Académique Documents
Professionnel Documents
Culture Documents
Multimedia Core
Platforms
Personal Stateful
Firewall
Administration
Guide
Version 9.0
12-23-2009
NOTICE OF COPYRIGHT
The material contained in this document is for informational purposes only and is subject to change without notice.
No part of this document may be reproduced, transmitted, transcribed, or stored in a retrieval system in any form or
by any means, mechanical, magnetic, optical, chemical, or otherwise without the written permission of Starent
Networks, Corp.
Starent, the Starent logo, ST16, and ST40 are registered trademarks of Starent Networks, Corp. How Wireless
Connects and StarOS are trademarks of Starent Networks, Corp.
VA Linux is a registered trademark of VA Linux Systems, Inc. Microsoft and Microsoft Windows are registered
trademarks of Microsoft Corporation. Sun, Solaris, and Netra are registered trademarks of Sun Microsystems.
Linux is a registered trademark of Linus Torvalds. Adobe, Acrobat, Acrobat Reader are registered trademarks
of Adobe Systems, Inc. CompactFlash is a trademark of SanDisk Corporation. Panduit is a registered trademark
or Panduit Corporation. HyperTerminal is a registered trademark of Hilgraeve Inc. MOLEX is a registered
trademark of Molex, Inc. Red Hat is a registered trademark of Red Hat, Inc. Intel is a registered trademark of
Intel Corporation.
Any trademarks, trade names, service marks, or service names owned or registered by any other company and used
in this documentation are the property of their respective companies.
TABLE OF CONTENTS
Section I: Overview
Chapter 1: Personal Stateful Firewall Overview
Supported Platforms and Products ............................................................................................... 1-2
Licenses ........................................................................................................................................ 1-3
Overview ...................................................................................................................................... 1-4
Stateful Inspection ................................................................................................................... 1-4
In-line Services ........................................................................................................................ 1-5
Supported Features ....................................................................................................................... 1-6
Protection against DoS Attacks ............................................................................................... 1-6
Type of Denial of Service (DoS) Attacks ........................................................................... 1-6
Distributed Denial-of-Service (DDoS) Attacks .................................................................. 1-8
Protection against Port Scanning ........................................................................................ 1-8
Application-level Gateway (ALG) Support ............................................................................ 1-8
Stateful Packet Filtering and Inspection Support .................................................................... 1-9
Host Pool, IMSI Pool, and Port Map Support ......................................................................... 1-9
Host Pool Support ............................................................................................................... 1-9
IMSI Pool Support .............................................................................................................. 1-9
Port Map Support ................................................................................................................ 1-9
Flow Recovery Support ......................................................................................................... 1-10
SNMP Thresholding Support ................................................................................................ 1-10
Logging Support .................................................................................................................... 1-11
How Personal Stateful Firewall Works ...................................................................................... 1-12
Disabling Firewall Policy ................................................................................................. 1-12
Mid-session Firewall Policy Update ................................................................................. 1-13
How it Works ......................................................................................................................... 1-14
Understanding Firewall Rules with Stateful Inspection ............................................................. 1-16
Connection State and State Table in Personal Stateful Firewall ........................................... 1-17
Transport and Network Protocols and States .................................................................... 1-17
Application-Level Traffic and States ................................................................................ 1-18
12-23-2009
ii
12-23-2009
iii
12-23-2009
iv
This section contains an overview of the information contained within this document.
This documentation provides information on Personal Stateful Firewall support.
Topics covered in this document include:
Configuration Procedures
IMPORTANT
The information and instructions in this document assume that the system hardware has
been fully installed and the installation was verified according to the instructions found in
the System Installation Guide.
Conventions Used
The following tables describe the conventions used throughout this documentation.
