Cisco Cisco Packet Data Gateway (PDG) Documentation Roadmaps
Personal Stateful Firewall Overview
Supported Features ▀
Cisco ASR 5000 Series Product Overview ▄
OL-22938-01
Host Pool Support
Host pools allow operators to group a set of host or IP addresses that share similar characteristics together. Access rule
definitions (ruledefs) can be configured with host pools. Up to 10 sets of IP addresses can be configured in each host
pool. Host pools are configured in the ACS Host Pool Configuration Mode.
definitions (ruledefs) can be configured with host pools. Up to 10 sets of IP addresses can be configured in each host
pool. Host pools are configured in the ACS Host Pool Configuration Mode.
IMSI Pool Support
IMSI pools allow the operator to group a set of International Mobile Station Identifier (IMSI) numbers together. Up to
10 sets of IMSI numbers can be configured in each IMSI pool. IMSI pools are configured in the ACS IMSI Pool
Configuration Mode.
10 sets of IMSI numbers can be configured in each IMSI pool. IMSI pools are configured in the ACS IMSI Pool
Configuration Mode.
Port Map Support
Port maps allow the operator to group a set of port numbers together. Access ruledefs can be configured with port maps.
Up to 10 sets of ports can be configured in each port map. Port maps are configured in the ACS Port Map Configuration
Mode.
Up to 10 sets of ports can be configured in each port map. Port maps are configured in the ACS Port Map Configuration
Mode.
The Personal Stateful Firewall uses standard application ports to trigger ALG functionality. The operator can modify the
existing set to remove/add new port numbers.
existing set to remove/add new port numbers.
Flow Recovery Support
Stateful Firewall supports call recovery during session failover. Flows associated with the calls are recovered.
A recovery-timeout parameter is configurable for uplink and downlink directions. If the value is set to zero, firewall
flow recovery is disabled. If the value is non-zero, then firewall will be bypassed for packets from MS/Internet until the
time configured (uplink/downlink). Once the manager recovers, the recovery-timeout timer is started. During this time:
flow recovery is disabled. If the value is non-zero, then firewall will be bypassed for packets from MS/Internet until the
time configured (uplink/downlink). Once the manager recovers, the recovery-timeout timer is started. During this time:
If any ongoing traffic arrives from the subscriber and no association is found, and flow recovery is enabled, basic
checks like header processing, attacks, etc. are done (stateful checks of packet is not done), and if all is okay,
an association is created and the packet is allowed to pass through.
an association is created and the packet is allowed to pass through.
If any ongoing traffic arrives from the Internet to MS and no association is found, and flow recovery is not
enabled, it is dropped. No RESET is sent. Else, basic checks like header processing, flooding attack check are
done (stateful checks are not done), and if all is okay, an association is created and the packet is allowed to pass
through.
done (stateful checks are not done), and if all is okay, an association is created and the packet is allowed to pass
through.
In case flow recovered from ongoing traffic arrives from Internet to MS, and MS sends a NACK, the Unwanted
Traffic Suppression feature is triggered, i.e. upon repeatedly receiving NACK from MS for a 5-tuple, further
traffic to the 5-tuple is blocked for some duration and not sent to MS.
traffic to the 5-tuple is blocked for some duration and not sent to MS.
If any new traffic (3-way handshake) comes, whether it is a new flow or a new flow due to pin-hole, based on
the direction of packet and flow-recovery is enabled, basic checks like header processing, attacks, etc. are done