Stateful Firewall Thresholds
Thresholds generate alerts or alarms based on either the total number of Stateful Firewall calls set up by the system during the specified polling interval, or on the number of currently active calls only.
Syntax
Alerts or alarms are triggered for call setups based on the following rules:
- Enter condition: Actual number of call setups > or = High Threshold
- Clear condition: Actual number of call setups < Low Threshold.
If a trigger condition occurs within the polling interval, the alert or alarm will not be generated until the end of the polling interval.
Default value is 0, which means there will be no monitoring.
The polling interval is in seconds and it is an integer between 30 and 60000. Entries will be rounded up to the nearest 30 seconds.
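The enter/clear rules and the interval rounding described above can be modelled as a small state machine. This is an added illustration, not vendor code: the function and class names and the sample counts are constructed here, and it assumes that an omitted clear value falls back to the high threshold, which this page does not state.

```python
from typing import List, Optional

def round_poll_interval(seconds: int) -> int:
    """Round a requested polling interval up to the next multiple of 30 s."""
    if not 30 <= seconds <= 60000:
        raise ValueError("polling interval must be between 30 and 60000 seconds")
    return -(-seconds // 30) * 30  # integer ceiling division

class ThresholdMonitor:
    """Alarm state for one counter, evaluated once per polling interval."""

    def __init__(self, high: int, low: Optional[int] = None):
        self.high = high
        # Assumption (not stated on the page): no clear value -> use high.
        self.low = high if low is None else low
        if self.low > self.high:
            raise ValueError("clear threshold must not exceed high threshold")
        self.active = False

    def end_of_interval(self, count: int) -> Optional[str]:
        """Apply the rules to the count seen in the interval that just ended."""
        if self.high == 0:          # default value 0: no monitoring
            return None
        if not self.active and count >= self.high:   # enter condition
            self.active = True
            return "raise"
        if self.active and count < self.low:         # clear condition
            self.active = False
            return "clear"
        return None                 # no state change in this interval

def replay(high: int, low: Optional[int], counts: List[int]) -> List[Optional[str]]:
    """Feed per-interval counts through a monitor and collect the events."""
    monitor = ThresholdMonitor(high, low)
    return [monitor.end_of_interval(c) for c in counts]

# Constructed sample: counter value observed in seven consecutive intervals.
SAMPLE_COUNTS = [40, 100, 120, 60, 50, 49, 100]

if __name__ == "__main__":
    print(round_poll_interval(45))
    print(replay(100, 50, SAMPLE_COUNTS))
```

With a high threshold of 100 and a clear threshold of 50, the alarm stays raised through the intervals that count 60 and 50 and clears only at 49, so a counter hovering just below the high threshold does not produce repeated alarms.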
Configuring Stateful Firewall Thresholds
This section describes how to enable and configure Stateful Firewall thresholds.
Enabling Thresholds
To enable thresholds use the following configuration:
configure
threshold monitoring firewall
end
Configuring Threshold Polling Intervals
To configure threshold poll interval use the following configuration:
configure
threshold poll fw-deny-rule interval <interval>
threshold poll fw-dos-attack interval <interval>
threshold poll fw-drop-packet interval <interval>
threshold poll fw-no-rule interval <interval>
end
Configuring Thresholds Limits
To configure threshold limits use the following configuration:
configure
threshold fw-deny-rule <high_thresh> [ clear <low_thresh> ]
threshold fw-dos-attack <high_thresh> [ clear <low_thresh> ]
threshold fw-drop-packet <high_thresh> [ clear <low_thresh> ]
threshold fw-no-rule <high_thresh> [ clear <low_thresh> ]
end
Saving Your Configuration
When you configure thresholds they are not permanent unless you save the changes. When you have completed configuring thresholds, save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.