Icon
Notice Type
Description
Information note
Caution
Warning
Typeface Conventions
Text represented as a screen display
Description
This typeface represents displays that appear on
your terminal screen, for example:
Login:
12-23-2009
Typeface Conventions
Description
This typeface represents commands that you
enter, for example:
show ip access-list
Description
{keyword or variable}
[keyword or variable]
{nonce | timestamp}
OR
[count number_of_packets | size number_of_bytes]
vi
12-23-2009
IMPORTANT
For warranty and repair information, please be sure to include the Return Material
Authorization (RMA) tracking number on the outside of the package.
vii
12-23-2009
viii
SECTION I
OVERVIEW
12-23-2009
Chapter 1 Personal Stateful Firewall Overview
CHAPTER 1
PERSONAL STATEFUL FIREWALL OVERVIEW
The Personal Stateful Firewall is an in-line service that performs both stateful inspection
and access control of individual subscriber traffic sessions. Personal Stateful Firewall
provides detection of Denial-of-Service (DoS) attacks and other protection applicable for
3GPP, 3GPP2, WiMAX, and subscribers of other core networks. This feature uses Deep
Packet Inspection (DPI) and additional algorithms to provide stateful firewall functionalities
for network subscriber sessions within the chassis.
It is recommended that you select the configuration example that best meets your service
model, and configure the required elements for that model as described in the System
Administration Guide and the Enhanced Charging Services Administration Guide.
This chapter covers the following topics:
Licenses
Overview
Supported Features
12-23-2009
1-2
12-23-2009
Licenses
Licenses
Personal Stateful Firewall is a licensed feature. For information on license requirements for
these features, please contact your local sales representative.
IMPORTANT
For information on obtaining and installing licenses, see the Managing License Keys
chapter of the System Administration and Configuration Guide.
1-3
12-23-2009
Overview
Firewalls are systems designed to prevent unauthorized access to or from a service network.
The firewall is considered to be the first line of defense in protecting private networks from
unauthorized users accessing private networks connected to the Internet, especially
intranets. All messages entering or leaving the intranet pass through the firewall, which
examines each message and blocks those that do not meet the specified security criteria.
There are several firewall techniques:
Static Packet Filters: Packet filtering is the most basic type of firewall function that
controls the flow of datagram across service provider network boundary based on the
source IP address, source port, destination IP address, and destination port. It looks at
each packet entering or leaving the network and accepts or rejects it based on
user-defined rules. Packet filtering is fairly effective and transparent to users, but it is
difficult to configure. In addition, it is susceptible to IP spoofing.
Packet filters have the following drawbacks:
They are not easily implemented for applications requiring opening ports
dynamically like Session Initiation Protocol (SIP) or active File Transfer Protocol
(FTP)
They allow external servers to access internal hosts directly because no masking or
abstraction of the internal network addressing is performed, which would allow
attackers to learn about the network
Proxy Server: Intercepts all messages entering and leaving the network. The proxy
server effectively hides the true network addresses.
Stateful Firewall: This provide all the features of static packet filters, application and
circuit level gateway, and proxy based firewalls. Since it inspects the packets in a
stateful manner, it analyzes the application and dynamically allows or denies port access.
It also provides ALG support, preventing various DoS attacks, dynamic pinhole, etc.
Stateful Inspection
Also referred to as dynamic packet filtering, Stateful Inspection is a firewall architecture
that works at the network layer. Unlike static packet filtering, which examines a packet
based on the information in its header, stateful inspection tracks each connection traversing
all interfaces of the firewall and makes sure they are valid.
1-4
12-23-2009
Overview
Stateful firewall examines not only the header information, but also the contents of the
packet up through the application layer in order to determine more about the packet than just
information about its source and destination address/port and protocol. A stateful firewall
also monitors the state of the connection and compiles the information in a state table.
Because of this, filtering decisions are based not only on administrator-defined rules (as in
static packet filtering) but also on the context that has been established by prior packets that
have passed through the firewall. As an added security measure against port scanning,
stateful inspection firewalls close off ports until connection to the specific port is requested.
For more information, see the Protection against Port Scanning section.
By implementing the Personal Stateful Firewall functionality within the chassis, the system
easily decides on how to treat an outgoing and/or incoming packet of a subscriber session.
Charging of packets can be managed by the operator. The operator can charge only for those
packets that pass the firewall rules and the packets that are dropped by the firewall can be
excluded. This flexibility is not possible in an external firewall solution where all the
packets are chargeable whether they are allowed by the firewall or not.
