Firewall-and-NAT Policy Configuration Mode Commands

The Firewall-and-NAT Policy Configuration Mode enables configuring Firewall-and-NAT policies.
Important: This configuration mode is only available in StarOS 8.1 and in StarOS 9.0 and later. This configuration mode must be used to configure Policy-based Stateful Firewall and NAT features.
 
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
access-rule
This command creates and configures an access rule.
Product
FW, NAT
Privilege
Security Administrator, Administrator
Syntax
access-rule { no-ruledef-matches { downlink | uplink } action { deny [ charging-action charging_action ] | permit [ bypass-nat | nat-realm nat_realm ] } | priority priority { [ dynamic-only | static-and-dynamic ] access-ruledef ruledef_name { deny [ charging-action charging_action ] | permit [ [ bypass-nat | nat-realm nat_realm ] trigger open-port { port_number | range start_port to end_port } direction { both | reverse | same } ] } } }
default access-rule no-ruledef-matches { downlink | uplink } action
no access-rule priority priority
default
Configures the default setting.
Default: uplink direction: permit; downlink direction: deny
no
Removes the access rule specified by the priority.
no-ruledef-matches
Configures action on packets with no ruledef match.
downlink
Specifies to act on downlink packets with no ruledef match.
uplink
Specifies to act on uplink packets with no ruledef match.
action
Specifies action to take on downlink/uplink packets with no ruledef match.
deny
Specifies to deny packets.
permit
Specifies to permit packets and allow the creation of data flows.
charging-action charging_action
Specifies the charging action. Optionally, for deny action a charging action can be configured. If a packet matches the deny rule, action is taken as configured in the charging action. If a charging action is specified, the content-ID and billing-action configured in the charging action are used. Also, the flow may be terminated (instead of just discarding the packet), if so configured in the specified charging action.
charging_action must be an alpha and/or numeric string of 1 through 63 characters in length.
bypass-nat
Specifies to bypass NAT.
nat-realm nat_realm
Specifies the NAT realm to be used to perform NAT on subscriber packets matching the access ruledef. If the NAT realm is not specified, NAT will be bypassed. That is, NAT will not be performed on subscriber packets that are matching a ruledef with no NAT realm name configured in it.
nat_realm must be an alpha and/or numeric string of 1 through 31 characters in length.
priority priority
Specifies priority of an access ruledef in the Firewall-and-NAT policy.
priority must be an integer from 1 through 65535, and must be unique for each access ruledef in the Firewall-and-NAT policy.
[ dynamic-only | static-and-dynamic ] access-ruledef ruledef_name
Specifies the access ruledef name. Optionally, the ruledef type can also be specified.
dynamic-only: Dynamic Ruledef—Predefined ruledef that can be enabled/disabled by the policy server, and is disabled by default.
static-and-dynamic: Static and Dynamic Ruledef—Predefined ruledef that can be enabled/disabled by the policy server, and is enabled by default.
access-ruledef ruledef_name: Specifies the access ruledef name. ruledef_name must be an alpha and/or numeric string of 1 through 63 characters in length.
trigger open-port { port_number | range start_port to end_port } direction { both | reverse | same }
Optionally a port trigger can be specified to be used for this rule to limit the range of auxiliary data connections (a single or range of port numbers) for protocols having control and data connections (like FTP). The trigger port will be the destination port of an association which matches a rule.
port_number: Specifies the auxiliary port number to open for traffic, and must be an integer from 1 through 65535.
range start_port to end_port: Specifies the range of port numbers to open for subscriber traffic.
start_port must be an integer from 1 through 65535.
end_port must be an integer from 1 through 65535, and must be greater than start_port.
direction { both | reverse | same }: Specifies the direction from which the auxiliary connection is initiated. This direction can be same as the direction of control connection, or the reverse of the control connection direction, or in both directions.
both: Provides the trigger to open port for traffic in either direction of the control connection.
reverse: Provides the trigger to open port for traffic in the reverse direction of the control connection (from where the connection is initiated).
same: Provides the trigger to open port for traffic in the same direction of the control connection (from where the connection is initiated).
Usage
Use this command to add access ruledefs to the Firewall-and-NAT policy and configure the priority and actions for rule matching.
The policy specifies the rules to be applied on calls. The ruledefs in the policy have priorities, based on which priority matching is done.
For Stateful Firewall, the port trigger configuration is optional, and can be configured only if a rule action is permit. When a rule is matched and the rule action is permit, if the trigger is configured, the appropriate check is made. The trigger port will be the destination port of an association that matches the rule. Multiple triggers can be defined for the same port number to permit multiple auxiliary ports for subscriber traffic.
When a rule is matched and if the rule action is deny, the action taken depends on what is configured in the specified charging action. If the flow exists, flow statistics are updated and action is taken as configured in the charging action:
If the billing action, content ID, and flow action are not configured, no action is taken on the dropped packets.
Allowing/dropping of packets is determined in the following sequence:
For a packet dropped due to access ruledef match or no match (first packet of a flow), the charging action applied is the one configured in the access-rule priority or the access-rule no-ruledef-matches command respectively.
For action on packets dropped due to any error condition after data session is created, the charging action must be configured in the flow any-error charging-action command in the Rulebase Configuration Mode.
The GGSN can dynamically activate/deactivate dynamic ruledefs for a subscriber based on the rule name received from a policy server. At rule match, if a rule in the policy is a dynamic rule, and if the rule is enabled for the particular subscriber, rule matching is done for the rule. If the rule is disabled for the particular subscriber, rule matching is not done for the rule.
Example
For Stateful Firewall, the following command assigns a priority of 10 to the access ruledef test_rule, adds it to the policy, and permits a port trigger to be used for the rule to open ports in the range of 1000 to 2000 in either direction of the control connection:
access-rule priority 10 access-ruledef test_rule permit trigger open-port range 1000 to 2000 direction both
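The following Python simulation is an added example, not StarOS code: it models the access-rule evaluation order described above (lowest priority value first, dynamic-only ruledefs skipped unless the policy server enabled them, static-and-dynamic ruledefs active unless disabled, the no-ruledef-matches defaults of uplink permit and downlink deny, nat-realm versus bypass-nat, and a port trigger opening an auxiliary port range). The per-rule match predicate stands in for the real ruledef engine, and treating a rule given without a type keyword as always active is an assumption of this example.

```python
"""Simulation of Firewall-and-NAT policy access-rule evaluation (added example,
not StarOS code). Ruledef matching itself is a caller-supplied predicate."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Packet = Dict[str, object]  # constructed packets: {"dir", "proto", "dst_port"}


@dataclass
class AccessRule:
    priority: int                       # 1..65535, unique within the policy
    ruledef: str                        # access-ruledef name
    match: Callable[[Packet], bool]     # stand-in for the ruledef's match criteria
    action: str                         # "permit" or "deny"
    rule_type: str = "static"           # "static" (assumed default) | "dynamic-only" | "static-and-dynamic"
    nat_realm: Optional[str] = None     # nat-realm name; None means bypass-nat
    trigger: Optional[Tuple[int, int]] = None  # trigger open-port range (start, end)


@dataclass
class Policy:
    rules: List[AccessRule] = field(default_factory=list)
    # no-ruledef-matches defaults from the page: uplink permit, downlink deny
    no_match: Dict[str, str] = field(
        default_factory=lambda: {"uplink": "permit", "downlink": "deny"})
    open_ports: Set[int] = field(default_factory=set)  # auxiliary ports opened by triggers

    def add_rule(self, rule: AccessRule) -> None:
        if not 1 <= rule.priority <= 65535:
            raise ValueError("priority must be 1..65535")
        if any(r.priority == rule.priority for r in self.rules):
            raise ValueError(f"priority {rule.priority} already used")
        if rule.trigger and rule.action != "permit":
            raise ValueError("a port trigger is only valid with a permit action")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority)

    @staticmethod
    def rule_enabled(rule: AccessRule, dyn_state: Dict[str, bool]) -> bool:
        """dynamic-only: disabled unless the policy server enabled it;
        static-and-dynamic: enabled unless the policy server disabled it."""
        if rule.rule_type == "dynamic-only":
            return dyn_state.get(rule.ruledef, False)
        if rule.rule_type == "static-and-dynamic":
            return dyn_state.get(rule.ruledef, True)
        return True

    def evaluate(self, pkt: Packet, dyn_state: Dict[str, bool]) -> Dict[str, object]:
        """Verdict for one packet: the first enabled matching rule in priority order wins."""
        for rule in self.rules:
            if not self.rule_enabled(rule, dyn_state) or not rule.match(pkt):
                continue
            verdict = {"action": rule.action, "rule": rule.ruledef, "nat_realm": None}
            if rule.action == "permit":
                verdict["nat_realm"] = rule.nat_realm  # None: NAT is bypassed for this flow
                if rule.trigger:                        # open the auxiliary data ports
                    lo, hi = rule.trigger
                    self.open_ports.update(range(lo, hi + 1))
            return verdict
        # no ruledef matched: apply the no-ruledef-matches action for this direction
        return {"action": self.no_match[pkt["dir"]], "rule": None, "nat_realm": None}


def demo() -> List[Dict[str, object]]:
    """Constructed policy and packets; dyn_p2p is dynamic-only and left disabled."""
    policy = Policy()
    policy.add_rule(AccessRule(10, "test_rule", lambda p: p["dst_port"] == 21,
                               "permit", nat_realm="realm1", trigger=(1000, 2000)))
    policy.add_rule(AccessRule(20, "block_telnet", lambda p: p["dst_port"] == 23, "deny"))
    policy.add_rule(AccessRule(30, "dyn_p2p", lambda p: p["dst_port"] == 6881,
                               "deny", rule_type="dynamic-only"))
    packets = [
        {"dir": "uplink", "proto": "tcp", "dst_port": 21},      # FTP control: permit, NAT, trigger
        {"dir": "uplink", "proto": "tcp", "dst_port": 23},      # telnet: deny
        {"dir": "uplink", "proto": "tcp", "dst_port": 6881},    # dynamic rule disabled: no match
        {"dir": "downlink", "proto": "tcp", "dst_port": 6881},  # downlink with no match: deny
    ]
    verdicts = [policy.evaluate(p, dyn_state={}) for p in packets]
    verdicts.append({"open_ports": (min(policy.open_ports), max(policy.open_ports))})
    return verdicts
```

Enabling the dynamic rule is a matter of passing `dyn_state={"dyn_p2p": True}` to `evaluate`, which is how the policy-server activation described in the Usage section is modelled here.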
 
end
This command returns the CLI prompt to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Use this command to change to the Exec mode.
 
exit
This command exits the current configuration mode and returns to the parent configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Use this command to return to the parent configuration mode.
 
firewall dos-protection
This command configures Stateful Firewall protection for subscribers from Denial-of-Service (DoS) attacks.
Important: In StarOS 8.0, this configuration is available in the ACS Configuration Mode. In StarOS 8.1, for Rulebase-based Stateful Firewall configuration, this configuration is available in the Rulebase Configuration Mode. In StarOS 8.3, this configuration is available in the Rulebase Configuration Mode.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
[ no ] firewall dos-protection { all | flooding { icmp | tcp-syn | udp } | ftp-bounce | ip-unaligned-timestamp | mime-flood | port-scan | source-router | tcp-window-containment | teardrop | winnuke }
default firewall dos-protection
no
Disables Stateful Firewall protection for subscribers against the specified DoS attack(s).
default
Disables Stateful Firewall protection for subscribers against all DoS attacks.
all
Enables Stateful Firewall protection for subscribers against all DoS attacks supported by the Stateful Firewall service.
flooding { icmp | tcp-syn | udp }
Enables protection against the specified flooding attack:
icmp: Enables protection against ICMP Flood attack
tcp-syn: Enables protection against TCP Syn Flood attack
udp: Enables protection against UDP Flood attack
ftp-bounce
Enables protection against FTP Bounce attacks.
ip-unaligned-timestamp
Enables protection against IP Unaligned Timestamp attacks.
mime-flood
Enables protection against HTTP Multiple Internet Mail Extension (MIME) header flooding attacks.
port-scan
Enables protection against Port Scan attacks.
tcp-window-containment
Enables protection against TCP sequence number out-of-range attacks.
source-router
Enables protection against IP Source Route IP Option attacks.
teardrop
Enables protection against Teardrop attacks.
winnuke
Enables protection against WIN-NUKE attacks.
Usage
Use this command to enable Stateful Firewall protection from different types of DoS attacks. This command can be used multiple times for different DoS attacks.
Important: DoS attacks are detected only in the downlink direction.
Example
The following command enables protection from all supported DoS attacks:
firewall dos-protection all
 
firewall flooding
This command configures Stateful Firewall protection from Packet Flooding attacks.
Important: In StarOS 8.0, this configuration is available in the ACS Configuration Mode. In StarOS 8.1, for Rulebase-based Stateful Firewall configuration, this configuration is available in the Rulebase Configuration Mode. In StarOS 8.3, this configuration is available in the Rulebase Configuration Mode.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall flooding { protocol { icmp | tcp-syn | udp } packet limit packets | sampling-interval interval }
default firewall flooding { protocol { icmp | tcp-syn | udp } packet limit | sampling-interval }
default
Configures the default setting for the specified configuration.
protocol { icmp | tcp-syn | udp }
Specifies the transport protocol:
icmp: Configuration for ICMP protocol.
tcp-syn: Configuration for TCP-SYN packet limit.
udp: Configuration for UDP protocol.
packet limit packets
Specifies the maximum number of specified packets a subscriber can receive during a sampling interval.
packets must be an integer from 1 through 4294967295.
Default: 1000 packets per sampling interval for all protocols.
sampling-interval interval
Specifies the flooding sampling interval, in seconds.
interval must be an integer from 1 through 60.
Default: 1 second
The maximum sampling-interval configurable is 60 seconds.
Usage
Use this command to configure the maximum number of ICMP, TCP-SYN, or UDP packets allowed per sampling interval, to prevent packet flooding attacks on the host.
Example
The following command ensures a subscriber will not receive more than 1000 ICMP packets per sampling interval:
firewall flooding protocol icmp packet limit 1000
The following command ensures a subscriber will not receive more than 1000 UDP packets per sampling interval on different 5-tuples. That is, if an attacker is sending a lot of UDP packets on different ports or using different spoofed IPs, those packets will be limited to 1000 packets per sampling interval. This way only “suspected” malicious packets are limited and not “legitimate” packets.
firewall flooding protocol udp packet limit 1000
The following command ensures a subscriber will not receive more than 1000 TCP-Syn packets per sampling interval.
firewall flooding protocol tcp-syn packet limit 1000
The following command specifies a flooding sampling interval of 1 second:
firewall flooding sampling-interval 1
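The following limiter is an added illustration of the firewall flooding semantics, not StarOS code: it counts downlink ICMP, TCP-SYN and UDP packets per subscriber per sampling interval against a packet limit (default 1000, interval default 1 second) and drops packets above the limit. For UDP it counts only packets that do not belong to a 5-tuple already seen in the current interval, which is this example's reading of "limited on different 5-tuples"; the product's exact flow-tracking rule is not stated on the page.

```python
"""Sampling-interval packet flood limiter (added example, not StarOS code)."""
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

FiveTuple = Tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto)


class FloodLimiter:
    PROTOCOLS = ("icmp", "tcp-syn", "udp")

    def __init__(self, sampling_interval: int = 1, limits: Optional[Dict[str, int]] = None):
        if not 1 <= sampling_interval <= 60:
            raise ValueError("sampling-interval must be 1..60 seconds")
        self.interval = sampling_interval
        self.limits = {p: 1000 for p in self.PROTOCOLS}   # page default for all protocols
        for proto, limit in (limits or {}).items():
            if proto not in self.PROTOCOLS or not 1 <= limit <= 4294967295:
                raise ValueError(f"bad packet limit for {proto}")
            self.limits[proto] = limit
        self._window: Dict[str, int] = {}                  # subscriber -> interval index
        self._counts: Dict[str, Dict[str, int]] = {}       # subscriber -> proto -> count
        self._udp_flows: Dict[str, Set[FiveTuple]] = {}    # subscriber -> 5-tuples seen

    def _roll(self, subscriber: str, ts: float) -> None:
        """Reset the counters when the timestamp falls into a new sampling interval."""
        window = int(ts // self.interval)
        if self._window.get(subscriber) != window:
            self._window[subscriber] = window
            self._counts[subscriber] = defaultdict(int)
            self._udp_flows[subscriber] = set()

    def allow(self, subscriber: str, proto: str, ts: float,
              flow: Optional[FiveTuple] = None) -> bool:
        """True if this downlink packet is within the limit, False if it is dropped."""
        self._roll(subscriber, ts)
        if proto == "udp":
            if flow is None:
                raise ValueError("UDP packets need a 5-tuple")
            seen = self._udp_flows[subscriber]
            if flow in seen:
                return True          # packet on an already-seen flow is not counted as suspect
            seen.add(flow)
        counts = self._counts[subscriber]
        counts[proto] += 1
        return counts[proto] <= self.limits[proto]


def demo() -> Dict[str, int]:
    """Constructed traffic in one 1-second interval: 1200 ICMP packets, then one
    legitimate UDP flow interleaved with a spray over 1500 distinct 5-tuples."""
    fw = FloodLimiter(sampling_interval=1, limits={"icmp": 1000, "udp": 1000})
    dropped = {"icmp": 0, "udp-spray": 0, "udp-good": 0, "icmp-next-interval": 0}
    for _ in range(1200):
        if not fw.allow("sub1", "icmp", 0.5):
            dropped["icmp"] += 1
    good = ("198.51.100.7", 5060, "10.0.0.1", 5060, "udp")
    fw.allow("sub1", "udp", 0.6, good)                       # first packet of the real flow
    for i in range(1500):
        spray = ("203.0.113.9", 20000 + i, "10.0.0.1", 40000 + i, "udp")
        if not fw.allow("sub1", "udp", 0.7, spray):
            dropped["udp-spray"] += 1
        if not fw.allow("sub1", "udp", 0.7, good):           # established flow keeps flowing
            dropped["udp-good"] += 1
    if not fw.allow("sub1", "icmp", 1.2):                    # next interval starts fresh
        dropped["icmp-next-interval"] += 1
    return dropped
```

The good UDP flow is counted once (its first packet opens a new 5-tuple) and is then exempt, so the spray is throttled after the limit while the established flow is untouched, which is the behaviour the UDP example on this page describes.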
 
firewall icmp-checksum-error
This command configures Stateful Firewall action on packets with ICMP Checksum errors.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall icmp-checksum-error { drop | permit }
default firewall icmp-checksum-error
default
Configures the default setting.
Default: drop
drop
Specifies to drop packets with ICMP Checksum errors.
permit
Specifies to permit packets with ICMP Checksum errors.
Usage
Use this command to configure Stateful Firewall action on packets with ICMP Checksum errors. This command also applies to ICMP packets with an Inner IP Checksum error.
For NAT-only calls, packets with ICMP errors are dropped, and other packets are allowed.
Example
The following command configures Stateful Firewall to drop packets with ICMP Checksum errors:
firewall icmp-checksum-error drop
 
firewall icmp-destination-unreachable-message-threshold
This command configures a threshold on the number of ICMP error messages sent by the subscriber for a particular data flow.
Important: In StarOS 8.0, this configuration is available in the ACS Configuration Mode. In StarOS 8.1, for Rulebase-based Stateful Firewall configuration, this configuration is available in the Rulebase Configuration Mode. In StarOS 8.3, this configuration is available in the Rulebase Configuration Mode.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall icmp-destination-unreachable-message-threshold messages then-block-server
{ default | no } firewall icmp-destination-unreachable-message-threshold
default
Configures the default setting.
Default: No limit
no
Removes the previous configuration.
messages
Specifies the threshold on the number of ICMP error messages sent by the subscriber for a particular data flow. messages must be an integer from 1 through 100.
Usage
Use this command to configure a threshold on the number of ICMP error messages sent by the subscriber for a particular data flow. After the threshold is reached, it is assumed that the server is not reacting properly to the error messages, and further downlink traffic to the subscriber on the unwanted flow is blocked.
Some servers that run QChat ignore the ICMP error messages (Destination Port Unreachable and Host Unreachable) from the mobiles. So the mobiles continue to receive unwanted UDP traffic from the QChat servers, and their batteries get exhausted quickly.
Example
The following command configures a threshold of 10 ICMP error messages:
firewall icmp-destination-unreachable-message-threshold 10 then-block-server
 
firewall icmp-fsm
This command enables/disables Stateful Firewall’s ICMP Finite State Machine (FSM).
Product
FW
Privilege
Security Administrator, Administrator
Syntax
[ default | no ] firewall icmp-fsm
default
Configures the default setting.
Default: Enabled. Same as firewall icmp-fsm.
no
Disables Stateful Firewall ICMP FSM checks.
Usage
Use this command to enable/disable Stateful Firewall ICMP FSM checks. When Stateful Firewall and ICMP FSM are enabled, ICMP reply messages for which there is no saved ICMP request message are discarded. ICMP error messages (i.e., messages containing an embedded message) for which there is no saved flow for the embedded message are discarded.
Example
The following command disables Stateful Firewall’s ICMP FSM checks:
no firewall icmp-fsm
 
firewall ip-reassembly-failure
This command configures Stateful Firewall action on packets involved in IP Reassembly Failure scenarios.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall ip-reassembly-failure { drop | permit }
default firewall ip-reassembly-failure
default
Configures the default setting.
Default: permit
drop
Specifies to drop packets involved in IP reassembly failure scenarios.
permit
Specifies to permit packets involved in IP reassembly failure scenarios.
Usage
Use this command to configure Stateful Firewall action on packets involved in IP reassembly failure scenarios such as missing fragments, overlapping offset, etc.
For NAT-only calls, packets involved in IP reassembly failure scenarios are dropped.
Example
The following command specifies to drop packets involved in IP reassembly failure scenarios:
firewall ip-reassembly-failure drop
 
firewall malformed-packets
This command configures Stateful Firewall action on malformed packets.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall malformed-packets { drop | permit }
default firewall malformed-packets
default
Configures the default setting.
Default: permit
drop
Specifies to drop malformed packets.
permit
Specifies to permit malformed packets.
Usage
Use this command to configure Stateful Firewall action on malformed packets.
For NAT-only calls, malformed packets are always permitted.
Example
The following command specifies Stateful Firewall to drop malformed packets:
firewall malformed-packets drop
 
firewall max-ip-packet-size
This command configures the maximum IP packet size (after IP reassembly) allowed over Stateful Firewall.
Important: In StarOS 8.0, this configuration is available in the ACS Configuration Mode. In StarOS 8.1, for Rulebase-based Stateful Firewall configuration, this configuration is available in the Rulebase Configuration Mode. In StarOS 8.3, this configuration is available in the Rulebase Configuration Mode.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall max-ip-packet-size packet_size protocol { icmp | non-icmp }
default firewall max-ip-packet-size protocol { icmp | non-icmp }
default
Configures the default setting.
Default: 65535 bytes (for both ICMP and non-ICMP)
packet_size
Specifies the maximum packet size allowed.
packet_size must be an integer from 30000 through 65535.
protocol { icmp | non-icmp }
Specifies the transport protocol:
icmp: Configuration for ICMP protocol.
non-icmp: Configuration for protocols other than ICMP.
Usage
Use this command to configure the maximum IP packet size allowed for ICMP and non-ICMP packets to prevent packet flooding attacks on the host. Packets exceeding the configured size are dropped, which protects against “Jolt” and “Ping-Of-Death” attacks.
Example
The following command allows a maximum packet size of 60000 for ICMP protocol:
firewall max-ip-packet-size 60000 protocol icmp
 
firewall mime-flood
This command configures Stateful Firewall protection from MIME Flood attacks.
Important: In StarOS 8.0, this configuration is available in the ACS Configuration Mode. In StarOS 8.1, for Rulebase-based Stateful Firewall configuration, this configuration is available in the Rulebase Configuration Mode. In StarOS 8.3, this configuration is available in the Rulebase Configuration Mode.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall mime-flood { http-headers-limit max_limit | max-http-header-field-size max_size }
default firewall mime-flood { http-headers-limit | max-http-header-field-size }
default
Configures the default setting for the specified parameter.
http-headers-limit max_limit
Specifies the maximum number of headers allowed in an HTTP packet. If the number of HTTP headers in a page received is more than the specified limit, the request will be denied.
max_limit must be an integer from 1 through 256.
Default: 16
max-http-header-field-size max_size
Specifies the maximum header field size allowed in the HTTP header, in bytes. If the size of HTTP header in the received page is more than the specified number of bytes, the request will be denied.
max_size must be an integer from 1 through 8192.
Default: 4096 bytes
Usage
Use this command to configure the maximum number of headers allowed in an HTTP packet, and the maximum header field size allowed in the HTTP header to prevent MIME flooding attacks.
This command is only effective if Stateful Firewall DoS protection for MIME flood attacks has been enabled using the firewall dos-protection mime-flood command, and the route command has been configured to send HTTP packets to the HTTP analyzer.
Example
The following command sets the maximum number of headers allowed in an HTTP packet to 100:
firewall mime-flood http-headers-limit 100
The following command sets the maximum header field size allowed in the HTTP header to 1000 bytes:
firewall mime-flood max-http-header-field-size 1000
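The following check is an added example, not StarOS code or its HTTP analyzer: it parses the header block of one HTTP request and applies the two limits this command configures, the number of header fields (http-headers-limit, default 16, range 1 through 256) and the size of any single header field (max-http-header-field-size, default 4096 bytes, range 1 through 8192). The request samples are constructed for the demonstration; how the product counts folded header lines is not stated on the page, so joining a continuation line to the previous field is an assumption of this example.

```python
"""MIME-flood style header-count and header-field-size check (added example)."""
from typing import List, Tuple

DEFAULT_HEADERS_LIMIT = 16        # page default for http-headers-limit
DEFAULT_MAX_FIELD_SIZE = 4096     # page default for max-http-header-field-size, bytes


def header_fields(request: bytes) -> List[bytes]:
    """Split the header block into logical fields. A continuation line that starts
    with SP or HTAB (obsolete line folding) is joined to the previous field."""
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]          # drop the request line
    fields: List[bytes] = []
    for line in lines:
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] += b"\r\n" + line
        elif line:
            fields.append(line)
    return fields


def check_request(request: bytes, headers_limit: int = DEFAULT_HEADERS_LIMIT,
                  max_field_size: int = DEFAULT_MAX_FIELD_SIZE) -> Tuple[bool, str]:
    """Return (permitted, reason) for one request's header block."""
    if not 1 <= headers_limit <= 256 or not 1 <= max_field_size <= 8192:
        raise ValueError("limits are outside the configurable range")
    fields = header_fields(request)
    if len(fields) > headers_limit:
        return False, f"{len(fields)} header fields exceed limit {headers_limit}"
    for f in fields:
        if len(f) > max_field_size:
            name = f.split(b":", 1)[0].decode("latin-1")
            return False, f"header {name!r} is {len(f)} bytes, limit {max_field_size}"
    return True, "ok"


def build_request(headers: List[Tuple[str, str]]) -> bytes:
    """Constructed request with the given extra headers (test input, not captured traffic)."""
    lines = ["GET /index.html HTTP/1.1", "Host: example.com"]
    lines += [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def demo() -> List[Tuple[bool, str]]:
    normal = build_request([("User-Agent", "demo"), ("Accept", "*/*")])       # 3 fields
    many = build_request([(f"X-Pad-{i}", "x") for i in range(120)])           # 121 fields
    huge = build_request([("Cookie", "a" * 5000)])                             # 5008-byte field
    return [check_request(normal),
            check_request(many, headers_limit=100),
            check_request(huge, max_field_size=1000)]
```

The two denials in `demo` correspond to the two example commands above: a limit of 100 headers rejects the 121-field request, and a 1000-byte field limit rejects the oversized Cookie header.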
 
firewall policy
This command enables/disables Stateful Firewall support in a Firewall-and-NAT policy.
Important: In StarOS 8.0, this configuration is available in the ACS Configuration Mode. In StarOS 8.1, for Rulebase-based Stateful Firewall configuration, this configuration is available in the Rulebase Configuration Mode. In StarOS 8.3, this configuration is available in the Rulebase Configuration Mode.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall policy firewall-required
no firewall policy
no
Disables Stateful Firewall support in the Firewall-and-NAT policy.
firewall-required
Enables Stateful Firewall support in the Firewall-and-NAT policy.
Usage
Use this command to enable/disable Stateful Firewall support for all subscribers using a Firewall-and-NAT policy.
Example
The following command enables Stateful Firewall support in a Firewall-and-NAT policy:
firewall policy firewall-required
The following command disables Stateful Firewall support in a Firewall-and-NAT policy:
no firewall policy
 
firewall tcp-checksum-error
This command configures Stateful Firewall action on packets with TCP Checksum error.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall tcp-checksum-error { drop | permit }
default firewall tcp-checksum-error
default
Configures the default setting.
Default: drop
drop
Specifies to drop packets with TCP Checksum errors.
permit
Specifies to permit packets with TCP Checksum errors.
Usage
Use this command to configure Stateful Firewall action on packets with TCP Checksum error.
For NAT-only calls, packets with TCP Checksum errors are permitted.
Example
The following command specifies Stateful Firewall to drop packets with TCP Checksum errors:
firewall tcp-checksum-error drop
 
firewall tcp-first-packet-non-syn
This command configures Stateful Firewall action on TCP flows starting with a non-SYN packet.
 
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall tcp-first-packet-non-syn { drop | reset }
default firewall tcp-first-packet-non-syn
default
Configures the default setting.
Default: drop
drop
Specifies to drop the non-SYN packet.
reset
Specifies to send reset.
Usage
Use this command to configure Stateful Firewall action on TCP flows starting with a non-SYN packet.
Example
For flows starting with a non-SYN packet, the following command specifies Stateful Firewall to drop the non-SYN packet:
firewall tcp-first-packet-non-syn drop
 
firewall tcp-fsm
This command enables/disables Stateful Firewall’s TCP Finite State Machine (FSM).
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall tcp-fsm [ first-packet-non-syn { drop | permit | send-reset } ]
{ default | no } firewall tcp-fsm
default
Configures the default setting.
Default: firewall tcp-fsm first-packet-non-syn drop
no
Disables Stateful Firewall’s TCP FSM.
first-packet-non-syn { drop | permit | send-reset }
Specifies Stateful Firewall action on TCP flows starting with a non-SYN packet:
drop: Specifies to drop the packet.
permit: Specifies to permit the packet.
send-reset: Specifies to drop the packet and send TCP RST.
Default: drop
Usage
Use this command to enable/disable Stateful Firewall’s TCP FSM checks. When Stateful Firewall and TCP FSM are enabled, state of the TCP session is checked to decide whether to forward TCP packets.
Example
The following command enables TCP FSM, and configures action to take on TCP flows starting with a non-SYN packet to drop the packet:
firewall tcp-fsm first-packet-non-syn drop
 
firewall tcp-idle-timeout-action
This command configures action on TCP idle timeout expiry.
 
Product
FW, NAT
Privilege
Security Administrator, Administrator
Syntax
firewall tcp-idle-timeout-action { drop | reset }
{ default | no } firewall tcp-idle-timeout-action
default
Configures the default setting.
Default: reset
no
Configures the TCP idle timeout expiry action to reset.
drop | reset
Specifies the action to take on TCP idle timeout expiry.
drop: Drops the session.
reset: Sends a TCP RST. When configured to reset, the session is dropped and both ends are told so, which avoids packets that later arrive for the idle flow being silently dropped.
Usage
Use this command to configure action to take on TCP idle timeout expiry.
Example
The following command configures action to take on TCP idle timeout expiry to drop:
firewall tcp-idle-timeout-action drop
 
 
firewall tcp-options-error
This command configures Stateful Firewall action on packets with TCP Option errors.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall tcp-options-error { drop | permit }
default firewall tcp-options-error
default
Configures the default setting.
Default: permit
drop
Specifies to drop packets with TCP Option errors.
permit
Specifies to permit packets with TCP Option errors.
Usage
Use this command to configure Stateful Firewall action on packets with TCP Option errors.
Example
The following command configures Stateful Firewall to drop packets with TCP Option errors:
firewall tcp-options-error drop
 
 
firewall tcp-reset-message-threshold
This command configures a threshold on the number of TCP reset messages sent by the subscriber for a particular data flow. After this threshold is reached, further downlink traffic to the subscriber on the unwanted flow is blocked.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall tcp-reset-message-threshold messages then-block-server
{ default | no } firewall tcp-reset-message-threshold
default
Configures the default setting.
Default: Disabled
no
Disables the configuration.
messages
Specifies the threshold on the number of TCP reset messages sent by the subscriber for a particular data flow.
messages must be an integer from 1 through 100.
Usage
Use this command to configure a threshold on the number of TCP reset messages (TCP RST+ACK) sent by the subscriber for a particular data flow. After the threshold is reached, it is assumed that the server is not reacting properly to the reset messages, and further downlink traffic to the subscriber on the unwanted flow is blocked. This configuration enables QCHAT noise suppression for TCP.
Example
The following command sets the threshold on the number of TCP reset messages to 10:
firewall tcp-reset-message-threshold 10 then-block-server
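The following tracker is an added illustration, not StarOS code, of the two then-block-server thresholds on this page (firewall icmp-destination-unreachable-message-threshold and firewall tcp-reset-message-threshold): it counts the ICMP Destination Unreachable or TCP RST+ACK messages the subscriber sends on a flow and, once the configured count is reached, blocks further downlink traffic on that flow. Thresholds are 1 through 100; None stands for the disabled default. The flow key and the QChat-like scenario in `demo` are constructed.

```python
"""Subscriber error-message thresholds that block a non-reacting server (added example)."""
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

Flow = Tuple[str, int, str, int, str]   # (subscriber_ip, sub_port, server_ip, srv_port, proto)


class NoiseSuppressor:
    KINDS = ("icmp-unreachable", "tcp-reset")

    def __init__(self, icmp_threshold: Optional[int] = None,
                 tcp_reset_threshold: Optional[int] = None):
        for t in (icmp_threshold, tcp_reset_threshold):
            if t is not None and not 1 <= t <= 100:
                raise ValueError("threshold must be 1..100")
        # None: feature disabled (no limit), the page default for both commands
        self.thresholds = {"icmp-unreachable": icmp_threshold,
                           "tcp-reset": tcp_reset_threshold}
        self._counts: Dict[Flow, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
        self.blocked: Set[Flow] = set()

    def on_uplink_error(self, flow: Flow, kind: str) -> bool:
        """Record an error message the subscriber sent on `flow`; True once the flow is blocked."""
        if kind not in self.KINDS:
            raise ValueError(kind)
        threshold = self.thresholds[kind]
        if threshold is None:
            return False
        self._counts[flow][kind] += 1
        if self._counts[flow][kind] >= threshold:
            self.blocked.add(flow)          # server is not reacting: block its downlink traffic
        return flow in self.blocked

    def downlink_allowed(self, flow: Flow) -> bool:
        return flow not in self.blocked


def demo() -> Dict[str, object]:
    """Constructed: a server keeps sending UDP to a closed port on the mobile, which
    answers every datagram with ICMP Port Unreachable; on a second flow the mobile
    sends a few RST+ACKs to unsolicited TCP segments."""
    fw = NoiseSuppressor(icmp_threshold=10, tcp_reset_threshold=10)
    udp_flow = ("10.0.0.5", 9000, "198.51.100.20", 9000, "udp")
    tcp_flow = ("10.0.0.5", 4444, "198.51.100.21", 80, "tcp")
    delivered = 0
    for _ in range(20):
        if fw.downlink_allowed(udp_flow):            # datagram reaches the mobile
            delivered += 1
            fw.on_uplink_error(udp_flow, "icmp-unreachable")
    for _ in range(4):
        fw.on_uplink_error(tcp_flow, "tcp-reset")
    return {"udp_deliveries": delivered,
            "udp_blocked": not fw.downlink_allowed(udp_flow),
            "tcp_blocked": not fw.downlink_allowed(tcp_flow)}
```

With the ICMP threshold at 10, only the first ten unwanted datagrams reach the mobile; the TCP flow stays open because four resets are below its threshold, and a `NoiseSuppressor()` built with no thresholds never blocks anything, matching the disabled default.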
 
firewall tcp-syn-flood-intercept
This command configures TCP SYN intercept parameters for protection against TCP SYN flooding attacks.
Important: In StarOS 8.0, this configuration is available in the ACS Configuration Mode. In StarOS 8.1, for Rulebase-based Stateful Firewall configuration, this configuration is available in the Rulebase Configuration Mode. In StarOS 8.3, this configuration is available in the Rulebase Configuration Mode.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall tcp-syn-flood-intercept { mode { none | watch [ aggressive ] } | watch-timeout intercept_watch_timeout }
default firewall tcp-syn-flood-intercept { mode | watch-timeout }
default
Configures the default settings for SYN Flood DoS protection.
mode { none | watch [ aggressive ] }
Specifies the TCP SYN flood intercept mode:
none: Disables the TCP SYN Flood Intercept feature.
watch: Configures TCP SYN flood intercept feature in watch mode. The Stateful Firewall passively watches to see if TCP connections become established within a configurable interval. If connections are not established within the timeout period, the Stateful Firewall clears the half-open connections by sending RST to TCP client and server. The default watch-timeout for connection establishment is 30 seconds.
aggressive: Configures TCP SYN flood Intercept or Watch feature for aggressive behavior. Each new connection request causes the oldest incomplete connection to be deleted. When operating in watch mode, the watch timeout is reduced by half. If the watch-timeout is 30 seconds, under aggressive conditions it becomes 15 seconds. When operating in intercept mode, the retransmit timeout is reduced by half (i.e. if the timeout is 60 seconds, it is reduced to 30 seconds). Thus the amount of time waiting for connections to be established is reduced by half (i.e. it is reduced to 150 seconds from 300 seconds under aggressive conditions).
Default: none
watch-timeout intercept_watch_timeout
Specifies the TCP intercept watch timeout, in seconds.
intercept_watch_timeout must be an integer from 5 through 30.
Default: 30
Usage
This TCP intercept functionality provides protection against TCP SYN Flooding attacks. This command enables and configures TCP intercept parameters to prevent TCP SYN flooding attacks by intercepting and validating TCP connection requests, as part of the DoS protection mechanism configured with the firewall dos-protection command.
The system captures TCP SYN requests and responds with TCP SYN-ACKs. If a connection initiator completes the handshake with a TCP ACK, the system considers the TCP connection request valid and forwards the initial TCP SYN to the target, which triggers the target to send a TCP SYN-ACK. The system then intercepts that TCP SYN-ACK and sends the TCP ACK to complete the TCP handshake. Any TCP packet received before the handshake completes is discarded.
Example
The following command sets the intercept watch timeout setting to 15 seconds:
firewall tcp-syn-flood-intercept watch-timeout 15
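The following tracker is an added example, not StarOS code, of the watch-mode behaviour described for this command: half-open connections that do not complete within the watch-timeout (5 through 30 seconds, default 30) are cleared and an RST is recorded for client and server, and the aggressive keyword halves the timeout and deletes the oldest incomplete connection on each new connection request (applied literally here; the page states no table-size condition). Timestamps are supplied by the caller so the example runs offline, and the connections in `demo` are constructed.

```python
"""Watch-mode TCP SYN flood intercept tracker (added example, not StarOS code)."""
from collections import OrderedDict
from typing import Dict, List, Tuple

Conn = Tuple[str, int, str, int]   # (client_ip, client_port, server_ip, server_port)


class SynFloodWatch:
    def __init__(self, mode: str = "none", watch_timeout: int = 30, aggressive: bool = False):
        if mode not in ("none", "watch"):
            raise ValueError("mode must be none or watch")
        if not 5 <= watch_timeout <= 30:
            raise ValueError("watch-timeout must be 5..30 seconds")
        self.mode = mode
        self.aggressive = aggressive
        self.timeout = watch_timeout / 2 if aggressive else watch_timeout   # aggressive halves it
        self.half_open: "OrderedDict[Conn, float]" = OrderedDict()         # conn -> SYN time, oldest first
        self.resets: List[Conn] = []   # connections for which RST was sent to client and server

    def on_syn(self, conn: Conn, ts: float) -> None:
        """A new connection request was seen (watch mode only records it)."""
        if self.mode == "none" or conn in self.half_open:
            return
        if self.aggressive and self.half_open:
            oldest, _ = self.half_open.popitem(last=False)   # each new request evicts the oldest
            self.resets.append(oldest)
        self.half_open[conn] = ts

    def on_established(self, conn: Conn) -> None:
        """Handshake completed within the window: stop watching this connection."""
        self.half_open.pop(conn, None)

    def expire(self, now: float) -> List[Conn]:
        """Clear half-open connections older than the (possibly halved) watch timeout."""
        expired = [c for c, t in self.half_open.items() if now - t >= self.timeout]
        for c in expired:
            del self.half_open[c]
            self.resets.append(c)
        return expired


def demo() -> Dict[str, object]:
    """Constructed: watch mode with watch-timeout 15, then aggressive watch mode."""
    srv = ("198.51.100.30", 443)
    w = SynFloodWatch("watch", watch_timeout=15)
    w.on_syn(("10.0.0.1", 1001) + srv, 0.0)
    w.on_syn(("10.0.0.2", 1002) + srv, 1.0)
    w.on_established(("10.0.0.1", 1001) + srv)   # first client finished its handshake
    expired = w.expire(16.5)                      # second one never did: cleared with RSTs
    a = SynFloodWatch("watch", watch_timeout=30, aggressive=True)
    for i in range(5):                            # burst of SYNs from one source
        a.on_syn(("203.0.113.1", 5000 + i) + srv, float(i))
    return {"expired": expired, "normal_resets": len(w.resets),
            "aggressive_timeout": a.timeout, "aggressive_half_open": len(a.half_open),
            "aggressive_resets": len(a.resets)}
```

In the normal run only the connection that never completed is reset once the 15-second watch window has passed; in the aggressive run the timeout becomes 15 seconds and four of the five half-open requests are evicted as newer ones arrive.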
 
firewall tcp-syn-with-ecn-cwr
This command configures Stateful Firewall action on TCP SYN packets with either ECN or CWR flag set.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall tcp-syn-with-ecn-cwr { drop | permit }
default firewall tcp-syn-with-ecn-cwr
default
Configures the default setting.
Default: permit
drop
Specifies to drop TCP SYN packets with either ECN or CWR flag set.
permit
Specifies to permit TCP SYN packets with either ECN or CWR flag set.
Usage
Use this command to configure Stateful Firewall action on receiving a TCP SYN packet with either ECN or CWR flag set.
Example
The following command configures Stateful Firewall to drop TCP SYN packets with ECN / CWR flag set:
firewall tcp-syn-with-ecn-cwr drop
 
firewall udp-checksum-error
This command configures Stateful Firewall action on packets with UDP Checksum error.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall udp-checksum-error { drop | permit }
default firewall udp-checksum-error
default
Configures the default setting.
Default: drop
drop
Specifies to drop packets with UDP Checksum error.
permit
Specifies to permit packets with UDP Checksum error.
Usage
Use this command to configure Stateful Firewall action on packets with UDP Checksum error.
For NAT-only calls, packets with UDP Checksum error are permitted.
Example
The following command specifies to drop packets with UDP Checksum error:
firewall udp-checksum-error drop
 
 
firewall validate-ip-options
This command enables / disables the Stateful Firewall validation of IP options for errors.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
[ default | no ] firewall validate-ip-options
default
Configures the default setting.
Default: Disabled. Same as no firewall validate-ip-options.
no
Disables validation of IP options.
Usage
Use this command to enable / disable Stateful Firewall validation of IP options. When enabled, Stateful Firewall will drop packets with IP option errors.
For NAT calls, validation of IP Options is disabled.
Example
The following command enables validation of IP options:
firewall validate-ip-options
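As an added example, not StarOS code, the following Python shows the kind of IP option validation that firewall validate-ip-options enables: it walks the option area of a constructed IPv4 header and reports malformed encodings, then applies the policy setting together with the NAT-call exemption described above. Which conditions count as an IP option error on the chassis is not stated on this page; the ones flagged here (a truncated option, a length below 2, an option running past the end of the header) are an assumption.

```python
import struct

def ipv4_option_errors(packet: bytes) -> list:
    """Return the IP option encoding errors found in an IPv4 header (empty list if clean)."""
    if len(packet) < 20:
        return ["header shorter than 20 bytes"]
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        return [f"IHL {ihl} is out of range"]
    opts, errors, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List: rest of the option area is padding
            break
        if kind == 1:            # No Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            errors.append(f"option {kind} truncated: no length byte")
            break
        length = opts[i + 1]
        if length < 2:
            errors.append(f"option {kind} has invalid length {length}")
            break
        if i + length > len(opts):
            errors.append(f"option {kind} length {length} overruns the header")
            break
        i += length
    return errors

def ipv4_header(options: bytes) -> bytes:
    """Constructed IPv4 header (no payload) carrying options, zero-padded to a 4-byte boundary."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    base = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    return base + options

def ip_options_action(validate_ip_options: bool, packet: bytes, nat_call=False) -> str:
    """'drop' or 'permit' for this packet under the given policy setting."""
    if not validate_ip_options or nat_call:  # disabled by default, and always off for NAT calls
        return "permit"
    return "drop" if ipv4_option_errors(packet) else "permit"
```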
 
 
nat binding-record
This command configures the generation of NAT Binding Records.
Product
NAT
Privilege
Security Administrator, Administrator
Syntax
nat binding-record edr-format edr_format [ port-chunk-allocation ] [ port-chunk-release ]
{ default | no } nat binding-record
default
Configures the default setting.
Default: port-chunk-release
no
Disables generating NAT Binding Records.
edr-format edr_format
Specifies the EDR format name.
edr_format must be an alpha and/or numeric string of 1 through 63 characters in length.
port-chunk-allocation
Specifies generating NAT Binding Records when a port-chunk is allocated.
port-chunk-release
Specifies generating NAT Binding Records when a port-chunk is released.
Usage
Use this command to configure the generation of NAT Binding Records.
Example
The following command configures an EDR format named test123 and specifies generating NAT Binding Records when a port chunk is allocated:
nat binding-record edr-format test123 port-chunk-allocation
 
nat policy
This command enables/disables Network Address Translation (NAT) support in a Firewall-and-NAT policy.
Important: In StarOS 8.3, this configuration is available in the Rulebase Configuration Mode.
Product
NAT
Privilege
Security Administrator, Administrator
Syntax
nat policy nat-required [ default-nat-realm nat_realm_name ]
no nat policy
no
Disables NAT support in the Firewall-and-NAT policy.
nat-required
Enables NAT support in the Firewall-and-NAT policy.
default-nat-realm nat_realm_name
Specifies the default NAT realm for the Firewall-and-NAT policy.
nat_realm_name must be the name of an existing NAT realm, and must be an alpha and/or numeric string of 1 through 31 characters in length.
Usage
Use this command to enable/disable NAT support for all subscribers using a Firewall-and-NAT policy.
In StarOS 8.1, to enable NAT support for a subscriber, Stateful Firewall must also be enabled for that subscriber. See the firewall policy CLI command.
Once NAT is enabled for a subscriber, the NAT IP address to be used is chosen from the NAT realms specified in the rules. See the access-rule CLI command.
You can enable/disable NAT at any time; however, the changed NAT status is not applied to active calls. The new NAT status is applied only to new calls.
Example
The following command enables NAT support in a Firewall-and-NAT policy:
nat policy nat-required
The following command disables NAT support in a Firewall-and-NAT policy:
no nat policy
 
nat private-ip-flow-timeout
This command configures the Private IP NPU flow timeout setting.
Product
NAT
Privilege
Security Administrator, Administrator
Syntax
nat private-ip-flow-timeout timeout
{ default | no } nat private-ip-flow-timeout
default
Configures the default setting.
Default: 180 seconds
no
Disables the Private IP NPU flow timeout configuration.
When disabled, the flow is installed at call setup and will be removed only when the subscriber disconnects.
timeout
Specifies the Private IP NPU flow timeout period in seconds.
timeout must be an integer from 180 through 86400.
Usage
Use this command to configure the Private IP NPU flow timeout setting.
For NAT-enabled calls, by default, the downlink private IP NPU flow will not be installed at call setup for a subscriber session. The flow will only be installed on demand. When there is no traffic on the private flow, the private IP flow will be removed after the configurable timeout period.
Example
The following command configures the Private IP NPU flow timeout setting to 36000 seconds:
nat private-ip-flow-timeout 36000
 
 
nat suppress-aaa-update
This command suppresses sending a NAT Bind Update (NBU) to the AAA server when a PPP disconnect occurs.
Important: This command is customer-specific. For more information please contact your local service representative.
Product
NAT
Privilege
Security Administrator, Administrator
Syntax
nat suppress-aaa-update call-termination
default nat suppress-aaa-update
default
Configures the default setting.
Default: No suppression of AAA updates.
Usage
Use this command to suppress sending NBUs to the AAA server when a PPP disconnect occurs, as these NBUs would be cleared at the AAA server anyway once it receives the accounting-stop. This minimizes the number of messages between the chassis and the AAA server. When not configured, NBUs are sent to the AAA server whenever a port chunk is allocated, de-allocated, or the call is cleared (PPP disconnect).
Example
The following command suppresses the sending of NBU to the AAA server:
nat suppress-aaa-update call-termination
 
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883