Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
Important: This command is only available in StarOS 8.1, and must be used to configure the Policy-based Stateful Firewall and NAT features.
ruledef_name must be a string of 1 through 63 characters in length, and can contain punctuation characters.
Important: An access ruledef can be referenced by multiple firewall rulebases.
Important: The access ruledefs are different from the ACS ruledefs.
The following command creates an access ruledef named ruledef1, and enters the Firewall Ruledef Configuration Mode:
policy_name must be an alpha and/or numeric string of 1 through 63 characters in length.
The following command creates a bandwidth policy named test73, and enters the Bandwidth Policy Configuration mode:
number must be an integer from 1 through 255.
number must be an integer from 1 through 255.
Important: A maximum of 2048 charging actions can be configured in an Active Charging Service.
charging_action_name must be an alpha and/or numeric string of 1 through 63 characters in length, and can contain punctuation characters.
Important: A maximum of 64 Content Filtering Category Policies can be configured in an Active Charging Service.
cf_policy_id must be an integer from 1 through 4,294,967,295.
description [ description_string ]
description_string must be an alpha and/or numeric string of 1 through 31 characters in length.
Note that both description and description_string are optional. “description description_string” saves description_string as the new description. “description” removes the previously specified description. This description is displayed in the output of the “show content-filtering category policy-id id id” and “show active-charging service name service_name” commands.
Important: The group keyword is only available in StarOS 8.1 and later releases.
group_name must be an alpha and/or numeric string of 1 through 63 characters in length.
Description: This command has been obsoleted, and is replaced by the credit-control command.
name must be a string of 1 through 63 characters in length.
queue_size must be an integer from 1 through 2500.
deact-margin deactivate_margin
deactivate_margin is a percentage value, and must be an integer from 1 through 100.
usage_threshold is a percentage value, and must be an integer from 1 through 100.
Important: In StarOS 8.1 and later, for Rulebase-based Stateful Firewall this command is available in the Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the Rulebase Configuration Mode.
• icmp: Enables protection against ICMP Flood attack
• tcp-syn: Enables protection against TCP SYN Flood attack
• udp: Enables protection against UDP Flood attack
Important: In StarOS 8.1 and later, for Rulebase-based Stateful Firewall this command is available in the Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the Rulebase Configuration Mode.
• icmp: Configuration for ICMP protocol.
• tcp-syn: Configuration for TCP-SYN packet limit.
• udp: Configuration for UDP protocol.
packets is the maximum number of packets allowed during a sampling interval, and must be an integer from 1 through 4294967295.
interval must be an integer from 1 through 60.
downlink: Enables flow recovery for packets from downlink direction.
uplink: Enables flow recovery for packets from uplink direction.
timeout must be an integer from 1 through 86400.
Important: NAT flows will not be recovered.
Important: In StarOS 8.1 and later, for Rulebase-based Stateful Firewall this command is available in the Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the Rulebase Configuration Mode.
Important: In StarOS 8.1 and later, for Rulebase-based Stateful Firewall this command is available in the Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the Rulebase Configuration Mode.
packet_size must be an integer from 30000 through 65535.
• icmp: Configuration for ICMP protocol.
• non-icmp: Configuration for protocols other than ICMP.
Important: In StarOS 8.1 and later, for Rulebase-based Stateful Firewall this command is available in the Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the Rulebase Configuration Mode.
max_limit must be an integer from 1 through 256.
max_size must be an integer from 1 through 8192.
• all: Enables/disables all of the following NAT ALGs.
• ftp: Enables/disables File Transfer Protocol (FTP) NAT ALG.
• pptp: Enables/disables Point-to-Point Tunneling Protocol (PPTP) NAT ALG.
• rtsp: Enables/disables Real Time Streaming Protocol (RTSP) ALG.
• sip: Enables/disables Session Initiation Protocol (SIP) NAT ALG.
Important: In StarOS 8.1 and later releases, this command is available in the Rulebase Configuration Mode.
downlink: Downlink packets with no firewall ruledef match.
uplink: Uplink packets with no firewall ruledef match.
permit: Permit specified packets.
deny [ charging-action charging_action ]: Deny specified packets.
Optionally, a charging action can be specified. charging_action must be the name of a charging action, and must be a string of 1 through 63 characters in length.
non-scanner: Specifies the connection attempt success percentage for a non-scanner.
percentage must be an integer from 60 through 99.
scanner: Specifies the connection attempt success percentage for a scanner.
percentage must be an integer from 1 through 40.
inactivity-timeout inactivity_timeout
inactivity_timeout must be an integer from 60 through 1800.
tcp: Specifies response timeout for TCP.
response_timeout must be an integer from 3 through 30.
udp: Specifies response timeout for UDP.
response_timeout must be an integer from 3 through 60.
block inactivity-timeout inactivity_timeout: Specifies blocking any subsequent traffic from the scanner. If the scanner is found to be inactive for the inactivity-timeout period, then the scanner is no longer blocked, and traffic is allowed.
inactivity_timeout specifies the scanner inactivity timeout period, in seconds, and must be an integer from 1 through 4294967295.
log-only: Specifies logging scanner information without blocking scanner traffic.
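The scanner classification and blocking behaviour described above, modelled as an added Python example (not StarOS code): a source's connection-attempt success percentage is compared against the scanner and non-scanner thresholds, an attempt with no reply inside the per-protocol response timeout counts as a failure, and a detected scanner is blocked until it has been idle for the block inactivity timeout, or only logged when log-only is set. The threshold and timeout values and the MIN_ATTEMPTS floor are assumptions chosen inside the ranges given above.

```python
from collections import defaultdict

SCANNER_PCT = 40                          # success % at or below this => scanner (1..40)
NON_SCANNER_PCT = 60                      # success % at or above this => non-scanner (60..99)
RESPONSE_TIMEOUT = {"tcp": 3, "udp": 3}   # seconds to wait for a reply (tcp 3..30, udp 3..60)
BLOCK_INACTIVITY_TIMEOUT = 300            # idle seconds after which a blocked scanner is unblocked
MIN_ATTEMPTS = 5                          # assumption: classify only after this many completed attempts

def classify(successes, failures):
    total = successes + failures
    if total < MIN_ATTEMPTS:
        return "undetermined"
    pct = 100 * successes // total        # connection-attempt success percentage
    if pct <= SCANNER_PCT:
        return "scanner"
    if pct >= NON_SCANNER_PCT:
        return "non-scanner"
    return "undetermined"                 # between the two thresholds

class PortScanDetector:
    def __init__(self, log_only=False):
        self.log_only = log_only                    # log-only: record scanners, never block
        self.pending = {}                           # (src, proto, dport) -> time of the attempt
        self.stats = defaultdict(lambda: [0, 0])    # src -> [successes, failures]
        self.blocked = {}                           # src -> last time its traffic was seen
        self.log = []

    def _expire(self, now):
        for key, t0 in list(self.pending.items()):
            if now - t0 > RESPONSE_TIMEOUT[key[1]]:  # no reply in time: failed attempt
                self.stats[key[0]][1] += 1
                del self.pending[key]

    def packet(self, now, src, proto, dport, reply=False):
        self._expire(now)
        if src in self.blocked and now - self.blocked[src] <= BLOCK_INACTIVITY_TIMEOUT:
            self.blocked[src] = now                 # scanner still active: keep blocking
            return "drop"
        self.blocked.pop(src, None)                 # idle long enough (or never blocked)
        key = (src, proto, dport)
        if reply and key in self.pending:           # reply arrived in time: success
            del self.pending[key]
            self.stats[src][0] += 1
        elif not reply:
            self.pending[key] = now
        if classify(*self.stats[src]) == "scanner":
            self.log.append((now, src))
            if not self.log_only:
                self.blocked[src] = now             # subsequent traffic is dropped
        return "pass"
```

The packet that triggers detection still passes; only traffic after it is dropped, matching the "subsequent traffic" wording above.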
Important: This command is only available in StarOS 8.1, and is customer-specific. This command must be used to configure the Rulebase-based Stateful Firewall and NAT features.
ruledef_name must be a string of 1 through 63 characters in length, and can contain punctuation characters.
Important: A firewall ruledef can be referenced by multiple firewall rulebases.
Important: The firewall ruledefs are different from the Active Charging Ruledefs.
The following command creates a firewall ruledef named fw_ruledef1, and enters the Firewall Ruledef Configuration Mode:
Important: In StarOS 8.1 and later, for Rulebase-based Stateful Firewall this command is available in the Rulebase Configuration Mode, and for Policy-based Stateful Firewall in the Firewall-and-NAT Policy Configuration Mode. In StarOS 8.3, this command is available in the Rulebase Configuration Mode.
max-attempts max_attempts
max_attempts specifies the maximum number of attempts for sending proxy SYN to the target after the timeout duration, and must be an integer from 1 through 5.
• intercept: Configures TCP SYN flood intercept feature in intercept mode.
• none: Disables TCP SYN flood intercept feature.
• watch: Configures TCP SYN flood intercept feature in watch mode. The Stateful Firewall passively watches to see if TCP connections become established within a configurable interval. If connections are not established within the timeout period, the Stateful Firewall clears the half-open connections by sending RST to the TCP client and server. The default watch-timeout for connection establishment is 30 seconds.
• aggressive: Configures TCP SYN flood Intercept or Watch feature for aggressive behavior. Each new connection request causes the oldest incomplete connection to be deleted. When operating in watch mode, the watch timeout is reduced by half. If the watch-timeout is 30 seconds, under aggressive conditions it becomes 15 seconds. When operating in intercept mode, the retransmit timeout is reduced by half (i.e. if the timeout is 60 seconds, it is reduced to 30 seconds). Thus, the amount of time waiting for connections to be established is reduced by half (i.e. it is reduced to 150 seconds from 300 seconds under aggressive conditions).
retransmit-timeout retransmit_timeout
retransmit_timeout specifies the duration in seconds the system waits before sending proxy SYN, and must be an integer from 15 through 60.
watch-timeout intercept_watch_timeout
intercept_watch_timeout specifies the TCP intercept watch timeout in seconds, and must be an integer from 5 through 30.
Important: This variant is only available in StarOS 8.3 and later releases.
no_of_servers specifies the number of servers to track, and must be an integer from 1 through 100.
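An added Python model (not StarOS code) of the watch and aggressive behaviours described above, plus the retransmit-timeout times max-attempts wait calculation that gives the 300 and 150 second figures. Connection tuples and timer values are constructed assumptions within the ranges given above.

```python
def intercept_wait_budget(retransmit_timeout, max_attempts, aggressive=False):
    # Total seconds intercept mode keeps retrying the proxy SYN before giving up.
    assert 15 <= retransmit_timeout <= 60 and 1 <= max_attempts <= 5
    if aggressive:
        retransmit_timeout //= 2      # aggressive halves the retransmit timeout
    return retransmit_timeout * max_attempts

class SynWatch:
    def __init__(self, watch_timeout=30, aggressive=False):
        assert 5 <= watch_timeout <= 30
        self.aggressive = aggressive
        self.timeout = watch_timeout // 2 if aggressive else watch_timeout
        self.half_open = {}            # (client, server, port) -> time the SYN was seen
        self.resets = []               # (reason, conn) for connections cleared with RST

    def tick(self, now):
        # Half-open connections older than the watch timeout get RST to client and server.
        for conn, t0 in list(self.half_open.items()):
            if now - t0 > self.timeout:
                self.resets.append(("timeout", conn))
                del self.half_open[conn]

    def syn(self, now, conn):
        self.tick(now)
        if self.aggressive and self.half_open:
            # Aggressive: each new request deletes the oldest incomplete connection.
            oldest = min(self.half_open, key=self.half_open.get)
            self.resets.append(("evicted", oldest))
            del self.half_open[oldest]
        self.half_open[conn] = now

    def established(self, now, conn):
        self.tick(now)
        self.half_open.pop(conn, None)     # handshake completed: stop watching it
```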
Important: This command is only available in StarOS 8.1 and StarOS 9.0 and later releases. This command must be used to configure the Policy-based Stateful Firewall and NAT features.
Important: When a Firewall-and-NAT policy is deleted, for all subscribers using the policy, Stateful Firewall and NAT processing is disabled, also ECS sessions for the subscribers are dropped. In case of session recovery, the calls are recovered but with Stateful Firewall and NAT disabled.
policy_name must be an alpha and/or numeric string of 1 through 63 characters in length.
The following command creates a Firewall-and-NAT policy named test321, and changes to the Firewall-and-NAT Policy Configuration Mode:
Important: This command is customer specific. For more information, please contact your local sales representative.
Important: A maximum of 64 group-of-prefixed-URL groups can be configured in the Active Charging Service.
group_name must be an alpha and/or numeric string of 1 through 63 characters in length.
The following command creates group-of-prefixed-urls named test5, and enters the ACS Group of Prefixed URLs Configuration Mode:
Important: A maximum of 64 groups-of-ruledefs can be configured in an Active Charging Service.
ruledef_group specifies the group name. The group name must be unique within the Active Charging Service, and must be a string of 1 through 63 characters in length. Up to 64 groups may be configured.
The following command creates a group-of-ruledefs named group1, and enters the Group-of-Ruledefs Configuration Mode:
host_pool must be a string of 1 through 63 characters in length, and can contain punctuation characters.
Important: Host pools in use in other ruledefs cannot be deleted.
The following command creates a host pool named hostpool1, and enters the ACS Host Pool Configuration Mode:
Default: alg-media: 120 seconds; icmp, tcp, udp: 300 seconds
For alg-media, this specifies the media inactivity timeout. The idle_timeout value is applied to the RTP and RTCP media flows created for SIP/H.323 calls, and only to those flows that actually match the RTP and RTCP media pinholes created by the SIP/H.323 ALG.
imsi_pool must be a string of 1 through 63 characters in length, and can contain punctuation characters.
Important: IMSI pools in use in other ruledefs cannot be deleted.
The following command creates an IMSI pool named imsipool1, and enters ACS IMSI Pool Configuration mode:
max_fragments must be an integer from 1 through 300.
content_id must be an integer from 0 through 4,294,967,295.
string must be an alpha and/or numeric string of 1 through 64 characters in length.
Important: This command is only available in StarOS 8.3 and later releases.
Important: This command is only available in StarOS 8.3 and later releases.
buffer: Specifies to buffer packets
drop: Specifies to drop packets
Important: This command is only available in StarOS 8.3 and later releases.
Important: This release supports dynamic updates of signatures (detection logic) only for the following protocols: Bittorrent, DirectConnect, eDonkey, Gnutella, Skype, and Yahoo.
p2p-dynamic-rules { file location [ force ] | protocol [ all | bittorrent | directconnect | edonkey | gnutella | skype | yahoo + ] }
location specifies the file’s location, and must be one of the following:
By default, when a signature file is loaded from a specified location file location, while loading, it is compared with the file at the default location. The newer file of the two files is loaded into memory. To override this behavior, use the force keyword.
+ indicates that more than one of the keywords can be specified in the same command. Not applicable if the all option is selected first.
filter_name must be the name of the packet filter, and must be a string of 1 through 63 characters in length.
The following command creates a packet filter named filter3, and enters the Packet Filter Configuration Mode:
duration must be an integer from 1 through 20.
bytes must be an integer from 1 through 4000000000.
Default: active-charging-group-of-ruledefs
When the ignore-when-removed option is configured, PCRF request for removal of Charging-Rule-Base-Name is ignored and no action is taken.
port_map must be a string of 1 through 63 characters in length, and can contain punctuation characters.
Important: Port maps in use in other ruledefs cannot be deleted.
The following command creates a port map named portmap1, and enters ACS Port Map Configuration mode:
user_agent_name must be an alpha and/or numeric string of 1 through 32 characters in length.
The following command specifies the redirect user agent user_rule1 for conditional redirection of traffic flow.
Important: A maximum of 512 rulebases can be configured in an Active Charging Service.
rulebase_name must be an alpha and/or numeric string of 1 through 63 characters in length, and can contain punctuation characters.
The following command creates a rulebase named test1, and enters the ACS Rulebase Configuration mode:
Important: A maximum of 2048 ruledefs can be configured in an Active Charging Service.
ruledef ruledef_name [ -noconfirm ]
ruledef_name must be an alpha and/or numeric string of 1 through 63 characters in length, and can contain punctuation characters.
ruledef_name must be unique within the service. Host pool, port map, IMSI pool, and firewall, routing, and charging ruledefs must have unique names.
Important: This command is customer specific. For more information, please contact your local sales or service representative.
Default: no system-limit l4-flows
Important: This command is only available in StarOS 8.1 and StarOS 9.0 and later releases.
Important: A maximum of 10 timedefs can be configured in an Active Charging Service.
timedef timedef_name [ -noconfirm ]
timedef_name specifies name of the timedef, and must be an alpha and/or numeric string of 1 through 63 characters in length.
The following command creates a timedef named test1, and enters the ACS Timedef Configuration mode:
Important: This is a customer-specific command. For more information, please contact your local sales representative.
xheader_format_name must be an alpha and/or numeric string of 1 through 63 characters in length.
An x-header may be specified in a charging action to be inserted into HTTP GET and POST request packets. See the xheader-insert CLI command in the Charging Action Configuration Mode Commands and x-header Format Configuration Mode Commands chapters.