In-line Services
As described earlier, the Personal Stateful Firewall provides a mechanism of inspecting user
traffic, while providing protection from different types of well-known attacks, for the
purpose of applying stateful services to the users subsequent data flows.
Active Charging Service (ACS) is the primary vehicle that performs the packet inspection
and applies rules to the session, which includes the delivery of enhanced services. Internal
applications such as the Personal Stateful Firewall, Enhanced Charging Service (ECS), and
Peer-to-Peer are primary features that provide in-line service advantage to the subscriber
and operators in service networks.
For more information on the Enhanced Charging Service, see the Enhanced Charging
Service Administration Guide.
1-5
12-23-2009
Supported Features
Starent Networks Personal Stateful Firewall supports the following features:
Logging Support
A host consuming excessive resources memory, disk space, CPU time, etc.
eventually leading to a system crash or providing very sluggish response.
Flooding of the network paths to the extent that no valid traffic is able to reach the
intended destination.
DoS attacks can destroy data in affected mobile nodes. Stateful Firewall is designed to
defend mobile users from DoS attacks originating from both the Internet and the internal
network.
1-6
IP-based:
Land Attacks
Jolt Attacks
Teardrop Attacks Detected only in downlink direction, i.e. traffic coming from the
external network towards the mobile subscribers
IP Checksum Errors
TCP-based:
12-23-2009
Supported Features
SEQ/ACK Out-of-range
UDP-based:
ICMP-based:
1-7
12-23-2009
1-8
12-23-2009
Supported Features
ALG support for Simple Mail Transfer Protocol (SMTP) and HTTP is ECS functionality.
1-9
12-23-2009
The Personal Stateful Firewall uses standard application ports to trigger ALG functionality.
The operator can modify the existing set to remove/add new port numbers.
If any ongoing traffic arrives from the subscriber and no association is found, and flow
recovery is enabled, basic checks like header processing, attacks, etc. are done (stateful
checks of packet is not done), and if all is okay, an association is created and the packet
is allowed to pass through.
If any ongoing traffic arrives from the Internet to MS and no association is found, and
flow recovery is not enabled, it is dropped. No RESET is sent. Else, basic checks like
header processing, flooding attack check are done (stateful checks of packet are not
done), and if all is okay, an association is created and the packet is allowed to pass
through.
In case flow recovered from ongoing traffic arrives from Internet to MS, and MS sends a
NACK, the Unwanted Traffic Suppression feature is triggered, i.e. upon repeatedly
receiving NACK from MS for a 5-tuple, further traffic to the 5-tuple is blocked for some
duration and not sent to MS.
If any new traffic (3-way handshake) comes, whether it is a new flow or a new flow due
to pin-hole, based on the direction of packet and flow-recovery is enabled, basic checks
like header processing, attacks, etc. are done (stateful checks of packet is not done) and
if all is okay, an association is created and the packet is allowed to pass through.
If any ongoing traffic arrives, it is allowed only if an association was created earlier.
Else, it is dropped and reset is sent.
If any new traffic (3-way handshake) arrives, the usual Firewall processing is done.
1-10
Dos-Attacks: When the number of DoS attacks crosses a given value, a threshold is
raised, and it is cleared when the number of DoS attacks falls below a value in a given
period of time.
12-23-2009
Supported Features
Drop-Packets: When the number of dropped packets crosses a given value, a threshold is
raised, and it is cleared when the number of dropped packets falls below a value in a
given period of time.
Deny-Rule: When the number of Deny Rules cross a given value, a threshold is raised,
and it is cleared when the number of Deny Rules falls below a value in a given period of
time.
No-Rule: When the number of No Rules cross a given value, a threshold is raised, and it
is cleared when the number of No Rules falls below a value in a given period of time.
Logging Support
Starent Networks Stateful Firewall supports logging of various messages on screen if
logging is enabled for firewall. These logs provide detailed messages at various levels, like
critical, error, warning, and debug.
Logging is also supported at rule level, when enabled through rule a message will be
logging whenever a packet hits the rule. This can be turned on/off in a rule.
These logs are also sent to a syslog server if configured in the system.
