Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
action_priority must be an integer from 1 through 65535.
Important: When R7 Gx is enabled, “static-and-dynamic” rules behave exactly like “dynamic-only” rules. That is, they must be activated explicitly by the PCRF. When Gx is not enabled, “static-and-dynamic” rules behave exactly like static rules.
Important: This keyword is only available in StarOS 8.1 and StarOS 9.0 and later releases.
timedef_name must be the name of a timedef, and must be an alpha and/or numeric string of 1 through 63 characters in length.
Important: The time considered for timedef matching is the system’s local time.
ruledef_name must be the name of an existing ruledef, and must be an alpha and/or numeric string of 1 through 63 characters in length.
Important: If the ruledef specified here is deleted or is not configured, the system accepts it without applying any ruledef under current rulebase for this action priority.
group_name must be the name of an existing group-of-ruledefs, and must be an alpha and/or numeric string of 1 through 63 characters in length.
Important: If the group-of-ruledefs specified here is deleted or is not configured, the system accepts it without applying any ruledefs under current rulebase for this action priority.
charging-action charging_action_name
charging_action_name must be the name of an existing charging action, and must be an alpha and/or numeric string of 1 through 63 characters in length.
Important: If the charging action specified here is deleted or not configured, the system accepts it without applying any charging action under current rulebase for this action priority.
monitoring-key monitoring_key
monitoring_key must be an integer from 1 through 4000000000.
description must be an alpha and/or numeric string of 1 through 63 characters in length.
The following command assigns a rule and action with the action priority of 23, a ruledef of test, and a charging action of test1 to the current rulebase:
policy must be an alpha and/or numeric string of 1 through 63 characters in length.
Important: In the GGSN, if in the APN configuration the “accounting-mode” is set to “none”, the system continues to send ACS-generated RADIUS accounting messages. In the PDSN, if in the subscriber default configuration the “accounting-mode” is set to “none”, the system does not send any RADIUS accounting messages (including ACS accounting messages).
udr udr-format udr_format_name
udr_format_name must be the name of an existing UDR format, and must be a string of 1 through 63 characters in length.
duration specifies charging time in seconds and must be an integer from 1 through 4,294,967,295.
charging_unit specifies service-specific charging unit and must be an integer from 1 through 4,000,000,000.
volume { cc-input-octets bytes | cc-output-octets bytes | cc-total-octets bytes } +
cc-input-octets: Specifies input charging octets.
cc-output-octets: Specifies output charging octets.
cc-total-octets: Specifies total charging octets.
bytes: Specifies volume in bytes, and must be an integer from 1 to 4,000,000,000.
holding-time holding_time
holding_time must be an integer from 1 to 4000000000.
After holding_time seconds have passed without user traffic, the quota is reported back and the charging stops until new traffic starts.
cont_id is the specified content id for credit control service in an active charging service and must be an integer from 0 through 4,294,967,295.
retry-time retry_time [ max-retries retries ]
retry_time must be an integer from 0 to 86400. To disable this assign 0.
The max-retries retries option configures the maximum number of retries allowed for blacklisted categories. The default maximum is 65535 retries.
retries must be an integer from 1 through 65535. To disable this assign 0.
The cca quota retry time allows the operator to set the amount of time that the ACS waits before it retries the prepaid server for a content ID for which quota was exhausted earlier.
seconds must be an integer from 1 through 4,294,967,295.
When used along with consumed-time it indicates the active usage + idle time, when no traffic flow occurs.
seconds must be an integer from 1 through 4294967295.
seconds must be an integer from 1 through 4294967295.
content_id is the specified content ID for credit control service in an active charging service, and must be an integer from 1 through 65535.
If the operator chooses parking-meter seconds style charging, then time is billed in seconds chunks.
The following command sets time duration to 400 seconds for prepaid credit control time duration algorithm:
interval must be an integer from 0 through 3600.
group_name must be an alpha and/or numeric string of 1 through 63 characters in length.
The following command defines RADIUS charging context prepaid_rad1 for RADIUS prepaid charging in a rulebase:
password without encryption must be an alpha and/or numeric string of 1 through 63 characters, and when encrypted must be alpha and/or numeric string of 1 through 127 characters in length.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
The following command defines the user password user_123 without encryption for a prepaid service subscriber with RADIUS charging in a rulebase.
bandwidth-policy bandwidth_policy
bandwidth_policy specifies the bandwidth policy name, and must be a string of 1 through 63 characters in length.
cbb_policy specifies the CBB policy name, and must be a string of 1 through 63 characters in length.
Important: This keyword is customer-specific.
fw_policy specifies the Firewall policy name, and must be a string of 1 through 63 characters in length.
Important: This keyword is customer specific, and is only available in StarOS 8.1.
fw_nat_policy specifies the Firewall-and-NAT policy name, and must be a string of 1 through 63 characters in length.
cf_policy_id must be the ID of an existing Content Filtering Category Policy, and must be an integer from 1 through 4294967295.
Important: In case the specified Content Filtering Category Policy does not exist, all packets will be passed regardless of the categories/actions determined for such packets.
Important: The category policy ID configured using the category policy-id cf_policy_id command in the APN/Subscriber Configuration mode prevails over this configuration.
static-only: Configures Content Filtering mode as Static only. Compares all URLs against the internal database to determine the category or categories of the requested content.
Use of this category-based content filtering support requires configuration of the require active-charging content-filtering category CLI command in the Global Configuration mode.
static-and-dynamic: Configures Content Filtering mode as Static-and-Dynamic, wherein static rating of the URL is performed first, and dynamic rating of the content that the server returns is performed only if the static rating fails to find a match.
Important: Before enabling static-and-dynamic rating in the rulebase, it must be enabled at the global level as the resources required for dynamic rating are allocated at the global level. To enable static-and-dynamic rating at the global level, in the Global Configuration Mode, use the require active-charging content-filtering category static-and-dynamic CLI command.
server-group cf_server_group
cf_server_group specifies the name of a pre-configured unique content filtering server group in Content Configuration Mode, and must be an alpha and/or numeric string of 1 through 63 characters in length.
• always-first: If this option is configured, then all the dynamic rules are matched against the flow prior to any static rule.
• first-if-tied: If this option is configured, then rules are matched against the flow based on their priority with condition that dynamic rules match before a static rule of the same priority.
Default: no edr suppress-zero-byte-records
Important: This command is only available in StarOS 8.1 and StarOS 9.0 and later.
Default: same as no edr transaction-complete
edr_format must be an alpha and/or numeric string of 1 through 63 characters in length.
Default: no edr voip-call-end
edr-format edr_format_name
edr_format_name must be an existing EDR format’s name, and must be a string of 1 through 63 characters in length.
Description: This command is obsolete. It is included in the CLI for backward compatibility with older configuration files. When executed, it performs no function. Use the egcdr threshold interval interval [ regardless-of-other-triggers ] command for this functionality.
interval must be an integer from 60 through 400,00,000.
• downlink bytes - Sets the limit for the number of octets downlink after which the eG-CDR is closed. bytes (in bytes) must be an integer from 10,000 through 400,000,000. Default is 400,000,000.
• total bytes - Sets the limit for the total number of octets (uplink+downlink) after which the eG-CDR is closed. bytes (in bytes) must be an integer from 10,000 through 400,000,000. This configuration is disabled by default.
• uplink bytes - Sets the limit for the number of octets uplink after which the eG-CDR is closed. bytes (in bytes) must be an integer from 10,000 through 400,000,000. Default is 400,000,000.
minute must be an integer from 0 through 59.
Specifies the hour of the day. hour must be an integer from 0 through 23.
interval interval [ regardless-of-other-triggers ]
regardless-of-other-triggers: This option enables the eG-CDR generation at the fixed time interval irrespective of any other eG-CDR triggers that may have happened in between.
• downlink bytes - Sets the limit for the number of octets downlink after which the eG-CDR is closed. bytes (in bytes) must be an integer from 100,000 through 4,000,000,000. Default is 4,000,000,000.
• total bytes - Sets the limit for the total number of octets (uplink+downlink) after which the eG-CDR is closed. bytes (in bytes) must be an integer from 100,000 through 4,000,000,000. This configuration is disabled by default.
• uplink bytes - Sets the limit for the number of octets uplink after which the eG-CDR is closed. bytes (in bytes) must be an integer from 100,000 through 4,000,000,000. Default is 4,000,000,000.
consumed-time con_time [ plus-idle ]
con_time must be an integer from 1 through 4,294,967,295.
plus-idle: Defines the idle time between arrival of two packets to include in time usage record in eG-CDR.
When used along with consumed-time it indicates the active usage + idle time, when no traffic flow occurs.
ctp_time sets the duration in seconds to start a counter on arrival of the first packet and thereafter include only those periods in charging in which one or more packets arrived. For periods in which no packets arrived or no traffic was detected, no usage is computed.
ctp_time must be an integer from 1 through 4294967295.
seconds must be an integer from 1 through 4294967295.
consumed-time in above scenario calculates the time duration as (T2 – T1) + (T4 – T3) where
consumed-time with plus-idle calculates the time duration as (T2 – T1) + I + (T4 – T3) + I or (T4 – T1).
Default: no extract-host-from-uri
Important: Applying the extract-host-from-uri command a second time will overwrite the previous configuration. For example, if you apply the command extract-host-from-uri http wsp http, and then apply the command extract-host-from-uri http wsp, extraction of host from URI will happen only for WSP analyzer.
waiver_percent must be an integer from 0 through 1000.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
• icmp: Enables protection against ICMP Flood attack
• tcp-syn: Enables protection against TCP Syn Flood attack
• udp: Enables protection against UDP Flood attack
Important: The DoS attacks are detected only in the downlink direction.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
• icmp: Configuration for ICMP protocol.
• tcp-syn: Configuration for TCP-SYN packet limit.
• udp: Configuration for UDP protocol.
packets must be an integer from 1 through 4294967295.
interval must be an integer from 1 through 60.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
packet_size must be an integer from 30000 through 65535.
• icmp: Configuration for ICMP protocol.
• non-icmp: Configuration for protocols other than ICMP.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
max_limit must be an integer from 1 through 256.
max_size must be an integer from 1 through 8192.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later, for Policy-based Firewall-and-NAT configuration, use the access-rule no-ruledef-matches command available in the Firewall-and-NAT Policy Configuration Mode.
downlink: Downlink packets with no Firewall ruledef match.
uplink: Uplink packets with no Firewall ruledef match.
action { deny [ charging-action charging_action ] | permit [ bypass-nat | nat-realm nat_realm ] }
permit [ bypass-nat | nat-realm nat_realm ]: Permit packets. Optionally specify:
Important: The bypass-nat keyword is only available in StarOS 8.3 and later.
• bypass-nat: Specifies to bypass Network Address Translation (NAT).
• nat-realm nat_realm: Specifies a NAT realm to be used for performing NAT on subscriber packets. nat_realm must be an alpha and/or numeric string of 1 through 31 characters in length.
Important: If neither bypass-nat nor nat-realm is configured, NAT is performed if the nat policy nat-required CLI command is configured with the default-nat-realm option.
deny [ charging-action charging_action ]: Deny specified packets.
Optionally, a charging action can be specified. charging_action must be the name of a charging action, and must be a string of 1 through 63 characters in length.
Important: In StarOS 8.0, this command is available in the APN/Subscriber Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
Important: In StarOS 8.1 and StarOS 9.0 and later, for Policy-based Firewall-and-NAT configuration, use the access-rule priority command available in the Firewall-and-NAT Policy Configuration Mode.
firewall priority priority [ dynamic-only | static-and-dynamic ] firewall-ruledef firewall_ruledef { { deny [ charging-action charging_action ] } | { permit [ nat-realm nat_realm | [ trigger open-port { aux_port_number | range start_port_number to end_port_number } direction { both | reverse | same } ] ] } }
priority must be unique, and must be an integer from 1 through 65535.
dynamic-only: Firewall Dynamic Ruledef—Predefined ruledef that can be enabled/disabled by the policy server, and is disabled by default.
static-and-dynamic: Firewall Static and Dynamic Ruledef—Predefined ruledef that can be disabled/enabled by the policy server, and is enabled by default.
firewall_ruledef must be the name of a predefined firewall ruledef, and must be a string of 1 through 63 characters in length.
charging_action must be a string of 1 through 63 characters in length.
permit [ nat-realm nat_realm | [ bypass-nat ] [ trigger open-port { aux_port_number | range start_port_number to end_port_number } ] ]
nat-realm nat_realm: Specifies the NAT realm to be used for performing NAT on subscriber packets matching the firewall ruledef.
nat_realm specifies the NAT realm name, and must be a string of 1 through 31 characters in length.
bypass-nat: Specifies that packets bypass Network Address Translation (NAT).
Important: If the nat-realm is not configured, NAT is performed if the nat policy nat-required CLI command is configured with the default-nat-realm option.
trigger open-port { aux_port_number | range start_port_number to end_port_number }: Permits packets if the rule is matched, and allows the creation of data flows for firewall. Optionally a port trigger can be specified to be used for this rule to limit the range of auxiliary data connections (a single or range of port numbers) for protocols having control and data connections (like FTP). The trigger port will be the destination port of an association which matches a rule.
aux_port_number: Specifies the number of auxiliary ports to open for traffic, and must be an integer from 1 through 65535.
range start_port_number to end_port_number: Specifies the range of ports to open for subscriber traffic.
start_port_number must be an integer from 1 through 65535. This is the start of the port range and must be less than end_port_number.
end_port_number must be an integer from 1 through 65535. This is the end of the port range and must be greater than start_port_number.
both: Provides the trigger to open port for traffic in either direction of the control connection.
reverse: Provides the trigger to open port for traffic in the reverse direction of the control connection (from where the connection is initiated).
same: Provides the trigger to open port for traffic in the same direction of the control connection (from where the connection is initiated).
Important: For firewall ruledefs, only the terminate-flow action is applicable if configured in the specified charging action.
The following command assigns a priority of 10 to the firewall ruledef fw_rule1, adds it to the rulebase, and permits port trigger to be used for the rule to open ports in the range of 100 to 200 in either direction of the control connection:
firewall priority 10 firewall-ruledef fw_rule1 permit trigger open-port range 100 to 200 direction both
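The limits documented above for firewall priority (a unique priority from 1 through 65535, name lengths, port range ordering, direction values) can be checked before a rulebase is loaded. The following Python linter is an added example, not Cisco code; the function names and every sample line other than the fw_rule1 command are constructed for illustration, and the direction clause is treated as optional because the page shows the permit syntax both with and without it.

```python
from collections import deque

PORT = (1, 65535)
DIRECTIONS = {"both", "reverse", "same"}


def _take(q):
    """Pop the next token, or None when the line has run out."""
    return q.popleft() if q else None


def _is_int(tok, lo, hi):
    return tok is not None and tok.isascii() and tok.isdigit() and lo <= int(tok) <= hi


def _is_name(tok, max_len):
    return tok is not None and 1 <= len(tok) <= max_len


def _check_trigger(q):
    """Validate: open-port { N | range A to B } [ direction D ]."""
    if _take(q) != "open-port":
        return ["trigger must be followed by open-port"]
    msgs = []
    tok = _take(q)
    if tok == "range":
        start, to, end = _take(q), _take(q), _take(q)
        if to != "to" or not (_is_int(start, *PORT) and _is_int(end, *PORT)):
            msgs.append("range needs <start> to <end>, each from 1 through 65535")
        elif int(start) >= int(end):
            msgs.append("start_port_number must be less than end_port_number")
    elif not _is_int(tok, *PORT):
        msgs.append("aux_port_number must be an integer from 1 through 65535")
    if q and q[0] == "direction":
        q.popleft()
        if _take(q) not in DIRECTIONS:
            msgs.append("direction must be both, reverse or same")
    return msgs


def _check_rule(q):
    """Validate everything after the priority value."""
    tok = _take(q)
    if tok in ("dynamic-only", "static-and-dynamic"):
        tok = _take(q)
    if tok != "firewall-ruledef" or not _is_name(_take(q), 63):
        return ["expected firewall-ruledef <name of 1 through 63 characters>"]
    msgs = []
    action = _take(q)
    if action == "deny":
        if q and (_take(q) != "charging-action" or not _is_name(_take(q), 63)):
            msgs.append("deny accepts only charging-action <name of 1 through 63 characters>")
        if q:
            msgs.append("unexpected tokens after deny clause")
    elif action == "permit":
        while q:
            kw = _take(q)
            if kw == "bypass-nat":
                continue
            if kw == "nat-realm":
                if not _is_name(_take(q), 31):
                    msgs.append("nat_realm must be 1 through 31 characters")
            elif kw == "trigger":
                msgs += _check_trigger(q)
            else:
                msgs.append(f"unexpected token {kw!r} after permit")
                break
    else:
        msgs.append("action must be deny or permit")
    return msgs


def check_firewall_lines(lines):
    """Return (line_number, message) pairs for lines that break a documented limit."""
    findings, seen = [], {}
    for n, raw in enumerate(lines, 1):
        tokens = raw.split()
        if tokens[:2] != ["firewall", "priority"]:
            continue  # not a firewall priority line
        q = deque(tokens[2:])
        prio = _take(q)
        if not _is_int(prio, 1, 65535):
            findings.append((n, "priority must be an integer from 1 through 65535"))
        elif int(prio) in seen:
            findings.append((n, f"priority {prio} is not unique (first used on line {seen[int(prio)]})"))
        else:
            seen[int(prio)] = n
        findings += [(n, m) for m in _check_rule(q)]
    return findings


# Constructed sample: line 1 is the page's own example, the rest are made up.
SAMPLE = """\
firewall priority 10 firewall-ruledef fw_rule1 permit trigger open-port range 100 to 200 direction both
firewall priority 10 firewall-ruledef fw_rule2 deny charging-action drop_ca
firewall priority 20 static-and-dynamic firewall-ruledef fw_rule3 permit trigger open-port range 2000 to 1000 direction same
firewall priority 70000 firewall-ruledef fw_rule4 permit nat-realm realm1
firewall priority 30 firewall-ruledef fw_rule5 permit trigger open-port 21 direction sideways
""".splitlines()

if __name__ == "__main__":
    for line_no, message in check_firewall_lines(SAMPLE):
        print(f"line {line_no}: {message}")
```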
Important: In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
drop: Drops the packet or session
Important: In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
drop: Drops the packet or session
Important: This command is only available in StarOS 8.3 and later. In StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 9.0 and later, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
Default: The same as no firewall tcp-reset-message-threshold
messages must be an integer from 1 through 100.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
• none: Disables TCP SYN flood intercept feature.
• watch: Configures TCP SYN flood intercept feature in watch mode. The firewall passively watches to see if TCP connections become established within a configurable interval. If connections are not established within the timeout period, the firewall clears the half-open connections by sending RST to TCP client and server. The default watch-timeout for connection establishment is 30 seconds.
• aggressive: Configures TCP SYN flood Intercept or Watch feature for aggressive behavior. Each new connection request causes the oldest incomplete connection to be deleted. When operating in watch mode, the watch timeout is reduced by half. If the watch-timeout is 30 seconds, under aggressive conditions it becomes 15 seconds. When operating in intercept mode, the retransmit timeout is reduced by half (i.e. if the timeout is 60 seconds, it is reduced to 30 seconds). Thus the amount of time waiting for connections to be established is reduced by half (i.e. it is reduced to 150 seconds from 300 seconds under aggressive conditions).
watch-timeout intercept_watch_timeout
intercept_watch_timeout must be an integer from 5 through 30.
charging-action charging_action
Important: The charging action specified here should preferably not be used for action on packets dropped due to firewall ruledef match or no-match (in the firewall priority and firewall no-ruledef-matches commands) and the content ID within the charging action must be unique so that dropped counts will not interfere with other content IDs.
charging_action must be the name of a charging action, and must be a string of 1 through 63 characters in length.
If the charging action applied on a packet is the one specified in the flow any-error charging-action command, flow statistics are updated and action is taken as configured in the charging action:
The following command specifies the charging action test2 for accounting action on packets dropped/discarded by Firewall due to any error:
In this command, the optional keyword charge-to-application is deprecated and has no effect.
Default: The same as no flow control-handshaking.
Specifies to create an EDR with format named edr_format when a category-based content filtering application action leads to a flow end. Possible content-filtering actions are redirect-url, terminate-flow, and content-insert.
Specifies to create an EDR with format named edr_format when a flow ends due to session handoff according to Interchassis Session Recovery support.
Specifies to create an EDR with format named edr_format when a flow ends due to hand-off. Whenever a handoff occurs, ACS closes the EDRs for all current flows using the EDR format edr_format, and begins new statistics collection for the flows for the EDRs that will be generated when the flows actually end.
Specifies to create an EDR when a subscriber session ends. With this option, ACS creates an EDR with format named edr_format for every flow that has had any activity since the last EDR was created for the flow on session end.
Specifies to create an EDR with format named edr_format when a flow ends or is deleted due to a timeout condition.
Important: This keyword is only available in StarOS 8.3 and later, and is only applicable when used with the hagr, handoff, and session-end keywords.
Specifies to create an EDR with format named edr_format when URL Blacklisting application action leads to a flow end.
edr_format is a pre-configured format, and must be a unique alpha and/or numeric string 1 through 63 characters in length.
limit must be an integer from 1 through 4000000000.
limit must be an integer from 1 through 4000000000.
limit must be an integer from 1 through 4000000000.
Exempted flows: System exempts all the other flows specified with the flow limit-for-flow-type command in the Charging Action Configuration Mode set to no.
Important: This command is only available in StarOS 8.1 and StarOS 9.0 and later. This command must be used to configure the Policy-based Firewall-and-NAT feature.
fw_nat_policy must be an alpha and/or numeric string of 1 through 63 characters in length.
For more information, see the Personal Stateful Firewall Administration Guide.
Specifies the user-configured timeout value for holding fragmented packets before reassembly. timeout_duration is the duration, in milliseconds, and must be an integer from 100 through 30000.
Important: This command is only available in StarOS 8.3. In StarOS 9.0 this command is available in the Firewall-and-NAT Policy Configuration Mode.
edr_format must be an alpha and/or numeric string of 1 through 63 characters in length.
The following command configures an EDR format named test123 and specifies generating NAT binding record when a port chunk is allocated, and when a port chunk is released:
Important: In StarOS 8.1 and StarOS 9.0 and later, for Policy-based Firewall-and-NAT, this command is available in the Firewall-and-NAT Policy Configuration Mode.
Important: Before enabling NAT processing for a subscriber, Firewall must be enabled for the subscriber. See the firewall policy CLI command.
Important: This keyword is only available in StarOS 8.3 and later.
realm_name must be an alpha and/or numeric string of 1 through 31 characters in length.
Important: Including the default NAT realm, a maximum of three NAT realms are supported.
Important: This command is customer-specific. For more information please contact your local service representative. In StarOS 9.0, this command is available in the Firewall-and-NAT Policy Configuration Mode.
Default: no p2p dynamic-flow-detection
Important: This command is only available in StarOS 8.3 and later.
post-processing priority priority { group-of-ruledefs group_name | ruledef ruledef_name } charging-action charging_action_name [ description description ]
priority must be an integer from 1 through 65535, and must be unique.
group_name must be the name of a group-of-ruledefs, and must be an alpha and/or numeric string of 1 through 63 characters in length.
Important: The group-of-ruledefs specified must be configured for post-processing. See the group-of-ruledefs-application CLI command in the Group-of-Ruledefs Configuration mode.
ruledef_name must be an alpha and/or numeric string of 1 through 63 characters in length.
Important: The ruledef specified must be configured for post-processing. See the rule-application CLI command in the Ruledef Configuration mode.
charging-action charging_action_name
charging_action_name must be an alpha and/or numeric string of 1 through 63 characters in length.
description must be an alpha and/or numeric string of 1 through 31 characters in length.
The following command configures the ruledef named test_ruledef with a priority of 10, and the charging action named test_ca for post processing:
group_name must be an alpha and/or numeric string of 1 through 63 characters in length.
ruledef_name must be an alpha and/or numeric string of 1 through 63 characters in length.
charging-action charging_action
charging_action must be an alpha and/or numeric string of 1 through 63 characters in length.
description must be an alpha and/or numeric string of 1 through 31 characters in length.
The following command specifies the ruledef named test_rule as a dynamic post-processing ruledef configured with the charging action ca13 and a description of testing:
Important: This command is controlled by the dynamic-qos-renegotiation license.
timeout must be the timeout period, in seconds, and must be an integer from 0 through 4294967295.
volume must be an integer from 100,000 to 4,000,000,000.
route priority route_priority ruledef ruledef_name analyzer { dns | file-transfer | ftp-control | ftp-data | http | imap | mms | p2p | pop3 | pptp | rtcp | rtp | rtsp | sdp | secure-http | sip [ advanced ] | smtp | tftp | wsp-connection-less | wsp-connection-oriented } [ description description ]
route_priority must be an integer from 1 through 65535.
ruledef_name specifies the name of an existing ruledef configured for the route application using the rule-application command in the Ruledef Configuration Mode.
• dns: Route to DNS protocol analyzer.
• ftp-data: Route to FTP data protocol analyzer.
• http: Route to HTTP protocol analyzer.
• imap: Route to IMAP protocol analyzer.
• mms: Route to MMS protocol analyzer.
• p2p: Route to the P2P protocol analyzer.
• pop3: Route to POP3 protocol analyzer.
• pptp: Route to PPTP protocol analyzer.
• rtcp: Route to RTCP protocol analyzer.
• rtp: Route to RTP protocol analyzer.
• rtsp: Route to RTSP protocol analyzer.
• sdp: Route to SDP protocol analyzer.
Also, see firewall nat-alg CLI command in the ACS Configuration Mode.
• tftp: Route to TFTP protocol analyzer.
• smtp: Route to SMTP protocol analyzer.
Important: To route packets to the P2P analyzer, the ruledef should have rules to match all IP packets. Otherwise, the analyzer may not detect all P2P traffic.
Important: Use the show active-charging analyzer statistics command in the Exec Mode to see the list of supported analyzers.
description must be an alpha and/or numeric string of 1 through 63 characters in length.
FTP and the command name is retr or stor; or, HTTP and the request method is get or post.
WSP content type is application/vnd.wap.mms-message; or, WSP uri contains “ mms”; or, HTTP content type is application/vnd.wap.mms-message; or, HTTP uri contains “ mms”.
Use the p2p dynamic-flow-detection CLI command to enable detection of the different P2P applications specified by the p2p application CLI command; that will cause every TCP or UDP packet to be automatically routed here
route priority 23 ruledef test analyzer test_analyzer description route_test1
Default: no rtp dynamic-flow-detection
Default: no ruledef-parsing ignore-port-numbers-embedded-in-application-headers analyzers { http rstp sip wsp }—not ignoring port numbers that are embedded in application headers
seconds must be an integer from 1 through 20.
Important: This command is only available in StarOS 8.1 and later releases.
tcp mss tcp_mss { add-if-not-present | limit-if-present } +
tcp_mss must be an integer from 496 through 65535.
tcp mss 3000 limit-if-present add-if-not-present
Description: This command has been deprecated, and is replaced by the tcp packets-out-of-order command.
Specifies the timeout period for re-assembly of TCP out-of-order packets. duration_ms is the timeout period in milliseconds, and must be an integer from 100 through 30000.
• after-reordering: Sends the TCP out-of-order segment after all packets are received and successfully reordered. If reordering is not successful due to a timeout, the received packets are forwarded without being passed through the protocol analyzers. If memory allocation fails or the received packet is partial retransmitted data, the packet will be forwarded immediately without being passed through the protocol analyzers, except for the IP analyzer.
• immediately: Sends the TCP out-of-order segment immediately after buffering a copy. The packets are transmitted as they are received without any in-line services or charging action processing, but also a copy of each packet is held onto. When the missing packet is received, complete deep packet inspection of all the packets and all relevant in-line services is done, and then the last packet is forwarded.
Default: transport-layer-checksum verify-during-packet-inspection—to perform the checksum verification calculation on all TCP and UDP packets.
Default: no udr threshold interval; no udr threshold volume—disables the UDR threshold settings.
interval must be an integer from 60 through 40000000.
• downlink bytes: Sets the limit for the number of octets downlink after which the UDR is closed. bytes (in bytes) must be an integer from 100,000 to 4,000,000,000. Default is 4,000,000,000.
• total bytes: Sets the limit for the total number of octets (uplink+downlink) after which the UDR is closed. bytes (in bytes) must be an integer from 100,000 to 4,000,000,000. By default, this configuration is disabled.
• uplink bytes: Sets the limit for the number of octets uplink after which the UDR is closed. bytes (in bytes) must be an integer from 100,000 through 4,000,000,000. Default is 4,000,000,000.
Important: This command is only available in StarOS 8.3 and later.
url specifies the redirect URL/URI.
url must be a fully qualified URL/URI, and must be a string of 1 through 1023 characters in length.
reply_code specifies the reply code, and must be an integer from 100 through 599.
Important: This command is customer specific. For more information, please contact your local service representative.
group_name must be an alpha and/or numeric string of 1 through 63 characters in length.
Description: This command has been deprecated, and is replaced by the wtp packets-out-of-order command.
timeout is the timeout duration in milliseconds, and must be an integer from 100 through 30000.
after-reordering: Send WTP out-of-order segment after it becomes ordered
immediately: Send WTP out-of-order segment immediately after buffering a copy
If after-reordering transmitting is specified, the packets are held onto and reordered. After successfully reordering the packets, they are processed in the proper order. If reordering is not successful due to timeout (wtp out-of-order-timeout), the received packets are forwarded without being passed through the protocol analyzers.
If immediately is specified, the packets are transmitted as they are received without any in-line services or Charging Action processing; however, a copy of each packet is retained. When the missing packet is received, complete deep packet inspection of all the packets and all relevant in-line services is undertaken, and then the last packet is forwarded (unless otherwise configured by the in-line services or Charging Action).
Important: This command is license dependent. For more information, please contact your local sales representative.
certificate-name certificate_name
certificate_name must be the name of a certificate, and must be an alpha and/or numeric string of 1 through 63 characters in length.
period specifies the re-encryption time period in minutes, and must be an integer from 1 through 10000.