Cisco ASR 5000
ACS Rulebase Configuration Mode Commands
firewall priority
Command Line Interface Reference, StarOS Release 18
Usage
Use this command to add Stateful Firewall ruledefs to the rulebase and configure the priority, type, and port
triggers. Port trigger configuration is optional. Port trigger can be configured only if a rule action is permit.
The rulebase specifies the Stateful Firewall rules to be applied on the calls. The ruledefs within a rulebase
have priorities, based on which priority matching is done. Once a rule is matched and the rule action is
permit, if the trigger is configured, the appropriate check is made. The trigger port will be the destination port
of an association which matches the rule.
Multiple triggers can be defined for the same port number to permit multiple auxiliary ports for subscriber
traffic.
Once a rule is matched and if the rule action is deny, the action taken depends on what is configured in the
specified charging action. If the flow exists, flow statistics are updated and action is taken as configured in
the charging action:
If the billing action is configured as EDR enabled, an EDR is generated.
If the content ID is configured, UDR information is updated.
If the flow action is configured as “terminate-flow”, the flow is terminated instead of just discarding the
packet.
If the billing action, content ID, and flow action are not configured, no action is taken on the dropped packets.
Important:
For Stateful Firewall ruledefs, only the terminate-flow action is applicable if configured in the
specified charging action.
For a packet dropped due to Stateful Firewall ruledef match or no match (first packet of a flow), the charging
action applied is the one configured in the firewall priority or the firewall no-ruledef-matches command
respectively.
In StarOS 8.1, in the case of Policy-based Firewall, the charging action applied is the one configured in the
access-rule priority or the access-rule no-ruledef-matches command respectively.
For action on packets dropped due to any error condition after the data session is created, the charging action
must be configured in the flow any-error charging-action command.
The GGSN can dynamically activate/deactivate dynamic Stateful Firewall ruledefs for a subscriber based on
the rule name received from a policy server. At rule match, if a rule in the rulebase is a dynamic rule, and if
the rule is enabled for the particular subscriber, rule matching is done for the rule. If the rule is disabled for
the particular subscriber, rule matching is not done for the rule.
Example
The following command assigns a priority of 10 to the Stateful Firewall ruledef fw_rule1, adds it to the
rulebase, and permits a port trigger to be used for the rule to open ports in the range of 100 to 200 in either
direction of the control connection:
firewall priority 10 firewall-ruledef fw_rule1 permit trigger open-port range 100 to 200 direction both
The following command configures the Stateful Firewall ruledef fw_rule2 as a dynamic ruledef:
firewall priority 7 dynamic-only firewall-ruledef fw_rule2 deny
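The following Python model is an added illustration, not StarOS code or any Cisco implementation. It walks a rulebase the way the Usage section describes: entries are evaluated in priority order (this model assumes the lowest priority number is tried first), a dynamic-only ruledef is skipped for a subscriber it is not enabled for, a permit match that carries a trigger opens the configured auxiliary range keyed on the destination port of the matching association, and a deny match produces the effects of the entry's charging action (EDR, UDR update, terminate-flow). The sample rulebase mirrors the two example commands above; the match conditions inside fw_rule1 and fw_rule2, the port numbers, and the charging action names are constructed for the example and do not come from the page.

```python
"""Illustrative model of firewall-priority rulebase evaluation (added example,
not StarOS code). Entry ordering, match conditions, ports and charging-action
names below are assumptions or constructed sample values."""
from dataclasses import dataclass, field
from typing import Callable, Optional

Packet = dict  # keys: "proto", "dst_port", "dir" ("uplink" or "downlink")


@dataclass(frozen=True)
class ChargingAction:
    name: str
    edr_enabled: bool = False          # billing action configured as EDR enabled
    content_id: Optional[int] = None   # UDR information is updated if set
    flow_action: Optional[str] = None  # "terminate-flow" or None

    def effects_on_deny(self, flow_exists: bool) -> list:
        """Effects listed in the Usage text for a packet dropped on a deny match."""
        if not flow_exists:
            return ["discard-packet"]          # no flow yet: nothing to update
        effects = ["update-flow-stats"]
        if self.edr_enabled:
            effects.append("generate-EDR")
        if self.content_id is not None:
            effects.append(f"update-UDR(content-id={self.content_id})")
        # terminate-flow ends the flow instead of just discarding the packet
        effects.append("terminate-flow" if self.flow_action == "terminate-flow"
                       else "discard-packet")
        return effects


@dataclass(frozen=True)
class Trigger:
    low: int
    high: int
    direction: str  # "uplink", "downlink" or "both"


@dataclass(frozen=True)
class Entry:
    priority: int
    ruledef: str
    matcher: Callable[[Packet], bool]  # stands in for the ruledef's own conditions
    action: str                        # "permit" or "deny"
    dynamic_only: bool = False
    trigger: Optional[Trigger] = None
    charging_action: Optional[ChargingAction] = None


@dataclass
class SubscriberState:
    enabled_dynamic: set = field(default_factory=set)  # rule names from the policy server
    pinholes: list = field(default_factory=list)        # (trigger_port, Trigger) pairs


def evaluate(rulebase, sub, pkt, flow_exists, no_match_ca):
    """Return (verdict, matched ruledef or None, effects) for one packet."""
    for e in sorted(rulebase, key=lambda x: x.priority):   # assumption: low number first
        if e.dynamic_only and e.ruledef not in sub.enabled_dynamic:
            continue                 # disabled for this subscriber: no matching done
        if not e.matcher(pkt):
            continue
        if e.action == "permit":
            if e.trigger is not None:
                # trigger port is the destination port of the matching association
                sub.pinholes.append((pkt["dst_port"], e.trigger))
            return ("permit", e.ruledef, [])
        ca = e.charging_action or ChargingAction("unconfigured")
        return ("deny", e.ruledef, ca.effects_on_deny(flow_exists))
    # no ruledef matched: the firewall no-ruledef-matches charging action applies
    return ("deny", None, no_match_ca.effects_on_deny(flow_exists))


def auxiliary_permitted(sub, pkt):
    """True if pkt falls in a port range opened earlier through a trigger."""
    return any(t.low <= pkt["dst_port"] <= t.high and t.direction in ("both", pkt["dir"])
               for _, t in sub.pinholes)


# Constructed rulebase mirroring the page's two example commands.
TERMINATE = ChargingAction("ca_terminate", edr_enabled=True, flow_action="terminate-flow")
NO_MATCH = ChargingAction("ca_nomatch")
RULEBASE = [
    Entry(10, "fw_rule1", lambda p: p["proto"] == "tcp" and p["dst_port"] == 21,
          "permit", trigger=Trigger(100, 200, "both")),
    Entry(7, "fw_rule2", lambda p: p["proto"] == "udp" and p["dst_port"] == 5060,
          "deny", dynamic_only=True, charging_action=TERMINATE),
]


def demo():
    sub = SubscriberState(enabled_dynamic={"fw_rule2"})
    r1 = evaluate(RULEBASE, sub, {"proto": "tcp", "dst_port": 21, "dir": "uplink"}, False, NO_MATCH)
    aux = auxiliary_permitted(sub, {"proto": "tcp", "dst_port": 150, "dir": "downlink"})
    r2 = evaluate(RULEBASE, sub, {"proto": "udp", "dst_port": 5060, "dir": "uplink"}, True, NO_MATCH)
    other = SubscriberState()  # fw_rule2 not enabled: it is not matched at all
    r3 = evaluate(RULEBASE, other, {"proto": "udp", "dst_port": 5060, "dir": "uplink"}, True, NO_MATCH)
    return r1, aux, r2, r3


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running `demo()` shows the four behaviours the text distinguishes: the control connection permitted by fw_rule1 and the auxiliary port it opens, the deny by the enabled dynamic rule with its EDR and terminate-flow effects, and the fall-through to the no-ruledef-matches charging action for a subscriber whose dynamic rule is disabled.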