Appendix A Sample Content Filtering Service Configuration
This appendix includes the following sample configuration files for Content Filtering configuration within an ECS service:
• URL Blacklisting Configuration
• Category-based Content Filtering Configuration
URL Blacklisting Configuration
This section presents a sample configuration file with URL Blacklisting configuration within an ECS service.
# Sample StarOS configuration: URL Blacklisting inside the ECS (active-charging) service bl_service.
# Indentation below is for readability only; each #exit marks the end of the nested mode above it.
# IP addresses, license/SSH key material, passwords and SNMP community strings are sample values
# from the appendix -- supply site-specific values before reusing any part of this.
config
  license key "\
VER=1|C1M=SanDiskSDCFJ-4096|C1S=016816D2597X4624|C2M=SanDiskSDCFJ-4096\
FAA=Y|FCP=Y|LCF=30000|SIG=MC0CFQC2Zp+qSGqGR+VQ5QdhkHksZgXxgAIUN7+bT/OL\
qeFwAMiJbb4acy33JsU"
  aaa large-configuration
  timestamps
  autoconfirm
  clock timezone asia-calcutta
  crash enable encrypted url 01abc234d56e7f8g01abc234d56e7f8g
  card 1
    mode active psc
  #exit
  card 2
    mode active psc
  #exit
  card 3
    mode active psc
  #exit
  require session recovery
  require active-charging
  require diameter-proxy multiple
  # Management context: SPIO interface, management servers and the admin account.
  context local
    interface spio
      ip address 1.2.3.4 255.255.255.0
    #exit
    server ftpd
    #exit
    ssh key f22330a765e10f40001920bf01dbf89a224dd8f09fe8d1598751401cb392f3c062f859a4335cb92f4a352a4686dcea99e4740be8a0063da1c657c560991ec87ce06728 len 461
