Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
action priority action_priority { [ dynamic-only | static-and-dynamic | timedef timedef_name ] { group-of-ruledefs ruledefs_group_name | ruledef ruledef_name } charging-action charging_action_name [ monitoring-key monitoring_key ] [ description description ] }
action_priority must be an integer from 1 through 65535.
Important: When R7 Gx is enabled, “static-and-dynamic” rules behave exactly like “dynamic-only” rules; that is, they must be activated explicitly by the PCRF. When Gx is not enabled, “static-and-dynamic” rules behave exactly like static rules.
Important: This keyword is only available in StarOS 8.1 and StarOS 9.0 and later releases.
timedef_name must be the name of a timedef, and must be an alpha and/or numeric string of 1 through 63 characters in length.
Important: The time considered for timedef matching is the system’s local time.
ruledef_name must be the name of an existing ruledef, and must be an alpha and/or numeric string of 1 through 63 characters in length.
Important: If the ruledef specified here is deleted or is not configured, the system accepts it without applying any ruledef under current rulebase for this action priority.
group-of-ruledefs ruledefs_group_name
ruledefs_group_name must be the name of an existing group-of-ruledefs, and must be an alpha and/or numeric string of 1 through 63 characters in length.
Important: If the group-of-ruledefs specified here is deleted or is not configured, the system accepts it without applying any ruledefs under current rulebase for this action priority.
charging-action charging_action_name
charging_action_name must be the name of an existing charging action, and must be an alpha and/or numeric string of 1 through 63 characters in length.
Important: If the charging action specified here is deleted or not configured, the system accepts it without applying any charging action under current rulebase for this action priority.
monitoring-key monitoring_key
monitoring_key must be an integer from 1 through 4000000000.
description must be an alpha and/or numeric string of 1 through 63 characters in length.
The following command assigns a rule and action with the action priority of 23, a ruledef named test, and a charging action named test1 to the current rulebase:
bandwidth_policy_name must be an alpha and/or numeric string of 1 through 63 characters in length.
Important: In the GGSN, if in the APN configuration the “accounting-mode” is set to “none”, the system continues to send ACS-generated RADIUS accounting messages. In the PDSN, if in the subscriber default configuration the “accounting-mode” is set to “none”, the system does not send any RADIUS accounting messages (including ACS accounting messages).
udr udr-format udr_format_name
udr_format_name must be the name of an existing UDR format, and must be a string of 1 through 63 characters in length.
duration specifies charging time in seconds and must be an integer from 1 through 4,294,967,295.
charging_unit specifies service-specific charging unit and must be an integer from 1 through 4,000,000,000.
volume { cc-input-octets bytes | cc-output-octets bytes | cc-total-octets bytes } +
• bytes: Specifies volume in bytes, and must be an integer from 1 through 4,000,000,000.
• +: Indicates that more than one of the above keywords can be entered within a single command.
holding-time holding_time
holding_time must be an integer from 1 through 4000000000.
After holding_time seconds has passed without user traffic, the quota is reported back and the charging stops until new traffic starts.
content_id is the content ID specified for credit control service in ACS, and must be an integer from 0 through 4,294,967,295.
retry-time retry_time [ max-retries retries ]
retry_time must be an integer from 0 through 86400. To disable this assign 0.
max-retries retries configures the maximum number of retries allowed for blacklisted categories. The default is 65535 retries.
retries must be an integer from 1 through 65535. To disable this, assign 0.
cca quota retry time allows the operator to set the amount of time that the ACS waits before it retries the prepaid server for a content ID for which quota was exhausted earlier.
seconds must be an integer from 1 through 4,294,967,295.
When used along with consumed-time it indicates the active usage + idle time, when no traffic flow occurs.
seconds must be an integer from 1 through 4294967295.
seconds must be an integer from 1 through 4294967295.
content_id is the content ID specified for credit control service in ACS, and must be an integer from 1 through 65535.
If the operator chooses parking-meter seconds style charging, then time is billed in seconds chunks.
The following command sets time duration to 400 seconds for prepaid credit control time duration algorithm:
interval must be an integer from 0 through 3600.
vpn_context must be an alpha and/or numeric string of 1 through 63 characters in length.
group_name must be an alpha and/or numeric string of 1 through 63 characters in length.
The following command defines RADIUS charging context prepaid_rad1 for RADIUS prepaid charging in the rulebase:
password specifies the password. Without encryption, password must be an alpha and/or numeric string of 1 through 63 characters in length. With encryption, password must be an alpha and/or numeric string of 1 through 127 characters in length.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
The following command defines the user password user_123 without encryption for a prepaid service subscriber with RADIUS charging in the rulebase.
Important: In 11.0 and later releases, this option is not supported. The medium keyword is deprecated.
bandwidth-policy bandwidth_policy
bandwidth_policy must be a string of 1 through 63 characters in length.
cbb_policy must be a string of 1 through 63 characters in length.
Important: This keyword is customer-specific.
fw_policy must be an alpha and/or numeric string of 1 through 63 characters in length.
fw-and-nat-policy fw_nat_policy_name
Important: This keyword is customer specific, and is only available in StarOS 8.1.
fw_nat_policy_name must be a string of 1 through 63 characters in length.
cf_policy_id must be the ID of an existing Content Filtering Category Policy, and must be an integer from 1 through 4294967295.
Important: In case the specified Content Filtering Category Policy does not exist, all packets will be passed regardless of the categories/actions determined for such packets.
Important: The category policy ID configured using the category policy-id cf_policy_id command in the APN/Subscriber Configuration Mode prevails over this configuration.
All the denied packets will be accounted by the discarded-flow-content-id configuration in the Content Filtering Policy Configuration Mode; that is, this content ID will be used to generate UDRs for the denied packets in case of content filtering.
• static-only: Configures Content Filtering mode as Static only. Compares all URLs against the internal database to determine the category or categories of the requested content.
  Using category-based content filtering support requires configuration of the require active-charging content-filtering category CLI command in the Global Configuration Mode.
• static-and-dynamic: Configures Content Filtering mode as Static-and-Dynamic, wherein static rating of the URL is performed first, and only if the static rating fails to find a match is dynamic rating of the content that the server returns performed.
  Important: Before enabling static-and-dynamic rating in the rulebase, it must be enabled at the global level, as the resources required for dynamic rating are allocated at the global level. To enable static-and-dynamic rating at the global level, in the Global Configuration Mode, use the require active-charging content-filtering category static-and-dynamic CLI command.
server-group cf_server_group
cf_server_group must be the name of a CFSG, and must be unique, and must be an alpha and/or numeric string of 1 through 63 characters in length.
• always-first: If this option is configured, all the dynamic rules are matched against the flow prior to any static rule.
• first-if-tied: If this option is configured, rules are matched against the flow based on their priority, with the condition that dynamic rules match before a static rule of the same priority.
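The two check orders differ only in how a dynamic rule is ranked against a static rule. The following Python model, added here as an illustration and not part of the StarOS documentation or product code, sorts a constructed rule set under each mode and then picks the first rule whose (hypothetical) predicate matches a sample flow; the rule names, priorities and predicates are all made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated earlier
    dynamic: bool      # True for a PCRF-activated (dynamic) rule, False for static


def match_order(rules, mode):
    """Order rules as the two dynamic-rule-check-order modes describe.
    'always-first': every dynamic rule precedes every static rule.
    'first-if-tied': priority decides; a dynamic rule wins a priority tie."""
    if mode == "always-first":
        key = lambda r: (0 if r.dynamic else 1, r.priority)
    elif mode == "first-if-tied":
        key = lambda r: (r.priority, 0 if r.dynamic else 1)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return [r.name for r in sorted(rules, key=key)]


def first_match(rules, mode, flow, predicates):
    """Return the name of the first rule (in mode order) whose predicate
    matches the flow, or None. The predicate model is hypothetical."""
    for name in match_order(rules, mode):
        if predicates[name](flow):
            return name
    return None


# Constructed rule set: two static, two dynamic, with a priority tie at 10.
RULES = [
    Rule("s5", 5, False),
    Rule("s10", 10, False),
    Rule("d10", 10, True),
    Rule("d50", 50, True),
]
# Constructed match predicates, one per rule name.
PREDICATES = {
    "s5": lambda f: f["proto"] == "tcp",
    "s10": lambda f: f["dst_port"] == 80,
    "d10": lambda f: f["dst_port"] == 80,
    "d50": lambda f: True,
}
FLOW = {"proto": "tcp", "dst_port": 80}   # constructed sample flow

if __name__ == "__main__":
    for mode in ("always-first", "first-if-tied"):
        print(mode, match_order(RULES, mode), "->",
              first_match(RULES, mode, FLOW, PREDICATES))
```

With always-first the dynamic rule d10 wins even though the static rule s5 has a better priority; with first-if-tied s5 wins, and d10 only beats s10 because of the tie-break.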
Default: no edr suppress-zero-byte-records
Important: This command is available only in StarOS 8.1 and StarOS 9.0 and later releases.
Default: no edr transaction-complete
edr-format edr_format_name
Important: This option is available only in 12.1 and earlier releases. In 12.2 and later releases, this option is deprecated and is replaced by the charging-edr option.
edr_format_name must be an alpha and/or numeric string of 1 through 63 characters in length.
charging-edr charging_edr_format_name
Important: This option is available only in 12.2 and later releases.
charging_edr_format_name must be an alpha and/or numeric string of 1 through 63 characters in length.
reporting-edr reporting_edr_format_name
Important: This option is available only in 12.2 and later releases.
reporting_edr_format_name must be an alpha and/or numeric string of 1 through 63 characters in length.
Default: no edr voip-call-end
edr-format edr_format_name
Important: This option is available only in 12.1 and earlier releases. In 12.2 and later releases, it has been deprecated and is replaced by the charging-edr option.
edr_format_name must be an existing EDR format’s name, and must be a string of 1 through 63 characters in length.
charging-edr charging_edr_format_name
Important: This option is available only in 12.2 and later releases.
charging_edr_format_name must be an existing charging EDR format’s name, and must be a string of 1 through 63 characters in length.
reporting-edr reporting_edr_format_name
Important: This option is available only in 12.2 and later releases.
reporting_edr_format_name must be an existing reporting EDR format’s name, and must be a string of 1 through 63 characters in length.
Description: This command is obsolete. It is included in the CLI for backward compatibility with older configuration files. When executed, it performs no function. Use the egcdr threshold interval interval [ regardless-of-other-triggers ] command for this functionality.
delimiter { colon | comma | pipe }: Specifies the delimiter character to use in eG-CDR in ASCII format.
• colon: Specifies to use “:”, the colon character, as delimiter in eG-CDR.
• comma: Specifies to use “,”, the comma character, as delimiter in eG-CDR.
• pipe: Specifies to use “|”, the pipe character, as delimiter in eG-CDR.
minute must be an integer from 0 through 59.
hour must be an integer from 0 through 23.
interval interval [ regardless-of-other-triggers ]
interval must be an integer from 60 through 40000000.
regardless-of-other-triggers: This option enables the eG-CDR generation at the fixed time interval irrespective of any other eG-CDR triggers that may have happened in between.
• downlink bytes: Specifies the limit for the number of downlink octets after which the eG-CDR is closed.
  bytes must be an integer from 100,000 through 4,000,000,000.
• total bytes: Specifies the limit for the total number of octets (uplink+downlink) after which the eG-CDR is closed.
  bytes must be an integer from 100,000 through 4,000,000,000.
• uplink bytes: Specifies the limit for the number of uplink octets after which the eG-CDR is closed.
  bytes must be an integer from 100,000 through 4,000,000,000.
consumed-time consumed_time [ plus-idle ]
consumed_time must be an integer from 1 through 4,294,967,295.
plus-idle: Specifies the idle time between arrival of two packets to include in time usage record in eG-CDR.
When used along with consumed-time it indicates the active usage + idle time, when no traffic flow occurs.
ctp_time sets the period, in seconds, used to start a counter on arrival of the first packet and thereafter include in charging only those periods in which one or more packets arrived. Periods in which no packets arrived or no traffic was detected are not charged, as no usage is computed for them.
ctp_time must be an integer from 1 through 4294967295.
seconds must be an integer from 1 through 4294967295.
consumed-time in the above scenario calculates the time duration as (T2 – T1) + (T4 – T3) where
consumed-time with plus-idle calculates the time duration as (T2 – T1) + I + (T4 – T3) + I, or (T4 – T1).
Default: no extract-host-from-uri
Important: Applying the extract-host-from-uri command a second time will overwrite the previous configuration. For example, if you apply the command extract-host-from-uri http wsp http, and then apply the command extract-host-from-uri http wsp, extraction of host from URI will happen only for the WSP analyzer.
waiver_percent must be an integer from 0 through 1000.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
• icmp: Enables protection against ICMP Flood attacks
• tcp-syn: Enables protection against TCP SYN Flood attacks
• udp: Enables protection against UDP Flood attacks
Important: The DoS attacks are detected only in the downlink direction.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
• icmp: Configuration for ICMP protocol.
• tcp-syn: Configuration for TCP-SYN packet limit.
• udp: Configuration for UDP protocol.
packets must be an integer from 1 through 4294967295.
interval must be an integer from 1 through 60.
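The packet limit and interval together define a rate threshold per protocol. The following Python detector, added here as an illustration rather than taken from StarOS, applies such thresholds to constructed sample traffic: it counts downlink packets of each protected protocol in a trailing window of interval seconds and reports each packet that pushes the count above the configured limit. Only downlink packets are examined, in line with the note above that DoS attacks are detected in the downlink direction only; the sliding-window accounting and the sample packet list are assumptions of this example.

```python
from collections import deque


def detect_floods(packets, limits, interval):
    """Flag downlink packets that exceed a per-protocol packet limit.

    packets: iterable of (timestamp_seconds, protocol, direction) tuples.
    limits: {protocol: max packets allowed per interval}; protocols are
            'icmp', 'tcp-syn' or 'udp' as in the flood-protection keywords.
    interval: length of the trailing window in seconds.
    Returns a list of (protocol, timestamp) for every downlink packet that
    raised its protocol's count within the window above the limit.
    The sliding-window model is an assumption of this example."""
    windows = {proto: deque() for proto in limits}
    alerts = []
    for ts, proto, direction in sorted(packets):
        if direction != "downlink" or proto not in windows:
            continue                      # uplink and unlisted protocols are ignored
        window = windows[proto]
        window.append(ts)
        while ts - window[0] >= interval:  # discard packets older than the window
            window.popleft()
        if len(window) > limits[proto]:
            alerts.append((proto, ts))
    return alerts


# Constructed sample traffic: (seconds, protocol, direction).
SAMPLE_TRAFFIC = [
    (0.0, "tcp-syn", "downlink"),
    (0.1, "tcp-syn", "downlink"),
    (0.2, "tcp-syn", "downlink"),
    (0.3, "tcp-syn", "downlink"),   # fourth SYN inside one second: over the limit
    (0.4, "tcp-syn", "downlink"),   # still over the limit
    (0.5, "tcp-syn", "uplink"),     # uplink is not inspected
    (0.6, "icmp", "downlink"),
    (0.7, "icmp", "downlink"),      # only two ICMP packets: under the limit
    (2.0, "tcp-syn", "downlink"),   # earlier SYNs have aged out: no alert
]
# Constructed limits: packets per interval for each protected protocol.
SAMPLE_LIMITS = {"icmp": 5, "tcp-syn": 3, "udp": 100}


def sample_alerts():
    """Run the detector over the constructed traffic with a 1 s interval."""
    return detect_floods(SAMPLE_TRAFFIC, SAMPLE_LIMITS, interval=1)


if __name__ == "__main__":
    for proto, ts in sample_alerts():
        print(f"{proto} packet limit exceeded at t={ts:.1f}s")
```

A separate limit per protocol matters because a legitimate ICMP or UDP rate is usually far higher than a legitimate rate of new TCP SYNs, which is why the command takes the protocol keyword before the packet count.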
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
messages must be an integer from 1 through 100.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
packet_size must be an integer from 30000 through 65535.
• icmp: Configuration for ICMP protocol.
• non-icmp: Configuration for protocols other than ICMP.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
max_limit must be an integer from 1 through 256.
max_size must be an integer from 1 through 8192.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, use the access-rule no-ruledef-matches command available in the Firewall-and-NAT Policy Configuration Mode.
• downlink: Downlink packets with no Stateful Firewall ruledef match.
• uplink: Uplink packets with no Stateful Firewall ruledef match.
action { deny [ charging-action charging_action_name ] | permit [ bypass-nat | nat-realm nat_realm_name ] }
permit [ bypass-nat | nat-realm nat_realm_name ]: Permit packets.
Important: The bypass-nat keyword is only available in StarOS 8.3 and later releases.
• bypass-nat: Specifies to bypass Network Address Translation (NAT).
• nat-realm nat_realm_name: Specifies a NAT realm to be used for performing NAT on subscriber packets.
  nat_realm_name must be an alpha and/or numeric string of 1 through 31 characters in length.
Important: If neither bypass-nat nor nat-realm is configured, NAT is performed if the nat policy nat-required CLI command is configured with the default-nat-realm option.
deny [ charging-action charging_action_name ]: Denies specified packets.
charging_action_name must be the name of a charging action, and must be a string of 1 through 63 characters in length.
Important: In StarOS 8.0, this command is available in the APN/Subscriber Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
Important: In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, use the access-rule priority command available in the Firewall-and-NAT Policy Configuration Mode.
firewall priority priority [ dynamic-only | static-and-dynamic ] firewall-ruledef firewall_ruledef_name { { deny [ charging-action charging_action_name ] } | { permit [ nat-realm nat_realm_name | [ trigger open-port { aux_port_number | range start_port_number to end_port_number } direction { both | reverse | same } ] ] } }
priority must be unique, and must be an integer from 1 through 65535.
• dynamic-only: Firewall Dynamic Ruledef—Predefined ruledef that can be enabled/disabled by the policy server, and is disabled by default.
• static-and-dynamic: Firewall Static and Dynamic Ruledef—Predefined ruledef that can be disabled/enabled by the policy server, and is enabled by default.
• firewall_ruledef_name must be the name of a predefined Stateful Firewall ruledef, and must be a string of 1 through 63 characters in length.
deny [ charging-action charging_action_name ]
charging_action_name must be a string of 1 through 63 characters in length.
permit [ nat-realm nat_realm_name | [ bypass-nat ] [ trigger open-port { aux_port_number | range start_port_number to end_port_number } ] ]
• nat-realm nat_realm_name: Specifies the NAT realm to be used for performing NAT on subscriber packets matching the Stateful Firewall ruledef.
  nat_realm_name specifies the NAT realm name, and must be a string of 1 through 31 characters in length.
  Important: If the nat-realm is not configured, NAT is performed if the nat policy nat-required CLI command is configured with the default-nat-realm option.
• trigger open-port { aux_port_number | range start_port_number to end_port_number }: Permits packets if the rule is matched, and allows the creation of data flows for Stateful Firewall. Optionally a port trigger can be specified to be used for this rule to limit the range of auxiliary data connections (a single or range of port numbers) for protocols having control and data connections (like FTP). The trigger port will be the destination port of an association which matches a rule.
  • aux_port_number: Specifies the number of auxiliary ports to open for traffic, and must be an integer from 1 through 65535.
  • range start_port_number to end_port_number: Specifies the range of ports to open for subscriber traffic.
    • start_port_number must be an integer from 1 through 65535. This is the start of the port range and must be less than end_port_number.
    • end_port_number must be an integer from 1 through 65535. This is the end of the port range and must be greater than start_port_number.
  • both: Provides the trigger to open port for traffic in either direction of the control connection.
  • reverse: Provides the trigger to open port for traffic in the reverse direction of the control connection (from where the connection is initiated).
  • same: Provides the trigger to open port for traffic in the same direction of the control connection (from where the connection is initiated).
Important: For Stateful Firewall ruledefs, only the terminate-flow action is applicable if configured in the specified charging action.
The following command assigns a priority of 10 to the Stateful Firewall ruledef fw_rule1, adds it to the rulebase, and permits a port trigger to be used for the rule to open ports in the range 100 to 200 in either direction of the control connection:
firewall priority 10 firewall-ruledef fw_rule1 permit trigger open-port range 100 to 200 direction both
Important: In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
• drop: Drops the packet or session
Important: In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
• drop: Drops the packet or session
Important: This command is only available in StarOS 8.3 and later releases. In StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
Default: no firewall tcp-reset-message-threshold
messages must be an integer from 1 through 100.
Important: In StarOS 8.0, this command is available in the ACS Configuration Mode. In StarOS 8.1 and StarOS 8.3, use this command for Rulebase-based Firewall-and-NAT configuration. In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT configuration, this command is available in the Firewall-and-NAT Policy Configuration Mode.
• none: Disables the TCP SYN flood intercept feature.
• watch: Configures the TCP SYN flood intercept feature in watch mode. Stateful Firewall passively watches to see if TCP connections become established within a configurable interval. If connections are not established within the timeout period, Stateful Firewall clears the half-open connections by sending RST to the TCP client and server. The default watch-timeout for connection establishment is 30 seconds.
• aggressive: Configures the TCP SYN flood Intercept or Watch feature for aggressive behavior. Each new connection request causes the oldest incomplete connection to be deleted. When operating in watch mode, the watch timeout is reduced by half. If the watch-timeout is 30 seconds, under aggressive conditions it becomes 15 seconds. When operating in intercept mode, the retransmit timeout is reduced by half (i.e. if the timeout is 60 seconds, it is reduced to 30 seconds). Thus the amount of time waiting for connections to be established is reduced by half (i.e. it is reduced to 150 seconds from 300 seconds under aggressive conditions).
watch-timeout intercept_watch_timeout
intercept_watch_timeout must be an integer from 5 through 30.
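The watch and aggressive behaviours described above can be modelled as a tracker of half-open connections. The Python class below is an added illustration, not StarOS code: it records each SYN, drops the entry when the handshake completes, clears any half-open entry older than the watch timeout (halved when aggressive is set), and in aggressive mode evicts the oldest incomplete connection whenever a new request arrives, exactly as the option text describes. The connection identifiers, timestamps and the run_scenario() sequence are constructed sample data; a real firewall would send RSTs where this model only records the cleared entries.

```python
class SynFloodWatcher:
    """Watch-mode tracker for half-open TCP connections (added example)."""

    def __init__(self, watch_timeout=30, aggressive=False):
        # Aggressive mode halves the watch timeout (30 s becomes 15 s).
        self.timeout = watch_timeout / 2 if aggressive else watch_timeout
        self.aggressive = aggressive
        self.half_open = {}   # connection id -> time the SYN was seen
        self.cleared = []     # (connection id, reason) for entries the firewall cleared

    def syn(self, conn, now):
        """A new connection request was seen at time `now`."""
        self.expire(now)
        if self.aggressive and self.half_open:
            # Aggressive: each new request deletes the oldest incomplete connection.
            oldest = min(self.half_open, key=self.half_open.get)
            self.cleared.append((oldest, "evicted-by-new-request"))
            del self.half_open[oldest]
        self.half_open[conn] = now

    def established(self, conn, now):
        """The three-way handshake completed; stop watching this connection."""
        self.expire(now)
        self.half_open.pop(conn, None)

    def expire(self, now):
        """Clear half-open connections that outlived the watch timeout
        (the point at which RST would be sent to client and server)."""
        for conn, seen_at in list(self.half_open.items()):
            if now - seen_at > self.timeout:
                self.cleared.append((conn, "watch-timeout"))
                del self.half_open[conn]


def run_scenario(aggressive):
    """Constructed event sequence: c1 never completes, c2 completes, c3 is late."""
    watcher = SynFloodWatcher(watch_timeout=30, aggressive=aggressive)
    watcher.syn("c1", 0)
    watcher.syn("c2", 5)          # aggressive mode evicts c1 here
    watcher.established("c2", 10)
    watcher.syn("c3", 20)
    watcher.expire(40)            # 40 s after c1, 20 s after c3
    return watcher.cleared


if __name__ == "__main__":
    print("watch:     ", run_scenario(aggressive=False))
    print("aggressive:", run_scenario(aggressive=True))
```

In plain watch mode only c1 is cleared, because c3 is still inside the 30 s timeout when the check runs; in aggressive mode c1 is evicted as soon as c2 arrives, and c3 is cleared too because the timeout has shrunk to 15 s.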
charging-action charging_action_name
Important: The charging action specified here should preferably not be used for action on packets dropped due to Stateful Firewall ruledef match or no-match (in the firewall priority and firewall no-ruledef-matches commands), and the content ID within the charging action must be unique so that dropped counts will not interfere with other content IDs.
charging_action_name must be the name of a charging action, and must be a string of 1 through 63 characters in length.
If the charging action applied on a packet is the one specified in the flow any-error charging-action command, flow statistics are updated and action is taken as configured in the charging action:
The following command specifies the charging action test2 for accounting action on packets dropped/discarded by Stateful Firewall due to any error:
In this command, the optional keyword charge-to-application is deprecated and has no effect.
Default: no flow control-handshaking
Important: This keyword is only available in StarOS 8.3 and later releases, and is only applicable when used with the hagr, handoff, and session-end keywords.
Important: This option is available only in 12.1 and earlier releases. In 12.2 and later releases, this option is deprecated and is replaced by the charging-edr option.
edr_format_name is a pre-configured format, and must be a unique alpha and/or numeric string 1 through 63 characters in length.
charging-edr charging_edr_format_name
Important: This option is available only in 12.2 and later releases.
charging_edr_format_name must be a unique alpha and/or numeric string 1 through 63 characters in length.
reporting-edr reporting_edr_format_name
Important: This option is available only in 12.2 and later releases.
reporting_edr_format_name must be a unique alpha and/or numeric string 1 through 63 characters in length.
limit must be an integer from 1 through 4000000000.
limit must be an integer from 1 through 4000000000.
limit must be an integer from 1 through 4000000000.
Important: This command is only available in StarOS 8.1 and StarOS 9.0 and later releases. This command must be used to configure the Policy-based Firewall-and-NAT feature.
fw_nat_policy_name must be an alpha and/or numeric string of 1 through 63 characters in length.
For more information, see the Personal Stateful Firewall Administration Guide.
timeout_duration must be an integer from 100 through 30000.
Important: This command is only available in StarOS 8.3. In StarOS 9.0 this command is available in the Firewall-and-NAT Policy Configuration Mode.
Default: port-chunk-release
edr_format must be an alpha and/or numeric string of 1 through 63 characters in length.
The following command configures an EDR format named test123 and specifies generating NBR when a port chunk is allocated, and when a port chunk is released:
Important: In StarOS 8.1 and StarOS 9.0 and later releases, for Policy-based Firewall-and-NAT, this command is available in the Firewall-and-NAT Policy Configuration Mode.
Important: Before enabling NAT processing for a subscriber, Stateful Firewall must be enabled for the subscriber. See the firewall policy CLI command.
Important: This keyword is only available in StarOS 8.3 and later releases.
nat_realm_name must be an alpha and/or numeric string of 1 through 31 characters in length.
Important: Including the default NAT realm, a maximum of three NAT realms are supported.
Important: This command is customer-specific. For more information please contact your local service representative. In StarOS 9.0, this command is available in the Firewall-and-NAT Policy Configuration Mode.
group-of-ruledefs ruledefs_group_name
ruledefs_group_name must be an alpha and/or numeric string of 1 through 63 characters in length.
ruledef_name must be an alpha and/or numeric string of 1 through 63 characters in length.
charging-action charging_action_name
charging_action_name must be an alpha and/or numeric string of 1 through 63 characters in length.
description must be an alpha and/or numeric string of 1 through 31 characters in length.
The following command specifies the ruledef named test_rule as a dynamic post-processing ruledef configured with the charging action ca13 and a description of testing:
Default: not-for-dynamic-discard
Important: In existing deployments, this requires changes to configurations with quota-limit rules for certain features to work.
Important: This command is only available in StarOS 8.3 and later releases.
post-processing priority priority { group-of-ruledefs ruledefs_group_name | ruledef ruledef_name } charging-action charging_action_name [ description description ]
priority must be an integer from 1 through 65535, and must be unique.
group-of-ruledefs ruledefs_group_name
ruledefs_group_name must be the name of a group-of-ruledefs, and must be an alpha and/or numeric string of 1 through 63 characters in length.
Important: The group-of-ruledefs specified must be configured for post-processing. See the group-of-ruledefs-application CLI command in the ACS Group-of-Ruledefs Configuration Mode.
ruledef_name must be an alpha and/or numeric string of 1 through 63 characters in length.
Important: The ruledef specified must be configured for post-processing. See the rule-application CLI command in the ACS Ruledef Configuration Mode Commands chapter.
charging-action charging_action_name
charging_action_name must be an alpha and/or numeric string of 1 through 63 characters in length.
description must be an alpha and/or numeric string of 1 through 31 characters in length.
The following command configures the ruledef named test_ruledef with a priority of 10, and the charging action named test_ca for post processing:
Important: This command is controlled by the dynamic-qos-renegotiation license.
timeout must be the timeout period, in seconds, and must be an integer from 0 through 4294967295.
interval must be an integer from 60 through 40000000.
volume must be an integer from 100,000 through 4,000,000,000.
route priority route_priority ruledef ruledef_name analyzer { dns | file-transfer | ftp-control | ftp-data | h323 | http | imap | mms | p2p | pop3 | pptp | rtcp | rtp | rtsp | sdp | secure-http | sip [ advanced | basic-and-advanced ] | smtp | tftp | wsp-connection-less | wsp-connection-oriented } [ description description ]
route_priority must be an integer from 1 through 65535.
ruledef_name specifies the name of an existing ruledef configured for the route application using the rule-application command in the ACS Ruledef Configuration Mode.
• dns: Route to DNS protocol analyzer.
• ftp-data: Route to FTP data protocol analyzer.
• h323: Route to H323 protocol analyzer.
• http: Route to HTTP protocol analyzer.
• imap: Route to IMAP protocol analyzer.
• mms: Route to MMS protocol analyzer.
• p2p: Route to the P2P protocol analyzer.
• pop3: Route to POP3 protocol analyzer.
• pptp: Route to PPTP protocol analyzer.
• rtcp: Route to RTCP protocol analyzer.
• rtp: Route to RTP protocol analyzer.
• rtsp: Route to RTSP protocol analyzer.
• sdp: Route to SDP protocol analyzer.
• advanced: For SIP calls to work with NAT/Stateful Firewall, a SIP ALG is required to do payload translation of SIP packets and pin-hole (dynamic flow) creation for media packets. A SIP routing rule must be configured for routing the packets to the SIP ALG for processing. If the keyword advanced is configured, the packets matching the routing rule will be routed to the SIP ALG for processing and not to the ACS SIP analyzer. If not configured, then packets will not be routed to the SIP ALG and will be routed to the ACS SIP analyzer for processing.
  Also, see the firewall nat-alg CLI command in the ACS Configuration Mode.
• basic-and-advanced: For the SIP ALG to co-exist with the SIP Analyzer, the packets are routed through the ACS SIP Analyzer and the SIP ALG. The SIP packets can pass through ACS functionality (by ACS SIP Analyzer processing) and at the same time payload translation/pinhole creation can happen successfully (by SIP ALG processing). If basic-and-advanced is configured, then the packets matching the routing rule will be routed through the SIP Analyzer and then through the SIP ALG for processing.
• tftp: Route to TFTP protocol analyzer.
• smtp: Route to SMTP protocol analyzer.
Important: To route packets to the P2P analyzer, the ruledef should have rules to match all IP packets. Otherwise, the analyzer may not detect all P2P traffic.
Important: Use the show active-charging analyzer statistics command in the Exec Mode to see the list of supported analyzers.
description must be an alpha and/or numeric string of 1 through 63 characters in length.
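The following rulebase fragment is an added illustration, not taken from the Cisco reference: it sends SIP to the SIP ALG (so NAT/firewall pinholes are created for media) and uses a catch-all ruledef for the P2P analyzer, as the Important note above requires. The ruledef names rd_sip, rd_http and rd_any_ip are assumed to already exist, configured for the route application with the rule-application command, with rd_any_ip assumed to match all IP packets; the ordering assumption is that a lower route priority value is evaluated first.

```text
# Added example, not from the Cisco reference. Assumes ruledefs rd_sip,
# rd_http and rd_any_ip exist and are configured for the route application;
# rd_any_ip is assumed to match all IP packets. Lower priority value is
# assumed to be evaluated first, so the catch-all P2P route goes last.
route priority 10 ruledef rd_sip analyzer sip advanced description sip-to-alg
route priority 20 ruledef rd_http analyzer http description web-traffic
route priority 100 ruledef rd_any_ip analyzer p2p description p2p-catch-all
```

Omitting the advanced keyword on the SIP route sends the packets to the ACS SIP analyzer only, so no payload translation or pinhole creation takes place; check the result with show active-charging analyzer statistics.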
FTP and the command name is retr or stor; or, HTTP and the request method is get or post.
WSP content type is application/vnd.wap.mms-message; or, WSP uri contains “ mms”; or, HTTP content type is application/vnd.wap.mms-message; or, HTTP uri contains “ mms”.
Use the p2p dynamic-flow-detection CLI command to enable detection of the different P2P applications specified by the p2p application CLI command; that will cause every TCP or UDP packet to be automatically routed here.
route priority 23 ruledef test analyzer test_analyzer description route_test1
Default: no rtp dynamic-flow-detection
Default: no ruledef-parsing ignore-port-numbers-embedded-in-application-headers analyzers { http rstp sip wsp }—not ignoring port numbers that are embedded in application headers
seconds must be an integer from 1 through 20.
Important: This command is only available in StarOS 8.1 and later releases.
tcp mss tcp_mss { add-if-not-present | limit-if-present } +
tcp_mss must be an integer from 496 through 65535.
tcp mss 3000 limit-if-present add-if-not-present
Description: This command has been deprecated, and is replaced by the tcp packets-out-of-order command.
duration_ms is the timeout period in milliseconds, and must be an integer from 100 through 30000.
• after-reordering: Sends the TCP out-of-order segment after all packets are received and successfully reordered. If reordering is not successful due to a timeout, the received packets are forwarded without being passed through the protocol analyzers. If memory allocation fails or the received packet is partial retransmitted data, the packet will be forwarded immediately without being passed through the protocol analyzers, except for the IP analyzer.
• immediately: Sends the TCP out-of-order segment immediately after buffering a copy. The packets are transmitted as they are received without any in-line services or charging action processing, but a copy of each packet is also held. When the missing packet is received, complete deep packet inspection of all the packets and all relevant in-line services is done, and then the last packet is forwarded.
• all: Specifies that subscriber-initiated TCP flows be proxied if all/any of the following conditions are satisfied.
• content-filtering: Specifies that subscriber-initiated TCP flows be proxied if a URL is requested, and that URL is checked because Category-based Content Filtering is enabled in the rulebase.
• dcca: Specifies that subscriber-initiated TCP flows be proxied if DCCA is enabled in the charging action.
• ip-readdressing: Specifies that subscriber-initiated TCP flows be proxied if the IP Readdressing feature is enabled in the charging action.
• nexthop-readdressing: Specifies that subscriber-initiated TCP flows be proxied if the Nexthop Readdressing feature is enabled in the charging action.
• xheader-insert: Specifies that subscriber-initiated TCP flows be proxied if the x-Header Insertion feature is enabled in the charging action.
static [ port [ port_number [ to port_number ] ] ]
port [ port_number [ to port_number ] ]
port_number must be an integer from 1 through 65535.
Important: In release 11.0, TCP Proxy functions only in Static mode. Dynamic TCP Proxy mode is supported only in 12.0 and later releases.
Important: Regardless of this CLI command, TCP Proxy is enabled in the case of TPO, whenever a TPO profile is selected for the subscriber's flow(s).
tpo_policy_name must be an alpha and/or numeric string of 1 through 63 characters in length.
Default: transport-layer-checksum verify-during-packet-inspection—to perform the checksum verification calculation on all TCP and UDP packets.
udr threshold { interval interval | volume { downlink bytes [ uplink bytes ] | total bytes | uplink bytes [ downlink bytes ] } }
Default: no udr threshold interval; no udr threshold volume—disables the UDR threshold settings.
interval must be an integer from 60 through 40000000.
• downlink bytes: Specifies the limit for the number of downlink octets after which the UDR is closed. bytes must be an integer from 100,000 through 4,000,000,000.
• total bytes: Specifies the limit for the total number of octets (uplink+downlink) after which the UDR is closed. bytes must be an integer from 100,000 through 4,000,000,000. By default, this configuration is disabled.
• uplink bytes: Specifies the limit for the number of uplink octets after which the UDR is closed. bytes must be an integer from 100,000 through 4,000,000,000.
Important: This command is only available in StarOS 8.3 and later releases.
url specifies the redirect URL/URI.
url must be a fully qualified URL/URI, and must be a string of 1 through 1023 characters in length.
reply_code specifies the reply code, and must be an integer from 100 through 599.
Important: This command is customer specific. For more information, please contact your local service representative.
group_name must be an alpha and/or numeric string of 1 through 63 characters in length.
Description: This command has been deprecated, and is replaced by the wtp packets-out-of-order command.
timeout is the timeout duration in milliseconds, and must be an integer from 100 through 30000.
• immediately: Sends the WTP out-of-order segment immediately after buffering a copy.
If after-reordering transmitting is specified, the packets are held and reordered. After the packets are successfully reordered, they are processed in the proper order. If reordering is not successful due to timeout (wtp out-of-order-timeout), the received packets are forwarded without being passed through the protocol analyzers.
If immediately is specified, the packets are transmitted as they are received without any in-line services or Charging Action processing; however, a copy of each packet is retained. When the missing packet is received, complete deep packet inspection of all the packets and all relevant in-line services is undertaken, and then the last packet is forwarded (unless otherwise configured by the in-line services or Charging Action).
Important: This command is license dependent. For more information, please contact your local sales representative.
certificate-name certificate_name
certificate_name must be the name of a certificate, and must be an alpha and/or numeric string of 1 through 63 characters in length.
period specifies the re-encryption time period in minutes, and must be an integer from 1 through 10000.