Important: In StarOS 8.x, Stateful Firewall for CDMA and early UMTS releases used rulebase-based configurations, whereas in later UMTS releases Stateful Firewall used policy-based configurations. In StarOS 9.0, Stateful Firewall for UMTS and CDMA releases both use policy-based configurations. For more information, please contact your local service representative.
Step 1 Configure the required core network service on the system as described in the System Administration Guide.
Step 2
Step 3 Proceed to the Configuring the System section.
Step 1
Step 2
Step 1
Step 2 Optional: Configure application-port maps for TCP and UDP protocols as described in the Configuring Port Maps section.
Step 3 Optional: Configure host pools as described in the Configuring Host Pools section.
Step 4 Optional: Configure IMSI pools as described in the Configuring IMSI Pools section.
Step 6
Step 7
Step 8
Step 9
Step 10 Optional: Configure the default Firewall-and-NAT policy as described in the Configuring Default Firewall-and-NAT Policy section.
Step 11
Step 12
Step 13
Important: Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.
active-charging service <ecs_service_name> [ -noconfirm ]
active-charging service <ecs_service_name>
   port-map <port_map_name> [ -noconfirm ]
active-charging service <ecs_service_name>
   host-pool <host_pool_name> [ -noconfirm ]
active-charging service <ecs_service_name>
   imsi-pool <imsi_pool_name> [ -noconfirm ]
active-charging service <ecs_service_name>
   access-ruledef <access_ruledef_name> [ -noconfirm ]
      ip { { { any-match | downlink | uplink } <operator> <condition> } | { { dst-address | src-address } { { <operator> { <ip_address> | <ip_address/mask> } } | { !range | range } host-pool <host_pool_name> } | protocol { { <operator> { <protocol> | <protocol_assignment> } } | { <operator> <protocol_assignment> } } } }
      tcp { any-match <operator> <condition> | { { dst-port | either-port | src-port } { { <operator> <port_number> } | { !range | range } { <start_range> to <end_range> | port-map <port_map_name> } } } }
      udp { any-match <operator> <condition> | { dst-port | either-port | src-port } { <operator> <port_number> | { !range | range } { <start_range> to <end_range> | port-map <port_map_name> } } }
• Configuring access ruledefs involves the creation of several ruledefs with different sets of rules and parameters. When an access ruledef is created, the CLI mode changes to the Firewall Ruledef Configuration Mode. For more information, see the Firewall Ruledef Configuration Mode Commands chapter of the Command Line Interface Reference.
active-charging service <ecs_service_name>
   fw-and-nat policy <fw_nat_policy_name> [ -noconfirm ]
      access-rule priority <priority> { [ dynamic-only | static-and-dynamic ] access-ruledef <access_ruledef_name> { deny [ charging-action <charging_action_name> ] | permit [ trigger open-port { <port_number> | range <start_port> to <end_port> } direction { both | reverse | same } ] }
      access-rule no-ruledef-matches { downlink | uplink } action { deny [ charging-action <charging_action_name> ] | permit }
• The access-rule no-ruledef-matches CLI command configures the default action on packets with no access ruledef matches. Rule matching is done for the first packet of a flow. Only when no rules match is the access-rule no-ruledef-matches configuration considered. The default setting for the uplink direction is "permit", and for the downlink direction "deny".
active-charging service <ecs_service_name>
   firewall port-scan { connection-attempt-success-percentage { non-scanner | scanner } <percentage> | inactivity-timeout <inactivity_timeout> | protocol { tcp | udp } response-timeout <response_timeout> | scanner-policy { block inactivity-timeout <inactivity_timeout> | log-only } }
   idle-timeout { icmp | tcp | udp } <idle_timeout>
   rulebase <rulebase_name>
      icmp req-threshold <req_threshold>
   fw-and-nat policy <fw_nat_policy_name>
      firewall flooding { { protocol { icmp | tcp-syn | udp } packet limit <packets> } | { sampling-interval <sampling_interval> } }
      firewall icmp-destination-unreachable-message-threshold <messages> then-block-server
      firewall max-ip-packet-size <max_packet_size> protocol { icmp | non-icmp }
      firewall tcp-reset-message-threshold <messages> then-block-server
      firewall tcp-syn-flood-intercept { mode { none | watch [ aggressive ] } | watch-timeout <intercept_watch_timeout> }
• The firewall port-scan CLI command in the Active Charging Service Configuration Mode configures protection from port scanning.
• The idle-timeout { icmp | tcp | udp } <idle_timeout_duration> CLI command in the Active Charging Service Configuration Mode configures Stateful Firewall idle timeout settings.
• The flow limit-across-applications { <limit> | non-tcp <limit> | tcp <limit> } CLI command in the Rulebase Configuration Mode configures the maximum number of simultaneous flows per subscriber/APN sent to a rulebase regardless of the flow type, or limits flows based on the protocol type.
• The icmp req-threshold <req_threshold> CLI command in the Rulebase Configuration Mode configures the maximum number of outstanding ICMP requests to store for ICMP reply matching. Stateful Firewall drops an ICMP reply if it has no record of the corresponding ICMP request.
• The firewall dos-protection CLI command configures Stateful Firewall protection for subscribers from Denial-of-Service (DoS) attacks. Note that the following DoS attacks are only detected in the downlink direction: flooding, ftp-bounce, ip-unaligned-timestamp, mime-flood, port-scan, source-router, tcp-window-containment, teardrop, winnuke.
• The firewall flooding CLI command configures Stateful Firewall protection from packet flooding attacks.
• The firewall icmp-checksum-error { drop | permit } CLI command configures Stateful Firewall action on packets with ICMP Checksum errors.
• The firewall icmp-destination-unreachable-message-threshold <messages> then-block-server CLI command configures the threshold on the number of ICMP error messages sent by subscribers for a particular data flow.
• The firewall icmp-fsm CLI command enables Stateful Firewall’s ICMP Finite State Machine (FSM).
• The firewall ip-reassembly-failure { drop | permit } CLI command configures Stateful Firewall action on packets involved in IP Reassembly Failure scenarios.
• The firewall malformed-packets { drop | permit } CLI command configures Stateful Firewall action on malformed packets.
• The firewall max-ip-packet-size <packet_size> protocol { icmp | non-icmp } CLI command configures the maximum IP packet size (after IP reassembly) that Stateful Firewall will permit to prevent packet flooding attacks.
• The firewall mime-flood CLI command configures the maximum number of headers allowed in an HTTP packet, and the maximum header field size allowed in the HTTP header to prevent MIME flooding attacks. This command is only effective if DoS protection for MIME flood attacks has been enabled using the firewall dos-protection mime-flood command, and the route command has been configured to send HTTP packets to the HTTP analyzer.
• The firewall tcp-checksum-error { drop | permit } CLI command configures Stateful Firewall action on packets with TCP Checksum errors.
• The firewall tcp-fsm [ first-packet-non-syn { drop | permit | send-reset } ] CLI command enables Stateful Firewall’s TCP Finite State Machine (FSM).
• The firewall tcp-idle-timeout-action { drop | reset } CLI command configures the action to take on TCP idle timeout expiry.
• The firewall tcp-options-error { drop | permit } CLI command configures Stateful Firewall action on packets with TCP Option errors.
• The firewall tcp-reset-message-threshold <messages> then-block-server CLI command configures the threshold on the number of TCP reset messages sent by the subscriber for a particular data flow.
• The firewall tcp-syn-flood-intercept CLI command configures the TCP intercept parameters used to prevent TCP SYN flooding attacks by intercepting and validating TCP connection requests, for the DoS protection mechanism configured with the firewall dos-protection command.
• The firewall tcp-syn-with-ecn-cwr { drop | permit } CLI command configures Stateful Firewall action on TCP SYN packets with either ECN or CWR flag set.
• The firewall udp-checksum-error { drop | permit } CLI command configures Stateful Firewall action on packets with UDP Checksum errors.
• The firewall validate-ip-options CLI command enables Stateful Firewall validation of IP options for errors. When enabled, Stateful Firewall will drop packets with IP Option errors.
active-charging service <ecs_service_name>
   firewall track-list attacking-servers <no_of_servers>
active-charging service <ecs_service_name>
   rulebase <rulebase_name>
      flow any-error charging-action <charging_action_name>
• For a packet dropped due to any error condition after the data session is created, the charging action applied is the one configured in the flow any-error charging-action command. For a packet dropped due to an access ruledef match or no match (first packet of a flow), the charging action applied is the one configured in the access-rule priority or the access-rule no-ruledef-matches command respectively.
active-charging service <ecs_service_name>
   ruledef <ruledef_name>
      tcp either-port <operator> <value>
active-charging service <ecs_service_name>
   rulebase <rulebase_name>
      route priority <priority> ruledef <ruledef_name> analyzer { ftp-control | rtsp } [ description <description> ]
• For RTSP ALG to work, the rtp dynamic-flow-detection command must be configured in the rulebase.
Enabling Stateful Firewall Support for APN/Subscribers
context <context_name>
   apn <apn_name>
      fw-and-nat policy <fw_nat_policy_name>
context <context_name>
   fw-and-nat policy <fw_nat_policy_name>
active-charging service <ecs_service_name>
   rulebase <rulebase_name>
      fw-and-nat default-policy <fw_nat_policy_name>
threshold poll fw-deny-rule interval <poll_interval>
threshold poll fw-dos-attack interval <poll_interval>
threshold poll fw-drop-packet interval <poll_interval>
threshold poll fw-no-rule interval <poll_interval>
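The access ruledef, Firewall-and-NAT policy, DoS, rulebase and APN commands above assembled into one end-to-end configuration, as an added worked example that is not part of the Cisco guide. Service, ruledef, policy, rulebase, context, APN and charging-action names (ecs1, fw-policy-1, ca-fw-drop and so on) are assumed, the charging action ca-fw-drop is assumed to exist already, and `=` and `TRUE` are used where the syntax shows <operator> and <condition>.

```text
configure
  active-charging service ecs1
    # Subscriber-initiated HTTPS: uplink direction, TCP destination port 443
    access-ruledef https-uplink
      ip uplink = TRUE
      tcp dst-port = 443
      exit
    # Any connection attempt arriving from the network side
    access-ruledef any-downlink
      ip downlink = TRUE
      exit
    fw-and-nat policy fw-policy-1
      # Rules are evaluated on the first packet of a flow, lowest priority value first
      access-rule priority 10 access-ruledef https-uplink permit
      access-rule priority 20 access-ruledef any-downlink deny charging-action ca-fw-drop
      # Override the default uplink "permit" so only explicitly permitted uplink flows pass
      access-rule no-ruledef-matches uplink action deny charging-action ca-fw-drop
      access-rule no-ruledef-matches downlink action deny charging-action ca-fw-drop
      # DoS settings; the matching attack types must also be enabled with
      # firewall dos-protection (its argument syntax is not shown on this page)
      firewall flooding protocol tcp-syn packet limit 100
      firewall tcp-syn-flood-intercept mode watch
      firewall tcp-fsm first-packet-non-syn drop
      firewall icmp-fsm
      firewall validate-ip-options
      firewall malformed-packets drop
      firewall max-ip-packet-size 1500 protocol icmp
      exit
    rulebase rb-default
      # Policy used when no policy is bound at the APN or subscriber level
      fw-and-nat default-policy fw-policy-1
      # Keep at most 10 outstanding ICMP requests; unmatched replies are dropped
      icmp req-threshold 10
      # Charging action for packets dropped on errors after the session exists
      flow any-error charging-action ca-fw-drop
      exit
    exit
  context ingress
    apn internet.example.apn
      # Bind the policy explicitly for this APN
      fw-and-nat policy fw-policy-1
      exit
    exit
  end
```

After applying it, show active-charging fw-and-nat policy statistics name fw-policy-1 and show apn name internet.example.apn | grep Firewall (listed later in this section) confirm the policy is active and counting denied flows.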
• For more information on format_string variable, see the Bulk Statistics Configuration Mode Commands chapter of the Command Line Interface Reference.
• To configure the various parameters for bulk statistics collection before configuring the commands in this section, see the Configuring and Maintaining Bulk Statistics chapter of the System Administration Guide.
active-charging service <ecs_service_name>
update active-charging { switch-to-fw-and-nat-policy <fw_nat_policy_name> | switch-to-rulebase <rulebase_name> } { all | callid <call_id> | fw-and-nat-policy <fw_nat_policy_name> | imsi <imsi> | ip-address <ipv4_address> | msid <msid> | rulebase <rulebase_name> | username <user_name> } [ -noconfirm ]
active-charging service <ecs_service_name>
   fw-and-nat policy <fw_nat_policy_name>
• The no firewall icmp-fsm CLI command disables Stateful Firewall's ICMP Finite State Machine (FSM). When disabled, ICMP replies without corresponding requests, ICMP error messages without an inner-packet data session, and duplicate ICMP requests are allowed by the firewall.
• The no firewall tcp-fsm CLI command disables Stateful Firewall's TCP Finite State Machine (FSM). When disabled, only the packet header check is done; there are no FSM checks, sequence number validations, or port scan checks.
To save changes made to the system configuration, see the Verifying and Saving Your Configuration chapter.
Important: For more information on these commands, see the Exec Mode Commands chapter of the Command Line Interface Reference.
show active-charging fw-and-nat policy statistics name <fw_nat_policy_name>
show active-charging fw-and-nat policy name <fw_nat_policy_name>
This section explains how to review the Personal Stateful Firewall configurations after saving them in a .cfg file as described in the Verifying and Saving Your Configuration chapter, and also how to retrieve errors and warnings within an active configuration for a service. Output descriptions for most of these commands are available in the Command Line Interface Reference.
show subscribers configuration username <user_name>
show subscribers full username <user_name>
show configuration errors section active-charging [ verbose ] [ | { grep <grep_options> | more } ]
show configuration errors verbose
show subscribers configuration username <user_name> | grep Firewall
show apn name <apn_name> | grep Firewall
show active-charging ruledef name <access_rule_name>
show active-charging rulebase name <rulebase_name>
Cisco Systems Inc. Tel: 408-526-4000 Fax: 408-527-0883