    server sshd
      subsystem sftp
    #exit
    # NOTE(review): telnetd, tftpd and ftpd are cleartext management services; sshd with the
    # sftp subsystem is already enabled above, so confirm the cleartext ones are really needed.
    server telnetd
    #exit
    server tftpd
    #exit
    subscriber default
    exit
    # NOTE(review): the trailing ftp keyword appears to grant this administrator FTP access
    # as well -- confirm that is required.
    administrator administrator encrypted password 123abc456def789gh ftp
    aaa group default
    #exit
    gtpp group default
    #exit
    ip route 0.0.0.0 0.0.0.0 1.2.3.4 spio
    ip domain-lookup
    ip domain-name ind.star.com
    ip name-servers 1.2.3.4
  #exit
  port ethernet 24/1
    no shutdown
    bind interface spio local
  #exit
  ntp
    enable
    server 1.2.3.4
  #exit
  # NOTE(review): "private" and "public" are the well-known default community strings
  # (read-only here); use site-specific strings in a deployment.
  snmp community private read-only
  snmp community public read-only
  snmp target abc1 1.2.3.4 port 162 security-name public version 2c traps
  # ECS service: protocol ruledefs, charging action, URL blacklisting method and rulebases.
  active-charging service bl_service
    ruledef clwap-dst
      udp dst-port = 9200
      rule-application routing
    #exit
    ruledef clwap-src
      udp src-port = 9200
      rule-application routing
    #exit
    ruledef cowap-dst
      udp dst-port = 9201
      rule-application routing
    #exit
    ruledef cowap-src
      udp src-port = 9201
      rule-application routing
    #exit
    # Catch-all ruledef: matches every IP packet; referenced at the lowest priority in rulebase1.
    ruledef default
      ip any-match = TRUE
    #exit
    ruledef ftp-ctrl-dst
      tcp dst-port = 21
      rule-application routing
    #exit
    ruledef ftp-ctrl-src
      tcp src-port = 21
      rule-application routing
    #exit
    ruledef ftp-data-dst
      tcp dst-port = 20
      rule-application routing
    #exit
    ruledef ftp-data-src
      tcp src-port = 20
      rule-application routing
    #exit
    # TCP segments with no payload and with neither the FIN nor the RST flag set.
    ruledef handshake
      tcp payload-length = 0
      tcp any-match = TRUE
      tcp flag !contains fin
      tcp flag !contains reset
    #exit
    ruledef http-dst
      tcp dst-port = 80
      rule-application routing
    #exit
    ruledef http-get
      http request method = get
    #exit
    ruledef http-pkts
      http any-match = TRUE
    #exit
    ruledef http-proxy-dst
      tcp dst-port = 3128
      rule-application routing
    #exit
    ruledef http-proxy-src
      tcp src-port = 3128
      rule-application routing
    #exit
    ruledef http-route
      tcp either-port = 80
      rule-application routing
    #exit
    # NOTE(review): unlike http-dst this ruledef has no rule-application routing;
    # routing of port-80 traffic is done by http-route (either-port = 80) in rulebase1.
    ruledef http-src
      tcp src-port = 80
    #exit
    ruledef http-wap2-dst
      tcp dst-port = 8799
      rule-application routing
    #exit
    ruledef http-wap2-src
      tcp src-port = 8799
      rule-application routing
    #exit
    ruledef https-dst
      tcp dst-port = 443
      rule-application routing
    #exit
    ruledef https-src
      tcp src-port = 443
      rule-application routing
    #exit
    ruledef pop3-dst
      tcp dst-port = 110
      rule-application routing
    #exit
    ruledef pop3-src
      tcp src-port = 110
      rule-application routing
    #exit
    ruledef rtsp-dst
      tcp dst-port = 554
      rule-application routing
    #exit
    ruledef rtsp-src
      tcp src-port = 554
      rule-application routing
    #exit
    # URI-prefix ruledefs rule2..rule9 (not referenced by rulebase1 in this sample).
    ruledef rule2
      http uri starts-with http://1.2.3.4/test/service/2000/
    #exit
    ruledef rule3
      http uri starts-with http://1.2.3.4/test/service/3000/
    #exit
    ruledef rule4
      http uri starts-with http://1.2.3.4/test/service/4000/
    #exit
    ruledef rule5
      http uri starts-with http://1.2.3.4/test/service/5000/
    #exit
    ruledef rule6
      http uri starts-with http://1.2.3.4/test/service/6000/
    #exit
    ruledef rule7
      http uri starts-with http://1.2.3.4/test/service/7000/
    #exit
    ruledef rule8
      http uri starts-with http://1.2.3.4/test/service/8000/
    #exit
    ruledef rule9
      http uri starts-with http://1.2.3.4/test/service/9000/
    #exit
    ruledef sdp_route
      sip content type = application/sdp
      rule-application routing
    #exit
    ruledef sip-dst
