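Sample Personal Stateful Firewall Configuration
The following is a sample Personal Stateful Firewall configuration:

# Sample StarOS configuration: PDSN with active-charging, a stateful firewall
# (fw-and-nat policies base_1/base_2) and RADIUS/Diameter AAA. All addresses,
# keys and encrypted secrets below are placeholders for a sample listing.
#
# Fixes applied to the listing as published:
#   - "vexit" after ruledef rt_http corrected to "exit" (left the ruledef open)
#   - "packts" in edr-format nbr_format1 corrected to "pkts", matching the
#     sn-volume-amt lines in the same format
#   - missing "\n" restored in bulkstats schema sfw-total between the
#     injectedbytes and malpackets fields, which otherwise print on one line
#
# Still unresolved in this listing (not invented here, confirm against the full
# configuration): access-ruledef fw_tcp_port_3000, ip access-list css-1 and
# context isp1 are referenced but never defined.
configure
  # License key is a vendor-supplied placeholder; do not reuse.
  license key "\
VER=1|C1M=SanDiskSDJNJKL742749406|C1S=14J3KJI20|DOI=108|DOE=12\
SIG=MC4CFQCf9f7bAibGKJWqMd5XowxVwIVALIVgTVDsVAAogKe7fUHAEUTokw"
  aaa default-domain subscriber radius
  aaa last-resort context subscriber radius
  gtpp single-source
  system hostname ABCCH4
  autoconfirm
  clock timezone asia-calcutta
  crash enable encrypted url 123abc456def789ghi
  card 1
    mode active psc
  exit
  card 2
    mode active psc
  exit
  card 4
    mode active psc
  exit
  require session recovery
  require active-charging
  # Management context. SPIO1 carries the management address and default route.
  context local
    interface SPIO1
      ip address 1.2.3.4 255.255.255.0
    exit
    # NOTE(review): ftpd and telnetd are plaintext management services enabled
    # on the management context; sshd with the sftp subsystem is already
    # configured below. Remove or restrict them unless a legacy tool needs them.
    server ftpd
    exit
    ssh key 123abc456def789ghi123abc456def789ghi len 461
    server sshd
      subsystem sftp
    exit
    server telnetd
    exit
    subscriber default
    exit
    # Administrator account; the trailing "ftp" keyword grants it FTP access.
    administrator staradmin encrypted password 123abc456def789ghi ftp
    aaa group default
    exit
    gtpp group default
    exit
    ip route 0.0.0.0 0.0.0.0 2.3.4.5 SPIO1
  exit
  port ethernet 24/1
    no shutdown
    bind interface SPIO1 local
  exit
  ntp
    enable
    server 10.6.1.1
  exit
  snmp engine-id local 77777e66666a55555
  # Active-charging service: traffic classification, EDR/UDR formats,
  # rulebases and the firewall policies they reference.
  active-charging service service_1
    nat allocation-failure send-icmp-dest-unreachable
    p2p-dynamic-rules protocol all
    # Sample host pools. host1 overlaps the management address 1.2.3.4 above;
    # use distinct ranges in a real deployment.
    host-pool host1
      ip range 1.2.3.4 to 2.3.4.5
    exit
    host-pool host2
      ip range 3.4.5.6 to 4.5.6.7
    exit
    host-pool host3
      ip range 5.6.7.8 to 6.7.8.9
    exit
    ruledef ip_any
      ip any-match = TRUE
    exit
    # Routing ruledefs steer flows to protocol analyzers (see rulebases).
    ruledef rt_ftp
      tcp either-port = 21
      rule-application routing
    exit
    ruledef rt_ftp_data
      tcp either-port = 20
      rule-application routing
    exit
    ruledef rt_http
      tcp either-port = 80
      rule-application routing
    exit
    ruledef rt_rtp
      rtp any-match = TRUE
      rule-application routing
    exit
    ruledef rt_rtsp
      tcp either-port = 554
      rule-application routing
    exit
    # Firewall access-ruledefs: coarse per-protocol matches used by the
    # fw-and-nat policies below.
    access-ruledef fw_icmp
      icmp any-match = TRUE
    exit
    access-ruledef fw_tcp
      tcp any-match = TRUE
    exit
    access-ruledef fw_udp
      udp any-match = TRUE
    exit
    edr-format nbr_format1
      attribute sn-start-time format MM/DD/YYYY-HH:MM:SS priority 5
      attribute sn-end-time format MM/DD/YYYY-HH:MM:SS priority 10
      attribute radius-nas-ip-address priority 15
      attribute sn-correlation-id priority 20
      rule-variable ip subscriber-ip-address priority 25
      rule-variable ip server-ip-address priority 30
      attribute sn-subscriber-port priority 35
      attribute sn-server-port priority 40
      attribute sn-flow-id priority 45
      attribute sn-volume-amt ip bytes uplink priority 50
      attribute sn-volume-amt ip bytes downlink priority 55
      attribute sn-volume-amt ip pkts uplink priority 60
      attribute sn-volume-amt ip pkts downlink priority 65
      attribute sn-volume-amt tcp pkts downlink priority 66
      attribute sn-volume-amt tcp pkts uplink priority 67
      attribute sn-volume-amt tcp bytes downlink priority 68
      attribute sn-volume-amt tcp bytes uplink priority 69
      rule-variable ip protocol priority 70
      attribute sn-app-protocol priority 75
      attribute radius-user-name priority 80
      attribute radius-calling-station-id priority 85
      attribute sn-direction priority 90
      attribute sn-volume-dropped-amt ip bytes uplink priority 100
      attribute sn-volume-dropped-amt ip bytes downlink priority 110
      attribute sn-volume-dropped-amt ip pkts uplink priority 115
      attribute sn-volume-dropped-amt ip pkts downlink priority 120
      attribute sn-volume-dropped-amt tcp bytes uplink priority 130
      attribute sn-volume-dropped-amt tcp bytes downlink priority 140
      attribute sn-volume-dropped-amt tcp pkts uplink priority 155
      attribute sn-volume-dropped-amt tcp pkts downlink priority 160
    exit
    udr-format udr_format
      attribute sn-start-time format MM/DD/YYYY-HH:MM:SS localtime priority 1
      attribute sn-end-time format MM/DD/YYYY-HH:MM:SS localtime priority 2
      attribute sn-correlation-id priority 4
      attribute sn-content-vol bytes uplink priority 6
      attribute sn-content-vol bytes downlink priority 7
      attribute sn-fa-correlation-id priority 8
      attribute radius-fa-nas-ip-address priority 9
      attribute radius-fa-nas-identifier priority 10
      attribute radius-user-name priority 11
      attribute sn-content-vol pkts uplink priority 12
      attribute sn-content-vol pkts downlink priority 13
      attribute sn-group-id priority 14
      attribute sn-content-id priority 15
    exit
    # Inserts the rulebase name and subscriber IP as HTTP headers; the
    # subscriber address is exposed to upstream servers by this format.
    xheader-format header
      insert Stpid-1 variable bearer sn-rulebase
      insert Stpid-2 variable bearer subscriber-ip-address
    exit
    charging-action ca_nothing
      content-id 20
    exit
    bandwidth-policy bw1
    exit
    bandwidth-policy bw2
    exit
    rulebase base_1
      tcp packets-out-of-order timeout 30000
      tcp packets-out-of-order transmit after-reordering
      billing-records udr udr-format udr_format
      action priority 1 ruledef ip_any charging-action ca_nothing
      route priority 1 ruledef rt_ftp analyzer ftp-control
      route priority 10 ruledef rt_ftp_data analyzer ftp-data
      route priority 20 ruledef rt_rtsp analyzer rtsp
      route priority 30 ruledef rt_rtp analyzer rtp
      route priority 40 ruledef rt_http analyzer http
      rtp dynamic-flow-detection
      bandwidth default-policy bw1
      fw-and-nat default-policy base_1
    exit
    rulebase base_2
      action priority 1 ruledef ip_any charging-action ca_nothing
      route priority 1 ruledef rt_ftp analyzer ftp-control
      route priority 10 ruledef rt_ftp_data analyzer ftp-data
      route priority 40 ruledef rt_http analyzer http
      bandwidth default-policy bw2
      fw-and-nat default-policy base_2
    exit
    rulebase default
    exit
    # base_1: permits all TCP and UDP with DoS protections enabled. There is no
    # ICMP access-rule here, so ICMP is handled by the policy's default action,
    # which this listing does not show -- confirm it is deny if that is intended.
    fw-and-nat policy base_1
      access-rule priority 1 access-ruledef fw_tcp permit
      access-rule priority 2 access-ruledef fw_udp permit
      firewall dos-protection source-router
      firewall dos-protection winnuke
      firewall dos-protection mime-flood
      firewall dos-protection ftp-bounce
      firewall dos-protection ip-unaligned-timestamp
      firewall dos-protection tcp-window-containment
      firewall dos-protection teardrop
      firewall dos-protection flooding udp
      firewall dos-protection flooding icmp
      firewall dos-protection flooding tcp-syn
      firewall dos-protection port-scan
      firewall tcp-first-packet-non-syn reset
      firewall policy firewall-required
    exit
    # base_2: explicit ICMP deny; no dos-protection lines, unlike base_1.
    fw-and-nat policy base_2
      # NOTE(review): fw_tcp_port_3000 is not defined anywhere in this listing;
      # the rule opens reverse-direction port 5000 on a match, so the matching
      # ruledef must be defined before this policy is used.
      access-rule priority 5 access-ruledef fw_tcp_port_3000 permit trigger open-port 5000 direction reverse
      access-rule priority 10 access-ruledef fw_tcp permit
      access-rule priority 20 access-ruledef fw_udp permit
      access-rule priority 30 access-ruledef fw_icmp deny
      firewall policy firewall-required
    exit
    nat tcp-2msl-timeout 120
  exit
  # Subscriber-facing PDSN context.
  context pdsn
    interface pdsn
      ip address 11.22.33.44 255.255.255.0
      ip address 22.33.44.55 255.255.255.0 secondary
    exit
    ssh key 123abc456def789ghi123abc456def789ghi len 461
    server sshd
      subsystem sftp
    exit
    subscriber default
      # NOTE(review): css-1 is not defined in this listing; context isp defines
      # access-list "css" only.
      ip access-group css-1 in
      ip access-group css-1 out
      ip context-name isp
      mobile-ip send accounting-correlation-info
      active-charging rulebase base_1
    exit
    aaa group default
    exit
    gtpp group default
    exit
    pdsn-service pdsn
      # NOTE(review): all three SPIs share the same encrypted secret, and
      # timestamp-tolerance 0 presumably disables timestamp checking on the
      # peer association -- confirm against the platform reference.
      spi remote-address 1.1.1.1 spi-number 256 encrypted secret 5c4a38dc2ff61f72 timestamp-tolerance 0
      spi remote-address 2.2.2.2 spi-number 256 encrypted secret 5c4a38dc2ff61f72 timestamp-tolerance 0
      spi remote-address 3.3.3.3 spi-number 9999 encrypted secret 5c4a38dc2ff61f72 timestamp-tolerance 0
      # NOTE(review): allow-noauth lets sessions proceed without PPP
      # authentication; drop it unless unauthenticated access is required.
      authentication pap 1 chap 2 allow-noauth
      bind address 4.4.4.4
    exit
    edr-module active-charging-service
      file name NBR_nat current-prefix Record rotation time 45 headers edr-format-name
    exit
  exit
  # Internet-side context: the css access-list redirects all subscriber
  # traffic into active-charging service_1.
  context isp
    ip access-list css
      redirect css service service_1 ip any any
    exit
    ip pool pool1 5.5.5.5 255.255.0.0 public 0
    interface isp
      ip address 6.6.6.6 255.255.255.0
    exit
    subscriber default
    exit
    aaa group default
    exit
    gtpp group default
    exit
    ip route 0.0.0.0 0.0.0.0 7.7.7.7 isp
  exit
  # AAA context: RADIUS servers, domain-to-subscriber mapping, Diameter peer.
  context radius
    interface radius
      ip address 8.8.8.8 255.255.255.0
    exit
    subscriber default
    exit
    subscriber name ABC7-sub
      ip access-group css in
      ip access-group css out
      ip context-name isp
      active-charging rulebase base_1
    exit
    subscriber name ABC9-sub
      ip access-group css in
      ip access-group css out
      # NOTE(review): context isp1 is not defined in this listing (only isp).
      ip context-name isp1
      active-charging rulebase base_2
    exit
    domain ABC7.com default subscriber ABC7-sub
    domain ABC9.com default subscriber ABC9-sub
    radius change-authorize-nas-ip 77.77.77.77 encrypted key 123abc456def789ghi port 4000
    aaa group default
      radius attribute nas-ip-address address 99.99.99.99
      radius dictionary custom9
      # Shared secrets are placeholders; the accounting server address 8.8.8.8
      # is also this context's own interface address above.
      radius server 9.9.9.9 encrypted key 123abc456def789gh port 1645
      radius accounting server 8.8.8.8 encrypted key 123abc port 1646
    exit
    gtpp group default
    exit
    diameter endpoint acs-fire.star.com
      origin host acs-fire.star.com address 44.44.44.44
      peer minid realm star.com address 55.55.55.55
    exit
  exit
  # Bulk statistics for the stateful firewall, pushed to a remote receiver.
  bulkstats collection
  bulkstats mode
    sample-interval 1
    transfer-interval 15
    file 1
      remotefile format /localdisk/ABCCH4.bulkstat
      # NOTE(review): transfer uses plaintext FTP with a root login; prefer the
      # sftp mechanism and a dedicated low-privilege account if the receiver
      # supports it.
      receiver 66.66.66.66 primary mechanism ftp login root encrypted password 123abc456def789ghi
      context schema sfw-dir format "sfw-dir\nsfw-dnlnk-droppkts:%sfw-dnlnk-droppkts%\nsfw-dnlnk-dropbytes:%sfw-dnlnk-dropbytes%\nsfw-uplnk-droppkts:%sfw-uplnk-droppkts%\nsfw-uplnk-dropbytes:%sfw-uplnk-dropbytes%\nsfw-ip-discardpackets:%sfw-ip-discardpackets%\nsfw-ip-malpackets:%sfw-ip-malpackets%\nsfw-icmp-discardpackets:%sfw-icmp-discardpackets%\nsfw-icmp-malpackets:%sfw-icmp-malpackets%\nsfw-tcp-discardpackets:%sfw-tcp-discardpackets%\nsfw-tcp-malpackets:%sfw-tcp-malpackets%\nsfw-udp-discardpackets:%sfw-udp-discardpackets%\nsfw-udp-malpackets:%sfw-udp-malpackets%\n---------------------\n"
      context schema sfw-total format "sfw-total\nvpnname:%vpnname%\nvpnid:%vpnid%\nsfw-total-rxpackets:%sfw-total-rxpackets%\nsfw-total-rxbytes:%sfw-total-rxbytes%\nsfw-total-txpackets:%sfw-total-txpackets%\nsfw-total-txbytes:%sfw-total-txbytes%\nsfw-total-injectedpkts:%sfw-total-injectedpkts%\nsfw-total-injectedbytes:%sfw-total-injectedbytes%\nsfw-total-malpackets:%sfw-total-malpackets%\nsfw-total-dosattacks:%sfw-total-dosattacks%\nsfw-total-flows:%sfw-total-flows%\n---------------------\n"
    exit
  exit
  port ethernet 17/1
    no shutdown
    bind interface pdsn pdsn
  exit
  port ethernet 17/2
    no shutdown
    bind interface isp isp
  exit
  port ethernet 17/3
    no shutdown
    bind interface radius radius
  exit
  port ethernet 17/4
    no shutdown
  exit
  port ethernet 17/5
    no shutdown
  exit
end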