Дорожная карта для Cisco Cisco Packet Data Gateway (PDG)
Personal Stateful Firewall Overview
How Personal Stateful Firewall Works ▀
Cisco ASR 5000 Series Product Overview ▄
OL-22937-01
How Personal Stateful Firewall Works
This section describes how Personal Stateful Firewall works.
Important:
In StarOS 8.x, Stateful Firewall for CDMA and early UMTS releases used rulebase-based
configurations, whereas later UMTS releases used policy-based configurations. In StarOS 9.0, Stateful Firewall for
UMTS and CDMA releases both use policy-based configurations. For more information, please contact your local
service representative.
UMTS and CDMA releases both use policy-based configurations. For more information, please contact your local
service representative.
Firewall-and-NAT policies are configured in the Firewall-and-NAT Policy Configuration Mode. Each policy contains a
set of access ruledefs and the firewall configurations. Multiple such policies can be configured, however, only one
policy is applied to a subscriber at any point of time.
set of access ruledefs and the firewall configurations. Multiple such policies can be configured, however, only one
policy is applied to a subscriber at any point of time.
The policy used for a subscriber can be changed either from the CLI, or by dynamic update of policy name in Diameter
and RADIUS messages.
and RADIUS messages.
The Firewall-and-NAT policy to be used for a subscriber can be configured in:
ACS Rulebase: The default Firewall-and-NAT policy configured in the ACS rulebase has the least priority. If
there is no policy configured in the APN/subscriber template, and/or no policy to use is received from the
AAA/OCS, only then the default policy configured in the ACS rulebase is used.
AAA/OCS, only then the default policy configured in the ACS rulebase is used.
APN/Subscriber Template: The Firewall-and-NAT policy configured in the APN/subscriber template overrides
the default policy configured in the ACS rulebase. To use the default policy configured in the ACS rulebase, in
the APN/subscriber configuration, the command to use the default rulebase policy must be configured.
the APN/subscriber configuration, the command to use the default rulebase policy must be configured.
AAA/OCS: The Firewall-and-NAT policy to be used can come from the AAA server or the OCS. If the policy
comes from the AAA/OCS, it will override the policy configured in the APN/subscriber template and/or the
ACS rulebase.
ACS rulebase.
Important:
The Firewall-and-NAT policy received from the AAA and OCS have the same priority. Whichever
comes latest, either from AAA/OCS, is applied.
The Firewall-and-NAT policy to use can be received from RADIUS during authentication.
Disabling Firewall Policy
Important:
By default, Stateful Firewall processing for subscribers is disabled.
Stateful Firewall processing is disabled for subscribers in the following cases:
If Stateful Firewall is explicitly disabled in the APN/subscriber template configuration.