      udp dst-port = 5060
      rule-application routing
    #exit
    ruledef sip-src
      udp src-port = 5060
      rule-application routing
    #exit
    ruledef smtp-dst
      tcp dst-port = 25
      rule-application routing
    #exit
    ruledef smtp-src
      tcp src-port = 25
      rule-application routing
    #exit
    ruledef tcp
      ip protocol = 6
      rule-application routing
    #exit
    ruledef udp
      ip protocol = 17
      rule-application routing
    #exit
    charging-action standard
      content-id 10
      retransmissions-counted
    #exit
    # URL Blacklisting compares the full URL against the list (exact-match); the action
    # taken on a match is set per rulebase (see url-blacklisting action below).
    url-blacklisting method exact-match
    rulebase rulebase1
      action priority 1 ruledef http-get charging-action standard
      # Catch-all at the lowest priority used in this rulebase.
      action priority 65000 ruledef default charging-action standard
      # Flows whose URL is on the blacklist are discarded.
      url-blacklisting action discard
      route priority 80 ruledef http-route analyzer http
      # NOTE(review): disables transport-layer checksum verification during inspection --
      # confirm this is intended outside a lab setup.
      no transport-layer-checksum verify-during-packet-inspection
    #exit
    rulebase default
    #exit
  #exit
  # Subscriber-facing context: client/RADIUS interfaces, RADIUS AAA and the HA service.
  context source
    interface chassis1_2_CLIENT
      ip address 1.2.3.4 255.255.255.0
      ip address 1.2.3.5 255.255.255.255 secondary
      ip address 1.2.3.6 255.255.255.255 secondary
    #exit
    interface chassis1_2_RADIUS
      ip address 1.2.3.4 255.255.255.0
    #exit
    # Default subscriber: acl1 in both directions, traffic routed to context dest, rulebase1 applied.
    subscriber default
      ip access-group acl1 in
      ip access-group acl1 out
      ip context-name dest
      active-charging rulebase rulebase1
    exit
    aaa group default
      radius attribute nas-ip-address address 1.2.3.4
      # RADIUS shared keys are stored in encrypted form (encrypted key).
      radius server 1.2.3.4 encrypted key 01abc234d56e7f8g port 1812
      radius accounting server 1.2.3.4 encrypted key 01abc234d port 1813
    #exit
    gtpp group default
    #exit
    ha-service HA
      mn-ha-spi spi-number 1000 encrypted secret 01abc234d56e7f8g hash-algorithm md5
      # NOTE(review): the next two fa-ha-spi lines are identical (same remote-address and
      # spi-number) -- likely a copy/paste duplicate in the sample.
      fa-ha-spi remote-address 1.2.3.4 spi-number 256 encrypted secret 01abc234d56e7f8g hash-algorithm md5
      fa-ha-spi remote-address 1.2.3.4 spi-number 256 encrypted secret 01abc234d56e7f8g hash-algorithm md5
      no reg-lifetime
      bind address 1.2.3.4
    #exit
    edr-module active-charging-service
    #exit
    ip igmp profile default
    #exit
  #exit
  # Destination context: redirect ACL, IP pools and the server-side interface.
  context dest
    ip access-list acl1
      # NOTE(review): acl1 redirects all traffic to CSS service srv1, but the only
      # active-charging service defined in this sample is bl_service -- verify the name.
      redirect css service srv1 any
    #exit
    ip pool callgen_A11 1.2.3.4 255.255.0.0 static
    ip pool callgen_B11 1.2.3.5 255.255.0.0 static
    ip pool dpool00 1.2.3.6 255.255.0.0 public 0
    ip pool dpool01 1.2.3.7 255.255.0.0 public 0
    interface chassis1_2_SERVER
      ip address 1.2.3.4 255.255.255.0
    #exit
    subscriber default
    exit
    aaa group default
    #exit
    gtpp group default
    #exit
    ip igmp profile default
    #exit
  #exit
  # Physical ports; VLAN sub-interfaces are bound to the context interfaces defined above.
  port ethernet 17/1
    no shutdown
    vlan 4000
      no shutdown
      bind interface chassis1_2_SERVER dest
    #exit
  #exit
  port ethernet 18/1
    no shutdown
    vlan 2000
      no shutdown
      bind interface chassis1_2_CLIENT source
    #exit
    vlan 3000
      no shutdown
      bind interface chassis1_2_RADIUS source
    #exit
  #exit
  port ethernet 18/5
    no shutdown
  #exit
  port ethernet 18/6
    no shutdown
  #exit
  port ethernet 18/7
    no shutdown
  #exit
  port ethernet 18/8
    no shutdown
  #exit
  port ethernet 19/1
    no shutdown
  #exit
  task facility sessmgr start aggressive
  task facility acsmgr start aggressive
end
Category-based Content Filtering Configuration
This section presents a sample configuration file with Category-based Content Filtering configuration within an ECS service.
