Enabling the ECS Subsystem and Creating the ECS Service
Configuring Port Maps
configure
active-charging service <ecs_service_name>
port-map <port_map_name> [ -noconfirm ]
port { <port_number> | range <start_port> to <end_port> }
end
Configuring Host Pools
configure
active-charging service <ecs_service_name>
host-pool <host_pool_name> [ -noconfirm ]
ip { <ip_address> | <ip_address/mask> | range <start_ip_address> to <end_ip_address> }
end
Configuring IMSI Pools
configure
active-charging service <ecs_service_name>
imsi-pool <imsi_pool_name> [ -noconfirm ]
imsi { <imsi_number> | range <start_imsi> to <end_imsi> }
end
Configuring Access Ruledefs
configure
active-charging service <ecs_service_name>
access-ruledef <access_ruledef_name> [ -noconfirm ]
bearer apn [ case-sensitive ] <operator> <value>
bearer imsi { <operator> <msid> | { !range | range } imsi-pool <imsi_pool_name> }
bearer username [ case-sensitive ] <operator> <user_name>
icmp { any-match <operator> <condition> | code <operator> <code> | type <operator> <type> }
ip { { { any-match | downlink | uplink } <operator> <condition> } | { { dst-address | src-address } { { <operator> { <ip_address> | <ip_address/mask> } } | { !range | range } host-pool <host_pool_name> } } | protocol { { <operator> { <protocol> | <protocol_assignment> } } | { <operator> <protocol_assignment> } } }
tcp { any-match <operator> <condition> | { { dst-port | either-port | src-port } { { <operator> <port_number> } | { !range | range } { <start_range> to <end_range> | port-map <port_map_name> } } } }
udp { any-match <operator> <condition> | { dst-port | either-port | src-port } { <operator> <port_number> | { !range | range } { <start_range> to <end_range> | port-map <port_map_name> } } }
create-log-record
end
Configuring Firewall-and-NAT Policies
configure
active-charging service <ecs_service_name>
fw-and-nat policy <fw_nat_policy_name> [ -noconfirm ]
firewall policy { ipv4-only | ipv4-and-ipv6 | ipv6-only }
access-rule priority <priority> { [ dynamic-only | static-and-dynamic ] access-ruledef <access_ruledef_name> { deny [ charging-action <charging_action_name> ] | permit [ trigger open-port { <port_number> | range <start_port> to <end_port> } direction { both | reverse | same } ] } }
access-rule no-ruledef-matches { downlink | uplink } action { deny [ charging-action <charging_action_name> ] | permit }
end
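A complete access-control policy assembled from the port-map, host-pool, IMSI-pool, access-ruledef and fw-and-nat policy commands above, added here as an example that is not from the original guide. Every name (ecs1, web-ports, mgmt-servers, trusted-imsis, the ruledef and policy names) and every address, port and IMSI value is constructed, and the example assumes access rules are evaluated in ascending priority order with the first matching rule deciding the packet.

```text
configure
  active-charging service ecs1
    # Constructed port-map: subscriber-initiated web traffic
    port-map web-ports
      port 80
      port 443
      port range 8080 to 8088
      exit
    # Constructed host-pool: management subnet subscribers must not reach
    host-pool mgmt-servers
      ip 10.10.20.0/24
      ip range 10.10.30.10 to 10.10.30.20
      exit
    # Constructed IMSI pool: subscribers exempt from the management block
    imsi-pool trusted-imsis
      imsi range 123456000000001 to 123456000000999
      exit
    access-ruledef permit-trusted-uplink
      bearer imsi range imsi-pool trusted-imsis
      ip uplink = TRUE
      exit
    access-ruledef deny-mgmt-uplink
      ip uplink = TRUE
      ip dst-address range host-pool mgmt-servers
      create-log-record
      exit
    access-ruledef permit-web-uplink
      ip uplink = TRUE
      tcp dst-port range port-map web-ports
      exit
    fw-and-nat policy fw-policy1
      firewall policy ipv4-and-ipv6
      # Lowest priority number is checked first (assumed evaluation order)
      access-rule priority 5 access-ruledef permit-trusted-uplink permit
      access-rule priority 10 access-ruledef deny-mgmt-uplink deny
      access-rule priority 20 access-ruledef permit-web-uplink permit
      # Default-deny in both directions when no ruledef matches
      access-rule no-ruledef-matches uplink action deny
      access-rule no-ruledef-matches downlink action deny
      end
```

With this ordering a trusted subscriber's uplink traffic is permitted before the management-subnet deny is reached, while every other subscriber is limited to the web ports and has management-subnet attempts logged.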
Configuring Protection from DoS and Other Attacks
configure
active-charging service <ecs_service_name>
firewall port-scan { connection-attempt-success-percentage { non-scanner | scanner } <percentage> | inactivity-timeout <inactivity_timeout> | protocol { tcp | udp } response-timeout <response_timeout> | scanner-policy { block inactivity-timeout <inactivity_timeout> | log-only } }
idle-timeout { icmp | tcp | udp } <idle_timeout>
rulebase <rulebase_name>
flow limit-across-applications { <limit> | non-tcp <limit> | tcp <limit> }
icmp req-threshold <req_threshold>
exit
fw-and-nat policy <fw_nat_policy_name>
firewall dos-protection { all | flooding { icmp | tcp-syn | udp } | ftp-bounce | ip-unaligned-timestamp | ipv6-dst-options [ invalid-options | unknown-options ] | ipv6-extension-hdrs [ limit <extension_limit> ] | ipv6-frag-hdr nested-fragmentation | ipv6-hop-by-hop [ invalid-options | jumbo-payload | router-alert | unknown-options ] | mime-flood | port-scan | source-router | tcp-window-containment | teardrop | winnuke }
firewall flooding { { protocol { icmp | tcp-syn | udp } packet limit <packets> } | { sampling-interval <sampling_interval> } }
firewall icmp-checksum-error { drop | permit }
firewall icmp-destination-unreachable-message-threshold <messages> then-block-server
firewall icmp-echo-id-zero { drop | permit }
firewall icmp-fsm
firewall ip-reassembly-failure { drop | permit }
firewall malformed-packets { drop | permit }
firewall max-ip-packet-size <max_packet_size> protocol { icmp | non-icmp }
firewall mime-flood { http-headers-limit <max_limit> | max-http-header-field-size <max_size> }
firewall tcp-checksum-error { drop | permit }
firewall tcp-fsm [ first-packet-non-syn { drop | permit | send-reset } ]
firewall tcp-idle-timeout-action { drop | reset }
firewall tcp-options-error { drop | permit }
firewall tcp-partial-connection-timeout <timeout>
firewall tcp-reset-message-threshold <messages> then-block-server
firewall tcp-syn-flood-intercept { mode { none | watch [ aggressive ] } | watch-timeout <intercept_watch_timeout> }
firewall tcp-syn-with-ecn-cwr { drop | permit }
firewall udp-checksum-error { drop | permit }
firewall validate-ip-options
end
Configuring Maximum Number of Servers to Track for DoS Attacks
Configuring Action on Packets Dropped by Stateful Firewall
configure
active-charging service <ecs_service_name>
rulebase <rulebase_name>
flow any-error charging-action <charging_action_name>
end
Configuring Dynamic Pinholes/ALGs
Creating Routing Ruledefs
Configuring Routing Ruledefs in the Rulebase
Enabling Stateful Firewall Support for APN/Subscribers
Enabling Stateful Firewall for APN
Enabling Stateful Firewall for Subscribers
Configuring Default Firewall-and-NAT Policy
Configuring Stateful Firewall Thresholds
Configuring Threshold Poll Interval
Configuring Bulk Statistics Schema
configure
bulkstats mode
context schema <schema_name> format <format_string>
end
Changing Stateful Firewall Policy in Mid-session
update active-charging { switch-to-fw-and-nat-policy <fw_nat_policy_name> | switch-to-rulebase <rulebase_name> } { all | callid <call_id> | fw-and-nat-policy <fw_nat_policy_name> | imsi <imsi> | ip-address <ipv4_address> | msid <msid> | rulebase <rulebase_name> | username <user_name> } [ -noconfirm ]
Configuring Stateless Firewall
configure
active-charging service <ecs_service_name>
fw-and-nat policy <fw_nat_policy_name>
no firewall icmp-fsm
no firewall tcp-fsm
end
Gathering Stateful Firewall Statistics
| Statistics | Command | Information to Look For |
|---|---|---|
| Firewall-and-NAT Policy statistics | show active-charging fw-and-nat policy statistics all | The output displays statistics for all Firewall-and-NAT policies. |
| Firewall-and-NAT Policy statistics | show active-charging fw-and-nat policy statistics name <fw_nat_policy_name> | The output displays statistics for the specified Firewall-and-NAT policy. |
| Firewall-and-NAT Policy information | show active-charging fw-and-nat policy all | The output displays information for all Firewall-and-NAT policies. |
| Firewall-and-NAT Policy information | show active-charging fw-and-nat policy name <fw_nat_policy_name> | The output displays information for the specified Firewall-and-NAT policy. |
| Flow related statistics on a chassis | show active-charging flows all | The output displays statistics for all flows for subscriber sessions in a system/service. |
| Detailed disconnect reasons for session flow | show session disconnect-reasons [ verbose ] | The output displays the disconnect reasons for flows of a subscriber session in a system/service. |
| Detailed statistics of Stateful Firewall service | show active-charging firewall statistics [ verbose ] | The output displays detailed Stateful Firewall statistics. |
| Detailed statistics of rulebases | show active-charging rulebase statistics | The output displays detailed statistics of rulebases in a service. |
| Detailed statistics of all ruledefs | show active-charging ruledef statistics | The output displays detailed statistics of all ruledefs configured in the ECS service. |
| Detailed statistics of all charging ruledefs | show active-charging ruledef statistics all charging | The output displays detailed statistics of all charging ruledefs configured in the ECS service. |
| Detailed statistics of all access ruledefs | show active-charging ruledef statistics all firewall [ wide ] | The output displays detailed statistics of all access ruledefs configured in the ECS service. |
Managing Your Configuration
| To do this: | Enter this command: |
|---|---|
| View Administrative Information | |
| View current administrative user access | |
| View a list of all administrative users currently logged on to the system | show administrators |
| View the context in which the administrative user is working, the IP address from which the administrative user is accessing the CLI, and a system-generated ID number | show administrators session id |
| View information pertaining to local-user administrative accounts configured for the system | show local-user verbose |
| View statistics for local-user administrative accounts | show local-user statistics verbose |
| View information pertaining to your CLI session | show cli |
| Determining the System's Uptime | |
| View the system's uptime (time since last reboot) | show system uptime |
| View Status of Configured NTP Servers | |
| View status of the configured NTP servers | show ntp status |
| View System Alarm Status | |
| View the status of the system's outstanding alarms | show alarm outstanding all |
| View detailed information about all currently outstanding alarms | show alarm outstanding all verbose |
| View system alarm statistics | show alarm statistics |
| View Subscriber Configuration Information | |
| View locally configured subscriber profile settings (must be in the context where the subscriber resides) | show subscribers configuration username <user_name> |
| View Subscriber Information | |
| View a list of subscribers currently accessing the system | show subscribers all |
| View information for a specific subscriber | show subscribers full username <user_name> |
| View Personal Stateful Firewall Related Information | |
| View System Configuration | |
| View the configuration of a context | show configuration context <context_name> |
| View configuration errors for Active Charging Service/Stateful Firewall Service | show configuration errors section active-charging [ verbose ] [ \| { grep <grep_options> \| more } ]<br>show configuration errors verbose |
| View Personal Stateful Firewall Configuration | |
| View Personal Stateful Firewall configurations | show configuration \| grep Firewall |
| View access policy association with subscriber | show subscribers all \| grep Firewall<br>show apn all \| grep Firewall |
| View Stateful Firewall policy status for a specific subscriber/APN | show subscribers configuration username <user_name> \| grep Firewall<br>show apn name <apn_name> \| grep Firewall |
| View all access ruledefs | show active-charging ruledef firewall |
| View a specific access ruledef | show active-charging ruledef name <access_rule_name> |
| View which DoS attack prevention is enabled | show configuration verbose \| grep dos |
| View attack statistics | show active-charging firewall statistics verbose |
| View ruledef action properties, checksum verification status, etc. | show active-charging rulebase name <rulebase_name> |
| View session disconnect reasons | show session disconnect-reasons [ verbose ] |
| View information on sessions for which Stateful Firewall processing is required or not required, as specified | show active-charging sessions firewall { not-required \| required } |
| View information on subscribers for whom Stateful Firewall processing is required or not required, as specified | show subscribers firewall { not-required \| required } |
| View the list of servers being tracked for involvement in any DoS attacks | show active-charging firewall track-list attacking-servers |