Firewall-and-NAT Action Configuration Mode Commands

The Firewall-and-NAT Action Configuration Mode enables configuring Stateful Firewall (FW) and Network Address Translation (NAT) actions.

IMPORTANT:

This configuration mode is only available in release 11.0 and later releases. This configuration mode must be used to configure Action-based Stateful Firewall and NAT features.

IMPORTANT:

The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).

end

Exits the current configuration mode and returns to the Exec mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
end

Usage:

Use this command to return to the Exec mode.

exit

Exits the current mode and returns to the parent configuration mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
exit

Usage:

Use this command to return to the parent configuration mode.

flow check-point

This command checkpoints all the flows matching the Firewall-and-NAT action.

Platform:

ASR 5000

Product:

NAT


Privilege:

Security Administrator, Administrator


Syntax
flow check-point [ data-usage data_usage [ and | or ] | time-duration duration [ and | or ] ]
{ default | no } flow check-point

default

Configures the default Firewall action.

no

Deletes the Firewall action configuration.

data-usage data_usage

Specifies the data usage in bytes.

data_usage must be an integer from 1 through 4294967295.

The maximum limit for data-usage is 4 GB.

time-duration duration

Specifies the time duration in seconds.

duration must be an integer from 1 through 86400.

The maximum limit for time-duration is 24 hours.

and | or

This option allows configuring only data-usage or only time-duration, or a combination of data-usage and time-duration.


Usage:

Use this command to enable or disable check-pointing of NATed flows and to control which flows are check-pointed, based on the specified criteria. Check-pointing is done only for TCP and UDP flows.


Example:
The following command enables check-pointing of flows with a data-usage of 5000 bytes:
flow check-point data-usage 5000
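
The following Python sketch is an added example, not part of the original reference or of any vendor tooling. It lints flow check-point lines in a saved configuration against the syntax and value ranges documented above, before they are pushed to a device. It assumes that a combined line is written as one criterion, then and or or, then the other criterion; the function names and all sample lines except the first are constructed for illustration.

```python
import re

# Ranges from the parameter descriptions on this page.
LIMITS = {"data-usage": (1, 4294967295), "time-duration": (1, 86400)}
_CRIT = r"(data-usage|time-duration)\s+(\S+)"
# Assumption: a combined line is "<criterion> and|or <criterion>".
_LINE = re.compile(
    rf"(?:(default|no)\s+)?flow\s+check-point"
    rf"(?:\s+{_CRIT}(?:\s+(and|or)\s+{_CRIT})?)?"
)

def check_line(line):
    """Return a list of problems for one flow check-point line ([] if clean)."""
    m = _LINE.fullmatch(line.strip())
    if m is None:
        return ["does not match the flow check-point syntax"]
    prefix, k1, v1, _op, k2, v2 = m.groups()
    problems = []
    if prefix and k1:
        problems.append(f"'{prefix}' form takes no criteria")
    if k1 and k1 == k2:
        problems.append(f"{k1} given twice")
    for key, val in ((k1, v1), (k2, v2)):
        if key is None:
            continue
        lo, hi = LIMITS[key]
        if not re.fullmatch(r"[0-9]+", val) or not lo <= int(val) <= hi:
            problems.append(f"{key} {val}: must be an integer from {lo} through {hi}")
    return problems

def audit(config_text):
    """Map line number -> problems for every flow check-point line found."""
    findings = {}
    for n, line in enumerate(config_text.splitlines(), 1):
        if "flow check-point" in line and (p := check_line(line)):
            findings[n] = p
    return findings

# Constructed sample config lines (only the first is taken from this page).
SAMPLE = """\
flow check-point data-usage 5000
flow check-point time-duration 90000
flow check-point data-usage 4294967296 or time-duration 600
flow check-point data-usage 5000 and time-duration 3600
default flow check-point data-usage 10
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```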