# Sample StarOS configuration: Category-based Content Filtering inside the ECS service srv1.
# Indentation below is for readability only; each #exit marks the end of the nested mode above it.
# IP addresses, license/SSH key material, passwords, RADIUS secrets and SNMP community strings
# are sample values from the appendix -- supply site-specific values before reusing any of this.
config
  license key "\
VER=1|C1M=SanDiskSDCFJ-4096|C1S=016816D2597X4624|C2M=SanDiskSDCFJ-4096\
FAA=Y|FCP=Y|LCF=30000|SIG=MC0CFQC2Zp+qSGqGR+VQ5QdhkHksZgXxgAIUN7+bT/OL"
  aaa large-configuration
  timestamps
  autoconfirm
  clock timezone asia-calcutta
  crash enable encrypted url 90b248ca778edc0db4a55318525bc
  card 1
    mode active psc
  #exit
  card 2
    mode active psc
  #exit
  card 3
    mode active psc
  #exit
  card 4
    mode active psc
  #exit
  require session recovery
  # Location of the content-filtering category database on local flash.
  content-filtering category database directory path /flash/cf/
  require active-charging content-filtering category static-and-dynamic
  # Management context: SPIO interface, management servers and the admin account.
  context local
    interface spio
      ip address 1.2.3.4 255.255.255.0
    #exit
    server ftpd
    #exit
    ssh key f22330a765e10f40001920bf01dbf89a224dd8f09fe8d1598751401cb392f3c062f859a59520b1a8f0684335cb92f4a352a4686dcea99e4740be8a0063da1c657c5609 len 006
    ssh key 75f41778bab0a173ee6e4e79c1026389918dca8b9f4701078f6841add6a81a669d183107638abac6c0de03f606736334e1f5ee618dc370636824c0c8aaffc96050ecb88 len 007 type v2-dsa
