Active Charging Service Configuration Mode Commands


The Active Charging Service (ACS) Configuration Mode is used to manage active charging service configurations. ACS provides flexible, differentiated, and detailed billing to subscribers through Layer 3 through Layer 7 packet inspection and the ability to integrate with back-end billing mediation systems.
 
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
access-ruledef
This command enables creating/configuring/deleting access ruledefs.
Important: This command is only available in StarOS 8.1, and must be used to configure the Policy-based Stateful Firewall and NAT features.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
access-ruledef ruledef_name [ -noconfirm ]
no access-ruledef ruledef_name
no
Removes the specified access ruledef.
ruledef_name
Specifies the access ruledef name.
ruledef_name must be a string of 1 through 63 characters in length, and can contain punctuation characters.
If the named access ruledef does not exist, it is created, and the CLI mode changes to the Firewall Ruledef Configuration Mode wherein the ruledef can be configured.
If the named access ruledef already exists, the CLI mode changes to the Firewall Ruledef Configuration Mode wherein the ruledef can be configured.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete an access ruledef. A ruledef contains different conditions/criteria to permit, drop, or reject a packet/connection/traffic based on one or more parameters. The ruledef name must be unique within the service. Host pool, port map, IMSI pool, and firewall, routing, and charging ruledefs must have unique names.
Important: An access ruledef can be referenced by multiple firewall rulebases.
Important: The access ruledefs are different from the ACS ruledefs.
Example
The following command creates an access ruledef named ruledef1, and enters the Firewall Ruledef Configuration Mode:
access-ruledef ruledef1
 
bandwidth-policy
This command enables creating/configuring/deleting a bandwidth policy.
Product
ECS
Privilege
Security Administrator, Administrator
Syntax
bandwidth-policy policy_name [ -noconfirm ]
no bandwidth-policy policy_name
no
Removes the specified bandwidth policy.
policy_name
Specifies the bandwidth policy name.
policy_name must be an alpha and/or numeric string of 1 through 63 characters in length.
If the named bandwidth policy does not exist, it is created, and the CLI mode changes to the Bandwidth Policy Configuration Mode wherein the bandwidth policy can be configured.
If the named bandwidth policy already exists, the CLI mode changes to the Bandwidth Policy Configuration Mode wherein the bandwidth policy can be configured.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete a bandwidth policy.
Example
The following command creates a bandwidth policy named test73, and enters the Bandwidth Policy Configuration mode:
bandwidth-policy test73
 
buffering-limit
This command sets the flow- or session-based packet buffering configuration.
Product
ECS
Privilege
Security Administrator, Administrator
Syntax
buffering-limit { flow-max-packets number | subscriber-max-packets number }
{ default | no } buffering-limit { flow-max-packets | subscriber-max-packets }
default
Sets the default value for the specified buffering limit configuration.
Default: no limit, other than the maximum amount of available memory
no
Removes the specified buffering limit configuration.
flow-max-packets number
Specifies the maximum number of packets that can be buffered per flow.
number must be an integer from 1 through 255.
subscriber-max-packets number
Specifies the maximum number of packets that can be buffered per subscriber.
number must be an integer from 1 through 255.
Usage
Use this command to configure the limits for buffering packets sent by a subscriber, while it is waiting for a response from the Diameter server. Packets need to be buffered for various reasons, such as, waiting for Credit Control Authorization or waiting for the result of a content filtering rating request.
Example
The following command sets the buffering limit per flow to 55:
buffering-limit flow-max-packets 55
 
charging-action
This command enables creating/configuring/deleting a charging action in the current Active Charging Service.
 
Important: A maximum of 2048 charging actions can be configured in an Active Charging Service.
Product
ECS
Privilege
Security Administrator, Administrator
Syntax
[ no ] charging-action charging_action_name [ -noconfirm ]
no
Removes the specified charging action.
charging_action_name
Specifies the charging action name.
charging_action_name must be an alpha and/or numeric string of 1 through 63 characters in length, and can contain punctuation characters.
If the named charging action does not exist, it is created, and the CLI mode changes to the Charging Action Configuration Mode wherein the charging action can be configured.
If the named charging action already exists, the CLI mode changes to the Charging Action Configuration mode wherein the charging action can be configured.
The charging action name must be unique for a given Active Charging Service. Up to 2048 charging actions can be configured in a system across all Active Charging services.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete a charging action in the current Active Charging Service.
A charging action represents actions to be taken when a configured rule is matched. Actions could range from generating an accounting record (e.g., an EDR) to dropping the IP packet, etc. The charging action will also determine the metering principle—whether to count retransmitted packets and which protocol field to use for billing (L3/L4/L7 etc).
Example
The following command creates a charging action named action123:
charging-action action123
 
content-filtering category match-method
This command sets the match method to look up URLs in the Category-based Content Filtering database.
Product
CF
Privilege
Security Administrator, Administrator
Syntax
content-filtering category match-method { exact | generic }
default content-filtering category match-method
default
Sets the default match method.
Default: Generic
exact
Specifies the exact-match method, wherein URLs are rated only on exact match with URLs present in the Category-based Content Filtering database.
generic
Specifies the generic-match method, wherein normalization, multi-lookups, rollback algorithms are applied to URLs during look up, and URLs are rated on generic match with URLs present in the Category-based Content Filtering database.
Usage
Use this command to set the match method to look up URLs in the Category-based Content Filtering database.
Example
The following command sets the exact-match method to look up URLs in the Category-based Content Filtering database:
content-filtering category match-method exact
 
content-filtering category policy-id
This command enables creating/configuring/deleting Content Filtering Category Policies for Category-based Content Filtering support.
Important: A maximum of 64 Content Filtering Category Policies can be configured in an Active Charging Service.
Product
CF
Privilege
Security Administrator, Administrator
Syntax
content-filtering category policy-id cf_policy_id [ description [ description_string ] ] [ -noconfirm ]
no content-filtering category policy-id cf_policy_id
no
Deletes the specified Content Filtering Category Policy.
category policy-id cf_policy_id
Specifies the Content Filtering Category Policy ID.
cf_policy_id must be an integer from 1 through 4,294,967,295.
If the specified policy ID does not exist, it is created and the CLI mode changes to the Content Filtering Policy Configuration mode, wherein the policy can be configured.
If the specified policy ID already exists, the CLI mode changes to the Content Filtering Policy Configuration mode, wherein the policy can be configured.
description [ description_string ]
Specifies a description for the Content Filtering Category Policy.
description_string must be an alpha and/or numeric string of 1 through 31 characters in length.
Note that both description and description_string are optional.
“description description_string” saves description_string as the new description.
“description” removes the previously specified description.
This description is displayed in the output of the “show content-filtering category policy-id id id” and “show active-charging service name service_name” commands.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete a Content Filtering Category Policy.
Example
The following command creates a Content Filtering Policy with the ID 101, and enters the Content Filtering Policy Configuration mode:
content-filtering category policy-id 101
 
credit-control
This command enables/disables Prepaid Credit Control Configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] credit-control [ group group_name ]
no
Disables Prepaid Credit Control Application configuration.
group group_name
Important: The group keyword is only available in StarOS 8.1 and later releases.
Specifies the credit control group name.
group_name must be an alpha and/or numeric string of 1 through 63 characters in length.
If the named credit control group does not exist, it is created, and the CLI mode changes to the Credit Control Configuration mode, wherein the credit control group can be configured.
If the named credit control group already exists, the CLI mode changes to the Credit Control Configuration mode, wherein the credit control group can be configured.
Creating different credit control groups enables applying different credit control configurations (DCCA dictionary, failure-handling, session-failover, Diameter endpoint selection, etc.) to different subscribers on the same system.
Without credit control groups, only one credit control configuration is possible on a system. All the subscribers in the system will have to use the same configuration.
Usage
Use this command to enable/disable Prepaid Credit Control Configuration for RADIUS/Diameter charging mode.
Example
The following command enables prepaid credit control accounting to use RADIUS and/or Diameter interface mode:
credit-control
 
diameter credit-control
This command has been obsoleted, and is replaced by the credit-control command.
 
edr-format
This command enables creating/configuring/deleting an EDR format specification for the current Active Charging Service.
Product
All
Privilege
Security Administrator, Administrator
Syntax
edr-format name [ -noconfirm ]
no edr-format name
no
Removes the specified EDR format from the current Active Charging Service.
name
Specifies the EDR format name.
name must be a string of 1 through 63 characters in length.
If the named EDR format does not exist, it is created, and the CLI mode changes to the EDR Format Configuration Mode wherein the EDR format can be configured.
If the named EDR format already exists, the CLI mode changes to the EDR Format Configuration mode wherein the EDR format can be configured.
The EDR format name must be unique for a given Active Charging Service. Up to 256 combined total EDR plus UDR formats can be configured in a system across all Active Charging Services.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete an EDR format for a specified Active Charging Service.
Example
The following command creates an EDR format named edr_format1:
edr-format edr_format1
 
edr-udr-flow-control
This command enables Flow Control between Session Managers and the CDRMOD process.
Product
All
Privilege
Security Administrator, Administrator
Syntax
edr-udr-flow-control [ unsent-queue-size queue_size ]
{ default | no } edr-udr-flow-control
no
Disables Flow Control.
default
Configures the default setting.
Default: Flow Control is enabled; unsent-queue-size is set to 375
unsent-queue-size queue_size
Specifies the Flow Control unsent queue size at sessmgr level.
queue_size must be an integer from 1 through 2500.
Usage
Use this command to enable Flow Control between Session Managers and the CDRMOD process, and configure the unsent queue size.
Example
The following command enables Flow Control between Session Managers and the CDRMOD process, and configures the unsent queue size to 1000:
edr-udr-flow-control unsent-queue-size 1000
 
end
This command returns the CLI prompt to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Use this command to change to the Exec mode.
 
exit
This command exits the Active Charging Service Configuration mode and returns to the Global Configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Use this command to return to the Global Configuration mode.
 
fair-usage
This command enables Fair Usage feature configuration.
Product
ECS, CF, FW, NAT, P2P
Privilege
Security Administrator, Administrator
Syntax
fair-usage [ deact-margin deactivate_margin | threshold-percent usage_threshold ]
default fair-usage [ deact-margin | threshold-percent ]
default
Configures the default Fair Usage monitoring settings.
Default:
deact-margin: 5 percent
threshold-percent: 50 percent
deact-margin deactivate_margin
Specifies that Fair Usage monitoring must be disabled when the instance-level credit usage falls deactivate_margin percentage points below usage_threshold.
deactivate_margin is a percentage value, and must be an integer from 1 through 100.
threshold-percent usage_threshold
Specifies the threshold at which Fair Usage monitoring starts. Until the credit usage reaches this threshold, all session resource allocation is allowed. Once this threshold is crossed, every new resource allocation request is evaluated and either allowed or failed.
usage_threshold is a percentage value, and must be an integer from 1 through 100.
Usage
Use this command to enable the Fair Usage feature, which performs SessMgr instance-level load balancing for in-line service features and resource usage control for subscribers. For more information, refer to the feature description in the Enhanced Charging Service Administration Guide.
Example
The following command enables the Fair Usage feature, and sets the session resource usage threshold at which Fair Usage monitoring starts to 75%:
fair-usage threshold-percent 75
The following command sets the deactivate margin so that Fair Usage monitoring is disabled once usage drops 10% below the session resource usage threshold (that is, at 65%):
fair-usage deact-margin 10
 
firewall dos-protection
This command configures Stateful Firewall protection for subscribers from Denial-of-Service (DoS) attacks.
Important: In StarOS 8.1 and later, for Rulebase-based Stateful Firewall this command is available in the Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the Rulebase Configuration Mode.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
[ no ] firewall dos-protection { all | flooding { icmp | tcp-syn | udp } | ftp-bounce | ip-unaligned-timestamp | mime-flood | seq-number-out-of-range | seq-number-prediction | source-router | teardrop | winnuke }
default firewall dos-protection
no
Disables protection for subscribers from the specified DoS attack(s).
default
Sets Stateful Firewall DoS protection to the default setting.
all
Enables protection against all DoS attacks supported by Stateful Firewall.
flooding { icmp | tcp-syn | udp }
Enables protection against specified flooding attacks:
icmp: Enables protection against ICMP Flood attack
tcp-syn: Enables protection against TCP Syn Flood attack
udp: Enables protection against UDP Flood attack
ftp-bounce
Enables protection against FTP bounce attacks.
ip-unaligned-timestamp
Enables protection against IP unaligned timestamp attacks.
mime-flood
Enables protection against Multiple Internet Mail Extension (MIME) header flooding attacks.
seq-number-out-of-range
Enables protection against out-of-range TCP sequence number attacks.
seq-number-prediction
Enables protection against TCP sequence prediction attacks.
source-router
Enables protection against attacks caused by loose source routing.
teardrop
Enables protection against Teardrop attacks.
winnuke
Enables protection against WinNuke attacks.
Usage
Use this command to enable the Stateful Firewall protection from different types of DoS attacks. This command can be used multiple times for different DoS attacks.
Example
The following command enables protection from all DoS attacks supported by the Stateful Firewall:
firewall dos-protection all
 
firewall flooding
This command configures Stateful Firewall protection from packet flooding attacks.
Important: In StarOS 8.1 and later, for Rulebase-based Stateful Firewall this command is available in the Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the Rulebase Configuration Mode.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall flooding { { protocol { icmp | tcp-syn | udp } packet limit packets } | { sampling-interval interval } }
default firewall flooding { { protocol { icmp | tcp-syn | udp } packet limit } | { sampling-interval } }
default
Sets the specified firewall flooding configuration to the default value.
protocol { icmp | tcp-syn | udp }
Specifies the transport protocol:
icmp: Configuration for ICMP protocol.
tcp-syn: Configuration for TCP SYN packets.
udp: Configuration for UDP protocol.
packet limit packets
Specifies the maximum number of specified packets a subscriber can receive during a sampling interval.
packets is the maximum number of packets allowed during a sampling interval, and must be an integer from 1 through 4294967295.
Default: 1000 packets per sampling-interval.
sampling-interval interval
Specifies the flooding sampling interval in seconds.
interval must be an integer from 1 through 60.
Default: 1 second
The maximum sampling-interval configurable is 60 seconds.
Usage
Use this command to configure the maximum number of ICMP, TCP-SYN, or UDP packets allowed per sampling interval, to prevent packet flooding attacks against the host.
Example
The following command ensures a subscriber will not receive more than 1000 ICMP packets per sampling interval:
firewall flooding protocol icmp packet limit 1000
The following command ensures a subscriber will not receive more than 1000 UDP packets per sampling interval on different 5-tuples. That is, if an attacker is sending a large number of UDP packets on different ports or from different spoofed IPs, those packets will be limited to 1000 per sampling interval. This way only “suspected” malicious packets are limited and not “legitimate” packets.
firewall flooding protocol udp packet limit 1000
The following command ensures a subscriber will not receive more than 1000 TCP-Syn packets per sampling interval.
firewall flooding protocol tcp-syn packet limit 1000
The following command specifies a flooding sampling interval of 1 second:
firewall flooding sampling-interval 1
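The knobs above describe a per-subscriber packet budget per protocol that resets every sampling interval. The following model, written for this page and not StarOS code, shows how such a limiter behaves on a constructed burst: UDP and ICMP keep separate counters, packets beyond the limit are dropped, and the counter starts again once the interval rolls over. Whether the real implementation uses a fixed or sliding window is not stated on the page; a fixed window starting at the subscriber's first packet is assumed here, and the per-5-tuple detail mentioned for UDP is collapsed into one counter per subscriber and protocol.

```python
"""Per-subscriber flood limiter modelled on the firewall flooding command.

Added example, not StarOS code. Counts downlink packets per (subscriber,
protocol) over a fixed sampling interval and drops anything above the
configured packet limit. The fixed-window choice is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Defaults taken from the command reference: 1000 packets per 1 second interval.
DEFAULT_PACKET_LIMIT = 1000
DEFAULT_SAMPLING_INTERVAL = 1


@dataclass
class FloodLimiter:
    limits: dict  # protocol -> packet limit, e.g. {"icmp": 1000, "udp": 1000}
    sampling_interval: int = DEFAULT_SAMPLING_INTERVAL
    _windows: dict = field(default_factory=dict)  # (subscriber, proto) -> (start, count)
    dropped: dict = field(default_factory=lambda: defaultdict(int))

    def admit(self, subscriber: str, protocol: str, ts: float) -> bool:
        """Return True if the downlink packet is forwarded, False if dropped."""
        limit = self.limits.get(protocol)
        if limit is None:
            return True  # protocol not covered by flooding protection
        key = (subscriber, protocol)
        start, count = self._windows.get(key, (ts, 0))
        if ts - start >= self.sampling_interval:
            start, count = ts, 0  # new sampling interval, counter resets
        if count >= limit:
            self._windows[key] = (start, count)
            self.dropped[key] += 1
            return False
        self._windows[key] = (start, count + 1)
        return True


def simulate(limiter: FloodLimiter, packets):
    """packets: iterable of (ts, subscriber, protocol); returns (forwarded, dropped)."""
    forwarded = dropped = 0
    for ts, sub, proto in packets:
        if limiter.admit(sub, proto, ts):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


def demo():
    # Constructed traffic: 1500 UDP packets to one subscriber within 0.45 s,
    # 10 more after the interval has rolled over, and 5 ICMP packets that
    # are counted against their own budget.
    limiter = FloodLimiter(limits={"icmp": 1000, "tcp-syn": 1000, "udp": 1000})
    packets = [(i * 0.0003, "sub-A", "udp") for i in range(1500)]
    packets += [(1.2 + i * 0.001, "sub-A", "udp") for i in range(10)]
    packets += [(0.1 + i * 0.01, "sub-A", "icmp") for i in range(5)]
    packets.sort()  # arrival order
    return simulate(limiter, packets)  # -> (1015, 500)


if __name__ == "__main__":
    print(demo())
```

Of the 1500-packet UDP burst only the first 1000 are forwarded; the 10 packets arriving after the one-second interval and the 5 ICMP packets all pass, matching the "suspected malicious packets are limited, legitimate packets are not" description above.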
 
firewall flow-recovery
This command configures Stateful Firewall Flow Recovery settings.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall flow-recovery { { downlink [ [ timeout timeout ] [ no-flow-creation ] + ] } | { uplink [ timeout timeout ] } }
{ default | no } firewall flow-recovery { downlink | uplink }
default
Configures the default setting.
Default: downlink and uplink recovery is enabled, 300 seconds
no
Disables the previous configuration.
downlink | uplink
Specifies the packets:
downlink: Enables flow recovery for packets from downlink direction.
uplink: Enables flow recovery for packets from uplink direction.
timeout timeout
Specifies the Stateful Firewall Flow Recovery Timeout setting, in seconds.
timeout must be an integer from 1 through 86400.
Default: 300 seconds
no-flow-creation
Specifies that no data session/flow-related information is created for downlink-initiated packets (from the Internet to the subscriber) while the firewall downlink flow-recovery timer is running; the packets are still forwarded to the subscriber.
Usage
Use this command to configure Stateful Firewall Flow Recovery.
Important: NAT flows will not be recovered.
Example
The following command configures Stateful Firewall Flow Recovery for packets in downlink direction with a timeout of 600 seconds:
firewall flow-recovery downlink timeout 600
 
firewall icmp-destination-unreachable-message-threshold
This command configures a threshold on the number of ICMP error messages sent by the subscriber for a particular data flow.
Important: In StarOS 8.1 and later, for Rulebase-based Stateful Firewall this command is available in the Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the Rulebase Configuration Mode.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall icmp-destination-unreachable-message-threshold messages then-block-server
{ default | no } firewall icmp-destination-unreachable-message-threshold
default
Sets the threshold to the default value.
Default: No limit
no
Disables the threshold.
messages
Specifies the number of ICMP error messages sent by the subscriber for a particular data flow.
messages must be an integer from 1 through 100.
Usage
Use this command to configure a threshold on the number of ICMP error messages sent by the subscriber for a particular data flow. After the threshold is reached, it is assumed that the server is not reacting properly to the error messages, and further downlink traffic to the subscriber on the unwanted flow is blocked.
Some servers that run QChat ignore the ICMP error messages (Destination Port Unreachable and Host Unreachable) from the mobiles. So the mobiles continue to receive the unwanted UDP traffic from the QChat servers, and their batteries get exhausted quickly.
Example
The following command configures a threshold of 10 ICMP error messages:
firewall icmp-destination-unreachable-message-threshold 10 then-block-server
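The Usage text describes a per-flow counter: the subscriber's ICMP error messages for one downlink flow are counted, and once the count reaches the threshold the server is treated as unresponsive and further downlink traffic on that flow is blocked. The following model, added here and not StarOS code, shows that behaviour on the QChat-style scenario above, with a second, unrelated flow left untouched. Identifying a flow by its 5-tuple is an assumption; the page does not say how flows are keyed.

```python
"""Per-flow ICMP error threshold modelled on
firewall icmp-destination-unreachable-message-threshold <n> then-block-server.

Added example, not StarOS code. The subscriber's ICMP Destination Unreachable
messages for a downlink flow are counted; when the count reaches `threshold`
the flow is blocked so the server's unwanted traffic no longer reaches the
handset. Keying flows by 5-tuple is an assumption.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    server_ip: str
    server_port: int
    subscriber_ip: str
    subscriber_port: int
    proto: str = "udp"


@dataclass
class IcmpUnreachableGuard:
    threshold: int  # 1..100 per the command reference
    _errors: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)

    def subscriber_icmp_error(self, flow: Flow) -> None:
        """The subscriber answered a downlink packet on `flow` with an ICMP error."""
        if flow in self.blocked:
            return
        n = self._errors.get(flow, 0) + 1
        self._errors[flow] = n
        if n >= self.threshold:
            # Server ignored the subscriber's errors: block the flow ("block server").
            self.blocked.add(flow)

    def downlink_allowed(self, flow: Flow) -> bool:
        return flow not in self.blocked


def demo():
    guard = IcmpUnreachableGuard(threshold=10)
    # Constructed flows: an unwanted server stream the handset rejects every time,
    # and a normal DNS flow that must keep working.
    unwanted = Flow("203.0.113.10", 4000, "10.0.0.5", 34567)
    wanted = Flow("198.51.100.7", 53, "10.0.0.5", 40001)
    delivered = 0
    for _ in range(12):
        if guard.downlink_allowed(unwanted):
            delivered += 1
            guard.subscriber_icmp_error(unwanted)  # handset replies Port Unreachable
    return delivered, guard.downlink_allowed(unwanted), guard.downlink_allowed(wanted)


if __name__ == "__main__":
    print(demo())  # (10, False, True)
```

With a threshold of 10, exactly ten unwanted packets reach the handset before the flow is blocked; the DNS flow to a different server is unaffected because the count is kept per flow, not per subscriber.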
 
firewall max-ip-packet-size
This command configures the maximum IP packet size allowed over Stateful Firewall.
Important: In StarOS 8.1 and later, for Rulebase-based Stateful Firewall this command is available in the Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the Rulebase Configuration Mode.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall max-ip-packet-size packet_size protocol { icmp | non-icmp }
default firewall max-ip-packet-size protocol { icmp | non-icmp }
default
Sets the maximum IP packet size configuration to the default value.
Default: 65535 bytes (for both ICMP and non-ICMP)
packet_size
Specifies the maximum packet size.
packet_size must be an integer from 30000 through 65535.
protocol { icmp | non-icmp }
Specifies the transport protocol:
icmp: Configuration for ICMP protocol.
non-icmp: Configuration for protocols other than ICMP.
Usage
Use this command to configure the maximum IP packet size allowed for ICMP and non-ICMP packets to prevent packet flooding attacks to the host. Packets exceeding the configured size will be dropped for “Jolt Attack” and “Ping-Of-Death Attack”.
Example
The following command allows a maximum packet size of 60000 for ICMP protocol:
firewall max-ip-packet-size 60000 protocol icmp
 
firewall mime-flood
This command configures Stateful Firewall protection from mime-flood attacks.
Important: In StarOS 8.1 and later, for Rulebase-based Stateful Firewall this command is available in the Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the Rulebase Configuration Mode.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall mime-flood { http-headers-limit max_limit | max-http-header-field-size max_size }
default firewall mime-flood { http-headers-limit | max-http-header-field-size }
default
Sets the specified firewall mime flood configuration to the default value.
http-headers-limit max_limit
Specifies the maximum number of headers allowed in an HTTP packet. If the number of HTTP headers in a page received is more than the specified limit, the request will be denied.
max_limit must be an integer from 1 through 256.
Default: 16
max-http-header-field-size max_size
Specifies the maximum header field size allowed in the HTTP header, in bytes. If the size of HTTP header in the received page is more than the specified number of bytes, the request will be denied.
max_size must be an integer from 1 through 8192.
Default: 4096 bytes
Usage
Use this command to configure the maximum number of headers allowed in an HTTP packet, and the maximum header field size allowed in the HTTP header to prevent the mime flooding attacks.
Example
The following command sets the maximum number of headers allowed in an HTTP packet to 100:
firewall mime-flood http-headers-limit 100
The following command sets the maximum header field size allowed in the HTTP header to 1000 bytes:
firewall mime-flood max-http-header-field-size 1000
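The two mime-flood limits are checks on the parsed HTTP header block: a count of header fields against http-headers-limit, and the byte length of each field against max-http-header-field-size. The following checker, added here and not StarOS code, applies both limits with the reference defaults (16 headers, 4096 bytes) to constructed requests. The page does not say whether the request line counts as a header or how folded continuation lines are treated; here the request line is not counted and an obs-fold continuation is treated as part of the preceding field.

```python
"""HTTP header limit check modelled on the firewall mime-flood command.

Added example, not StarOS code. Denies a request when the header block has
more than `http_headers_limit` fields or any one field exceeds
`max_field_size` bytes. Treatment of the request line and of folded
continuation lines is an assumption (see lead-in).
"""

DEFAULT_HTTP_HEADERS_LIMIT = 16        # reference default for http-headers-limit
DEFAULT_MAX_HEADER_FIELD_SIZE = 4096   # reference default for max-http-header-field-size


def check_http_request(raw: bytes,
                       http_headers_limit: int = DEFAULT_HTTP_HEADERS_LIMIT,
                       max_field_size: int = DEFAULT_MAX_HEADER_FIELD_SIZE):
    """Return (verdict, reason); verdict is 'permit' or 'deny'."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "deny", "incomplete header block"
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    if not request_line:
        return "deny", "missing request line"
    fields = []
    for line in header_lines:
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] += b"\r\n" + line   # obs-fold continuation belongs to the same field
        else:
            fields.append(line)
    if len(fields) > http_headers_limit:
        return "deny", f"{len(fields)} headers exceeds limit {http_headers_limit}"
    for f in fields:
        if len(f) > max_field_size:
            name = f.split(b":", 1)[0].decode("latin-1", "replace")
            return "deny", f"header {name!r} is {len(f)} bytes, limit {max_field_size}"
    return "permit", "ok"


def build_request(headers):
    """Constructed helper: assemble a GET request from (name, value) byte pairs."""
    lines = [b"GET / HTTP/1.1"] + [b"%s: %s" % (n, v) for n, v in headers]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def demo():
    normal = build_request([(b"Host", b"example.com"), (b"User-Agent", b"demo")])
    too_many = build_request([(b"X-Pad-%d" % i, b"1") for i in range(40)])
    oversized = build_request([(b"Host", b"example.com"), (b"Cookie", b"a" * 5000)])
    return (check_http_request(normal)[0],
            check_http_request(too_many)[0],
            check_http_request(oversized)[0],
            check_http_request(too_many, http_headers_limit=100)[0])


if __name__ == "__main__":
    print(demo())  # ('permit', 'deny', 'deny', 'permit')
```

Raising http-headers-limit to 100 lets the 40-header request through, which is the trade-off the command exposes: a higher limit accommodates header-heavy clients, a lower one stops header floods sooner.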
 
firewall nat-alg
This command enables/disables NAT Application Level Gateways (ALGs).
Product
NAT
Privilege
Security Administrator, Administrator
Syntax
[ default | no ] firewall nat-alg { all | ftp | pptp | rtsp | sip }
default
Configures the default setting.
Default:
ftp: enabled
pptp: disabled
rtsp: disabled
sip: disabled
no
Disables all/specified NAT ALG configuration. When disabled, the ALG(s) do not perform any payload translation for NATed calls.
all | ftp | pptp | rtsp | sip
Specifies the NAT ALG to enable/disable.
all: Enables/disables all of the following NAT ALGs.
ftp: Enables/disables File Transfer Protocol (FTP) NAT ALG.
pptp: Enables/disables Point-to-Point Tunneling Protocol (PPTP) NAT ALG.
rtsp: Enables/disables Real Time Streaming Protocol (RTSP) ALG.
sip: Enables/disables Session Initiation Protocol (SIP) NAT ALG.
Usage
Use this command to enable/disable NAT ALGs.
To enable NAT ALG processing, in addition to this configuration, ensure that the routing rule for that particular protocol is added in the rulebase.
Example
The following command enables FTP NAT ALG:
firewall nat-alg ftp
The following command disables FTP NAT ALG:
no firewall nat-alg ftp
The following command enables FTP NAT ALG, and disables PPTP, RTSP, SIP NAT ALGs:
default firewall nat-alg all
 
firewall no-ruledef-matches
This command configures the default action for packets when no firewall ruledef matches.
Important: In StarOS 8.1 and later releases, this command is available in the Rulebase Configuration Mode.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall no-ruledef-matches { downlink | uplink } action { deny [ charging-action charging_action ] | permit }
default firewall no-ruledef-matches { downlink | uplink } action
default
Configures the default action for packets with no firewall ruledef match.
Default: uplink direction: permit, downlink direction: deny
downlink | uplink
Specifies the packet type:
downlink: Downlink packets with no firewall ruledef match.
uplink: Uplink packets with no firewall ruledef match.
action { deny [ charging-action charging_action ] | permit }
Specifies the default action for packets with no firewall ruledef match.
permit: Permit specified packets.
deny [ charging-action charging_action ]: Deny specified packets.
Optionally, a charging action can be specified. charging_action must be the name of a charging action, and must be a string of 1 through 63 characters in length.
Usage
Use this command to configure the default action to be taken on packets with no firewall ruledef matches.
If, for deny action, the optional charging action is configured, the action taken depends on what is configured in the charging action. For the firewall rule, the “flow action”, “billing action”, and “content ID” of the charging action will be used to take action. If flow exists, flow statistics are updated.
Example
The following command sets Stateful Firewall to permit downlink packets with no ruledef matches:
firewall no-ruledef-matches downlink action permit
 
firewall port-scan
This command configures the Port Scan Detection algorithm.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall port-scan { connection-attempt-success-percentage { non-scanner | scanner } percentage | inactivity-timeout inactivity_timeout | protocol { tcp | udp } response-timeout response_timeout | scanner-policy { block inactivity-timeout inactivity_timeout | log-only } }
default firewall port-scan { connection-attempt-success-percentage { non-scanner | scanner } | inactivity-timeout | protocol { tcp | udp } response-timeout | scanner-policy }
default
Configures default parameters for port-scan detection.
connection-attempt-success-percentage { non-scanner | scanner } percentage
Specifies the connection attempt success percentage:
non-scanner: Specifies the connection attempt success percentage for a non-scanner. percentage must be an integer from 60 through 99.
Default: 70%
scanner: Specifies the connection attempt success percentage for a scanner. percentage must be an integer from 1 through 40.
Default: 30%
inactivity-timeout inactivity_timeout
Specifies the port scan inactivity timeout period, in seconds.
inactivity_timeout must be an integer from 60 through 1800.
Default: 300 seconds
protocol { tcp | udp } response-timeout response_timeout
Specifies transport protocol specific response timeout period:
tcp: Specifies response timeout for TCP. response_timeout must be an integer from 3 through 30.
udp: Specifies response timeout for UDP. response_timeout must be an integer from 3 through 60.
Default: 3 seconds
scanner-policy { block inactivity-timeout inactivity_timeout | log-only }
Specifies the scanner policy.
Default: Log only
block inactivity-timeout inactivity_timeout: Specifies blocking any subsequent traffic from the scanner. If the scanner is found to be inactive for the inactivity-timeout period, then the scanner is no longer blocked, and traffic is allowed.
inactivity_timeout specifies the scanner inactivity timeout period, in seconds, and must be an integer from 1 through 4294967295.
log-only: Specifies logging scanner information without blocking scanner traffic.
Usage
Use this command to configure the Port Scan Detection algorithm.
Example
The following command configures the Stateful Firewall Port Scan inactivity timeout period to 900 seconds:
firewall port-scan inactivity-timeout 900
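The port-scan keywords above define the inputs to the detector (per-protocol response timeouts, a scanner and a non-scanner connection-attempt success percentage, and a scanner policy of log-only or block with an inactivity timeout) without spelling out the algorithm. The following detector, added here and not StarOS code, is one consistent reading of those knobs: an attempt succeeds when the target answers within the protocol's response timeout, a source whose success rate is at or below the scanner percentage is classified as a scanner and at or above the non-scanner percentage as a non-scanner, and a blocked scanner is released after the inactivity timeout. The minimum sample size before classifying (`min_attempts`) and the reset of counters on release are assumptions.

```python
"""Port scan classification modelled on the firewall port-scan command.

Added example, not StarOS code. Tracks connection attempts per remote source,
classifies the source from its success percentage, and applies the
scanner-policy (log-only or block with inactivity timeout). `min_attempts`
and the counter reset on release are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class PortScanDetector:
    scanner_pct: int = 30                 # reference default for scanner
    non_scanner_pct: int = 70             # reference default for non-scanner
    response_timeout: dict = field(default_factory=lambda: {"tcp": 3, "udp": 3})
    scanner_policy: str = "log-only"      # reference default; or "block"
    block_inactivity_timeout: int = 300
    min_attempts: int = 10                # assumption: classify only after this many
    _attempts: dict = field(default_factory=dict)       # source -> [attempts, successes]
    _last_seen: dict = field(default_factory=dict)
    _blocked_since: dict = field(default_factory=dict)
    _flagged: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def attempt(self, source, proto, sent_at, answered_at=None):
        """Record one connection attempt; answered_at is None when no reply came."""
        a = self._attempts.setdefault(source, [0, 0])
        a[0] += 1
        if answered_at is not None and answered_at - sent_at <= self.response_timeout[proto]:
            a[1] += 1
        self._last_seen[source] = sent_at
        if self.classify(source) == "scanner" and source not in self._flagged:
            self._flagged.add(source)
            self.log.append(f"port scan from {source}: policy={self.scanner_policy}")
            if self.scanner_policy == "block":
                self._blocked_since[source] = sent_at

    def classify(self, source):
        attempts, successes = self._attempts.get(source, (0, 0))
        if attempts < self.min_attempts:
            return "undetermined"
        pct = 100 * successes / attempts
        if pct <= self.scanner_pct:
            return "scanner"
        if pct >= self.non_scanner_pct:
            return "non-scanner"
        return "undetermined"

    def is_blocked(self, source, now):
        """A blocked scanner is released once inactive for block_inactivity_timeout."""
        since = self._blocked_since.get(source)
        if since is None:
            return False
        if now - self._last_seen[source] >= self.block_inactivity_timeout:
            del self._blocked_since[source]
            self._flagged.discard(source)
            self._attempts.pop(source, None)   # assumption: start afresh after release
            return False
        return True


def demo():
    det = PortScanDetector(scanner_policy="block", block_inactivity_timeout=300)
    # Constructed: a source probing 20 ports, only 2 answered in time, and a
    # normal client making 10 connections of which 9 are answered promptly.
    for port in range(20):
        t = float(port)
        det.attempt("198.51.100.9", "tcp", t, answered_at=t + 1 if port < 2 else None)
    for i in range(10):
        t = 100.0 + i
        det.attempt("192.0.2.44", "tcp", t, answered_at=t + 0.5 if i < 9 else None)
    return (det.classify("198.51.100.9"), det.classify("192.0.2.44"),
            det.is_blocked("198.51.100.9", now=20.0),
            det.is_blocked("198.51.100.9", now=400.0), len(det.log))


if __name__ == "__main__":
    print(demo())  # ('scanner', 'non-scanner', True, False, 1)
```

The probing source is flagged at its tenth attempt (20% success) and blocked; it is still blocked one second after its last probe and released once 300 seconds of inactivity have passed, while the client with 90% success is classified as a non-scanner and never logged.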
 
firewall ruledef
This command enables creating/configuring/deleting firewall ruledefs.
Important: This command is only available in StarOS 8.1, and is customer-specific. This command must be used to configure the Rulebase-based Stateful Firewall and NAT features.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall ruledef ruledef_name [ -noconfirm ]
no firewall ruledef ruledef_name
no
Removes the specified firewall ruledef.
ruledef_name
Specifies the firewall ruledef name.
ruledef_name must be a string of 1 through 63 characters in length, and can contain punctuation characters.
If the named firewall ruledef does not exist, it is created, and the CLI mode changes to the Firewall Ruledef Configuration Mode wherein the ruledef can be configured.
If the named firewall ruledef already exists, the CLI mode changes to the Firewall Ruledef Configuration Mode wherein the ruledef can be configured.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete a firewall ruledef. A firewall ruledef contains different conditions/criteria to permit, drop, or reject a packet/connection/traffic based on one or more parameters. The ruledef name must be unique within the service. Host pool, port map, IMSI pool, and firewall, routing, and charging ruledefs must have unique names.
Important: A firewall ruledef can be referenced by multiple firewall rulebases.
Important: The firewall ruledefs are different from the Active Charging Ruledefs.
Example
The following command creates a firewall ruledef named fw_ruledef1, and enters the Firewall Ruledef Configuration Mode:
firewall ruledef fw_ruledef1
 
firewall tcp-syn-flood-intercept
This command enables and configures the TCP intercept parameters to prevent TCP SYN flooding attacks by intercepting and validating TCP connection requests, for the DoS protection mechanism configured with the dos-protection command.
Important: In StarOS 8.1 and later, for Rulebase-based Stateful Firewall this command is available in the Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the Rulebase Configuration Mode.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall tcp-syn-flood-intercept { max-attempts max_attempts | mode { none | { intercept | watch } [ aggressive ] } | retransmit-timeout retransmit_timeout | watch-timeout intercept_watch_timeout }
default firewall tcp-syn-flood-intercept { max-attempts | mode | retransmit-timeout | watch-timeout }
default
Sets the default values of TCP intercept parameters for SYN Flood DoS protection.
max-attempts max_attempts
Default: 5
Specifies the maximum number of attempts for sending proxy SYN to the target. This keyword works in conjunction with the retransmit-timeout keyword.
max_attempts specifies the maximum number of attempts for sending proxy SYN to the target after the timeout duration, and must be an integer from 1 through 5.
mode { none | { intercept | watch } [ aggressive ] }
Default: none
Specifies TCP SYN flood intercept mode:
intercept: Configures TCP SYN flood intercept feature in intercept mode.
none: Disables TCP SYN flood intercept feature.
watch: Configures TCP SYN flood intercept feature in watch mode. The Stateful Firewall passively watches to see if TCP connections become established within a configurable interval. If connections are not established within the timeout period, the Stateful Firewall clears the half-open connections by sending RST to TCP client and server. The default watch-timeout for connection establishment is 30 seconds.
aggressive: Configures TCP SYN flood Intercept or Watch feature for aggressive behavior. Each new connection request causes the oldest incomplete connection to be deleted. When operating in watch mode, the watch timeout is reduced by half. If the watch-timeout is 30 seconds, under aggressive conditions it becomes 15 seconds. When operating in intercept mode, the retransmit timeout is reduced by half (i.e. if the timeout is 60 seconds, it is reduced to 30 seconds). Thus, the amount of time waiting for connections to be established is reduced by half (i.e. it is reduced to 150 seconds from 300 seconds under aggressive conditions).
retransmit-timeout retransmit_timeout
Default: 60
Specifies the SYN-Proxy retransmit timeout in seconds. The system waits for this period before sending the proxy SYN to the target. This keyword works in conjunction with the max-attempts keyword.
retransmit_timeout specifies the duration in seconds the system waits before sending proxy SYN, and must be an integer from 15 through 60.
watch-timeout intercept_watch_timeout
Default: 30
intercept_watch_timeout specifies the TCP intercept watch timeout in seconds, and must be an integer from 5 through 30.
Usage
This TCP intercept functionality provides protection against TCP SYN Flooding attacks.
The system captures TCP SYN requests and responds with TCP SYN-ACKs. If a connection initiator completes the handshake with a TCP ACK, the system considers the TCP connection request valid and forwards the initial TCP SYN to the target, which triggers the target to send a TCP SYN-ACK. The system then intercepts that TCP SYN-ACK and sends the TCP ACK to complete the TCP handshake. Any TCP packet received before the handshake completes is discarded.
Example
The following command sets the maximum number of attempts for sending proxy SYN to the target to 5:
firewall tcp-syn-flood-intercept max-attempts 5
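The intercept and watch behaviour described above, modelled as an added Python example (not StarOS code): it validates the documented parameter ranges, derives the effective timeouts (halved under aggressive conditions), and tracks half-open connections the way watch mode and aggressive eviction are described. Flow identifiers and timestamps are constructed sample values.

```python
from collections import OrderedDict
from dataclasses import dataclass, field

# Ranges and defaults listed on the page for firewall tcp-syn-flood-intercept:
# keyword -> (minimum, maximum, default)
RANGES = {
    "max_attempts": (1, 5, 5),
    "retransmit_timeout": (15, 60, 60),
    "watch_timeout": (5, 30, 30),
}
MODES = ("none", "intercept", "watch")


@dataclass
class SynFloodIntercept:
    """Model of one firewall tcp-syn-flood-intercept configuration."""
    mode: str = "none"
    aggressive: bool = False
    max_attempts: int = RANGES["max_attempts"][2]
    retransmit_timeout: int = RANGES["retransmit_timeout"][2]
    watch_timeout: int = RANGES["watch_timeout"][2]
    # Half-open connections: flow id -> time the SYN was seen.
    # Insertion order doubles as age order, oldest first.
    half_open: "OrderedDict[str, float]" = field(default_factory=OrderedDict)
    resets_sent: list = field(default_factory=list)   # flows cleared by RST (watch mode)
    evicted: list = field(default_factory=list)       # flows dropped by aggressive eviction

    def __post_init__(self):
        if self.mode not in MODES:
            raise ValueError(f"mode must be one of {MODES}")
        if self.mode == "none" and self.aggressive:
            raise ValueError("aggressive applies only to intercept or watch mode")
        for name, (low, high, _default) in RANGES.items():
            value = getattr(self, name)
            if not (isinstance(value, int) and low <= value <= high):
                raise ValueError(f"{name} must be an integer from {low} through {high}")

    def effective_watch_timeout(self) -> float:
        """Watch timeout in seconds; halved under aggressive conditions (30 -> 15)."""
        return self.watch_timeout / 2 if self.aggressive else float(self.watch_timeout)

    def effective_retransmit_timeout(self) -> float:
        """Retransmit timeout in seconds; halved under aggressive conditions (60 -> 30)."""
        return self.retransmit_timeout / 2 if self.aggressive else float(self.retransmit_timeout)

    def max_intercept_wait(self) -> float:
        """Longest time intercept mode waits for a proxied connection:
        max_attempts * effective retransmit timeout (300 s default, 150 s aggressive)."""
        return self.max_attempts * self.effective_retransmit_timeout()

    def on_syn(self, flow: str, now: float) -> None:
        """Record a new half-open connection. Under aggressive conditions each new
        request first deletes the oldest incomplete connection."""
        if self.mode == "none":
            return
        if self.aggressive and self.half_open:
            oldest, _seen = self.half_open.popitem(last=False)
            self.evicted.append(oldest)
        self.half_open[flow] = now

    def on_established(self, flow: str) -> None:
        """The initiator completed the handshake: the flow is no longer half-open."""
        self.half_open.pop(flow, None)

    def accept_data(self, flow: str) -> bool:
        """Data received before handshake completion is discarded."""
        return self.mode == "none" or flow not in self.half_open

    def sweep(self, now: float) -> list:
        """Watch mode: clear half-open connections that have not become established
        within the effective watch timeout (RST to client and server). Returns the
        flows cleared, oldest first."""
        if self.mode != "watch":
            return []
        limit = self.effective_watch_timeout()
        expired = [f for f, seen in self.half_open.items() if now - seen >= limit]
        for f in expired:
            del self.half_open[f]
            self.resets_sent.append(f)
        return expired


def is_valid_config(**kwargs) -> bool:
    """True when the keyword values fall inside the ranges documented on the page."""
    try:
        SynFloodIntercept(**kwargs)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: two SYNs, one completes, the other is cleared at 30 s.
    fw = SynFloodIntercept(mode="watch")
    fw.on_syn("10.0.0.5:40000->10.0.0.9:80", 0.0)
    fw.on_syn("10.0.0.6:40001->10.0.0.9:80", 10.0)
    fw.on_established("10.0.0.6:40001->10.0.0.9:80")
    print(fw.sweep(30.0))
```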
 
firewall track-list
This command configures the maximum number of server IPs to be tracked that are involved in any kind of DoS attack.
Product
FW
Privilege
Security Administrator, Administrator
Syntax
firewall track-list attacking-servers no_of_servers
{ default | no } firewall track-list attacking-servers
default
Sets the default configuration.
Default: 10
no
Important: This variant is only available in StarOS 8.3 and later releases.
Removes the previous configuration.
attacking-servers no_of_servers
Specifies to track the attacking servers.
no_of_servers specifies the number of servers to track, and must be an integer from 1 through 100.
Usage
Use this command to configure the maximum number of server IPs to be tracked that are involved in any kind of DoS attack.
Example
The following command configures the maximum number of server IPs to be tracked that are involved in any kind of DoS attack to 20:
firewall track-list attacking-servers 20
 
fw-and-nat policy
This command enables creating/configuring/deleting a Firewall-and-NAT policy.
Important: This command is only available in StarOS 8.1 and StarOS 9.0 and later releases. This command must be used to configure the Policy-based Stateful Firewall and NAT features.
Product
FW, NAT
Privilege
Security Administrator, Administrator
Syntax
fw-and-nat policy policy_name [ -noconfirm ]
no fw-and-nat policy policy_name
no
Deletes the specified Firewall-and-NAT policy.
Important: When a Firewall-and-NAT policy is deleted, Stateful Firewall and NAT processing is disabled for all subscribers using the policy, and the ECS sessions for those subscribers are dropped. In case of session recovery, the calls are recovered, but with Stateful Firewall and NAT disabled.
policy_name
Specifies the Firewall-and-NAT policy name.
policy_name must be an alpha and/or numeric string of 1 through 63 characters in length.
If the named Firewall-and-NAT policy does not exist, it is created and the CLI mode changes to the Firewall-and-NAT Policy Configuration mode, wherein the policy can be configured.
If the named Firewall-and-NAT policy already exists, the CLI mode changes to the Firewall-and-NAT Policy Configuration mode, wherein the named policy can be configured.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete a Firewall-and-NAT policy.
Example
The following command creates a Firewall-and-NAT policy named test321, and changes to the Firewall-and-NAT Policy Configuration Mode:
fw-and-nat policy test321
 
group-of-prefixed-urls
This command enables creating/configuring/deleting a group-of-prefixed-URLs.
Important: This command is customer specific. For more information, please contact your local sales representative.
Important: A maximum of 64 group-of-prefixed-URL groups can be configured in the Active Charging Service.
Product
ECS
Privilege
Security Administrator, Administrator
Syntax
group-of-prefixed-urls group_name [ -noconfirm ]
no group-of-prefixed-urls group_name
no
Deletes the specified group-of-prefixed-urls.
group_name
Specifies the group-of-prefixed-urls name.
group_name must be an alpha and/or numeric string of 1 through 63 characters in length.
If the named group-of-prefixed-urls does not exist, it is created, and the CLI mode changes to the ACS Group of Prefixed URLs Configuration Mode wherein the group can be configured.
If the named group-of-prefixed-urls already exists, the CLI mode changes to the ACS Group of Prefixed URLs Configuration Mode wherein the group can be configured.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete a group of prefixed URLs.
Example
The following command creates group-of-prefixed-urls named test5, and enters the ACS Group of Prefixed URLs Configuration Mode:
group-of-prefixed-urls test5
 
group-of-ruledefs
This command enables creating/configuring/deleting a group-of-ruledefs.
 
Important: A maximum of 64 groups-of-ruledefs can be configured in an Active Charging Service.
Product
ECS
Privilege
Security Administrator, Administrator
Syntax
group-of-ruledefs ruledef_group [ -noconfirm ]
no group-of-ruledefs ruledef_group
no
Removes the specified group-of-ruledefs, if previously configured.
ruledef_group
ruledef_group specifies the group name. The group name must be unique within the Active Charging Service, and must be a string of 1 through 63 characters in length. Up to 64 groups may be configured.
If the named group-of-ruledefs does not exist, it is created, and the CLI mode changes to the Group-of-Ruledefs Configuration Mode wherein the group can be configured.
If the named group-of-ruledefs already exists, the CLI mode changes to the Group-of-Ruledefs Configuration Mode wherein the group can be configured.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete a group-of-ruledefs.
A group-of-ruledefs is a collection of rule definitions to use in access policy creation. The group-of-ruledefs name must be unique within the service.
Example
The following command creates a group-of-ruledefs named group1, and enters the Group-of-Ruledefs Configuration Mode:
group-of-ruledefs group1
 
host-pool
This command enables creating/configuring/deleting a host pool.
Product
All
Privilege
Security Administrator, Administrator
Syntax
host-pool host_pool [ -noconfirm ]
no host-pool host_pool
no
Removes the specified host pool.
host_pool
Specifies the host pool name.
host_pool must be a string of 1 through 63 characters in length, and can contain punctuation characters.
If the named host pool does not exist, it is created, and the CLI mode changes to the ACS Host Pool Configuration Mode wherein the host pool can be configured.
If the named host pool already exists, the CLI mode changes to the ACS Host Pool Configuration Mode wherein the host pool can be configured.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete ACS host pools.
A host pool is a collection of hosts and IP addresses to use in access policy creation. The host pool name must be unique within the service. Host pool, port map, IMSI pool, and firewall, routing, and charging ruledefs must have unique names. A maximum of 256 host pools can be created.
Important: Host pools in use in other ruledefs cannot be deleted.
Example
The following command creates a host pool named hostpool1, and enters the ACS Host Pool Configuration Mode:
host-pool hostpool1
 
idle-timeout
This command configures the maximum duration a flow can remain idle, in seconds, after which the system automatically terminates the flow.
Product
ECS, NAT, FW
Privilege
Security Administrator, Administrator
Syntax
idle-timeout { alg-media | icmp | tcp | udp } idle_timeout
{ default | no } idle-timeout { alg-media | icmp | tcp | udp }
default
Configures the default idle-timeout setting for the specified flow.
Default: alg-media: 120 seconds; icmp, tcp, udp: 300 seconds
no
Disables the idle-timeout configuration for the specified flow.
alg-media | icmp | tcp | udp
Configures/disables the idle-timeout setting for the specified flow.
idle_timeout
Specifies the timeout duration, in seconds, and must be an integer from 0 through 86400.
For alg-media, specifies the media inactivity timeout. The idle_timeout value is applied to the RTP and RTCP media flows created for SIP/H.323 calls. The timeout is applied only to those flows that actually match the RTP and RTCP media pinholes created by the SIP/H.323 ALG.
A value of 0 disables the idle-timeout setting.
Usage
Use this command to configure the maximum duration a flow can remain idle, in seconds, after which the system automatically terminates the flow.
Setting the value to 0 will cause the idle-timeout setting to be disabled.
For flows other than TCP, UDP, and ICMP, the timeout is always 300 seconds unless configured in the charging action. The charging action's flow idle-timeout takes precedence over the ACS idle-timeout. If the charging action's flow idle-timeout is default, flows use the value configured in the ACS service.
Example
The following command configures the maximum duration a TCP flow can remain idle to 3000 seconds, after which the system automatically terminates the flow:
idle-timeout tcp 3000
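The precedence rule above, as an added Python example that is not part of the original reference: it resolves the effective idle timeout for a flow from the ACS configuration and an optional charging-action value. Representing the no form, and a charging-action value of 0, as "disabled" is an assumption.

```python
# Defaults listed on the page for idle-timeout (seconds).
ACS_DEFAULTS = {"alg-media": 120, "icmp": 300, "tcp": 300, "udp": 300}
OTHER_FLOW_TIMEOUT = 300        # flows other than TCP, UDP, and ICMP
MIN_TIMEOUT, MAX_TIMEOUT = 0, 86400
DISABLED = 0                    # a value of 0 disables the idle-timeout


def validate_idle_timeout(flow_type: str, value: int) -> int:
    """Check a value as the CLI would for `idle-timeout <flow_type> <value>`."""
    if flow_type not in ACS_DEFAULTS:
        raise ValueError(f"flow type must be one of {sorted(ACS_DEFAULTS)}")
    if not (isinstance(value, int) and MIN_TIMEOUT <= value <= MAX_TIMEOUT):
        raise ValueError(
            f"idle_timeout must be an integer from {MIN_TIMEOUT} through {MAX_TIMEOUT}")
    return value


def is_valid_idle_timeout(flow_type: str, value: int) -> bool:
    try:
        validate_idle_timeout(flow_type, value)
    except ValueError:
        return False
    return True


def effective_idle_timeout(protocol, acs_config, charging_action_timeout=None):
    """Return the idle timeout (seconds) applied to a flow, or None when disabled.

    protocol: 'tcp', 'udp', 'icmp', 'alg-media' or any other protocol name.
    acs_config: {flow_type: value} as set with `idle-timeout`; missing entries
        use the ACS default. `no idle-timeout` is represented as 0 (assumption:
        the page says both the `no` form and a value of 0 disable the setting).
    charging_action_timeout: the charging action's flow idle-timeout, or None
        when it is left at default. A configured value takes precedence over
        the ACS value; 0 is treated as disabled here (assumption).
    """
    if charging_action_timeout is not None:
        return None if charging_action_timeout == DISABLED else charging_action_timeout
    if protocol not in ACS_DEFAULTS:
        return OTHER_FLOW_TIMEOUT
    value = acs_config.get(protocol, ACS_DEFAULTS[protocol])
    return None if value == DISABLED else value
```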
 
imsi-pool
This command enables creating/configuring/deleting an IMSI pool.
Product
All
Privilege
Security Administrator, Administrator
Syntax
imsi-pool imsi_pool [ -noconfirm ]
no imsi-pool imsi_pool
no
Removes the specified IMSI pool.
imsi_pool
Specifies the IMSI pool name.
imsi_pool must be a string of 1 through 63 characters in length, and can contain punctuation characters.
If the named IMSI pool does not exist, it is created, and the CLI mode changes to the ACS IMSI Pool Configuration Mode wherein the IMSI pool can be configured.
If the named IMSI pool already exists, the CLI mode changes to the ACS IMSI Pool Configuration Mode wherein the IMSI pool can be configured.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete pools of International Mobile Subscriber Identifier (IMSI) numbers, each containing individual IMSI numbers or ranges of IMSI numbers, to use in access policy creation. The IMSI pool name must be unique within the service. Host pool, port map, IMSI pool, and firewall, routing, and charging ruledefs must have unique names. A maximum of 256 IMSI pools can be created.
Important: IMSI pools in use in other ruledefs cannot be deleted.
Example
The following command creates an IMSI pool named imsipool1, and enters ACS IMSI Pool Configuration mode:
imsi-pool imsipool1
 
ip max-fragments
This command limits the maximum number of IP fragments per fragment chain.
Product
All
Privilege
Security Administrator, Administrator
Syntax
ip max-fragments max_fragments
default ip max-fragments
default ip max-fragments
Sets the maximum number of IP fragments limit to the default value.
Default: 45
max_fragments
Specifies the maximum number of IP fragments per fragment chain.
max_fragments must be an integer from 1 through 300.
Usage
Use this command to limit the maximum number of IP fragments.
Example
The following command limits the maximum number of IP fragments to 100:
ip max-fragments 100
 
label
This command defines a text string label for a specific content ID for UDRs/EDRs/eG-CDRs in an Active Charging Service.
Product
All
Privilege
Security Administrator, Administrator
Syntax
label content-id content_id text string
no label content-id content_id
no
Removes the previously configured label for the specified content ID from the Active Charging Service.
content-id content_id
Specifies the content ID to add a text string label for a description.
content_id must be an integer from 0 through 4,294,967,295.
text string
This keyword provides the option to add descriptive text to each content ID, for documentation or user-specific requirements.
string must be an alpha and/or numeric string of 1 through 64 characters in length.
Usage
Use this command to create a label string to attach to a specific content ID configured in the Charging Action Configuration Mode.
A maximum of 2048 labels can be configured within an Active Charging Service.
Example
The following command creates a label string test_charge1 for content-id 1378:
label content-id 1378 text test_charge1
 
nat allocation-failure
Configures action to take when NAT IP/Port allocation fails.
Important: This command is only available in StarOS 8.3 and later releases.
Product
NAT
Privilege
Security Administrator, Administrator
Syntax
nat allocation-failure send-icmp-dest-unreachable
{ default | no } nat allocation-failure
default
Sets the default configuration.
Default: Packets are dropped silently
no
Removes the previous NAT allocation failure configuration.
When set, packets are dropped silently.
send-icmp-dest-unreachable
Specifies sending ICMP Destination Unreachable message when NAT IP/Port allocation fails.
Usage
Use this command to configure the action to take when NAT IP/port allocation fails: whether or not to send an ICMP Destination Unreachable message when a NAT IP/port cannot be assigned to a flow in the data path.
Example
The following command configures sending ICMP Destination Unreachable message when NAT IP/Port allocation fails:
nat allocation-failure send-icmp-dest-unreachable
 
nat allocation-in-progress
Configures action to take on packets when NAT IP/NPU allocation is in progress.
Important: This command is only available in StarOS 8.3 and later releases.
Product
NAT
Privilege
Security Administrator, Administrator
Syntax
nat allocation-in-progress { buffer | drop }
default nat allocation-in-progress
default
Sets the default configuration.
buffer | drop
Specifies the action to take on packets when NAT IP/NPU allocation is in progress:
buffer: Specifies to buffer packets
drop: Specifies to drop packets
Default: buffer
Usage
In on-demand NAT IP allocation (wherein a NAT IP address is allocated to the subscriber when a packet is being sent), if no free NAT IP address is available, a NAT-IP Alloc Request is sent to the VPNMgr to obtain a NAT IP. Packets received during that time are dropped. This command enables buffering the packets received while the IP Alloc Request to the VPNMgr is outstanding.
Example
The following command specifies to buffer packets when NAT IP/NPU allocation is in progress:
nat allocation-in-progress buffer
 
nat tcp-2msl-timeout
This command configures the TCP 2MSL timeout for NAT.
Important: This command is only available in StarOS 8.3 and later releases.
Product
NAT
Privilege
Security Administrator, Administrator
Syntax
nat tcp-2msl-timeout timeout
default nat tcp-2msl-timeout
default
Sets the default configuration.
timeout
Specifies the TCP 2msl timeout in seconds, and must be an integer from 30 through 240.
Default: 60 seconds
Usage
Use this command to configure the TCP 2MSL timeout for NAT.
Example
The following command configures the TCP 2msl timeout for NAT to 120 seconds:
nat tcp-2msl-timeout 120
 
p2p-detection protocol
This command configures the detection of specific peer-to-peer (P2P) protocols.
Product
P2P
Privilege
Security Administrator, Administrator
Syntax
[ no ] p2p-detection protocol [ actsync | aimini | all | applejuice | ares | battlefld | bittorrent | ddlink | directconnect | edonkey | fasttrack | feidian | filetopia | freenet | fring | gadugadu | gnutella | gtalk | halflife2 | hamachivpn | iax | imesh | iptv | irc | iskoot | jabber | manolito | msn | mute | nimbuzz | oovoo | openft | orb | oscar | paltalk | pando | pandora | popo | pplive | ppstream | qq | qqgame | qqlive | quake | rdp | secondlife | skinny | skype | slingbox | sopcast | soulseek | steam | tvants | tvuplayer | uusee | vpnx | vtun | warcft3 | winmx | winny | wofwarcraft | xbox | yahoo | zattoo + ]
all
Configures the system to detect all of the P2P protocols. Specifying all is the same as configuring each protocol individually.
actsync
Configures the system to detect actsync protocols.
aimini
Configures the system to detect aimini protocols.
applejuice
Configures the system to detect applejuice protocols.
ares
Configures the system to detect ares protocols.
battlefld
Configures the system to detect battlefld protocols.
bittorrent
Configures the system to detect bittorrent protocols.
ddlink
Configures the system to detect ddlink protocols.
directconnect
Configures the system to detect directconnect protocols.
edonkey
Configures the system to detect edonkey protocols.
fasttrack
Configures the system to detect fasttrack protocols.
feidian
Configures the system to detect feidian protocols.
filetopia
Configures the system to detect filetopia protocols.
freenet
Configures the system to detect freenet protocols.
fring
Configures the system to detect fring protocols.
gadugadu
Configures the system to detect gadugadu protocols.
gnutella
Configures the system to detect gnutella protocols.
gtalk
Configures the system to detect gtalk protocols.
halflife2
Configures the system to detect halflife2 protocols.
hamachivpn
Configures the system to detect hamachivpn protocols.
iax
Configures the system to detect iax protocols.
imesh
Configures the system to detect imesh protocols.
iptv
Configures the system to detect iptv protocols.
irc
Configures the system to detect irc protocols.
iskoot
Configures the system to detect iskoot protocols.
jabber
Configures the system to detect jabber protocols.
manolito
Configures the system to detect manolito protocols.
msn
Configures the system to detect msn protocols.
mute
Configures the system to detect mute protocols.
nimbuzz
Configures the system to detect nimbuzz protocols.
oovoo
Configures the system to detect oovoo protocols.
openft
Configures the system to detect openft protocols.
orb
Configures the system to detect orb protocols.
oscar
Configures the system to detect oscar protocols.
paltalk
Configures the system to detect paltalk protocols.
pando
Configures the system to detect pando protocols.
pandora
Configures the system to detect pandora protocols.
popo
Configures the system to detect popo protocols.
pplive
Configures the system to detect pplive protocols.
ppstream
Configures the system to detect ppstream protocols.
qq
Configures the system to detect qq protocols.
qqgame
Configures the system to detect qqgame protocols.
qqlive
Configures the system to detect qqlive protocols.
quake
Configures the system to detect quake protocols.
rdp
Configures the system to detect rdp protocols.
secondlife
Configures the system to detect secondlife protocols.
skinny
Configures the system to detect skinny protocols.
skype
Configures the system to detect skype protocols.
slingbox
Configures the system to detect slingbox protocols.
sopcast
Configures the system to detect sopcast protocols.
soulseek
Configures the system to detect soulseek protocols.
steam
Configures the system to detect steam protocols.
tvants
Configures the system to detect tvants protocols.
tvuplayer
Configures the system to detect tvuplayer protocols.
uusee
Configures the system to detect uusee protocols.
vpnx
Configures the system to detect vpnx protocols.
vtun
Configures the system to detect vtun protocols.
warcft3
Configures the system to detect warcft3 protocols.
winmx
Configures the system to detect winmx protocols.
winny
Configures the system to detect winny protocols.
wofwarcraft
Configures the system to detect wofwarcraft protocols.
xbox
Configures the system to detect xbox protocols.
yahoo
Configures the system to detect yahoo protocols.
zattoo
Configures the system to detect zattoo protocols.
+
More than one of the above keywords can be entered within a single command.
Usage
Use this command to configure the detection of specific P2P protocols. Multiple protocols can be specified in a single command.
Example
The following command enables detection of all P2P protocols:
p2p-detection protocol all
 
p2p-dynamic-rules
This command enables/disables the P2P Dynamic Signature Updates feature and loads the P2P signature file from the default or specified location into memory; optionally, the specific protocol(s) whose signatures are to be loaded can be specified.
Important: This release supports dynamic updates of signatures (detection logic) only for the following protocols: Bittorrent, DirectConnect, eDonkey, Gnutella, Skype, and Yahoo.
Product
P2P
Privilege
Security Administrator, Administrator
Syntax
p2p-dynamic-rules { file location [ force ] | protocol [ all | bittorrent | directconnect | edonkey | gnutella | skype | yahoo + ] }
default p2p-dynamic-rules file
no p2p-dynamic-rules { file | protocol [ all | bittorrent | directconnect | edonkey | gnutella | skype | yahoo + ] }
default
Enables the P2P Dynamic Signature Updates feature, and if available, loads the P2P signature file from the default location: /usr/lib/p2p-rules.xml.
no
Disables the P2P Dynamic Signature Updates feature, and unloads any/the specified signature(s) already loaded in memory.
If there are any active sessions using the file, the file status is changed to inactive; when those sessions are cleared, the file is removed from memory.
file location
Specifies that the P2P signature file at the specified location (other than the default location) be loaded into memory and applied.
location specifies the file's location, and must be of the following form:
[file:]{/flash | /pcmcia1 | /hd-raid}[/directory]/<filename>
force
Specifies to force load the specified file into memory and apply it, even if it is obsolete.
By default, when a signature file is loaded from the location specified with file location, it is compared during loading with the file at the default location, and the newer of the two files is loaded into memory. To override this behavior, use the force keyword.
protocol [ all | bittorrent | directconnect | edonkey | gnutella | skype | yahoo + ]
Specifies the protocols for which signatures must be enabled for processing.
+ indicates that more than one of the keywords can be specified in the same command. Not applicable if the all option is selected first.
Usage
Use this command to enable/disable the P2P Dynamic Signature Updates feature, and load the P2P signature file from the default or specified location. Optionally the specific protocol(s) for which the signatures must be loaded can be specified.
Example
The following command enables the P2P Dynamic Signature Updates feature, and loads the signature file present in the default location:
default p2p-dynamic-rules file
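An added Python example, not StarOS code, that checks a location against the path form documented above and applies the newer-file rule with the force override. "Newer" is taken to mean a later modification time and ties go to the default file; both are assumptions, and the timestamps are constructed.

```python
import re

DEFAULT_RULES_FILE = "/usr/lib/p2p-rules.xml"

# [file:]{/flash | /pcmcia1 | /hd-raid}[/directory]/<filename>
LOCATION_RE = re.compile(
    r"^(?:file:)?"
    r"(?P<device>/flash|/pcmcia1|/hd-raid)"
    r"(?P<directory>(?:/[^/]+)*)"
    r"/(?P<filename>[^/]+)$"
)


def parse_location(location: str) -> tuple:
    """Split a `file location` argument into (device, directory, filename).
    Raises ValueError when the string is not in the documented form."""
    m = LOCATION_RE.match(location)
    if m is None:
        raise ValueError(
            "location must be [file:]{/flash | /pcmcia1 | /hd-raid}[/directory]/<filename>")
    return m.group("device"), m.group("directory"), m.group("filename")


def is_valid_location(location: str) -> bool:
    try:
        parse_location(location)
    except ValueError:
        return False
    return True


def select_signature_file(location, location_mtime, default_mtime=None, force=False):
    """Return the path that ends up loaded into memory.

    A file loaded from a specified location is compared with the file at the
    default location and the newer of the two is loaded, unless `force` is
    given. 'Newer' is modelled as a later modification time and a tie keeps the
    default file (both assumptions). default_mtime=None models the default file
    being absent, in which case the specified file is loaded.
    """
    parse_location(location)            # reject malformed locations first
    if force:
        return location
    if default_mtime is None or location_mtime > default_mtime:
        return location
    return DEFAULT_RULES_FILE
```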
 
packet-filter
This command enables creating/configuring/deleting an Active Charging Service packet filter.
Product
ECS
Privilege
Security Administrator, Administrator
Syntax
packet-filter filter_name [ -noconfirm ]
no packet-filter filter_name
no
Removes the specified packet filter, if configured previously.
filter_name
Specifies the packet filter name. filter_name must be a string of 1 through 63 characters in length.
If the named packet filter does not exist, it is created, and the CLI mode changes to the Packet Filter Configuration Mode wherein the packet filter can be configured.
If the named packet filter already exists, the CLI mode changes to the Packet Filter Configuration Mode wherein the packet filter can be configured.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete an ACS packet filter.
Example
The following command creates a packet filter named filter3, and enters the Packet Filter Configuration Mode:
packet-filter filter3
 
passive-mode
This command configures the Active Charging Service to operate in passive mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ default | no ] passive-mode
no
Specifies to disable passive mode.
default
Sets the default setting.
Default: Disabled
Usage
Use this command to put the Active Charging Service into or out of passive mode operation, in which the Active Charging Service passively monitors copies of packets.
Example
The following command puts the Active Charging Service into passive mode operation:
passive-mode
 
policy-control burst-size
This command configures the burst size for bandwidth limiting per dynamic-rule or per bearer.
Product
All
Privilege
Security Administrator, Administrator
Syntax
policy-control burst-size { auto-readjust [ duration duration ] | bytes bytes }
{ default | no } policy-control burst-size
default | no
Sets the default configuration.
Default: 65535 bytes
auto-readjust
Configures the burst size equal to duration seconds of traffic.
Default: 10 seconds
duration duration
Specifies the seconds of traffic configured for burst size.
duration must be an integer from 1 through 20.
bytes bytes
Configures the burst size in bytes.
bytes must be an integer from 1 through 4000000000.
Usage
Use this command to configure the burst size for bandwidth limiting per dynamic-rule or per bearer.
Example
The following command configures the burst size for bandwidth limiting per dynamic-rule or per bearer equal to 10 seconds of traffic:
policy-control burst-size auto-readjust
 
policy-control charging-rule-base-name
This command configures whether the Charging-Rule-Base-Name AVP from the PCRF is interpreted as an active-charging rulebase or as an active-charging group-of-ruledefs.
Product
ECS
Privilege
Security Administrator, Administrator
Syntax
policy-control charging-rule-base-name { active-charging-group-of-ruledefs | active-charging-rulebase [ ignore-when-removed ] }
default policy-control charging-rule-base-name
default
Sets the default configuration.
Default: active-charging-group-of-ruledefs
active-charging-group-of-ruledefs
Specifies interpreting Charging-Rule-Base-Name as active-charging group-of-ruledefs.
active-charging-rulebase [ ignore-when-removed ]
Specifies interpreting Charging-Rule-Base-Name as active-charging rulebase.
When Charging-Rule-Base-Name AVP is interpreted as active-charging rulebase, if PCRF requests the removal of a Charging-Rule-Base-Name, which is the same as the rulebase used for that PDP context, the PDP context is terminated. This is because after removal of the rulebase, the PDP context will have no rulebase. This is the default behavior.
When the ignore-when-removed option is configured, PCRF request for removal of Charging-Rule-Base-Name is ignored and no action is taken.
For each call, this interpretation is decided at call setup, and will not be changed during the life of that call. Change will only apply to new calls coming up after the change.
Usage
Use this command to configure interpretation of Charging-Rule-Base-Name AVP from PCRF either as active charging group-of-ruledefs or as active-charging rulebase.
Example
The following command configures interpreting of Charging-Rule-Base-Name AVP as active-charging rulebase:
policy-control charging-rule-base-name active-charging-rulebase
 
port-map
This command enables creating/configuring/deleting a port map.
Product
All
Privilege
Security Administrator, Administrator
Syntax
port-map port_map [ -noconfirm ]
no port-map port_map
no
Removes the specified port map.
port_map
Specifies the port map name.
port_map must be a string of 1 through 63 characters in length, and can contain punctuation characters.
If the named port map does not exist, it is created, and the CLI mode changes to the ACS Port Map Configuration Mode wherein the port map can be configured.
If the named port map already exists, the CLI mode changes to the ACS Port Map Configuration Mode wherein the port map can be configured.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete a port map.
The port map name must be unique within the service. Host pool, port map, IMSI pool, and firewall, routing, and charging ruledefs must have unique names. A maximum of 256 port maps can be created.
Important: Port maps in use in other ruledefs cannot be deleted.
Example
The following command creates a port map named portmap1, and enters ACS Port Map Configuration mode:
port-map portmap1
 
redirect user-agent
This command specifies the user agent for conditional redirection of traffic flows.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] redirect user-agent user_agent_name
no
Removes the specified user agent.
user_agent_name
Specifies the name of the user agent to be used for redirecting traffic flow.
user_agent_name must be an alpha and/or numeric string of 1 through 32 characters in length.
A maximum of 16 user-agents can be configured in an Active Charging Service.
Usage
Use this command to define a user agent name that conditions the redirection of traffic flows. The user agent is referenced by the flow action command in the Charging Action Configuration Mode.
Example
The following command specifies the redirect user agent user_rule1 for conditional redirection of traffic flows:
redirect user-agent user_rule1
 
rulebase
This command enables creating/configuring/deleting an ACS rulebase.
 
Important: A maximum of 512 rulebases can be configured in an Active Charging Service.
Product
ECS
Privilege
Security Administrator, Administrator
Syntax
rulebase rulebase_name [ -noconfirm ]
no rulebase rulebase_name
no
Removes the specified rulebase from the current Active Charging Service.
rulebase_name
rulebase_name must be an alpha and/or numeric string of 1 through 63 characters in length, and can contain punctuation characters.
If the named rulebase does not exist, it is created, and the CLI mode changes to the ACS Rulebase Configuration Mode wherein the rulebase can be configured.
If the named rulebase already exists, the CLI mode changes to the ACS Rulebase Configuration Mode wherein the rulebase can be configured.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete an ACS rulebase. A rulebase is a collection of protocol rules used to match a flow, together with the actions to be taken for a matched flow. The rulebase_name must be unique within a given Active Charging Service.
The default rulebase is used when a subscriber/APN is not configured with a specific rulebase to use.
Example
The following command creates a rulebase named test1, and enters the ACS Rulebase Configuration mode:
rulebase test1
 
ruledef
This command enables creating/configuring/deleting a rule definition in an Active Charging Service.
 
Important: A maximum of 2048 ruledefs can be configured in an Active Charging Service.
Product
ECS
Privilege
Security Administrator, Administrator
Syntax
ruledef ruledef_name [ -noconfirm ]
no ruledef ruledef_name
no
Removes the specified ruledef from the current Active Charging Service.
ruledef_name
ruledef_name must be an alpha and/or numeric string of 1 through 63 characters in length, and can contain punctuation characters.
ruledef_name must be unique within the service. Host pool, port map, IMSI pool, and firewall, routing, and charging ruledefs must have unique names.
If the named ruledef does not exist, it is created, and the CLI mode changes to the ACS Ruledef Configuration Mode wherein the ruledef can be configured.
If the named ruledef already exists, the CLI mode changes to the ACS Ruledef Configuration Mode wherein the ruledef can be configured.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete an ACS ruledef.
A ruledef represents a set of matching conditions across multiple Layer 3 through Layer 7 protocols, based on protocol fields and state information. Each ruledef can be used in multiple rulebases within the Active Charging Service.
Example
The following command creates a rule definition named test1, and enters ACS Ruledef Configuration mode:
ruledef test1
 
system-limit
This command configures the system-wide Layer 4 flow limit.
Important: This command is customer specific. For more information, please contact your local sales or service representative.
Product
ECS
Privilege
Security Administrator, Administrator
Syntax
system-limit l4-flows limit
{ default | no } system-limit l4-flows
Default
Sets the default configuration.
Default: no system-limit l4-flows
no
Disables the limit checking.
limit
Specifies the Layer 4 flows limit, and must be an integer from 1 through 2147483647.
Usage
Use this command to configure the system-wide limit for Layer 4 flows.
The System-wide L4 Flow Limiting feature provides the capability to limit the number of TCP and UDP flows across the system. The limit applies to all subscribers attaching to the system and to all APNs. This feature is compatible with the existing per-subscriber limiting (configured using the flow limit-for-flow-type charging action); both limits can be active at the same time.
System-wide flow limiting is implemented by periodically (approximately every 10 seconds) comparing the "Effective Flows" against the configured "System-wide Flow Limit", where "Effective Flows" is the number of active data sessions, each identified by a 5-tuple key. If the "Effective Flows" count exceeds the "System-wide Flow Limit", the Resource Manager indicates this to the ECS service. Once ECS is aware that the limit has been reached, no more data sessions are set up and the packets that would have opened them are discarded. When a subsequent flow-usage update shows the count back under the limit, the ECS service is told to resume accepting data sessions. Because this relies on periodic reporting, there is an inherent delay both in detecting that the limit has been exceeded and in detecting that the count has returned below it; flows that arrive in that window are treated according to the last report, not the current count.
Example
The following command sets the system limit for L4 flows to 100:
system-limit l4-flows 100
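The following Python simulation is an added example of the reporting mechanism described above and is not Cisco code; the class and method names, the 10 second report interval, and the sample 5-tuples are this example's own. It runs a short timeline with system-limit l4-flows 3 and a per-subscriber limit of 2 flows, so that both limits are active at once, and shows the detection delay in both directions: a fourth flow is accepted before the next report notices the limit, and new flows are still discarded after older flows close, until the report that follows.

```python
"""Simulation of system-wide L4 flow limiting as described for
'system-limit l4-flows': a periodic Resource Manager report compares the active
5-tuple flows with the limit, and ECS acts on the last report. Constructed model,
not Cisco code; names and sample data are this example's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, str]    # src, dst, sport, dport, proto
REPORT_INTERVAL = 10                          # seconds; the doc says roughly every 10 s


@dataclass
class Ecs:
    system_limit: Optional[int]                # None models 'no system-limit l4-flows'
    per_subscriber_limit: Optional[int] = None # models flow limit-for-flow-type (assumed: total flows)
    flows: Dict[FiveTuple, str] = field(default_factory=dict)   # 5-tuple -> subscriber
    system_limit_reached: bool = False         # last indication from the Resource Manager

    def effective_flows(self) -> int:
        return len(self.flows)

    def resource_manager_report(self) -> bool:
        """Periodic check: the only point at which the system-wide flag changes."""
        if self.system_limit is None:
            self.system_limit_reached = False
        else:
            self.system_limit_reached = self.effective_flows() > self.system_limit
        return self.system_limit_reached

    def open_flow(self, key: FiveTuple, subscriber: str) -> str:
        """Decide whether a packet opening a new data session is admitted."""
        if key in self.flows:
            return "existing"
        if self.system_limit_reached:                  # system-wide: based on the last report
            return "discarded:system-limit"
        if self.per_subscriber_limit is not None:      # per-subscriber: checked on the live count
            owned = sum(1 for s in self.flows.values() if s == subscriber)
            if owned >= self.per_subscriber_limit:
                return "discarded:subscriber-limit"
        self.flows[key] = subscriber
        return "accepted"

    def close_flow(self, key: FiveTuple) -> None:
        self.flows.pop(key, None)


def run_scenario(system_limit: int = 3, per_subscriber_limit: int = 2) -> List[Tuple[int, str, str]]:
    """Drive a constructed timeline and return (time, action, result) records."""
    ecs = Ecs(system_limit, per_subscriber_limit)

    def key(sub_ip: str, sport: int, dport: int, proto: str = "tcp") -> FiveTuple:
        return (sub_ip, "203.0.113.10", sport, dport, proto)   # constructed sample 5-tuples

    events = [
        (1, "open", "subA", key("10.0.0.1", 40001, 443)),
        (2, "open", "subA", key("10.0.0.1", 40002, 443)),
        (3, "open", "subB", key("10.0.0.2", 40001, 80)),
        (4, "open", "subB", key("10.0.0.2", 40002, 53, "udp")),  # 4th flow: over limit, not yet reported
        (5, "open", "subA", key("10.0.0.1", 40003, 443)),        # subA already owns 2: per-subscriber limit
        (11, "open", "subC", key("10.0.0.3", 40001, 443)),       # after the t=10 report: discarded
        (12, "close", "subA", key("10.0.0.1", 40001, 443)),
        (12, "close", "subA", key("10.0.0.1", 40002, 443)),
        (12, "close", "subB", key("10.0.0.2", 40001, 80)),
        (13, "open", "subC", key("10.0.0.3", 40002, 443)),       # 1 flow left, flag not cleared yet
        (21, "open", "subC", key("10.0.0.3", 40003, 443)),       # after the t=20 report: accepted
    ]
    log: List[Tuple[int, str, str]] = []
    last_t = max(t for t, *_ in events)
    for now in range(0, last_t + 1):
        if now % REPORT_INTERVAL == 0:
            reached = ecs.resource_manager_report()
            log.append((now, "report", f"effective={ecs.effective_flows()} reached={reached}"))
        for t, op, sub, k in events:
            if t != now:
                continue
            if op == "open":
                log.append((now, f"open {sub}", ecs.open_flow(k, sub)))
            else:
                ecs.close_flow(k)
                log.append((now, f"close {sub}", "closed"))
    return log


if __name__ == "__main__":
    for t, action, result in run_scenario():
        print(f"t={t:>2}s {action:<12} {result}")
```

When sizing the limit, allow for this window: the count can overshoot the configured value by however many flows arrive between two reports, and a short burst that ends before the next report may never be seen at all.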
 
timedef
This command enables creating/configuring/deleting a Time Definition (timedef).
Important: This command is only available in StarOS 8.1 and StarOS 9.0 and later releases.
Important: A maximum of 10 timedefs can be configured in an Active Charging Service.
Product
ECS
Privilege
Security Administrator, Administrator
Syntax
timedef timedef_name [ -noconfirm ]
no timedef timedef_name
no
Deletes the specified timedef.
timedef_name
timedef_name specifies the name of the timedef, and must be an alpha and/or numeric string of 1 through 63 characters in length.
If the named timedef does not exist, it is created, and the CLI mode changes to the Timedef Configuration Mode wherein timeslots for the timedef can be configured.
If the named timedef already exists, the CLI mode changes to the Timedef Configuration Mode wherein timeslots for the timedef can be configured.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete ACS timedefs for the Time-of-Day Activation/Deactivation of Rules feature. Timedefs enable activation/deactivation of ruledefs/groups-of-ruledefs such that they are available for rule matching only when they are active.
Example
The following command creates a timedef named test1, and enters the ACS Timedef Configuration mode:
timedef test1
 
udr-format
This command creates/configures/deletes a UDR format specification.
Product
All
Privilege
Security Administrator, Administrator
Syntax
udr-format name [ -noconfirm ]
no udr-format name
no
Removes the specified UDR format from the current Active Charging Service.
name
Specifies UDR format name, and must be an alpha and/or numeric string of 1 through 63 characters in length.
If the named UDR format does not exist, it is created, and the CLI mode changes to the UDR Format Configuration Mode wherein the UDR format can be configured.
If the named UDR format already exists, the CLI mode changes to the UDR Format Configuration Mode wherein the UDR format can be configured.
Up to 256 UDR and/or EDR formats can be configured in a system across all Active Charging Services.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete a UDR format for a specific Active Charging Service.
Example
The following command creates a UDR format named udr_format1:
udr-format udr_format1
 
url-blacklisting match-method
This command sets the match method to look up URLs in the URL Blacklisting database.
Product
CF
Privilege
Security Administrator, Administrator
Syntax
url-blacklisting match-method { exact | generic }
default url-blacklisting match-method
default
Sets the default match method.
Default: exact
exact
Specifies the exact-match method, wherein URL Blacklisting is performed only on exact match with URLs present in the URL Blacklisting database.
generic
Specifies the generic-match method, wherein URL Blacklisting is performed on generic match with URLs present in the URL Blacklisting database.
Usage
Use this command to set the match method to look up URLs in the URL Blacklisting database.
Example
The following command sets the exact-match method to look up URLs in the URL Blacklisting database:
url-blacklisting match-method exact
 
xheader-format
This command enables creating/configuring/deleting an extension-header (x-header) format specification for the current Active Charging Service.
Important: This is a customer-specific command. For more information, please contact your local sales representative.
Product
ECS
Privilege
Security Administrator, Administrator
Syntax
xheader-format xheader_format_name [ -noconfirm ]
no xheader-format xheader_format_name
no
Removes the specified x-header format for the current Active Charging Service.
xheader_format_name
Specifies the x-header format name.
xheader_format_name must be an alpha and/or numeric string of 1 through 63 characters in length.
If the named x-header format does not exist, it is created, and the CLI mode changes to the x-header Format Configuration Mode wherein the x-header format can be configured.
If the named x-header format already exists, the CLI mode changes to the x-header Format Configuration Mode wherein the x-header format can be configured.
-noconfirm
Specifies that the command must execute without prompting for confirmation.
Usage
Use this command to create/configure/delete an x-header format specification for a specific Active Charging Service.
An x-header may be specified in a charging action to be inserted into HTTP GET and POST request packets. See xheader-insert CLI command in the Charging Action Configuration Mode Commands, and x-header Format Configuration Mode Commands chapter.
Example
The following command creates an x-header format named test, and enters the x-header Format Configuration Mode:
xheader-format test
 
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883