Cisco Cisco Expressway Maintenance Manual
Field
Description
Usage tips
Start and
end port
end port
The port range to which the
rule applies.
rule applies.
Only applies if specifying a UDP or TCP Custom service.
Action
The action to take against
any IP traffic that matches
the rule.
any IP traffic that matches
the rule.
Allow: Accept the traffic.
Drop: Drop the traffic
without any response to the
sender.
without any response to the
sender.
Reject: Reject the traffic
with an 'unreachable'
response.
with an 'unreachable'
response.
Dropping the traffic means that potential attackers are not provided
with information as to which device is filtering the packets or why.
with information as to which device is filtering the packets or why.
For deployments in a secure environment, you may want to
configure a set of low priority rules (for example, priority 50000) that
deny access to all services and then configure higher priority rules
(for example, priority 20) that selectively allow access for specific IP
addresses.
configure a set of low priority rules (for example, priority 50000) that
deny access to all services and then configure higher priority rules
(for example, priority 20) that selectively allow access for specific IP
addresses.
Description An optional free-form
description of the firewall
rule.
rule.
If you have a lot of rules you can use the Filter by description options
to find related sets of rules.
to find related sets of rules.
Current active firewall rules
The
Current active firewall rules
page (
System > Protection > Firewall rules > Current active rules
)
shows the user-configured firewall rules that are currently in place on the system. There is also a set of built-
in rules that are not shown in this list.
in rules that are not shown in this list.
If you want to change the rules you must go to the
Firewall rules configuration
page from where you can
set up and activate a new set of rules.
Configuring automated intrusion protection
The automated protection service can be used to detect and block malicious traffic and to help protect the
Expressway from dictionary-based attempts to breach login security.
Expressway from dictionary-based attempts to breach login security.
It works by parsing the system log files to detect repeated failures to access specific service categories,
such as SIP, SSH and web/HTTPS access. When the number of failures within a specified time window
reaches the configured threshold, the source host address (the intruder) and destination port are blocked for a
specified period of time. The host address is automatically unblocked after that time period so as not to lock
out any genuine hosts that may have been temporarily misconfigured.
such as SIP, SSH and web/HTTPS access. When the number of failures within a specified time window
reaches the configured threshold, the source host address (the intruder) and destination port are blocked for a
specified period of time. The host address is automatically unblocked after that time period so as not to lock
out any genuine hosts that may have been temporarily misconfigured.
below).
feature - use automated protection
to dynamically detect and temporarily block specific threats, and use firewall rules to permanently block a
range of known host addresses.
range of known host addresses.
About protection categories
The set of available protection categories on your Expressway are pre-configured according to the software
version that is running. You can enable, disable or configure each category, but you cannot add additional
categories.
version that is running. You can enable, disable or configure each category, but you cannot add additional
categories.
Cisco Expressway Administrator Guide (X8.5.2)
Page 31 of 403
Network and system settings
Intrusion protection