    server sshd
      subsystem sftp
    #exit
    # NOTE(review): telnetd, tftpd and ftpd are cleartext management services; sshd with the
    # sftp subsystem is already enabled above, so confirm the cleartext ones are really needed.
    server telnetd
    #exit
    server tftpd
    #exit
    subscriber default
    exit
    # NOTE(review): the trailing ftp keyword appears to grant this administrator FTP access
    # as well -- confirm that is required.
    administrator test encrypted password abc123def456ghi789 ftp
    aaa group default
    #exit
    gtpp group default
    #exit
    ip route 0.0.0.0 0.0.0.0 2.3.4.5 spio
    ip domain-lookup
    ip domain-name test.ind.testing.com
    ip name-servers 10.4.5.253
  #exit
  port ethernet 24/1
    no shutdown
    bind interface spio local
  #exit
  ntp
    enable
    server 3.4.5.6
  #exit
  # NOTE(review): "private" and "public" are the well-known default community strings
  # (read-only here); use site-specific strings in a deployment.
  snmp community private read-only
  snmp community public read-only
  snmp target test 1.3.5.7 port 162 security-name public version 2c traps
  # ECS service: HTTP/WSP ruledefs, web-hit EDR format, category policies and rulebases.
  active-charging service srv1
    ruledef http-dst
      tcp dst-port = 80
      rule-application routing
    #exit
    # HTTP reply-code classes 1xx..5xx (5x is open-ended: >= 500).
    ruledef http-response-1x
      http reply code >= 100
      http reply code < 199
    #exit
    ruledef http-response-2x
      http reply code >= 200
      http reply code < 299
    #exit
    ruledef http-response-3x
      http reply code >= 300
      http reply code < 399
    #exit
    ruledef http-response-4x
      http reply code >= 400
      http reply code < 499
    #exit
    ruledef http-response-5x
      http reply code >= 500
    #exit
    ruledef http-get
      http request method = get
    #exit
    ruledef http-post-req
      http request method = post
    #exit
    ruledef http-src
      tcp src-port = 80
      rule-application routing
    #exit
    ruledef wsp-cl-dst
      udp dst-port = 9200
      rule-application routing
    #exit
    ruledef wsp-cl-src
      udp src-port = 9200
      rule-application routing
    #exit
    ruledef wsp-co-dst
      udp dst-port = 9201
      rule-application routing
    #exit
    ruledef wsp-co-src
      udp src-port = 9201
      rule-application routing
    #exit
    ruledef wsp-get-req
      wsp pdu-type = get
    #exit
    ruledef wsp-post-req
      wsp pdu-type = post
    #exit
    ruledef wsp-put-req
      wsp pdu-type = put
    #exit
    # EDR record layout used by the web-hit entries of category policy 4; the priority
    # values appear to give the field order -- confirm against the EDR documentation.
    edr-format web-hit
      attribute radius-user-name priority 1
      attribute radius-calling-station-id priority 2
      attribute sn-end-time format MM/DD/YYYY-HH:MM:SS priority 3
      attribute sn-start-time format MM/DD/YYYY-HH:MM:SS priority 4
      attribute radius-nas-ip-address priority 5
      rule-variable http url priority 6
      rule-variable wsp url priority 7
      rule-variable ip subscriber-ip-address priority 8
      attribute sn-closure-reason priority 22
      attribute sn-cf-category-policy priority 23
      attribute sn-cf-category-rating-type priority 24
      attribute sn-cf-category-classification-used priority 25
      attribute sn-cf-category-flow-action priority 26
      attribute sn-cf-category-unknown-url priority 27
      attribute sn-volume-amt ip pkts uplink priority 50
      attribute sn-volume-amt ip pkts downlink priority 51
      attribute sn-volume-amt ip bytes uplink priority 52
      attribute sn-volume-amt ip bytes downlink priority 53
      rule-variable http request method priority 54
      rule-variable http content type priority 70
      rule-variable http reply code priority 75
    #exit
    charging-action standard
      content-id 10
    #exit
    # Policies 1-3: allow all categories, no EDR.
    content-filtering category policy-id 1
      analyze priority 65535 all action allow
    #exit
    content-filtering category policy-id 2
      analyze priority 65535 all action allow
    #exit
    content-filtering category policy-id 3
      analyze priority 65535 all action allow
    #exit
    # Policy 4 (used by rulebase2): every category is allowed, but each hit is written to the
    # web-hit EDR -- a log-only policy. NOTE(review): priorities 6, 13, 38, 41, 46, 51, 54
    # and 56 are unused; presumably categories dropped from the sample -- confirm none are missing.
    content-filtering category policy-id 4
      analyze priority 1 category ABOR action allow edr web-hit
