Cisco Expressway Maintenance Manual
Field: Action
Description: The action to take against any IP traffic that matches the rule.
  Allow: Accept the traffic.
  Drop: Drop the traffic without any response to the sender.
  Reject: Reject the traffic with an 'unreachable' response.
Usage tips: Dropping the traffic means that potential attackers are not provided with information as to which device is filtering the packets or why.
For deployments in a secure environment, you may want to configure a set of low priority rules (for example, priority 50000) that deny access to all services and then configure higher priority rules (for example, priority 20) that selectively allow access for specific IP addresses.

Field: Description
Description: An optional free-form description of the firewall rule.
Usage tips: If you have a lot of rules you can use the Filter by description options to find related sets of rules.
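The following is an added illustration of how a priority-ordered rule set of the kind described in the usage tips behaves; it is not Expressway code. It assumes that rules are checked in ascending priority number (priority 20 before priority 50000), that the first matching rule decides the packet's fate, and it does not model the built-in rules the guide mentions. The rule set, addresses and descriptions are constructed for the example.

```python
"""Priority-ordered firewall rule evaluation (added illustration, not Expressway code).

Assumptions not stated on the page: rules are checked in ascending priority
number (priority 20 before priority 50000), the first matching rule decides,
and the built-in rules that the page mentions are not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ALLOW, DROP, REJECT = "allow", "drop", "reject"


@dataclass(frozen=True)
class Rule:
    priority: int               # lower number = evaluated earlier (assumed)
    action: str                 # ALLOW, DROP or REJECT
    source: str                 # source IP or CIDR block; "any" matches all
    dest_port: Optional[int]    # destination port; None matches any service
    description: str = ""       # optional free-form description

    def matches(self, src_ip, dport):
        if self.dest_port is not None and self.dest_port != dport:
            return False
        if self.source == "any":
            return True
        return ip_address(src_ip) in ip_network(self.source, strict=False)


def evaluate(rules, src_ip, dport):
    """Return (action, rule) for the first matching rule in priority order,
    or ("no-match", None) when no user-configured rule applies."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src_ip, dport):
            return rule.action, rule
    return "no-match", None


def response_for(action):
    """What the sender learns: a drop sends nothing back, a reject sends an
    'unreachable' response, which reveals that something filtered the packet."""
    return "unreachable" if action == REJECT else None


# Constructed rule set following the page's pattern: a low-priority deny-all
# (priority 50000) plus higher-priority (priority 20) allows for an admin subnet.
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges, not real networks.
SAMPLE_RULES = [
    Rule(50000, DROP, "any", None, "deny everything not explicitly allowed"),
    Rule(20, ALLOW, "192.0.2.0/24", 443, "admin subnet to web/HTTPS"),
    Rule(20, ALLOW, "192.0.2.0/24", 22, "admin subnet to SSH"),
    Rule(100, REJECT, "198.51.100.0/24", 22, "partner range: refuse SSH visibly"),
]

if __name__ == "__main__":
    for src, port in [("192.0.2.10", 443), ("198.51.100.7", 22), ("198.51.100.7", 443)]:
        action, rule = evaluate(SAMPLE_RULES, src, port)
        print(f"{src}:{port} -> {action} (priority {rule.priority}: {rule.description})")
```

The rules are deliberately listed out of order to show that the priority number, not the position in the list, decides which rule wins; the deny-all at priority 50000 only catches traffic that none of the more specific rules has already matched.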
Current Active Firewall Rules
The Current active firewall rules page (System > Protection > Firewall rules > Current active rules) shows the user-
configured firewall rules that are currently in place on the system. There is also a set of built-in rules that are not
shown in this list.
If you want to change the rules you must go to the Firewall rules configuration page from where you can set up and
activate a new set of rules.
Configuring Automated Intrusion Protection
The automated protection service can be used to detect and block malicious traffic and to help protect the
Expressway from dictionary-based attempts to breach login security.
It works by parsing the system log files to detect repeated failures to access specific service categories, such as SIP,
SSH and web/HTTPS access. When the number of failures within a specified time window reaches the configured
threshold, the source host address (the intruder) and destination port are blocked for a specified period of time. The
host address is automatically unblocked after that time period so as not to lock out any genuine hosts that may have
been temporarily misconfigured.
dynamically detect and temporarily block specific threats, and use firewall rules to permanently block a range of
known host addresses.
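As an added illustration of the mechanism described above (failures counted per source and category within a time window, a block on the source address and destination port once the threshold is reached, and automatic unblocking when the block period ends), the following Python model is not Expressway code. The log format, the per-category match patterns and the category-to-port mapping are constructed assumptions, not the guide's pre-configured rules or log syntax, and the sample log lines are constructed.

```python
"""Sliding-window failure detection with timed blocking (added illustration).

Constructed for this page: the log format, the per-category match patterns and
the category-to-port mapping are assumptions, not the Expressway's own
pre-configured rules or log syntax.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed category definitions: destination port to block and a pattern that
# marks an access failure for that category.
CATEGORY_PATTERNS = {
    "SSH":   (22,   re.compile(r"sshd.*Failed password for \S+ from (?P<src>[\d.]+)")),
    "HTTPS": (443,  re.compile(r"web.*login failed for user \S+ from (?P<src>[\d.]+)")),
    "SIP":   (5060, re.compile(r"sip.*authentication failed .* from (?P<src>[\d.]+)")),
}


def parse_ts(text):
    """ISO-8601 timestamp (constructed log format) -> datetime."""
    return datetime.fromisoformat(text)


class AutomatedProtection:
    def __init__(self, threshold, window_s, block_s):
        self.threshold = threshold                    # failures needed to trigger a block
        self.window = timedelta(seconds=window_s)     # counting window
        self.block_for = timedelta(seconds=block_s)   # how long a block lasts
        self.failures = defaultdict(deque)            # (src, category) -> failure timestamps
        self.blocks = {}                              # (src, port) -> block expiry

    def classify(self, line):
        """Return (category, port, source) if the line is a recognised failure."""
        for category, (port, pattern) in CATEGORY_PATTERNS.items():
            m = pattern.search(line)
            if m:
                return category, port, m.group("src")
        return None

    def is_blocked(self, src, port, now):
        """Check a block, expiring it (auto-unblock) once its time is up."""
        expiry = self.blocks.get((src, port))
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocks[(src, port)]
            return False
        return True

    def process(self, now, line):
        hit = self.classify(line)
        if hit is None:
            return None                               # not a failure for any category
        category, port, src = hit
        if self.is_blocked(src, port, now):
            return "already-blocked"
        recent = self.failures[(src, category)]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                          # forget failures outside the window
        if len(recent) >= self.threshold:
            self.blocks[(src, port)] = now + self.block_for
            recent.clear()
            return "blocked"
        return "counted"


# Constructed sample log in the assumed "<ISO timestamp> <message>" format.
SAMPLE_LOG = """\
2024-03-01T10:00:00 sshd[412]: Failed password for admin from 203.0.113.5 port 51022
2024-03-01T10:00:07 sshd[412]: Failed password for root from 203.0.113.5 port 51023
2024-03-01T10:00:15 sshd[412]: Failed password for admin from 203.0.113.5 port 51024
2024-03-01T10:00:18 sshd[412]: Failed password for admin from 203.0.113.5 port 51025
2024-03-01T10:00:30 web: login failed for user admin from 203.0.113.5
2024-03-01T10:00:40 sshd[412]: Accepted password for alice from 198.51.100.20 port 40000
2024-03-01T10:06:00 sshd[412]: Failed password for admin from 203.0.113.5 port 51030
"""


def run(log_text, threshold=3, window_s=120, block_s=300):
    """Feed each log line through the detector; return per-line outcomes and the detector."""
    ap = AutomatedProtection(threshold, window_s, block_s)
    outcomes = []
    for line in log_text.splitlines():
        ts_text, message = line.split(" ", 1)
        outcomes.append(ap.process(parse_ts(ts_text), message))
    return outcomes, ap


if __name__ == "__main__":
    for line, outcome in zip(SAMPLE_LOG.splitlines(), run(SAMPLE_LOG)[0]):
        print(f"{outcome!s:16} {line}")
```

Two points the sample log exercises: the block applies to the source address and destination port pair, so the HTTPS failure from the same host is only counted, not blocked, while SSH is blocked; and the SSH failure at 10:06:00 arrives after the five-minute block has expired, so the host is automatically unblocked and its counter starts again from one.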
About protection categories
The set of available protection categories on your Expressway are pre-configured according to the software version
that is running. You can enable, disable or configure each category, but you cannot add additional categories.
The rules by which specific log file messages are associated with each category are also pre-configured and cannot
be altered. You can view example log file entries that would be treated as an access failure/intrusion within a
particular category by going to System > Protection > Automated detection > Configuration and clicking on the
name of the category. The examples are displayed above the Status section at the bottom of the page.
23
Cisco Expressway Administrator Guide