1-11
12-23-2009
ACS rulebase: The default Firewall-and-NAT policy configured in the ACS rulebase has
the least priority. If there is no policy configured in the APN/subscriber template, and/or
no policy to use is received from the AAA/OCS, only then the default policy configured
in the ACS rulebase is used.
AAA/OCS: The Firewall-and-NAT policy to be used can come from the AAA server or
the OCS. If the policy comes from the AAA/OCS, it will override the policy configured
in the APN/subscriber template and/or the ACS rulebase.
IMPORTANT
The Firewall-and-NAT policy received from the AAA and OCS have the same priority.
Whichever comes latest, either from AAA/OCS, is applied.
The Firewall-and-NAT policy to use can be received from RADIUS during authentication.
1-12
12-23-2009
If the AAA/OCS sends the SN-Firewall-Policy AVP with the string disable, the locally
configured firewall policy does not get applied.
If the SN-Firewall-Policy AVP is received with the string NULL, the existing policy
will continue.
If the SN-Firewall-Policy AVP is received with a name that is not configured locally, the
subscriber session is terminated.
IMPORTANT
When a Firewall-and-NAT policy is deleted, for all subscribers using the policy, Firewall
processing is disabled, also ECS sessions for the subscribers are dropped. In case of session
recovery, the calls are recovered but with Firewall disabled.
1-13
12-23-2009
How it Works
The following figure illustrates packet flow in Firewall processing for a subscriber.
Data packet
received for ECS
processing
done
Is packet fragmented
yes
no
IP header checks
IP Reassembly
fail
Update statistics
and drop the
packet
Transport layer
header and state
checks
fail
Update statistics
and drop the
packet
In progress
fail
Update statistics
and DoS attacks,
and drop the
packet
yes
pass
no
Transport layer
header and state
checks
pass
fail
Update statistics
and DoS attacks,
and drop the
packet
yes
Update statistics
and drop the
packet
pass
no
1-14
12-23-2009
no
yes
Update statistics
and drop the
packet
yes
Update statistics
and drop the
packet
denied
Update statistics
and drop the
packet
yes
Update statistics
and drop the
packet
no
no
FW rule match
allowed
Flooding detected
no
Create FW flow,
update the flow
and packet stats
To ACS
for further
processing
1-15
12-23-2009
Access Ruledefs: The stateful packet inspection feature of the Personal Stateful Firewall
allows the operator to configure rule definitions (ruledefs) that take active session
information into consideration to permit or deny incoming or outgoing packets.
An access ruledef contains the criteria for multiple actions that could be taken on packets
matching the rules. These rules specify the protocols, source and destination hosts,
source and destination ports, direction of traffic parameters for a subscriber session to
allow or reject the traffic flow.
An access ruledef consists of the following fields:
Ruledef name
Source IP address
Source port number not required if the protocol is other than TCP or UDP
Destination IP address
Destination port number not required if the protocol is other than TCP or UDP
1-16
Service Definition: User defined firewall service for defining state-full firewall policy
for initiating an outgoing connection on a primary port and allowing opening of
auxiliary ports for that association in the reverse direction.
12-23-2009
Description
LISTEN
The state a host is in waiting for a request to start a connection. This is the
starting state of a TCP connection.
SYN-SENT
The time after a host has sent out a SYN packet and is waiting for the
proper SYN-ACK reply.
SYN-RCVD
The state a host is in after receiving a SYN packet and replying with its
SYN-ACK reply.
ESTABLISHED
The state a host is in after its necessary ACK packet has been received.
The initiating host goes into this state after receiving a SYN-ACK.
The state a connection is in after it has sent an initial FIN packet asking for
a graceful termination of the TCP connection.
CLOSE-WAIT
The state a hosts connection is in after it receives an initial FIN and sends
back an ACK to acknowledge the FIN.
FIN-WAIT-2
The connection state of the host that has received the ACK response to its
initial FIN, as it waits for a final FIN from its connection peer.
1-17
12-23-2009
TIME-WAIT
CLOSING
Description
The state of the host that just sent the second FIN needed to gracefully
close the TCP connection back to the initiating host while it waits for an
acknowledgement.
The state of the initiating host that received the final FIN and has sent an
ACK to close the connection and waiting for an acknowledgement of ACK
from the connection peer.