      analyze priority 2 category ADULT action allow edr web-hit
      analyze priority 3 category ADVERT action allow edr web-hit
      analyze priority 4 category ANON action allow edr web-hit
      analyze priority 5 category ART action allow edr web-hit
      analyze priority 7 category AUTO action allow edr web-hit
      analyze priority 8 category BLACK action allow edr web-hit
      analyze priority 9 category BLOG action allow edr web-hit
      analyze priority 10 category BUSI action allow edr web-hit
      analyze priority 11 category CAR action allow edr web-hit
      analyze priority 12 category CHAT action allow edr web-hit
      analyze priority 14 category CMC action allow edr web-hit
      analyze priority 15 category CRIME action allow edr web-hit
      analyze priority 16 category CULT action allow edr web-hit
      analyze priority 17 category DRUG action allow edr web-hit
      analyze priority 18 category EDU action allow edr web-hit
      analyze priority 19 category ENT action allow edr web-hit
      analyze priority 20 category FIN action allow edr web-hit
      analyze priority 21 category FORUM action allow edr web-hit
      analyze priority 22 category GAMB action allow edr web-hit
      analyze priority 23 category GAME action allow edr web-hit
      analyze priority 24 category GOVERN action allow edr web-hit
      analyze priority 25 category GLAM action allow edr web-hit
      analyze priority 26 category HACK action allow edr web-hit
      analyze priority 27 category HATE action allow edr web-hit
      analyze priority 28 category HEALTH action allow edr web-hit
      analyze priority 29 category HOBBY action allow edr web-hit
      analyze priority 30 category HOSTS action allow edr web-hit
      analyze priority 31 category KIDS action allow edr web-hit
      analyze priority 32 category LEGAL action allow edr web-hit
      analyze priority 33 category LIFES action allow edr web-hit
      analyze priority 34 category MAIL action allow edr web-hit
      analyze priority 35 category MIL action allow edr web-hit
      analyze priority 36 category NEWS action allow edr web-hit
      analyze priority 37 category OCCULT action allow edr web-hit
      analyze priority 39 category PEER action allow edr web-hit
      analyze priority 40 category PERS action allow edr web-hit
      analyze priority 42 category POLTIC action allow edr web-hit
      analyze priority 43 category PORN action allow edr web-hit
      analyze priority 44 category PORTAL action allow edr web-hit
      analyze priority 45 category PROXY action allow edr web-hit
      analyze priority 47 category REF action allow edr web-hit
      analyze priority 48 category REL action allow edr web-hit
      analyze priority 49 category SEARCH action allow edr web-hit
      analyze priority 50 category SCI action allow edr web-hit
      analyze priority 52 category SHOP action allow edr web-hit
      analyze priority 53 category SPORT action allow edr web-hit
      analyze priority 55 category SUIC action allow edr web-hit
      analyze priority 57 category SXED action allow edr web-hit
      analyze priority 58 category TECH action allow edr web-hit
      analyze priority 59 category TRAV action allow edr web-hit
      analyze priority 60 category VIOL action allow edr web-hit
      analyze priority 61 category WEAP action allow edr web-hit
      analyze priority 62 category WHITE action allow edr web-hit
      analyze priority 63 category UNKNOW action allow edr web-hit
    #exit
    # rulebase1: HTTP charging only, no content filtering (assigned to subscriber ecs).
    rulebase rulebase1
      action priority 1 ruledef http-response-1x charging-action standard
      action priority 2 ruledef http-response-2x charging-action standard
      action priority 3 ruledef http-response-3x charging-action standard
      action priority 4 ruledef http-response-4x charging-action standard
      action priority 5 ruledef http-response-5x charging-action standard
      action priority 10 ruledef http-get charging-action standard
      route priority 78 ruledef http-src analyzer http
      route priority 79 ruledef http-dst analyzer http
      # NOTE(review): disables transport-layer checksum verification during inspection --
      # confirm this is intended outside a lab setup.
      no transport-layer-checksum verify-during-packet-inspection
    #exit
    # rulebase2: same HTTP actions plus category content filtering with policy 4
    # (assigned to subscriber cf).
    rulebase rulebase2
      content-filtering category policy-id 4
      content-filtering mode category static-and-dynamic
      # NOTE(review): flow-any-error permit lets a flow through when content filtering hits
      # an error (fail-open); confirm this is the intended posture for a filtering deployment.
