Starent Networks Multimedia Core Platforms Personal Stateful Firewall Administration Guide Version 9.0 12-23-2009 P/N: 901-00-0060 Rev M

NOTICE OF COPYRIGHT

The material contained in this document is for informational purposes only and is subject to change without notice.

No part of this document may be reproduced, transmitted, transcribed, or stored in a retrieval system in any form or by any means, mechanical, magnetic, optical, chemical, or otherwise without the written permission of Starent Networks, Corp.

Starent, the Starent logo, ST16, and ST40 are registered trademarks of Starent Networks, Corp. How Wireless Connects and StarOS are trademarks of Starent Networks, Corp.

VA Linux is a registered trademark of VA Linux Systems, Inc. Microsoft and Microsoft Windows are registered trademarks of Microsoft Corporation. Sun, Solaris, and Netra are registered trademarks of Sun Microsystems. Linux is a registered trademark of Linus Torvalds. Adobe, Acrobat, and Acrobat Reader are registered trademarks of Adobe Systems, Inc. CompactFlash is a trademark of SanDisk Corporation. Panduit is a registered trademark of Panduit Corporation. HyperTerminal is a registered trademark of Hilgraeve Inc. MOLEX is a registered trademark of Molex, Inc. Red Hat is a registered trademark of Red Hat, Inc. Intel is a registered trademark of Intel Corporation. Any trademarks, trade names, service marks, or service names owned or registered by any other company and used in this documentation are the property of their respective companies.

Copyright 2009 by Starent Networks, Corp.
30 International Place
Tewksbury, MA 01876
978.851.1100
All Rights Reserved
Visit us at http://www.starentnetworks.com

TABLE OF CONTENTS

About This Guide
  Conventions Used
  Contacting Starent Networks
    Contacting Starent Networks Customer Support
    Providing Documentation Feedback

Section I: Overview

Chapter 1: Personal Stateful Firewall Overview
  Supported Platforms and Products
  Licenses
  Overview
    Stateful Inspection
    In-line Services
  Supported Features
    Protection against DoS Attacks
      Types of Denial of Service (DoS) Attacks
      Distributed Denial-of-Service (DDoS) Attacks
      Protection against Port Scanning
    Application-level Gateway (ALG) Support
    Stateful Packet Filtering and Inspection Support
    Host Pool, IMSI Pool, and Port Map Support
      Host Pool Support
      IMSI Pool Support
      Port Map Support
    Flow Recovery Support
    SNMP Thresholding Support
    Logging Support
  How Personal Stateful Firewall Works
    Disabling Firewall Policy
    Mid-session Firewall Policy Update
    How it Works
  Understanding Firewall Rules with Stateful Inspection
    Connection State and State Table in Personal Stateful Firewall
      Transport and Network Protocols and States
      Application-Level Traffic and States

Section II: Configuration

Chapter 2: Personal Stateful Firewall Configuration
  Before You Begin
  Configuring the System
  Stateful Firewall Configuration
    Enabling the ACS Subsystem in Optimized Mode
    Creating the Active Charging Service
    Configuring ACS Port Maps
    Configuring ACS Host Pools
    Configuring ACS IMSI Pools
    Configuring Access Ruledefs
    Configuring Firewall-and-NAT Policy
    Configuring Action on Packets with No Access Ruledef Match
    Configuring Protection from DoS Attacks
    Configuring Action on Packets Dropped by Firewall
    Configuring Maximum Limit of Flows
    Configuring Protection from Port Scanning
    Configuring Threshold on TCP Reset Messages
    Configuring Threshold on ICMP Error Messages
    Configuring Maximum IP Packet Size
    Configuring Firewall Idle Timeout Settings
    Configuring Other Firewall Settings
    Configuring Dynamic Pinholes/ALGs
      Creating Routing Ruledefs
      Configuring Routing Ruledefs in the Rulebase
    Enabling Firewall for APN/Subscribers
      Enabling Firewall for APN
      Enabling Firewall for Subscribers
    Configuring Default Firewall-and-NAT Policy
    Configuring Firewall Thresholds
    Configuring Bulk Statistics Schema
    Configuring Session Recovery
    Changing Firewall Policy in Mid-session
  Saving the Configuration
  Gathering Stateful Firewall Statistics
  Managing Your Configuration

Chapter 3: Verifying and Saving Your Configuration
  Verifying the Configuration
    Feature Configuration
    Service Configuration
    Context Configuration
    System Configuration
    Finding Configuration Errors
  Saving the Configuration
    Saving the Configuration on ST-series Platforms

Section III: Appendices

Appendix A: Sample Personal Stateful Firewall Configuration

Index

ABOUT THIS GUIDE

This section contains an overview of the information contained within this document.
This documentation provides information on Personal Stateful Firewall support.

Topics covered in this document include:
- Personal Stateful Firewall Overview
- Configuration Procedures
- Sample Configuration File

IMPORTANT: The information and instructions in this document assume that the system hardware has been fully installed and the installation was verified according to the instructions found in the System Installation Guide.

Conventions Used

The following tables describe the conventions used throughout this documentation.

Icon notice types:
- Information note: Provides information about important features or instructions.
- Caution: Alerts you to potential damage to a program, device, or system.
- Warning: Alerts you to potential personal injury or fatality. May also alert you to potential electrical hazards.
- Electro-Static Discharge (ESD): Alerts you to take proper grounding precautions before handling a product.

Typeface conventions:
- Text represented as a screen display: This typeface represents displays that appear on your terminal screen, for example:
  Login:
- Text represented as commands: This typeface represents commands that you enter, for example:
  show ip access-list
  This document always gives the full form of a command in lowercase letters. Commands are not case sensitive.
- Text represented as a command variable: This typeface represents a variable that is part of a command, for example:
  show card slot_number
  slot_number is a variable representing the desired chassis slot number.
- Text represented as menu or sub-menu names: This typeface represents menus and sub-menus that you access within a software application, for example: Click the File menu, then click New.

Command syntax conventions:
- {keyword or variable}: Required keywords and variables are surrounded by grouped brackets. Required keywords and variables are those components that must be entered as part of the command syntax.
- [keyword or variable]: Optional keywords or variables, those that a user may or may not choose to use, are surrounded by square brackets.
- | (vertical bar): With some commands there is a group of variables from which the user chooses one. These are called alternative variables and are documented by separating each variable with a vertical bar (also known as a pipe filter). Pipe filters can be used in conjunction with required or optional keywords or variables. For example:
  {nonce | timestamp}
  or
  [count number_of_packets | size number_of_bytes]

Contacting Starent Networks

Starent Networks, Corp.
30 International Place
Tewksbury, MA USA 01876
Telephone: 978.851.1100
Facsimile: 978.640.6825
E-mail: [email protected]
Visit us at: http://www.starentnetworks.com

Contacting Starent Networks Customer Support

Starent Networks' customer support program is designed to provide innovative customer support and superior service delivery. Our support program is based on the belief that our customers expect their wireless communications equipment vendor to be not merely a part of the vendor community, but also their trusted partner. To that end, Starent team members are prepared to listen, participate with you in growing your successful business, and work beside you to resolve any issue that may arise. You can expect to receive fast, accurate, and professional care every time you contact us.

E-mail us at [email protected] or visit us at https://support.starentnetworks.com/ (a valid user name and password are required to access this site).

Our mailing address is:
30 International Place
Tewksbury, MA USA 01876

Our shipping address is:
200 Ames Pond Drive
Tewksbury, MA USA 01876

IMPORTANT: For warranty and repair information, please be sure to include the Return Material Authorization (RMA) tracking number on the outside of the package.

Providing Documentation Feedback

At Starent Networks, we take great pride in the overall quality of our user documentation. Our Technical Communication team has strived to ensure the accuracy, completeness, and general usability of our documentation.

As part of our goal to ensure the highest level of quality in our documentation, we welcome customer feedback. Please e-mail us with any questions, comments, or suggestions at [email protected]. Should you find an error or omission in our documentation, a request for support can be opened from the Support area of our Internet site, https://support.starentnetworks.com/. (Note that a valid username and password are required in order to access this area.) When requesting support for documentation issues, please ensure that Documentation Request is selected as the request type and that you provide all relevant information, including document title, part number, revision, document date (if available), and any relevant chapter or page numbers.

We look forward to continually improving the quality of our documentation with your help.

SECTION I: OVERVIEW

CHAPTER 1: PERSONAL STATEFUL FIREWALL OVERVIEW

The Personal Stateful Firewall is an in-line service that performs both stateful inspection and access control of individual subscriber traffic sessions. Personal Stateful Firewall provides detection of Denial-of-Service (DoS) attacks and other protection applicable to 3GPP, 3GPP2, WiMAX, and subscribers of other core networks. This feature uses Deep Packet Inspection (DPI) and additional algorithms to provide stateful firewall functionality for network subscriber sessions within the chassis.

It is recommended that you select the configuration example that best meets your service model, and configure the required elements for that model as described in the System Administration Guide and the Enhanced Charging Services Administration Guide.

This chapter covers the following topics:
- Supported Platforms and Products
- Licenses
- Overview
- Supported Features
- How Personal Stateful Firewall Works
- Understanding Firewall Rules with Stateful Inspection

Supported Platforms and Products

Personal Stateful Firewall is an in-line service available for ST16 and ST40 Multimedia Core Platforms running core network services.

IMPORTANT: For information on ST-series Multimedia Core Platforms, see the Product Overview Guide.

Licenses

Personal Stateful Firewall is a licensed feature.
For information on license requirements for this feature, please contact your local sales representative.

IMPORTANT: For information on obtaining and installing licenses, see the Managing License Keys chapter of the System Administration and Configuration Guide.

Overview

Firewalls are systems designed to prevent unauthorized access to or from a service network. The firewall is considered the first line of defense in protecting private networks, especially intranets, from unauthorized users on the Internet. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

There are several firewall techniques:

- Static Packet Filters: Packet filtering is the most basic firewall function. It controls the flow of datagrams across the service provider network boundary based on source IP address, source port, destination IP address, and destination port, looking at each packet entering or leaving the network and accepting or rejecting it according to user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
  Packet filters have the following drawbacks:
  - They are not easily implemented for applications that open ports dynamically, such as Session Initiation Protocol (SIP) or active File Transfer Protocol (FTP).
  - They allow external servers to access internal hosts directly, because no masking or abstraction of the internal network addressing is performed; this lets attackers learn about the network.
  - They do not provide complete protection against Denial-of-Service (DoS) attacks, since no state (previous connection states) is maintained and filtering is based only on the information in the current packet and the administrator's rules.
- Application-level Gateway (ALG): Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can degrade performance since it involves analyzing packets beyond Layer 4.
- Circuit-level Gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets flow between the hosts without further checking.
- Proxy Server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
- Stateful Firewall: Provides all the features of static packet filters, application- and circuit-level gateways, and proxy-based firewalls. Because it inspects packets statefully, it analyzes the application and dynamically allows or denies port access. It also provides ALG support, protection against various DoS attacks, dynamic pinholes, and so on.

Stateful Inspection

Also referred to as dynamic packet filtering, stateful inspection is a firewall architecture that works at the network layer. Unlike static packet filtering, which examines a packet based only on the information in its header, stateful inspection tracks each connection traversing all interfaces of the firewall and makes sure each one is valid.
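The connection tracking just described, as an added example in Python that is not part of this guide or of StarOS: it keeps a state table keyed by the connection's two endpoints, lets only subscriber-initiated TCP connections create state (the policy this chapter describes later under Stateful Packet Filtering and Inspection Support), follows the three-way handshake, and drops data that arrives with no connection or after a FIN or RST. A few stateless header checks from this chapter's DoS list (Land attack, source port zero, no TCP flags set, all TCP flags set) sit in the same function. Packets are constructed records of header fields, the addresses are RFC 5737 documentation addresses, and sequence-number tracking, idle timeouts and UDP/ICMP state are omitted.

```python
"""Minimal stateful TCP tracker in the spirit of the state table described
above.  Added example, not StarOS code.  A Packet is a constructed record of
the header fields a firewall reads; no real packets are parsed."""
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    uplink: bool           # True: from the subscriber (MS) towards the network
    payload_len: int = 0


class StateTable:
    """One entry per connection; both directions map to the same key."""

    def __init__(self, allow_inbound_new=False):
        # False = only internal (subscriber) hosts may initiate connections
        self.allow_inbound_new = allow_inbound_new
        self.conns = {}

    @staticmethod
    def _key(p):
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def process(self, p):
        """Return 'allow' or 'drop:<reason>' and update the table."""
        # Stateless header checks; these match items in the DoS list.
        if p.src == p.dst and p.sport == p.dport:
            return "drop:land-attack"
        if p.sport == 0:
            return "drop:source-port-zero"
        if p.flags == 0:
            return "drop:no-tcp-flags-set"
        if (p.flags & ALL_FLAGS) == ALL_FLAGS:
            return "drop:all-tcp-flags-set"

        k = self._key(p)
        conn = self.conns.get(k)
        if conn is None:
            # Only a bare SYN may create state; data with no connection is dropped.
            if (p.flags & (SYN | ACK)) != SYN:
                return "drop:data-without-connection"
            if not p.uplink and not self.allow_inbound_new:
                return "drop:inbound-syn"
            self.conns[k] = {"state": "SYN_SENT", "initiator_uplink": p.uplink}
            return "allow"

        if p.flags & RST:
            # RST tears the entry down; later packets have no connection.
            del self.conns[k]
            return "allow"

        from_initiator = p.uplink == conn["initiator_uplink"]
        state = conn["state"]
        if state == "SYN_SENT":
            if from_initiator:   # a SYN retransmit is fine, anything else is not
                return "allow" if p.flags & SYN else "drop:handshake-incomplete"
            if (p.flags & (SYN | ACK)) != (SYN | ACK):
                return "drop:syn-ack-expected"
            conn["state"] = "SYN_RCVD"
            return "allow"
        if state == "SYN_RCVD":
            if from_initiator and p.flags & ACK and not p.flags & SYN:
                conn["state"] = "ESTABLISHED"
                return "allow"
            return "drop:handshake-incomplete"
        if state == "ESTABLISHED":
            if p.flags & SYN:
                return "drop:post-connection-syn"
            if p.flags & FIN:
                conn["state"] = "CLOSING"
            return "allow"
        # CLOSING: one side sent FIN; only the close handshake may continue.
        # (A real implementation also ages the entry out on an idle timeout.)
        return "drop:data-after-fin" if p.payload_len else "allow"


def demo():
    """Constructed trace: subscriber 10.0.0.5 fetches a page from
    203.0.113.20, then outside host 198.51.100.7 probes the subscriber."""
    ms, srv, atk = "10.0.0.5", "203.0.113.20", "198.51.100.7"
    fw = StateTable()
    trace = [
        Packet(ms, 40000, srv, 80, SYN, True),
        Packet(srv, 80, ms, 40000, SYN | ACK, False),
        Packet(ms, 40000, srv, 80, ACK, True),
        Packet(ms, 40000, srv, 80, PSH | ACK, True, 120),
        Packet(srv, 80, ms, 40000, PSH | ACK, False, 900),
        Packet(atk, 1234, ms, 22, SYN, False),              # unsolicited inbound SYN
        Packet(atk, 1234, ms, 23, 0, False),                # null-scan probe
        Packet(atk, 1234, ms, 8080, PSH | ACK, False, 10),  # data, no connection
        Packet(ms, 80, ms, 80, SYN, False),                 # Land attack
        Packet(srv, 80, ms, 40000, FIN | ACK, False),
        Packet(srv, 80, ms, 40000, PSH | ACK, False, 50),   # data after FIN
    ]
    return [fw.process(p) for p in trace]
```

Calling demo() returns one verdict per packet; the five packets of the subscriber's own connection are allowed, each probe from the outside is dropped with the matching reason, and data sent after the server's FIN is refused even though the connection entry still exists. Setting allow_inbound_new=True is the equivalent of the "if configured" relaxation in the stateful filtering description.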
A stateful firewall examines not only the header information but also the contents of the packet up through the application layer, in order to learn more about the packet than just its source and destination address, port, and protocol. A stateful firewall also monitors the state of the connection and records the information in a state table. Because of this, filtering decisions are based not only on administrator-defined rules (as in static packet filtering) but also on the context established by prior packets that have passed through the firewall. As an added security measure against port scanning, stateful inspection firewalls close off ports until a connection to the specific port is requested. For more information, see the Protection against Port Scanning section.

By implementing Personal Stateful Firewall within the chassis, the system can decide how to treat each outgoing and incoming packet of a subscriber session. Charging of packets can be managed by the operator: the operator can charge only for those packets that pass the firewall rules and exclude the packets dropped by the firewall. This flexibility is not possible with an external firewall solution, where all packets are chargeable whether or not the firewall allows them.

In-line Services

As described earlier, Personal Stateful Firewall inspects user traffic, and protects it from different types of well-known attacks, in order to apply stateful services to subscribers' subsequent data flows.

Active Charging Service (ACS) is the primary vehicle that performs the packet inspection and applies rules to the session, including the delivery of enhanced services.
Internal applications such as Personal Stateful Firewall, Enhanced Charging Service (ECS), and Peer-to-Peer detection are the primary features that give subscribers and operators the in-line service advantage in service networks.

For more information on the Enhanced Charging Service, see the Enhanced Charging Service Administration Guide.

Supported Features

Starent Networks Personal Stateful Firewall supports the following features:
- Protection against DoS Attacks
- Application-level Gateway (ALG) Support
- Stateful Packet Filtering and Inspection Support
- Host Pool, IMSI Pool, and Port Map Support
- Flow Recovery Support
- SNMP Thresholding Support
- Logging Support

Protection against DoS Attacks

DoS attacks deprive organizations and users of network resources and services that they would normally expect to have. DoS attacks may lead to:
- A host consuming excessive resources (memory, disk space, CPU time, etc.), eventually crashing or responding very sluggishly.
- Flooding of the network paths to the extent that no valid traffic is able to reach its intended destination.
- Confusing the TCP/IP stack on destination hosts by sending crafted, malformed packets, eventually resulting in a system crash.

DoS attacks can destroy data in affected mobile nodes. Stateful Firewall is designed to defend mobile users from DoS attacks originating from both the Internet and the internal network.

Types of Denial of Service (DoS) Attacks

DoS attacks are classified by the protocol layer at which they operate. Stateful Firewall can detect the following DoS attacks. "Downlink only" means the attack is detected only in traffic coming from the external network towards the mobile subscribers.

IP-based:
- Land Attacks
- Jolt Attacks
- Teardrop Attacks (downlink only)
- Invalid IP Option Length
- IP-Unaligned-Timestamp Attack (downlink only)
- Short IP Header Length
- IP Checksum Errors
- IP Reassembly Failure (downlink)
- IP Reassembly Failure (uplink)
- Source Router (downlink only)

TCP-based:
- Data Packets Received After RST/FIN
- Invalid SEQ Number Received with RST
- Data without Connection Established
- Invalid TCP Connection Requests
- Invalid TCP Pre-connection Requests
- Invalid ACK Value (Cookie Enabled)
- Invalid TCP Packet Length
- Short TCP Header Length
- TCP Checksum Errors
- SEQ/ACK Out-of-range
- TCP Null Scan Attacks
- Post Connection SYN
- Unable to Send SYN Packet
- Send Final ACK to Target Failed
- Invalid TCP Packet: SYN-ACK Expected
- No TCP Flags Set
- All TCP Flags Set
- Invalid TCP Packets
- Flows Closed by RST before 3-Way Handshake
- Flows Timed-out in SYN_RCVD1 State
- Flows Timed-out in SYN_RCVD2 State
- TCP-SYN Flood Attacks (downlink only)
- FTP Bounce Attack (downlink only)
- MIME Flood Attacks (downlink only)
- Exceeding Reset Message Threshold
- Source Port Zero
- WinNuke Attack (downlink only)
- TCP-Window-Containment (downlink only)

UDP-based:
- Invalid UDP Echo Response
- Invalid UDP Packet Length
- UDP Checksum Errors
- Short UDP Header Length
- UDP Flood Attack (downlink only)

ICMP-based:
- Invalid ICMP Response
- ICMP Reply Error
- Invalid ICMP Type Packet
- ICMP Error Message Replay Attacks
- ICMP Packets with Duplicate Sequence Number
- Short ICMP Header Length
- Invalid ICMP Packet Length
- ICMP Flood Attack (downlink only)
- Ping of Death Attacks
- ICMP Checksum Errors
- ICMP Packets with Destination Unreachable Message

Other DoS attacks:
- Port-scan attacks (downlink only)

Distributed Denial-of-Service (DDoS) Attacks

A DDoS attack is an extended version of a DoS attack in which large numbers of compromised systems (sometimes called a botnet) attack a single target. A DDoS attack is more devastating than a DoS attack from a single source.

In order to protect internal hosts and prevent the abuse of network bandwidth, operators need to secure systems at the network edge.

The Personal Stateful Firewall feature provides protection against most known DoS and DDoS attacks by way of configured rule definitions.

Protection against Port Scanning

Port scanning is a technique used to determine the states of TCP/UDP ports on a network host, and to map out hosts on a network. Essentially, a port scan consists of sending a message to each port on the host, one at a time. The kind of response received indicates whether the port is in use, and therefore whether it can be probed further for weaknesses. This is how attackers find potential weaknesses that can be exploited.

The Personal Stateful Firewall feature provides protection against port scanning by implementing port-scan detection algorithms. Port-scan attacks are detected only in downlink traffic, from the external network towards mobile subscribers.

Application-level Gateway (ALG) Support

A stateful firewall, while ensuring that only legitimate connections are allowed, also maintains the state of each allowed connection. Some network applications require additional connections to be opened in either direction, and information about such connections is carried in the application payload. For these applications to work properly, a stateful firewall must inspect, analyze, and parse the application payload to obtain the additional connection information, and open partial connections (pinholes) in the firewall to allow those connections.

To parse application payloads, the firewall employs ALGs. ALGs also check for application-level attacks.
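One way an ALG derives a pinhole from the application payload, as an added example in Python that is not StarOS code: it parses the address and port carried in an FTP PORT command from the subscriber and in a 227 passive-mode reply from the server, returns the data-channel pinhole the firewall would have to open, and refuses an FTP bounce attempt (a PORT address that is not the client's own, the attack listed under TCP-based attacks above) as well as malformed addresses and privileged ports, the last following the advice in RFC 2577. The control-channel lines and the RFC 5737 addresses are constructed, and the Pinhole record and its field names are this example's own.

```python
"""FTP ALG sketch: derive the data-channel pinhole from FTP control-channel
messages and refuse bounce attempts.  Added example, not StarOS code."""
import re
from dataclasses import dataclass

# "PORT h1,h2,h3,h4,p1,p2" from the client; "227 ... (h1,h2,h3,h4,p1,p2)" from the server
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")


@dataclass(frozen=True)
class Pinhole:
    proto: str
    host: str        # endpoint the peer will connect to
    port: int
    direction: str   # "inbound": server connects to the subscriber; "outbound": subscriber to server


def _decode_hostport(csv):
    """Turn the six comma-separated decimal values into (host, port)."""
    parts = [int(x) for x in csv.split(",")]
    if any(x > 255 for x in parts):
        raise ValueError("octet out of range")
    host = ".".join(str(x) for x in parts[:4])
    port = parts[4] * 256 + parts[5]
    if port == 0:
        raise ValueError("port zero")
    return host, port


def inspect_control_line(line, client_ip, server_ip):
    """Return the Pinhole a line requires, None if it requires none, or raise
    ValueError when the line must be blocked as malformed or as an attack."""
    m = PORT_RE.match(line)
    if m:
        host, port = _decode_hostport(m.group(1))
        # FTP bounce: the client asks the server to connect to a third host.
        if host != client_ip:
            raise ValueError("FTP bounce: PORT address %s is not the client %s" % (host, client_ip))
        # RFC 2577 advises refusing data connections to privileged ports.
        if port < 1024:
            raise ValueError("privileged port %d refused" % port)
        return Pinhole("tcp", host, port, "inbound")
    m = PASV_RE.match(line)
    if m:
        host, port = _decode_hostport(m.group(1))
        # This example refuses a passive address that is not the server itself;
        # a NAT-aware ALG would instead rewrite it.
        if host != server_ip:
            raise ValueError("PASV address %s is not the server %s" % (host, server_ip))
        return Pinhole("tcp", host, port, "outbound")
    return None


def demo():
    """Constructed control-channel lines between subscriber 10.0.0.5 and
    server 203.0.113.10 (RFC 5737 documentation addresses)."""
    client, server = "10.0.0.5", "203.0.113.10"
    lines = [
        "USER anonymous",
        "PORT 10,0,0,5,195,80",                              # legitimate: 195*256+80 = 50000
        "227 Entering Passive Mode (203,0,113,10,234,33).",  # 234*256+33 = 59937
        "PORT 192,168,1,99,0,21",                            # bounce attempt at a third host
        "PORT 10,0,0,5,0,80",                                # privileged port
        "PORT 10,0,0,5,300,1",                               # malformed octet
    ]
    out = []
    for line in lines:
        try:
            out.append(inspect_control_line(line, client, server))
        except ValueError as err:
            out.append("reject: %s" % err)
    return out
```

A real ALG applies this to the control connection only after the stateful tracker has established it, and removes the pinhole again once the data connection closes or its idle timeout expires; the example stops at deciding whether a pinhole may be opened at all.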
Starent Networks Personal Stateful Firewall provides ALG functionality for the following protocols:12-23-2009 Supported Features1-9 Session Initialization Protocol (SIP) Real Time Streaming Protocol (RTSP) Real Time Protocol (RTP) File Transfer Protocol (FTP)ALG support for Simple Mail Transfer Protocol (SMTP) and HTTP is ECS functionality.Stateful Packet Filtering and Inspection SupportStateful filtering provides the stateful tracking of protocol information at Layer-4 and below. Personal Stateful Firewall overcomes the disadvantages of static packet filters by disallowing any incoming packets that have the TCP SYN flag set (which means a host is trying to initiate a new connection). If configured, stateful packet filtering allows only packets for new connections initiated from internal hosts to external hosts and disallows packets for new connections initiated from external hosts to internal hosts.Stateful packet filtering also tracks sequence and acknowledgement numbers per packet and the TCP packet flags.Stateful packet inspection uses all the Layer-4 information as well as the application-level commands up to Layer-7. All this information is combined to provide good definition of the individual connection state.In both stateful filtering and stateful inspection, the tracked state information is recorded into a state table that tracks the information until a connection is torn down or until a preconfigured session timeout is reached.Personal Stateful Firewall provides rules for configuring packet filtering and inspection using rules described in theUnderstanding Firewall Rules with Stateful Inspection section.Host Pool, IMSI Pool, and Port Map SupportHost Pool SupportHost pools allow the operator to group a set of host or IP addresses that share similar characteristics together. Firewall rule definitions (ruledefs) can be configured with host pools. 
Host pools are defined in the ACS Host Pool Configuration Mode.IMSI Pool SupportIMSI pools allow the operator to group a set of International Mobile Station Identifier (IMSI) numbers together. Firewall ruledefs can be configured with IMSI pools. IMSI pools are defined in the IMSI Pool Configuration Mode.Port Map SupportPort maps allow the operator to group a set of port numbers together. Firewall ruledefs can be configured with port maps. Port maps are defined in the ACS Port Map Configuration Mode.Personal Stateful Firewall Overview 12-23-2009 1-10The Personal Stateful Firewall uses standard application ports to trigger ALG functionality. The operator can modify the existing set to remove/add new port numbers.Flow Recovery SupportStarent Networks Stateful Firewall supports call recovery during session failover. Flows associated with the calls are recovered.A recovery-timeout parameter is configurable for uplink and downlink directions. If the value is zero, then Firewall Flow Recovery is not done. If the value is non-zero, then firewall will be bypassed for packets from MS/Internet until the time configured (uplink/downlink). Once the manager recovers, the recovery-timeout timer is started. During this time: If any ongoing traffic arrives from the subscriber and no association is found, and flow recovery is enabled, basic checks like header processing, attacks, etc. are done (stateful checks of packet is not done), and if all is okay, an association is created and the packet is allowed to pass through. If any ongoing traffic arrives from the Internet to MS and no association is found, and flow recovery is not enabled, it is dropped. No RESET is sent. Else, basic checks like header processing, flooding attack check are done (stateful checks of packet are not done), and if all is okay, an association is created and the packet is allowed to pass through. 
- If a flow recovered from ongoing traffic arriving from the Internet to the MS, and the MS sends a NACK, the Unwanted Traffic Suppression feature is triggered: upon repeatedly receiving NACKs from the MS for a 5-tuple, further traffic to that 5-tuple is blocked for some duration and not sent to the MS.
- If any new traffic (3-way handshake) arrives, whether it is a new flow or a new flow due to a pinhole, then, based on the direction of the packet and whether flow recovery is enabled, basic checks such as header processing and attack checks are done (stateful checks of the packet are not done), and if all is okay, an association is created and the packet is allowed to pass through.

For any traffic arriving after the recovery-timeout:

- If any ongoing traffic arrives, it is allowed only if an association was created earlier. Otherwise, it is dropped and a reset is sent.
- If any new traffic (3-way handshake) arrives, the usual Firewall processing is done.

If recovery-timeout is zero, firewall flow recovery is not done.

SNMP Thresholding Support

Starent Networks Stateful Firewall allows users to configure thresholds to get notifications for various events happening in the system. Whenever a measured value crosses the specified threshold value at the given time, an alarm is generated. And whenever a measured value falls below the specified threshold clear value at the given time, a clear alarm is generated. The following events are supported for generating and clearing alarms:

- Dos-Attacks: When the number of DoS attacks crosses a given value, a threshold alarm is raised, and it is cleared when the number of DoS attacks falls below a value in a given period of time.
- Drop-Packets: When the number of dropped packets crosses a given value, a threshold alarm is raised, and it is cleared when the number of dropped packets falls below a value in a given period of time.
- Deny-Rule: When the number of Deny Rules crosses a given value, a threshold alarm is raised, and it is cleared when the number of Deny Rules falls below a value in a given period of time.
- No-Rule: When the number of No Rules crosses a given value, a threshold alarm is raised, and it is cleared when the number of No Rules falls below a value in a given period of time.

Logging Support

Starent Networks Stateful Firewall supports logging of various messages on screen if logging is enabled for firewall. These logs provide detailed messages at various levels, such as critical, error, warning, and debug.

Logging is also supported at rule level: when enabled in a rule, a message is logged whenever a packet hits the rule. This can be turned on/off in a rule.

These logs are also sent to a syslog server if one is configured in the system.

How Personal Stateful Firewall Works

This section describes how Personal Stateful Firewall works.

IMPORTANT: In StarOS 8.x, Stateful Firewall for CDMA and early UMTS releases used rulebase-based configurations, whereas later UMTS releases used policy-based configurations. In StarOS 9.0, Stateful Firewall for UMTS and CDMA releases both use policy-based configurations. For more information, please contact your local service representative.

Firewall-and-NAT policies are configured in the ACS Firewall-and-NAT Policy Configuration Mode. Each policy contains a set of firewall-specific ruledefs and the firewall configurations. Multiple such policies can be configured; however, only one policy is applied to a subscriber at any point of time.

The policy used for a subscriber can be changed either from the CLI, or by dynamic update of the policy name in Diameter and RADIUS messages. In both cases the NAT status on the active call remains unchanged.

The Firewall-and-NAT policy to be used for a subscriber can be configured in:

- ACS rulebase: The default Firewall-and-NAT policy configured in the ACS rulebase has the least priority.
  If there is no policy configured in the APN/subscriber template, and/or no policy to use is received from the AAA/OCS, only then is the default policy configured in the ACS rulebase used.
- APN/subscriber template: The Firewall-and-NAT policy configured in the APN/subscriber template overrides the default policy configured in the ACS rulebase. To use the default policy configured in the ACS rulebase, the command to use the default rulebase policy must be configured in the APN/subscriber configuration.
- AAA/OCS: The Firewall-and-NAT policy to be used can come from the AAA server or the OCS. If the policy comes from the AAA/OCS, it overrides the policy configured in the APN/subscriber template and/or the ACS rulebase.

IMPORTANT: The Firewall-and-NAT policies received from the AAA and from the OCS have the same priority. Whichever comes latest, from either the AAA or the OCS, is applied.

The Firewall-and-NAT policy to use can be received from RADIUS during authentication.

Disabling Firewall Policy

IMPORTANT: By default, firewall processing for subscribers is disabled.

Firewall processing is disabled for subscribers if:

- Firewall is explicitly disabled in the APN/subscriber template configuration.
- The AAA/OCS sends the SN-Firewall-Policy AVP with the string disable; in that case the locally configured firewall policy is not applied. If the SN-Firewall-Policy AVP is received with the string NULL, the existing policy continues. If the SN-Firewall-Policy AVP is received with a name that is not configured locally, the subscriber session is terminated.

Mid-session Firewall Policy Update

The Firewall-and-NAT policy can be updated mid-session, provided the firewall policy was enabled during call setup.

IMPORTANT: When the firewall AVP contains disable during a mid-session firewall policy change, no action is taken, as the Firewall-and-NAT policy cannot be disabled dynamically. The policy currently applied continues.

IMPORTANT: When a Firewall-and-NAT policy is deleted, Firewall processing is disabled for all subscribers using the policy, and the ECS sessions for those subscribers are dropped. In case of session recovery, the calls are recovered, but with Firewall disabled.

How it Works

The following figure illustrates packet flow in Firewall processing for a subscriber.

[Figure 1-1 and Figure 1-2 Firewall Processing: flowchart, not reproduced. A data packet received for ECS processing is checked, in order, against the per-subscriber flow limit, fragment buffering and IP reassembly, the IP header checks, the lookup for an existing matching flow (a match only updates the flow statistics), the transport-layer header and state checks, the ACSMgr memory and flow limits, flooding detection, and the firewall rule match. Each failed check updates statistics (and the DoS attack counters where applicable) and drops the packet; a packet that passes every check creates a firewall flow, updates the flow and packet statistics, and goes to ACS for further processing.]

Understanding Firewall Rules with Stateful Inspection

This section describes terms used in the Personal Stateful Firewall context.
- Access Ruledefs: The stateful packet inspection feature of the Personal Stateful Firewall allows the operator to configure rule definitions (ruledefs) that take active session information into consideration to permit or deny incoming or outgoing packets.

  An access ruledef contains the criteria for multiple actions that could be taken on packets matching the rules. These rules specify the protocols, source and destination hosts, source and destination ports, and direction-of-traffic parameters for a subscriber session, to allow or reject the traffic flow.

  An access ruledef consists of the following fields:

  - Ruledef name
  - Source IP address
  - Source port number (not required if the protocol is other than TCP or UDP)
  - Destination IP address
  - Destination port number (not required if the protocol is other than TCP or UDP)
  - Transport protocol (TCP/UDP/ICMP/AH/ESP)
  - Direction of connection (Uplink/Downlink)
  - Bearer (IMSI-pool and APN)
  - Logging action (enable/disable)

  An access ruledef can be added to multiple Firewall-and-NAT policies.

  A combined maximum of 4096 rules (host pools + IMSI pools + port maps + charging ruledefs + firewall/access ruledefs + routing ruledefs) can be created in a system. Access/firewall ruledefs are different from ACS ruledefs. A combined maximum of 2048 charging and firewall ruledefs can be created in a system.

- Firewall-and-NAT Policy: In Policy-based Firewall and NAT, Firewall-and-NAT policies are configured in the ACS Firewall-and-NAT Policy Configuration Mode. Each policy contains a set of firewall-specific ruledefs, with a priority defined for each rule, and the firewall configurations. Multiple such policies can be configured; however, only one policy is applied to a subscriber at any point of time.

- Service Definition: A user-defined firewall service for defining a stateful firewall policy that initiates an outgoing connection on a primary port and allows auxiliary ports for that association to be opened in the reverse direction.

- Maximum Association: The maximum number of firewall associations for a subscriber.

Connection State and State Table in Personal Stateful Firewall

This section describes the state table and the different connection states for transport and network protocols.

After packet inspection, the Personal Stateful Firewall stores session state and other information in a table. This state table contains entries for all the communication sessions of which the firewall subsystem is aware. Every entry in this table holds a list of information that identifies the subscriber session it represents. Generally this information includes the source and destination IP addresses, flags, sequence and acknowledgement numbers, etc.

When a connection is permitted through the Personal Stateful Firewall enabled chassis, a state entry is created. If a session connection with the same information (source address, source port, destination address, destination port, protocol) is requested, the firewall subsystem compares the packet's information to the state table entry to determine the validity of the session. If the packet matches a current table entry, it is allowed to pass; otherwise it is dropped.

Transport and Network Protocols and States

Transport protocols have their connection state tracked in various ways. Many attributes, including the IP address and port combination, sequence numbers, and flags, are used to track the individual connection. The combination of this information is kept as a hash in the state table.

TCP Protocol and Connection State

TCP is a stateful, connection-oriented protocol that has well-defined session connection states. TCP tracks the state of its connections with flags as defined for the TCP protocol.
The following table describes the different states of a TCP connection.

Table 1-1 TCP Connection States

State Flag     Description

TCP (Establishing Connection)

CLOSED         A non-state that exists before a connection actually begins.
LISTEN         The state a host is in while waiting for a request to start a connection. This is the starting state of a TCP connection.
SYN-SENT       The time after a host has sent out a SYN packet and is waiting for the proper SYN-ACK reply.
SYN-RCVD       The state a host is in after receiving a SYN packet and replying with its SYN-ACK reply.
ESTABLISHED    The state a host is in after its necessary ACK packet has been received. The initiating host goes into this state after receiving a SYN-ACK.

TCP (Closing Connection)

FIN-WAIT-1     The state a connection is in after it has sent an initial FIN packet asking for a graceful termination of the TCP connection.
CLOSE-WAIT     The state a host's connection is in after it receives an initial FIN and sends back an ACK to acknowledge the FIN.
FIN-WAIT-2     The connection state of the host that has received the ACK response to its initial FIN, as it waits for a final FIN from its connection peer.
LAST-ACK       The state of the host that has just sent the second FIN needed to gracefully close the TCP connection back to the initiating host, while it waits for an acknowledgement.
TIME-WAIT      The state of the initiating host that received the final FIN and has sent an ACK to close the connection, and is waiting for an acknowledgement of the ACK from the connection peer. Note that the amount of time TIME-WAIT is defined to pause is equal to twice the Maximum Segment Lifetime (MSL), as defined for the TCP implementation.
CLOSING        A state that is employed when a connection uses the unexpected simultaneous close.

UDP Protocol and Connection State

UDP is a connection-less transport protocol. Due to its connection-less nature, tracking its state is a more complicated process than for TCP. The Personal Stateful Firewall tracks a UDP connection in a different manner than TCP. A UDP packet has no sequence number or flag field. The port numbers used in a UDP packet flow change randomly for any given session connection, so the Personal Stateful Firewall keeps the status of the IP addresses.

UDP traffic cannot correct communication issues on its own and relies entirely on ICMP as its error handler. This makes ICMP an important part of a UDP session for tracking its overall state.

UDP has no set method of connection teardown that announces the session's end. Because of the lack of a defined ending, the Personal Stateful Firewall clears a UDP session's state table entries after a preconfigured timeout value is reached.

ICMP Protocol and Connection State

ICMP is also a connection-less network protocol. The ICMP protocol is often used to return error messages when a host or protocol cannot do so on its own. ICMP response-type messages are precipitated by requests using other protocols such as TCP or UDP. This way of messaging, together with its connection-less and one-way communication, makes the tracking of its state a much more complicated process than for UDP. The Personal Stateful Firewall tracks an ICMP connection based on IP address and request message type information in a state table.

Like UDP, the ICMP connection lacks a defined session ending process, so the Personal Stateful Firewall clears a state table entry on a predetermined timeout.

Application-Level Traffic and States

The Personal Stateful Firewall uses Deep Packet Inspection (DPI) functionality to manage application-level traffic and its state. With the help of DPI functionality, the Personal Stateful Firewall inspects packets up to Layer-7. It takes application behaviors into account to verify that all session-related traffic is properly handled, and then decides which traffic to allow into the network.

Different applications follow different rules for communication exchange, so the Personal Stateful Firewall manages the different communication sessions with different rules through DPI functionality.

The Personal Stateful Firewall also provides inspection and filtering functionality on application content with DPI. Personal Stateful Firewall is responsible for performing many simultaneous functions, and it detects, allows, or drops packets at the ingress point of the network.

HTTP Application and State

HTTP is one of the main protocols used on the Internet today. It uses TCP as its transport protocol, and its session initialization follows the standard TCP connection method.

Due to the TCP flow, HTTP allows an easier definition of the overall session's state. It uses a single established connection from the client to the server, and all its requests are outbound and responses are inbound.
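The state table described above, as an added Python model (not Starent code): one entry per 5-tuple, new flows accepted only from the internal side, the TCP states of Table 1-1 driven by the packet flags, the configurable drop/reset action for a TCP flow that does not start with a SYN, and per-protocol idle timeouts that clear UDP/ICMP/TCP entries. The close sequence is simplified (both FIN exchanges are collapsed into LAST-ACK), and the addresses and timeouts used are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# 5-tuple as the firewall keys its state table: (src_ip, src_port, dst_ip, dst_port, proto)
FlowKey = Tuple[str, int, str, int, str]

# TCP flag bits, laid out as in the TCP header flag byte
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class FlowEntry:
    key: FlowKey      # 5-tuple as seen from the initiating (uplink) side
    state: str        # TCP state name from Table 1-1, or "ACTIVE" for UDP/ICMP
    last_seen: float  # time of the last packet, used for the idle timeout


class StateTable:
    """Simplified state table (hypothetical model, not StarOS code). Ruledef
    matching is assumed to have already permitted the flow; only tracking is shown."""

    def __init__(self, idle_timeout: Dict[str, float], first_packet_non_syn: str = "drop"):
        self.idle_timeout = idle_timeout                   # seconds per protocol name
        self.first_packet_non_syn = first_packet_non_syn   # "drop" or "reset"
        self.entries: Dict[FlowKey, FlowEntry] = {}

    @staticmethod
    def reverse(key: FlowKey) -> FlowKey:
        src_ip, src_port, dst_ip, dst_port, proto = key
        return (dst_ip, dst_port, src_ip, src_port, proto)

    def _find(self, key: FlowKey, now: float) -> Tuple[Optional[FlowEntry], bool]:
        """Return (entry, packet_is_from_initiator); an idle-timed-out entry is cleared."""
        for candidate, from_initiator in ((key, True), (self.reverse(key), False)):
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            if now - entry.last_seen > self.idle_timeout[candidate[4]]:
                del self.entries[candidate]   # preconfigured session timeout reached
                return None, True
            return entry, from_initiator
        return None, True

    def process(self, key: FlowKey, uplink: bool, now: float, flags: int = 0) -> str:
        """Verdict for one packet: 'permit', 'drop' or 'reset'."""
        entry, from_initiator = self._find(key, now)
        if entry is None:
            return self._new_flow(key, uplink, now, flags)
        entry.last_seen = now
        if key[4] != "tcp":
            return "permit"               # UDP/ICMP: a matching packet refreshes the entry
        return self._tcp_step(entry, from_initiator, flags)

    def _new_flow(self, key: FlowKey, uplink: bool, now: float, flags: int) -> str:
        if not uplink:
            return "drop"                 # new connections from external hosts are refused
        if key[4] != "tcp":
            self.entries[key] = FlowEntry(key, "ACTIVE", now)
            return "permit"
        if flags & SYN and not flags & ACK:
            self.entries[key] = FlowEntry(key, "SYN-SENT", now)
            return "permit"
        return self.first_packet_non_syn  # tcp-first-packet-non-syn {drop | reset}

    def _tcp_step(self, entry: FlowEntry, from_initiator: bool, flags: int) -> str:
        """Walk the connection through the states of Table 1-1 (simplified close)."""
        if flags & RST:
            del self.entries[entry.key]   # abortive close: entry torn down at once
            return "permit"
        state = entry.state
        if state == "SYN-SENT":
            if from_initiator and flags & SYN:
                return "permit"           # SYN retransmission
            if not from_initiator and flags & SYN and flags & ACK:
                entry.state = "SYN-RCVD"
                return "permit"
        elif state == "SYN-RCVD":
            if from_initiator and flags & ACK:
                entry.state = "ESTABLISHED"
                return "permit"
        elif state == "ESTABLISHED":
            if flags & FIN:
                entry.state = "FIN-WAIT-1" if from_initiator else "CLOSE-WAIT"
            return "permit"
        elif state in ("FIN-WAIT-1", "CLOSE-WAIT"):
            if flags & FIN:
                entry.state = "LAST-ACK"  # second FIN sent, waiting for its ACK
            return "permit"
        elif state == "LAST-ACK":
            if flags & ACK:
                del self.entries[entry.key]   # graceful close complete
            return "permit"
        return "drop"                     # packet does not fit the tracked state
```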
The state of the connection matches the TCP state tracking.

For content verification and validation on the HTTP application session, the Personal Stateful Firewall uses DPI functionality in the chassis.

File Transfer Protocol and State

FTP is an application for moving files between systems across the network. It is a two-way connection and uses TCP as its transport protocol.

Due to the TCP flow, FTP allows an easier definition of the overall session's state. As it uses a single established connection from the client to the server, the state of the connection matches the TCP state tracking.

Personal Stateful Firewall uses application-port mapping along with FTP application-level content verification and validation with DPI functionality in the chassis. It also supports pinhole data structures and their initialization, wherein the FTP ALG parses the FTP PORT command to identify the initiation and termination end points of future FTP DATA sessions. The source/destination IP and destination port of the FTP DATA session are stored. When a new session is to be created for a call, a check is made to see whether the source/destination IP and destination port of this new session match the stored values. Upon a match, a new ACS data session is created.

This lookup in the pinhole list is made before the port trigger check and the stateful firewall ruledef match. If the lookup returns a valid pinhole, that particular session is allowed. Whenever a new FTP data session is allowed because of a pinhole match, the associated pinhole is deleted.
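The pinhole handling just described, as an added Python example (not Starent code): the PORT command on the control flow is parsed into the endpoint of the expected DATA session, the pinhole is looked up when a new session is created and consumed on the first match, and all pinholes of a control session are expired when that session closes. The ALG class and the addresses are constructed; the refusal of a PORT command that names a host other than the client is an assumption added to model the ftp-bounce protection.

```python
import re
from typing import Dict, List, Optional, Tuple

# Control-session key: (client_ip, client_port, server_ip, server_port, proto)
ControlKey = Tuple[str, int, str, int, str]
# A pinhole stores what the guide says is kept for the future FTP DATA session:
# its source IP, destination IP and destination port.
Pinhole = Tuple[str, str, int]

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if not a valid PORT command."""
    match = PORT_RE.match(line.rstrip("\r\n"))
    if not match:
        return None
    fields = [int(x) for x in match.groups()]
    if any(v > 255 for v in fields):
        return None                       # every field is one octet
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpAlg:
    """Hypothetical pinhole list (not StarOS code): pinholes are created from
    PORT commands seen on the control flow and are single-use."""

    def __init__(self) -> None:
        self.pinholes: Dict[ControlKey, List[Pinhole]] = {}

    def on_control_command(self, control: ControlKey, line: str) -> bool:
        """Uplink command on an FTP control flow; returns True if a pinhole was opened."""
        parsed = parse_port_command(line)
        if parsed is None:
            return False
        client_ip, _, server_ip, _, _ = control
        data_ip, data_port = parsed
        if data_ip != client_ip:
            # Assumption: a PORT pointing at a third host (FTP bounce) opens no pinhole.
            return False
        # In active mode the server opens the DATA session towards the client,
        # so the expected session is server -> client:data_port.
        self.pinholes.setdefault(control, []).append((server_ip, client_ip, data_port))
        return True

    def match_new_session(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Lookup made before the port-trigger check and the ruledef match for a
        new session. A matching pinhole allows the session and is deleted."""
        wanted = (src_ip, dst_ip, dst_port)
        for holes in self.pinholes.values():
            if wanted in holes:
                holes.remove(wanted)
                return True
        return False

    def on_control_close(self, control: ControlKey) -> int:
        """Control session deleted or call down: expire its pinholes; returns the count."""
        return len(self.pinholes.pop(control, []))
```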
Pinholes are also expired if the associated FTP control session is deleted, or when the subscriber call goes down.

SECTION II CONFIGURATION

Chapter 2 Personal Stateful Firewall Configuration
Chapter 3 Verifying and Saving Your Configuration

CHAPTER 2 PERSONAL STATEFUL FIREWALL CONFIGURATION

This chapter describes how to configure Personal Stateful Firewall support in a system.

IMPORTANT: In StarOS 8.x, Stateful Firewall for CDMA and early UMTS releases used rulebase-based configurations, whereas later UMTS releases used policy-based configurations. In StarOS 9.0, Stateful Firewall for UMTS and CDMA releases both use policy-based configurations. For more information, please contact your local service representative.

This chapter describes the following topics:

- Before You Begin
- Configuring the System
- Stateful Firewall Configuration
- Saving the Configuration
- Gathering Stateful Firewall Statistics
- Managing Your Configuration

Before You Begin

This section lists the steps to perform before you can start configuring Personal Stateful Firewall support in a system.

1. Configure the required 3GPP/3GPP2/WiMAX/IMS core network service for subscribers on the system as described in the System Administration Guide.
2. Obtain and install the required feature licenses for the required number of subscriber sessions.
3. Proceed to the Configuring the System section.

Configuring the System

This section lists the high-level steps to configure Stateful Firewall support with Active Charging Service.

1. To configure Policy-based Stateful Firewall functionality, see the Stateful Firewall Configuration section.
2. Configure the schema for bulk statistics collection as described in the Configuring Bulk Statistics Schema section.
3. Save changes to the system configuration as described in the Saving the Configuration section.

Stateful Firewall Configuration

This section describes how to configure Policy-based Stateful Firewall support in a system.

1. Enable enhanced charging as described in the Enabling the ACS Subsystem in Optimized Mode section.
2. Create the ACS service as described in the Creating the Active Charging Service section.
3. Optional: Configure ACS application-port maps for the TCP and UDP protocols as described in the Configuring ACS Port Maps section.
4. Optional: Configure ACS host pools as described in the Configuring ACS Host Pools section.
5. Optional: Configure ACS IMSI pools as described in the Configuring ACS IMSI Pools section.
6. Configure access ruledefs as described in the Configuring Access Ruledefs section.
7. Configure the Firewall-and-NAT policy as described in the Configuring Firewall-and-NAT Policy section.
8. Configure the action on packets with no rule matches as described in the Configuring Action on Packets with No Access Ruledef Match section.
9. Configure protection from DoS attacks as described in the Configuring Protection from DoS Attacks section.
10. Configure the action on packets dropped by the firewall due to any error condition as described in the Configuring Action on Packets Dropped by Firewall section.
11. Configure the maximum limit on flows, regardless of flow type or based on protocol, as described in the Configuring Maximum Limit of Flows section.
12. Configure protection from port scanning as described in the Configuring Protection from Port Scanning section.
13. Configure the threshold on TCP reset messages as described in the Configuring Threshold on TCP Reset Messages section.
14. Configure the threshold on ICMP error messages as described in the Configuring Threshold on ICMP Error Messages section.
15. Configure the maximum IP packet size allowed for ICMP and non-ICMP packets, to prevent packet flooding attacks on the host, as described in the Configuring Maximum IP Packet Size section.
16. Configure flow session timeout settings for the stateful firewall as described in the Configuring Firewall Idle Timeout Settings section.
17. Configure the action to take on TCP flows starting with a non-SYN packet, and on TCP idle timeout expiry, as described in the Configuring Other Firewall Settings section.
18. Configure ALGs as described in the Configuring Dynamic Pinholes/ALGs section.
19. Enable firewall support for APN/subscribers as described in the Enabling Firewall for APN/Subscribers section.
20. Optional: Configure the default Firewall-and-NAT policy as described in the Configuring Default Firewall-and-NAT Policy section.
21. Configure Firewall threshold limits and the polling interval for DoS attacks, dropped packets, deny rules, and no rules as described in the Configuring Firewall Thresholds section.
22. Enable the bulk statistics schema for the Personal Stateful Firewall service as described in the Configuring Bulk Statistics Schema section.
23. Enable Stateful Firewall Session Recovery as described in the Configuring Session Recovery section.

IMPORTANT: Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented.
In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.

Enabling the ACS Subsystem in Optimized Mode

To enable enhanced charging on the system, use the following configuration example:

    configure
        require active-charging
        end

Creating the Active Charging Service

To create the active charging service, use the following configuration example:

    configure
        active-charging service [-noconfirm]
        end

Configuring ACS Port Maps

To create and configure a port map, use the following configuration example:

    configure
        active-charging service
            port-map [-noconfirm]
                port { | range to }
                end

Notes:

- A maximum of 256 host pools, IMSI pools, and port maps each, and a combined maximum of 4096 rules (host pools + IMSI pools + port maps + charging ruledefs + access ruledefs + routing ruledefs) can be created in a system.
- Port maps, host pools, IMSI pools, and charging, firewall, and routing ruledefs must each have unique names.
- A maximum of 10 options can be configured in each host pool, IMSI pool, and port map.

Configuring ACS Host Pools

To create and configure a host pool, use the following configuration example:

    configure
        active-charging service
            host-pool [-noconfirm]
                ip { | | range to }
                end

Configuring ACS IMSI Pools

To create and configure an IMSI pool, use the following configuration example:

    configure
        active-charging service
            imsi-pool [-noconfirm]
                imsi { | range to }
                end

Configuring Access Ruledefs

To create and configure an access rule definition, use the following configuration example:

    configure
        active-charging service
            access-ruledef [-noconfirm]
                bearer apn [case-sensitive]
                bearer imsi { | {!range | range} imsi-pool }
                bearer username [case-sensitive]
                icmp { any-match | code | type }
                ip { {{any-match | downlink | uplink} } | {{dst-address | src-address} {{{ | }} | {!range | range} host-pool }} | protocol {{{ | }} | { }} }
                tcp { any-match | {{dst-port | either-port | src-port} {{ } | {!range | range} { to | port-map }}} }
                udp { any-match | {dst-port | either-port | src-port} { | {!range | range} { to | port-map }} }
                create-log-record
                end

Notes:

- If the source IP address is not configured, it is treated as any source IP.
- If the destination IP address is not configured, it is treated as any destination IP.
- If the source port number is not configured, it is treated as any source port.
- If the destination port is not configured, it is treated as any destination port.
- If no protocol is specified, it is treated as any protocol.
- If neither the uplink nor the downlink field is configured, the rule is treated as applying to either direction, i.e. packets from any direction will match that rule.
- Configuring access ruledefs involves the creation of several ruledefs with different sets of rules and parameters.
  For more information, see the Firewall Ruledef Configuration Mode Commands chapter of the Command Line Interface Reference.

Configuring Firewall-and-NAT Policy

Use the following configuration example to create and configure a Firewall-and-NAT policy:

    configure
        active-charging service
            fw-and-nat policy [-noconfirm]
                firewall policy firewall-required
                access-rule priority { [dynamic-only | static-and-dynamic] access-ruledef { deny [charging-action ] | permit [trigger open-port { | range to } direction {both | reverse | same}] } }
                end

Configuring Action on Packets with No Access Ruledef Match

Use the following configuration example to configure the default action on packets with no access ruledef match:

    configure
        active-charging service
            fw-and-nat policy [-noconfirm]
                access-rule no-ruledef-matches {downlink | uplink} action { deny [charging-action ] | permit }
                end

Notes:

- Rule matching is done for the first packet of a flow. Only when no rules match is the no-ruledef-matches configuration considered.
- The default setting for the uplink direction is permit, and for the downlink direction deny.

Configuring Protection from DoS Attacks

Use the following configuration example to configure protection from DoS attacks:

    configure
        active-charging service
            fw-and-nat policy
                firewall dos-protection { all | flooding {icmp | tcp-syn | udp} | ftp-bounce | ip-unaligned-timestamp | mime-flood | port-scan | source-router | tcp-window-containment | teardrop | winnuke }
                firewall flooding { {protocol {icmp | tcp-syn | udp} packet limit } | {sampling-interval } }
                firewall mime-flood { http-headers-limit | max-http-header-field-size }
                firewall tcp-syn-flood-intercept { mode {none | watch [aggressive]} | watch-timeout }
                end

Notes:

- The following DoS attacks are only detected in the downlink direction: flooding, ftp-bounce, ip-unaligned-timestamp, mime-flood, port-scan, source-router, tcp-window-containment, teardrop, winnuke.

Configuring Action on Packets Dropped by Firewall

Use the following configuration example to configure the accounting action on packets dropped by the firewall due to any error:

    configure
        active-charging service
            rulebase
                flow any-error charging-action
                end

Notes:

- For a packet dropped due to any error condition after the data session is created, the charging action used is the one configured in the flow any-error charging-action command.
  Whereas, for a packet dropped due to a firewall ruledef match or no match (first packet of a flow), the charging action applied is the one configured in the access-rule priority or the access-rule no-ruledef-matches command, respectively.

Configuring Maximum Limit of Flows

Use the following configuration example to configure the maximum number of flows per subscriber/APN sent to a rulebase:

    configure
        active-charging service
            rulebase
                flow limit-across-applications { | non-tcp | tcp }
                end

Configuring Protection from Port Scanning

Use the following configuration example to configure protection from port scanning:

    configure
        active-charging service
            firewall port-scan { connection-attempt-success-percentage { non-scanner | scanner } | inactivity-timeout | protocol {tcp | udp} response-timeout | scanner-policy { block inactivity-timeout | log-only } }
            end

Configuring Threshold on TCP Reset Messages

Use the following configuration example to configure the threshold on the number of TCP reset messages sent by the subscriber for a particular data flow:

    configure
        active-charging service
            fw-and-nat policy
                firewall tcp-reset-message-threshold then-block-server
                end

Configuring Threshold on ICMP Error Messages

Use the following configuration example to configure the threshold on the number of ICMP error messages sent by subscribers for a particular data flow:

    configure
        active-charging service
            fw-and-nat policy
                firewall icmp-destination-unreachable-message-threshold then-block-server
                end

Configuring Maximum IP Packet Size

Use the following configuration example to configure the maximum IP packet size:

    configure
        active-charging service
            fw-and-nat policy
                firewall max-ip-packet-size protocol {icmp | non-icmp}
                end

Configuring Firewall Idle Timeout Settings

Use the following configuration example to configure the firewall idle timeout durations:

    configure
        active-charging service
            idle-timeout {icmp | tcp | udp}
            end

Configuring Other Firewall Settings

Use the following configuration example to configure the action to take on TCP flows starting with a non-SYN packet, and on TCP idle timeout expiry:

    configure
        active-charging service
            fw-and-nat policy
                firewall tcp-first-packet-non-syn {drop | reset}
                firewall tcp-idle-timeout-action {drop | reset}
                end

Configuring Dynamic Pinholes/ALGs

Use the following configuration examples to configure routing rules to open up dynamic pinholes for ALG functionality.

Creating Routing Ruledefs

Use the following configuration example to configure routing rules for the FTP, SIP, and RTSP protocols:

    configure
        active-charging service
            ruledef
                tcp either-port
                rule-application routing
                end

Notes:

- Create a separate ruledef for each protocol.

Configuring Routing Ruledefs in the Rulebase

Use the following configuration example to configure the routing ruledefs in the rulebase:

    configure
        active-charging service
            rulebase
                route priority ruledef analyzer { ftp-control | rtsp | sip } [description ]
                rtp dynamic-flow-detection
                end

Notes:

- Add each ruledef as a separate route priority.
   For the RTSP ALG to work, the rtp dynamic-flow-detection command must be configured in the rulebase.

Enabling Firewall for APN/Subscribers

Use the following configuration examples to enable firewall support for APNs/subscribers.

Enabling Firewall for APN

Use the following configuration example to configure the Firewall-and-NAT Policy in an APN:

   configure
      context <context_name>
         apn <apn_name>
            fw-and-nat policy <policy_name>
            end

Notes:
   To specify that the default Firewall-and-NAT policy configured in the rulebase be used for subscribers who use this APN, in the APN Configuration Mode apply the following command: default fw-and-nat policy

Enabling Firewall for Subscribers

Use the following configuration example to configure the Firewall-and-NAT Policy in a subscriber template:

   configure
      context <context_name>
         subscriber default
            fw-and-nat policy <policy_name>
            end

Notes:
   To specify that the default Firewall-and-NAT policy configured in the rulebase be used for subscribers, in the Subscriber Configuration Mode apply the following command: default fw-and-nat policy

Configuring Default Firewall-and-NAT Policy

This is an optional configuration to specify a default Firewall-and-NAT policy to use if the following command is configured in the APN/subscriber configuration: default fw-and-nat policy

Use the following configuration example to configure the default Firewall-and-NAT policy:

   configure
      active-charging service <acs_service_name>
         rulebase <rulebase_name>
            fw-and-nat default-policy <policy_name>
            end

Configuring Firewall Thresholds

Use the following configuration example to configure firewall threshold limits and the polling interval for DoS attacks, dropped packets, deny rules, and no rules:

   configure
      threshold { fw-deny-rule | fw-dos-attack | fw-drop-packet | fw-no-rule } <high_thresh> [ clear <low_thresh> ]
      threshold poll { fw-deny-rule | fw-dos-attack | fw-drop-packet | fw-no-rule } interval <interval>
      snmp trap enable { ThreshFWDenyRule | ThreshFWDosAttack | ThreshFWDropPacket | ThreshFWNoRule }+
      end

Configuring Bulk Statistics Schema

IMPORTANT: To configure the various parameters for Bulk Statistics collection, see the Configuring and Maintaining Bulk Statistics chapter of the System Administration Guide prior to configuring these commands.

The following configuration example enables the bulk statistics schema for the Personal Stateful Firewall service on a chassis:

   configure
      bulkstats mode
         context schema <schema_name> format <format_string>
         end

Notes:
   For more information on the format_string variable, see the Bulk Statistics Configuration Mode Commands chapter of the Command Line Interface Reference.

Configuring Session Recovery

The following configuration example enables Stateful Firewall session recovery:

   configure
      active-charging service <acs_service_name>
         firewall flow-recovery { downlink | uplink } [ timeout <timeout> ]
         end

Changing Firewall Policy in Mid-session

To change the Firewall-and-NAT policy in mid-session, in the Exec mode, use the following command:

   update active-charging { switch-to-fw-and-nat-policy <fw_nat_policy_name> | switch-to-rulebase <rulebase_name> } { all | callid <call_id> | fw-and-nat-policy <fw_nat_policy_name> | imsi <imsi> | ip-address <ipv4_address> | msid <msid> | rulebase <rulebase_name> | username <user_name> } [ -noconfirm ]

Notes:
   To be able to change the Firewall-and-NAT policy in mid-session, Firewall-and-NAT must have been enabled for the subscriber in the APN/Subscriber template configuration, or in the rulebase (the default policy), during call setup.
   The above command takes effect only for current calls.
   For new calls, the RADIUS-returned/APN/Subscriber template/rulebase-configured policy is used.

Saving the Configuration

To save changes made to the system configuration, see the Saving Your Configuration chapter.

Gathering Stateful Firewall Statistics

The following table lists commands to gather Stateful Firewall statistics.

IMPORTANT: For more information on these commands, see the Exec Mode Commands chapter of the Command Line Interface Reference.

Table 2-1 Gathering Firewall Statistics

   Statistics wanted: Firewall-and-NAT Policy statistics.
   Command:
      show active-charging fw-and-nat policy statistics all
      show active-charging fw-and-nat policy statistics name <policy_name>
   Information to look for: The output displays statistics for the specified or all Firewall-and-NAT policies configured.

   Statistics wanted: Firewall-and-NAT Policy information.
   Command:
      show active-charging fw-and-nat policy all
      show active-charging fw-and-nat policy name <policy_name>
   Information to look for: The output displays information for the specified or all Firewall-and-NAT policies configured.

   Statistics wanted: Flow-related statistics on a chassis.
   Command:
      show active-charging flows all
   Information to look for: The output displays statistics for all flows for a subscriber session in a system/service.

   Statistics wanted: Detailed disconnect reasons for session flows.
   Command:
      show session disconnect-reasons [ verbose ]
   Information to look for: The output displays the disconnect reasons for flows of a subscriber session in a system/service.

   Statistics wanted: Detailed statistics of the firewall service.
   Command:
      show active-charging firewall statistics
   Information to look for: The output displays detailed statistics of the firewall configured in a system/service.

   Statistics wanted: Detailed statistics of rulebases.
   Command:
      show active-charging rulebase statistics
   Information to look for: The output displays detailed statistics of rulebases in a service.

   Statistics wanted: Detailed statistics of all ruledefs.
   Command:
      show active-charging ruledef statistics
   Information to look for: The output displays detailed statistics of configured firewall ruledefs in a system/service.

   Statistics wanted: Detailed statistics of all Charging ruledefs.
   Command:
      show active-charging ruledef statistics all charging
   Information to look for: The output displays detailed statistics of all charging ruledefs configured in a service.

   Statistics wanted: Detailed statistics of all Firewall ruledefs.
   Command:
      show active-charging ruledef statistics all firewall [ wide ]
   Information to look for: The output displays detailed statistics of all firewall ruledefs configured in a service.

Managing Your Configuration

This section explains how to review the Personal Stateful Firewall configuration after saving it in a .cfg file as described in the Saving Your Configuration chapter, and how to retrieve errors and warnings within an active configuration for a service.

Output descriptions for most of these commands are available in the Command Line Interface Reference.

Table 2-2 System Status and Personal Stateful Firewall Service Monitoring Commands

To do this: / Enter this command:

View Administrative Information

   View current administrative user access

      View a list of all administrative users currently logged on to the system:
         show administrators
      View the context in which the administrative user is working, the IP address from which the administrative user is accessing the CLI, and a system-generated ID number:
         show administrators session id
      View information pertaining to local-user administrative accounts configured for the system:
         show local-user verbose
      View statistics for local-user administrative accounts:
         show local-user statistics verbose
      View information pertaining to your CLI session:
         show cli

   Determining the System's Uptime

      View the system's uptime (time since last reboot):
         show system uptime

   View Status of Configured NTP Servers

      View the status of the configured NTP servers:
         show ntp status

   View System Alarm Status

      View the status of the system's outstanding alarms:
         show alarm outstanding all
      View detailed information about all currently outstanding alarms:
         show alarm outstanding all verbose
      View system alarm statistics:
         show alarm statistics

View Subscriber Configuration Information

      View locally configured subscriber profile settings (must be in the context where the subscriber resides):
         show subscribers configuration username subscriber_name

View Subscriber Information

      View a list of subscribers currently accessing the system:
         show subscribers all
      View information for a specific subscriber:
         show subscribers full username user_name

View Personal Stateful Firewall Related Information

   View System Configuration

      View the configuration of a context:
         show configuration context context_name
      View configuration errors for the Active Charging Service/Stateful Firewall Service:
         show configuration errors section active-charging [ verbose ] [ | { grep grep_options | more } ]
         show configuration errors verbose

   View Personal Stateful Firewall Configuration

      View Personal Stateful Firewall configurations:
         show configuration | grep Firewall
      View access policy association with subscribers:
         show subscribers all | grep Firewall
         show apn all | grep Firewall
      View firewall policy status for a specific subscriber/APN:
         show subscribers configuration username user_name | grep Firewall
         show apn name apn_name | grep Firewall
      View all Personal Stateful Firewall ruledefs:
         show active-charging ruledef firewall
      View a specific Personal Stateful Firewall ruledef:
         show active-charging ruledef name firewall_rule
      View which DoS attack prevention is enabled:
         show configuration verbose | grep dos
      View attack statistics:
         show active-charging firewall statistics verbose
      View firewall ruledef action properties, checksum verification status, etc.:
         show active-charging rulebase name rulebase_name
      View session disconnect reasons:
         show session disconnect-reasons [ verbose ]
      View information on sessions with firewall processing required or not required, as specified:
         show active-charging sessions firewall { not-required | required }
      View information on subscribers for whom firewall processing is required or not required, as specified:
         show subscribers firewall { not-required | required }

CHAPTER 3
VERIFYING AND SAVING YOUR CONFIGURATION

This chapter describes how to verify and save the system configuration.

Verifying the Configuration

You can use a number of commands to verify the configuration of your feature, service, or system. Many are hierarchical in their implementation and some are specific to portions of, or specific lines in, the configuration file.

Feature Configuration

In many configurations, specific features are set and need to be verified. Examples include APN and IP address pool configuration. Using these examples, enter the following command to verify proper feature configuration:

   show apn all

The output displays the complete configuration for the APN.
In this example, an APN called apn1 is configured.

   access point name (APN): apn1
   authentication context: test
   pdp type: ipv4
   Selection Mode: subscribed
   ip source violation: Checked        drop limit: 10
   accounting mode: gtpp               No early PDUs: Disabled
   max-primary-pdp-contexts: 1000000   total-pdp-contexts: 1000000
   primary contexts: not available     total contexts: not available
   local ip: 0.0.0.0
   primary dns: 0.0.0.0                secondary dns: 0.0.0.0
   ppp keep alive period: 0
   ppp mtu: 1500
   absolute timeout: 0
   idle timeout: 0
   long duration timeout: 0
   long duration action: Detection
   ip header compression: vj
   data compression: stac mppc deflate   compression mode: normal
   min compression size: 128
   ip output access-group:             ip input access-group:
   ppp authentication:
   allow noauthentication: Enabled     imsi authentication: Disabled

Enter the following command to display the IP address pool configuration:

   show ip pool

The output from this command should look similar to the sample shown below. In this example, all IP pools were configured in the isp1 context.

   context : isp1:
   +-----Type:    (P) - Public    (R) - Private
   |              (S) - Static    (E) - Resource
   |
   |+----State:   (G) - Good      (D) - Pending Delete   (R) - Resizing
   ||
   ||++--Priority: 0..10 (Highest (0) .. Lowest (10))
   ||||
   ||||+-Busyout: (B) - Busyout configured
   |||||
   vvvvv Pool Name   Start Address   Mask/End Address   Used   Avail
   ---------------------------------------------------------------------
   PG00  ipsec       12.12.12.0      255.255.255.0      0      254
   PG00  pool1       10.10.0.0       255.255.0.0        0      65534
   SG00  vpnpool     192.168.1.250   192.168.1.254      0      5
   Total Pool Count: 5

IMPORTANT: Many features can be configured on the system. There are show commands specifically for these features. Refer to the Command Line Interface Reference for more information.

Service Configuration

Verify that your service was created and configured properly by entering the following command:

   show <service_type> <service_name>

The output is a concise listing of the service parameter settings similar to the sample displayed below. In this example, a P-GW service called pgw1 is configured.

   Service name:                   pgw1
   Service-Id:                     1
   Context:                        test1
   Status:                         STARTED
   Restart Counter:                8
   EGTP Service:                   egtp1
   LMA Service:                    Not defined
   Session-Delete-Delay Timer:     Enabled
   Session-Delete-Delay timeout:   10000(msecs)
   PLMN ID List:                   MCC: 100, MNC: 99
   Newcall Policy:                 None

Context Configuration

Verify that your context was created and configured properly by entering the following command:

   show context name <context_name>

The output shows the active context. Its ID is similar to the sample displayed below. In this example, a context named test1 is configured.

   Context Name    ContextID    State
   ------------------------------------
   test1           2            Active

System Configuration

Verify that your entire configuration file was created and configured properly by entering the following command:

   show configuration

This command displays the entire configuration, including the context and service configurations defined above.

Finding Configuration Errors

Identify errors in your configuration file by entering the following command:

   show configuration errors

This command displays the errors it finds within the configuration. For example, if you have created a service named service1 but entered it as srv1 in another part of the configuration, the system displays this error.

You must refine this command to specify particular sections of the configuration.
Add the section keyword and choose a section from the help menu:

   show configuration errors section ggsn-service

or

   show configuration errors section aaa-config

If the configuration contains no errors, an output similar to the following is displayed:

   ######################################################################
      Displaying Global AAA-configuration errors
   ######################################################################
   Total 0 error(s) in this section !

Saving the Configuration

Save system configuration information to a file locally or to a remote node on the network. You can use this configuration file on any other systems that require the same configuration.

Files that you save locally can be stored in the SPC's/SMC's CompactFlash or on an installed PCMCIA memory card on the SPC/SMC. Files that you save to a remote network node can be transmitted via FTP or TFTP. The url formats below also accept sftp; unlike FTP and TFTP, sftp encrypts the file and any login credentials in transit, which matters because a saved configuration carries the system's credentials and (with showsecrets) its passwords in clear text.

Saving the Configuration on ST-series Platforms

These instructions assume that you are at the root prompt for the Exec mode:

   [local]host_name#

To save your current configuration, enter the following command:

   save configuration url [-redundant] [-noconfirm] [showsecrets] [verbose]

Keyword/Variable: url
Description: Specifies the path and name to which the configuration file is to be stored. url may refer to a local or a remote file. url must be entered using one of the following formats:

   { /flash | /pcmcia1 | /pcmcia2 }[ /dir ]/file_name
   file:/{ /flash | /pcmcia1 | /pcmcia2 }[ /dir ]/file_name
   tftp://{ ipaddr | host_name [ :port# ] }[ /dir ]/file_name
   ftp://[ username [ :pwd ]@ ]{ ipaddr | host_name }[ :port# ][ /dir ]/file_name
   sftp://[ username [ :pwd ]@ ]{ ipaddr | host_name }[ :port# ][ /dir ]/file_name

   /flash corresponds to the CompactFlash on the SPC/SMC.
   /pcmcia1 corresponds to PCMCIA slot 1.
   /pcmcia2 corresponds to PCMCIA slot 2.
   ipaddr is the IP address of the network server.
   host_name is the network server's hostname.
   port# is the network server's logical port number. Defaults are:
      tftp: 69 - data
      ftp: 20 - data, 21 - control
      sftp: 115 - data
   Note: an SSH-based SFTP server normally listens on TCP port 22 (115 is the port assigned to the older Simple File Transfer Protocol); if the server refuses the default, give the port explicitly with :port#.
   Note: host_name can only be used if the networkconfig parameter is configured for DHCP and the DHCP server returns a valid nameserver.
   username is the username required to gain access to the server, if necessary.
   pwd is the password for the specified username, if required. A password given in the url is visible in the CLI history and on the wire for ftp; prefer sftp and enter the password when prompted where possible.
   /dir specifies the directory where the file is located, if one exists.
   /file_name specifies the name of the configuration file to be saved.
   Note: Name configuration files with a .cfg extension.

IMPORTANT: The -redundant keyword is only applicable when saving a configuration file to local devices. This command does not synchronize the local file system. If you have added, modified, or deleted other files or directories to or from a local device for the active SPC/SMC, then you must synchronize the local file system on both SPCs/SMCs.

EXAMPLE(S)

To save a configuration file called system.cfg to a directory that was previously created called cfgfiles on the SPC's/SMC's CompactFlash, enter the following command:

   save configuration /flash/cfgfiles/system.cfg

To save a configuration file called simple_ip.cfg to a directory called host_name_configs using an FTP server with an IP address of 192.168.34.156 on which you have an account with a username of administrator and a password of secure, use the following command:

   save configuration ftp://administrator:secure@192.168.34.156/host_name_configs/simple_ip.cfg

To save a configuration file called init_config.cfg to the root directory of a TFTP server with a hostname of config_server, enter the following command:

   save configuration tftp://config_server/init_config.cfg

Keyword/Variable: -redundant
Description: Optional. This keyword directs the system to save the CLI configuration file to the local device defined by the url variable, and then automatically copies the file to the like device on the standby SPC/SMC, if available.
   Note: This keyword works only for like local devices that are located on both the active and standby SPCs/SMCs. For example, if you save the file to the /pcmcia1 device on the active SPC/SMC, that same type of device (a PC-Card in Slot 1 of the standby SPC/SMC) must be available.
   Otherwise, a failure message is displayed.
   Note: If saving the file to an external network (non-local) device, the system disregards this keyword.

Keyword/Variable: -noconfirm
Description: Optional. Indicates that no confirmation is to be given prior to saving the configuration information to the specified filename (if one was specified) or to the currently active configuration file (if none was specified).

Keyword/Variable: showsecrets
Description: Optional. This keyword causes the CLI configuration file to be saved with all passwords in plain text, rather than their default encrypted format. A file saved this way exposes every administrator, RADIUS and other secret in the configuration to whoever can read the file or the transfer; leave the keyword off unless the plain-text form is actually needed, and protect any such file accordingly.

Keyword/Variable: verbose
Description: Optional. Specifies to display every parameter that is being saved to the new configuration file.

SECTION III APPENDICES

APPENDIX A
SAMPLE PERSONAL STATEFUL FIREWALL CONFIGURATION

This appendix provides the following sample configuration:

   config
      license key "\VER=1|C1M=SanDisk SDCFJ-4096|C1S=116904I0207E31|DOI=1258470708|DOE=12\SIG=MC4CFQCf9f7bAibGKJWq69JaJMd5XowxVwIVALIVgTVDsVAAogKe7fUHAEUTokw"
      aaa default-domain subscriber radius
      aaa last-resort context subscriber radius
      gtpp single-source
      system hostname ABCCH4
      autoconfirm
      clock timezone asia-calcutta
      crash enable encrypted url 123abc456def789ghi
      card 1
         mode active psc
      #exit
      card 2
         mode active psc
      #exit
      card 4
         mode active psc
      #exit
      require session recovery
      require active-charging
      context local
         interface SPIO1
            ip address 1.2.3.4 255.255.255.0
         #exit
         server ftpd
         #exit
         ssh key 123abc456def789ghi123abc456def789ghi len 461
         server sshd
            subsystem sftp
         #exit
         server telnetd
         #exit
         subscriber default
         exit
         administrator staradmin encrypted password 123abc456def789ghi ftp
         aaa group default
         #exit
         gtpp group default
         #exit
         ip route 0.0.0.0 0.0.0.0 2.3.4.5 SPIO1
      #exit
      port ethernet 24/1
         no shutdown
         bind interface SPIO1 local
      #exit
      ntp
         enable
         server 10.6.1.1
      #exit
      snmp engine-id local 77777e66666a55555
      active-charging service service_1
         nat allocation-failure send-icmp-dest-unreachable
         p2p-dynamic-rules protocol all
         host-pool host1
            ip range 1.2.3.4 to 2.3.4.5
         #exit
         host-pool host2
            ip range 3.4.5.6 to 4.5.6.7
         #exit
         host-pool host3
            ip range 5.6.7.8 to 6.7.8.9
         #exit
         ruledef ip_any
            ip any-match = TRUE
         #exit
         ruledef rt_ftp
            tcp either-port = 21
            rule-application routing
         #exit
         ruledef rt_ftp_data
            tcp either-port = 20
            rule-application routing
         #exit
         ruledef rt_http
            tcp either-port = 80
            rule-application routing
         #exit
         ruledef rt_rtp
            rtp any-match = TRUE
            rule-application routing
         #exit
         ruledef rt_rtsp
            tcp either-port = 554
            rule-application routing
         #exit
         access-ruledef fw_icmp
            icmp any-match = TRUE
         #exit
         access-ruledef fw_tcp
            tcp any-match = TRUE
         #exit
         access-ruledef fw_udp
            udp any-match = TRUE
         #exit
         edr-format nbr_format1
            attribute sn-start-time format MM/DD/YYYY-HH:MM:SS priority 5
            attribute sn-end-time format MM/DD/YYYY-HH:MM:SS priority 10
            attribute radius-nas-ip-address priority 15
            attribute sn-correlation-id priority 20
            rule-variable ip subscriber-ip-address priority 25
            rule-variable ip server-ip-address priority 30
            attribute sn-subscriber-port priority 35
            attribute sn-server-port priority 40
            attribute sn-flow-id priority 45
            attribute sn-volume-amt ip bytes uplink priority 50
            attribute sn-volume-amt ip bytes downlink priority 55
            attribute sn-volume-amt ip pkts uplink priority 60
            attribute sn-volume-amt ip pkts downlink priority 65
            attribute sn-volume-amt tcp pkts downlink priority 66
            attribute sn-volume-amt tcp pkts uplink priority 67
            attribute sn-volume-amt tcp bytes downlink priority 68
            attribute sn-volume-amt tcp bytes uplink priority 69
            rule-variable ip protocol priority 70
            attribute sn-app-protocol priority 75
            attribute radius-user-name priority 80
            attribute radius-calling-station-id priority 85
            attribute sn-direction priority 90
            attribute sn-volume-dropped-amt ip bytes uplink priority 100
            attribute sn-volume-dropped-amt ip bytes downlink priority 110
            attribute sn-volume-dropped-amt ip pkts uplink priority 115
            attribute sn-volume-dropped-amt ip pkts downlink priority 120
            attribute sn-volume-dropped-amt tcp bytes uplink priority 130
            attribute sn-volume-dropped-amt tcp bytes downlink priority 140
            attribute sn-volume-dropped-amt tcp pkts uplink priority 155
            attribute sn-volume-dropped-amt tcp pkts downlink priority 160
         #exit
         udr-format udr_format
            attribute sn-start-time format MM/DD/YYYY-HH:MM:SS localtime priority 1
            attribute sn-end-time format MM/DD/YYYY-HH:MM:SS localtime priority 2
            attribute sn-correlation-id priority 4
            attribute sn-content-vol bytes uplink priority 6
            attribute sn-content-vol bytes downlink priority 7
            attribute sn-fa-correlation-id priority 8
            attribute radius-fa-nas-ip-address priority 9
            attribute radius-fa-nas-identifier priority 10
            attribute radius-user-name priority 11
            attribute sn-content-vol pkts uplink priority 12
            attribute sn-content-vol pkts downlink priority 13
            attribute sn-group-id priority 14
            attribute sn-content-id priority 15
         #exit
         xheader-format header
            insert Stupid-1 variable bearer sn-rulebase
            insert Stupid-2 variable bearer subscriber-ip-address
         #exit
         charging-action ca_nothing
            content-id 20
         #exit
         bandwidth-policy bw1
         #exit
         bandwidth-policy bw2
         #exit
         rulebase base_1
            tcp packets-out-of-order timeout 30000
            tcp packets-out-of-order transmit after-reordering
            billing-records udr udr-format udr_format
            action priority 1 ruledef ip_any charging-action ca_nothing
            route priority 1 ruledef rt_ftp analyzer ftp-control
            route priority 10 ruledef rt_ftp_data analyzer ftp-data
            route priority 20 ruledef rt_rtsp analyzer rtsp
            route priority 30 ruledef rt_rtp analyzer rtp
            route priority 40 ruledef rt_http analyzer http
            rtp dynamic-flow-detection
            bandwidth default-policy bw1
            fw-and-nat default-policy base_1
         #exit
         rulebase base_2
            action priority 1 ruledef ip_any charging-action ca_nothing
            route priority 1 ruledef rt_ftp analyzer ftp-control
            route priority 10 ruledef rt_ftp_data analyzer ftp-data
            route priority 40 ruledef rt_http analyzer http
            bandwidth default-policy bw2
            fw-and-nat default-policy base_2
         #exit
         rulebase default
         #exit
         fw-and-nat policy base