Note that the amount of time the TIME-STATE is defined to pause is equal
to the twice of the Maximum Segment Lifetime (MSL), as defined for the
TCP implementation.
A state that is employed when a connection uses the unexpected
simultaneous close.
1-18
12-23-2009
The Personal Stateful Firewall also provides inspection and filtering functionality on
application content with DPI. Personal Stateful Firewall is responsible for performing many
simultaneous functions and it detect, allow, or drop packets at the ingress point of the
network.
HTTP Application and State
HTTP is the one of the main protocols used on the Internet today. It uses TCP as its
transport protocol, and its session initialization follows the standard TCP connection
method.
Due to the TCP flow, the HTTP allows an easier definition of the overall sessions state. It
uses a single established connection from the client to the server and all its requests are
outbound and responses are inbound. The state of the connection matches with the TCP
state tracking.
For content verification and validation on the HTTP application session, the Personal
Stateful Firewall uses DPI functionality in the chassis.
File Transfer Protocol and State
FTP is an application for moving files between systems across the network. This is a two
way connection and uses TCP as its transport protocol.
Due to TCP flow, FTP allows an easier definition of the overall sessions state. As it uses a
single established connection from the client to the server, the state of the connection
matches with the TCP state tracking.
Personal Stateful Firewall uses application-port mapping along with FTP application-level
content verification and validation with DPI functionality in the chassis. It also supports
Pinhole data structure and Initialization, wherein FTP ALG parses FTP Port command to
identify the initiation and termination end points of future FTP DATA sessions. The
source/destination IP and destination Port of FTP DATA session is stored.
When a new session is to be created for a call, a check is made to see if the
source/destination IP and Destination Port of this new session matches with the values
stored. Upon match, a new ACS data session is created.
This lookup in the pinhole list is made before port trigger check and stateful firewall ruledef
match. If the look up returns a valid pinhole then a particular session is allowed. Whenever
a new FTP data session is allowed because of a pinhole match the associated pinhole is
deleted. Pinholes are also expired if the associated FTP Control session is deleted in, or
when the subscriber call goes down.
1-19
1-20
12-23-2009
SECTION II
CONFIGURATION
12-23-2009
Chapter 2 Personal Stateful Firewall Configuration
Chapter 3 Verifying and Saving Your Configuration
CHAPTER 2
PERSONAL STATEFUL FIREWALL CONFIGURATION
This chapter describes how to configure Personal Stateful Firewall support in a system.
IMPORTANT
In StarOS 8.x, Stateful Firewall for CDMA and early UMTS releases used rulebase-based
configurations, whereas later UMTS releases used policy-based configurations. In StarOS
9.0, Stateful Firewall for UMTS and CDMA releases both use policy-based configurations.
For more information, please contact your local service representative.
12-23-2009
2-2
12-23-2009
2-3
12-23-2009
This section describes how to configure Policy-based Stateful Firewall support in a system.
1 Enable enhanced charging as described in the Enabling the ACS Subsystem in Optimized
Mode section.
2 Create the ACS service as described in the Creating the Active Charging Service section.
3 Optional: Configure ACS application-port maps for TCP and UDP protocols as described
in the Configuring ACS Port Maps section.
4 Optional: Configure ACS host pools as described in the Configuring ACS Host Pools
section.
5 Optional: Configure ACS IMSI pools as described in the Configuring ACS IMSI Pools
section.
6 Configure access ruledefs as described in the Configuring Access Ruledefs section.
7 Configure Firewall-and-NAT policy as described in the Configuring Firewall-and-NAT
Policy section.
8 Configure action on packets with no rule matches as described in the Configuring Action on
Packets with No Access Ruledef Match section.
9 Configure protection from DoS attacks as described in the Configuring Protection from DoS
Attacks section.
10 Configure action on packets dropped by firewall due to any error conditions as described in
the Configuring Action on Packets Dropped by Firewall section.
11 Configure the maximum limit on flows regardless of the flow type, or based on protocol as
described in the Configuring Maximum Limit of Flows section.
12 Configure protection from port scanning as described in the Configuring Protection from
Port Scanning section.
13 Configure threshold on TCP reset messages as described in the Configuring Threshold on
TCP Reset Messages section.