      content-filtering flow-any-error permit
      action priority 1 ruledef http-response-1x charging-action standard
      action priority 2 ruledef http-response-2x charging-action standard
      action priority 3 ruledef http-response-3x charging-action standard
      action priority 4 ruledef http-response-4x charging-action standard
      action priority 5 ruledef http-response-5x charging-action standard
      action priority 10 ruledef http-get charging-action standard
      route priority 78 ruledef http-src analyzer http
      route priority 79 ruledef http-dst analyzer http
      # NOTE(review): same checksum-verification caveat as in rulebase1.
      no transport-layer-checksum verify-during-packet-inspection
    #exit
    rulebase default
    #exit
  #exit
  # Subscriber-facing context: client interface, subscribers/domains, RADIUS, HA and PDSN services.
  context test_src
    interface TEST_CLIENT
      ip address 1.1.1.1 255.255.255.0
      ip address 1.1.1.200 255.255.255.0 secondary
    #exit
    subscriber default
      encrypted password 123abc456def789ghi
      ip context-name test_dest
    exit
    subscriber name cf
      encrypted password 123abc456def789ghi
      ip access-group acl1 in
      ip access-group acl1 out
      ip context-name test_dest
      active-charging rulebase rulebase2
    exit
    subscriber name ecs
      encrypted password 123abc456def789ghi
      ip access-group acl1 in
      ip access-group acl1 out
      ip context-name test_dest
      active-charging rulebase rulebase1
    exit
    # Domain mapping: cf.com users get rulebase2 (content filtering), ecs.com users get rulebase1.
    domain cf.com default subscriber cf
    domain ecs.com default subscriber ecs
    aaa group default
      radius attribute nas-ip-address address 1.1.1.200
      # NOTE(review): the RADIUS shared secret is the literal word "secret" in cleartext;
      # the URL Blacklisting sample uses "encrypted key" instead -- use the encrypted form
      # and a site-specific value.
      radius server 1.1.1.10 key secret port 1111
      radius accounting server 1.1.1.10 key secret port 2222
    #exit
    gtpp group default
    #exit
    ha-service test_ha
      mn-ha-spi spi-number 1000 encrypted secret 123abc456def789ghi hash-algorithm md5
      # NOTE(review): this fa-ha-spi uses a plain "secret" while mn-ha-spi above uses
      # "encrypted secret" -- inconsistent within the same service.
      fa-ha-spi remote-address 1.1.1.100 spi-number 777 secret 123abc456def789ghi hash-algorithm md5
      no reg-lifetime
      bind address 1.1.1.200
    #exit
    pdsn-service test_pdsn
      spi remote-address 1.1.1.100 spi-number 256 encrypted secret 123abc456def789ghi
      authentication pap 1 chap 2 mschap 3
      bind address 1.1.1.200
    #exit
  #exit
  # Destination context: redirect ACL, IP pool, server-side interface and EDR output.
  context test_dest
    ip access-list acl1
      # All traffic matched by acl1 is redirected to the ECS service srv1.
      redirect css service srv1 any
    #exit
    ip pool pool3 70.70.0.0 255.255.0.0 public 0 policy allow-static-allocation
    interface TEST_SERVER
      ip address 1.1.1.1 255.255.255.0
      ip address 1.1.1.200 255.255.255.0 secondary
    #exit
    ssh key 75f41778bab0a1731c19851a8e68f5e9cef4cca2bd3adf9544ec64f75a8d3823028f57815369b9b73388f688261e49f5d200bef8c435459db536c97e4eb len 777 type v2-raa
    subscriber default
    exit
    aaa group default
    #exit
    gtpp group default
    #exit
    ip route 0.0.0.0 0.0.0.0 1.1.1.100 TEST_SERVER
    edr-module active-charging-service
      file rotation volume 123456789 headers
      cdr use-harddisk
    #exit
  #exit
  # Bulk statistics: written to file 1 using the cf and cf-system schemas.
  bulkstats collection
  bulkstats mode
    file 1
      schema cf format %cf-ttlsub%,%cf-cursub%
      schema cf-system format CF,PDSNSystem,%date%,%time%,%cf-static-ratereq%,%cf-static-ratesucc%,%cf-static-rateblock%,%cf-static-ratefail%,%cf-static-ratefail-nr%,%cf-static-ratefail-notindb%,%cf-dyn-ratereq%,%cf-dyn-ratesucc%,%cf-dyn-rateblock%,%cf-dyn-ratefail%,%cf-cache-hits%,%cf-cache-misses%,%cf-cache-has-path-hits%,%cf-cache-flushes%,%cf-ratereq%,%cf-ratesucc%,%cf-rateblock%,%cf-ratefail%,%cf-cat-pkts-hit-summary%,%cf-cat-pkts-block-summary%
    #exit
  #exit
  #exit
  # Physical ports; VLAN sub-interfaces are bound to the context interfaces defined above.
  port ethernet 18/4
    no shutdown
    vlan 11
      no shutdown
      bind interface TEST_CLIENT test_src
    #exit
  #exit
  port ethernet 18/8
    no shutdown
    vlan 31
      no shutdown
      bind interface TEST_SERVER test_dest
    #exit
  #exit
  task facility sessmgr start aggressive
end