device(config-pmap-c)# inspect ipv6-param-map Device(config-pmap-c)# endExample: Configuring the Aggressive Aging of Firewall Sessions
Example: Configuring per-Box Aggressive Aging
Device# configure terminal Device(config)# parameter-map type inspect global Device(config-profile)# per-box max-incomplete 2000 aggressive-aging 1500 low 1200 Device(config-profile)# per-box aggressive-aging high 1700 low 1300 Device(config-profile)# exit Device(config)# parameter-map type inspect pmap1 Device(config-profile)# tcp synwait-time 30 ageout-time 10 Device(config-profile)# endExample: Configuring Aggressive Aging for a Default VRF
Device# configure terminal Device(config)# parameter-map type inspect global Device(config-profile)# max-incomplete 2000 aggressive-aging high 1500 low 1200 Device(config-profile)# session total 1000 aggressive-aging high percent 80 low percent 60 Device(config-profile)# exit Device(config)# parameter-map type inspect pmap1 Device(config-profile)# tcp synwait-time 30 ageout-time 10 Device(config-profile)# endExample: Configuring per-VRF Aggressive Aging
Device# configure terminal Device(config)# ip vrf ddos-vrf1 Device(config-vrf)# rd 100:2 Device(config-vrf)# route-target export 100:2 Device(config-vrf)# route-target import 100:2 Device(config-vrf)# exit Device(config)# parameter-map type inspect-vrf vrf1-pmap Device(config-profile)# max-incomplete 3455 aggressive-aging high 2345 low 2255 Device(config-profile)# session total 1000 aggressive-aging high percent 80 low percent 60 Device(config-profile)# alert on Device(config-profile)# exit Device(config)# parameter-map type inspect global Device(config-profile)# vrf vrf1 inspect vrf1-pmap Device(config-profile)# exit Device(config)# parameter-map type inspect pmap1 Device(config-profile)# tcp idle-time 3000 ageout-time 100 Device(config-profile)# tcp synwait-time 30 ageout-time 10 Device(config-profile)# exit Device(config)# policy-map type inspect ddos-fw Device(config-pmap)# class type inspect match-any ddos-class Device(config-pmap-c)# inspect pmap1 Device(config-profile)# endExample: Configuring the Aging Out of Firewall Sessions
Device# configure terminal Device(config-profile)# exit Device(config)# parameter-map type inspect global Device(config-profile)# vrf vrf1 inspect vrf1-pmap Device(config-profile)# exit Device(config)# parameter-map type inspect pmap1 Device(config-profile)# tcp idle-time 3000 ageout-time 100 Device(config-profile)# tcp synwait-time 30 ageout-time 10 Device(config-profile)# exit Device(config)# policy-map type inspect ddos-fw Device(config-profile)# class type inspect match-any ddos-class Device(config-profile)# inspect pmap1 Device(config-profile)# endExample: Configuring Firewall Event Rate Monitoring
Device> enable Device# configure terminal Device(config)# parameter-map type inspect zone zone-pmap1 Device(config-profile)# alert on Device(config-profile)# threat-detection basic-threat Device(config-profile)# threat-detection rate fw-drop average-time-frame 600 average-threshold 100 burst-threshold 100 Device(config-profile)# threat-detection rate inspect-drop average-time-frame 600 average-threshold 100 burst-threshold 100 Device(config-profile)# threat-detection rate syn-attack average-time-frame 600 average-threshold 100 burst-threshold 100 Device(config-profile)# exit Device(config)# zone security public Device(config-sec-zone)# protection zone-pmap1 Device(config-sec-zone)# exit Device(config)# zone-pair security private2public source private destination public Device(config-sec-zone-pair)# endExample: Configuring the Half-Opened Session Limit for an Inspect VRF Parameter Map
Device# configure terminal Device(config)# parameter-map type inspect vrf vrf1-pmap Device(config-profile)# alert on Device(config-profile)# max-incomplete 3500 Device(config-profile)# session total 34500 Device(config-profile)# exit Device(config)# parameter-map type inspect global Device(config-profile)# alert on Device(config-profile)# vrf vrf1 inspect vrf1-pmap Device(config-profile)# endExample: Configuring Firewall Resource Management
Device# configure terminal Device(config)# parameter-map type inspect-vrf vrf1-pmap Device(config-profile)# session total 1000 Device(config-profile)# tcp syn-flood limit 2000 Device(config-profile)# exit Device(config)# parameter-map type inspect-global Device(config-profile)# vrf vrf1 inspect pmap1 Device(config-profile)# exit Device(config)# parameter-map type inspect-vrf vrf-default Device(config-profile)# session total 6000 Device(config-profile)# tcp syn-flood limit 7000 Device(config-profile)# endAdditional References for IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
Technical Assistance
Description
Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Feature Information for IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 2 Feature Information for IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management Feature Name
Releases
Feature Information
IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
Cisco IOS XE Release 3.7S
IPv6 zone-based firewalls support the Protection of Distributed Denial of Service Attacks and the Firewall Resource Management features.
The Protection Against Distributed Denial of Service Attacks feature provides protection from Denial of Service (DoS) attacks at the global level (for all firewall sessions) and at the VPN routing and forwarding (VRF) level. You can configure the aggressive aging of firewall sessions, event rate monitoring of firewall sessions, half-opened connections limit, and global TCP SYN cookie protection to prevent distributed DoS attacks.
The Firewall Resource Management feature limits the number of VPN routing and forwarding (VRF) instances and global firewall sessions that are configured on a device.