14 Configure threshold on ICMP error messages as described in the Configuring Threshold on
ICMP Error Messages section.
15 Configure the maximum IP packet size allowed for ICMP and non-ICMP packets to prevent
packet flooding attacks to the host as described in the Configuring Maximum IP Packet Size
section.
16 Configure flow session timeout settings for stateful firewall as described in the Configuring
Firewall Idle Timeout Settings section.
17 Configure action to take on TCP flows starting with a non-syn packet, and on TCP idle
timeout expiry as described in the Configuring Other Firewall Settings section.
2-4
12-23-2009
Notes:
A maximum of 256 host pools, IMSI pools, and port maps each, and a combined
maximum of 4096 rules (host pools + IMSI pools + port maps + charging ruledefs +
access ruledefs + routing ruledefs) can be created in a system.
2-5
12-23-2009
Port maps, host pools, IMSI pools, and charging, firewall, and routing ruledefs must
each have unique names.
A maximum of 10 options can be configured in each host pool, IMSI pool, and port
map.
Notes:
2-6
12-23-2009
If the source IP address is not configured, then it is treated as any source IP.
If the destination IP address is not configured, then it is treated as any destination IP.
If the source port number is not configured, then it is treated as any source port.
If the destination port is not configured, then it is treated as any destination port.
If both uplink and downlink fields are not configured, then the rule will be treated as
either direction, i.e. packets from any direction will match that rule.
Configuring access ruledefs involves the creation of several ruledefs with different
sets of rules and parameters. For more information, see the Firewall Ruledef
Configuration Mode Commands chapter of the Command Line Interface Reference.
Notes:
Rule matching is done for the first packet for a flow. Only when no rules match, the
no-ruledef-matches configuration is considered. The default settings for uplink
direction is permit, and for downlink direction deny.
2-7
12-23-2009
Notes:
The following DoS attacks are only detected in the downlink direction: flooding,
ftp-bounce, ip-unaligned-timestamp, mime-flood, port-scan, source-router,
tcp-window-containment, teardrop, winnuke.
Notes:
For a packet dropped due to any error condition after data session is created, the
charging action used is the one configured in the flow any-error
charging-action command. Whereas, for a packet dropped due to firewall ruledef
match or no match (first packet of a flow), the charging action applied is the one
configured in the access-rule priority or the access-rule
no-ruledef-matches command respectively.
2-8
12-23-2009
2-9
12-23-2009
Notes:
Notes:
2-10
12-23-2009
Notes:
Notes:
Use the following configuration example to configure the default Firewall-and-NAT policy:
configure
active-charging service <service_name>
rulebase <rulebase_name>
fw-and-nat default-policy <fw_nat_policy>
end
2-11
12-23-2009
The following configuration example enables bulk statistics schema for the Personal
Stateful Firewall service on a chassis:
configure
bulkstats mode
context schema <schema_name> format <format_string>
end
Notes:
Notes:
2-12
The above command takes effect only for current calls. For new calls, the RADIUS
returned/APN/Subscriber template/rulebase configured policy is used.
12-23-2009
2-13
12-23-2009
Command
show active-charging fw-and-nat
policy statistics all
2-14
12-23-2009
show cli
2-15
12-23-2009
Table 2-2 System Status and Personal Stateful Firewall Service Monitoring Commands (continued)
To do this:
View access policy association with subscriber
2-16
CHAPTER 3
VERIFYING AND SAVING YOUR CONFIGURATION
This chapter describes how to verify and save the system configuration.
