Cisco Packet Data Interworking Function (PDIF) Release Notes
Firewall Changes in Release 15.0
Cisco ASR 5x00 Release Change Reference
Firewall Enhancements for September 30, 2013
Firewall Feature Changes as of September 30, 2013
This section provides information on Firewall feature changes in release 15.0.
Important:
For more information regarding features in this section, refer to the Personal Stateful Firewall
Administration Guide for this release.
New Firewall Features
This section identifies new Firewall features available in release 15.0.
Flooding Protection Support for Uplink flows
Firewall flooding and port-scan protection is now supported for uplink-initiated flows in addition to downlink-initiated
flows. This allows users to safeguard their own servers and hosts. Support to selectively enable this protection for
specific servers is also provided. The
Service Configuration Mode in support of this feature.
Server IP Address in Access Rule Definitions
Access Rule Definitions now support Server IP address to avoid configuring multiple rule options as part of Firewall
rules. With this release, the
is specified as the server IP address, this address in the uplink direction will be treated as the destination address, and in
downlink direction will be treated as the source address.
Modified Firewall Features
This section identifies Firewall features modified in release 15.0.
SIP ALG Behavior
As part of this feature, SIP ALG is made compatible with user-to-user authentication and processing 4xx responses as
described in RFC 3261. A new command,
enable SIP ALG to maintain the same tag parameters (from and to tag) for Authorization or Proxy Authentication
requests.
Previous Behavior: SIP ALG forwarded a re-invite request with credentials (sent by the client after the server
responded with a 401 to the initial Invite request) with a new “From Tag” that differed from the “From Tag” added
by SIP ALG for the initial Invite request. This was implemented as per section 19.3 of RFC 3261. Because some SIP
servers have strict policy implementations, calls were terminated due to this default behavior of SIP ALG.
New Behavior: In this release, the re-invite sent in response to a 401 carries the same “From Tag” as the initial
Invite request, as defined in sections 8.1.3.5 and 22.2 of RFC 3261.
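The following is an added example, not part of the Cisco documentation: a Python check over SIP messages observed on the server side of the ALG that flags calls where the INVITE resent with credentials carries a different From tag than the initial INVITE. The sample messages are constructed, the function names are hypothetical, and compact header forms are not handled.

```python
import re

# Constructed sample messages (headers only), not captured traffic.
def _msg(start, call_id, tag, cseq, auth=None):
    lines = [start, f"Call-ID: {call_id}",
             f"From: <sip:alice@example.com>;tag={tag}",
             "To: <sip:bob@example.com>", f"CSeq: {cseq} INVITE"]
    if auth:
        lines.append(f'{auth}: Digest username="alice", realm="example.com"')
    return "\r\n".join(lines) + "\r\n\r\n"

INVITE = "INVITE sip:bob@example.com SIP/2.0"
SAMPLE = [
    _msg(INVITE, "call-1", "a1", 1),
    _msg("SIP/2.0 401 Unauthorized", "call-1", "a1", 1),
    _msg(INVITE, "call-1", "a1", 2, "Authorization"),        # From tag kept
    _msg(INVITE, "call-2", "b1", 1),
    _msg("SIP/2.0 407 Proxy Authentication Required", "call-2", "b1", 1),
    _msg(INVITE, "call-2", "zz", 2, "Proxy-Authorization"),  # From tag changed
]

def parse(raw):
    """Return (start_line, {lowercased header name: value}) for one message."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    hdrs = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return head[0], hdrs

def from_tag(hdrs):
    """Extract the tag parameter of the From header, or None if absent."""
    m = re.search(r";\s*tag=([^;\s>]+)", hdrs.get("from", ""), re.I)
    return m.group(1) if m else None

def tag_mismatches(messages):
    """List (call_id, first_tag, new_tag) where a credentialed INVITE changed tag."""
    first, bad = {}, []
    for raw in messages:
        start, h = parse(raw)
        if not start.upper().startswith("INVITE "):
            continue  # responses and other methods are ignored
        cid, tag = h.get("call-id"), from_tag(h)
        has_creds = "authorization" in h or "proxy-authorization" in h
        if cid not in first:
            first[cid] = tag  # From tag of the initial INVITE for this call
        elif has_creds and tag != first[cid]:
            bad.append((cid, first[cid], tag))
    return bad

if __name__ == "__main__":
    for cid, old, new in tag_mismatches(SAMPLE):
        print(f"{cid}: From tag changed {old} -> {new}")
```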