Feature Configuration
In many configurations, specific features are set and need to be verified. Examples include
APN and IP address pool configuration. Using these examples, enter the following
commands to verify proper feature configuration:
show apn all
The output displays the complete configuration for the APN. In this example, an APN called
apn1 is configured.
access point name (APN): apn1
authentication context: test
pdp type: ipv4
Selection Mode: subscribed
ip source violation: Checked
accounting mode: gtpp
max-primary-pdp-contexts: 1000000
primary contexts: not available
local ip: 0.0.0.0
primary dns: 0.0.0.0
ppp keep alive period : 0
absolute timeout : 0
long duration timeout: 0
ip header compression: vj
data compression: stac mppc deflate
min compression size: 128
ip output access-group:
ppp authentication:
allow noauthentication: Enabled
drop limit: 10
No early PDUs: Disabled
total-pdp-contexts: 1000000
total contexts: not available
secondary dns: 0.0.0.0
ppp mtu : 1500
idle timeout : 0
long duration action: Detection
compression mode:
normal
ip input access-group:
imsi authentication:Disabled
12-23-2009
The output from this command should look similar to the sample shown below. In this
example, all IP pools were configured in the isp1 context.
context : isp1:
+-----Type:
(P) - Public
(R) - Private
|
(S) - Static
(E) - Resource
|
|+----State:
(G) - Good
(D) - Pending Delete
(R)-Resizing
||
||++--Priority: 0..10 (Highest (0) .. Lowest (10))
||||
||||+-Busyout: (B) - Busyout configured
|||||
|||||
vvvvv Pool Name Start Address
Mask/End Address Used
Avail
----- --------- --------------- --------------- -------- -------PG00 ipsec
12.12.12.0
255.255.255.0
0
254
PG00 pool1
10.10.0.0
255.255.0.0
0
65534
SG00 vpnpool
192.168.1.250
192.168.1.254
0
5
Total Pool Count: 5
IMPORTANT
Many features can be configured on the system. There are show commands specifically for
these features. Refer to the Command Line Interface Reference for more information.
Service Configuration
Verify that your service was created and configured properly by entering the following
command:
show <service_type> <service_name>
The output is a concise listing of the service parameter settings similar to the sample
displayed below. In this example, a P-GW service called pgw1 is configured.
Service name
:
Service-Id
Context
Status
Restart Counter
EGTP Service
LMA Service
Session-Delete-Delay Timer
Session-Delete-Delay timeout
PLMN ID List
Newcall Policy
3-2
pgw1
: 1
: test1
: STARTED
: 8
: egtp1
: Not defined
: Enabled
: 10000(msecs)
: MCC: 100, MNC: 99
: None
12-23-2009
Context Configuration
Verify that your context was created and configured properly by entering the following
command:
show context name <name>
The output shows the active context. Its ID is similar to the sample displayed below. In this
example, a context named test1 is configured.
Context Name
-----------test1
ContextID
--------2
State
----Active
System Configuration
Verify that your entire configuration file was created and configured properly by entering
the following command:
show configuration
This command displays the entire configuration including the context and service
configurations defined above.
This command displays errors it finds within the configuration. For example, if you have
created a service named service1, but entered it as srv1 in another part of the
configuration, the system displays this error.
You must refine this command to specify particular sections of the configuration. Add the
keyword and choose a section from the help menu:
section
or
show configuration errors section aaa-config
3-3
12-23-2009
Description
Specifies the path and name to which the configuration file is to be stored. url may refer to a local or
a remote file. url must be entered using one of the following formats:
tftp: 69 - data
Note: host_name can only be used if the networkconfig parameter is configured for DHCP and
the DHCP server returns a valid nameserver.dx
username is the username required to gain access to the server, if necessary.
pwd is the password for the specified username if required.
/dir specifies the directory where the file is located if one exists.
/file_name specifies the name of the configuration file to be saved.
Note: Name configuration files with a .cfg extension.
3-4
12-23-2009
Keyword/Variable
Description
Optional: This keyword directs the system to save the CLI configuration file to the local device, defined
by the url variable, and then automatically copies the file to the like device on the standby SPC/SMC, if
available.
-redundant
Note: This keyword works only for like local devices that are located on both the active and standby
SPCs/SMCs. For example, if you save the file to the /pcmcia1 device on the active SPC/SMC, that
same type of device (a PC-Card in Slot 1 of the standby SPC/SMC) must be available. Otherwise, a
failure message is displayed.
Note: If saving the file to an external network (non-local) device, the system disregards this keyword.
-noconfirm
Optional: Indicates that no confirmation is to be given prior to saving the configuration information to
the specified filename (if one was specified) or to the currently active configuration file (if none was
specified).
showsecrets
Optional: This keyword causes the CLI configuration file to be saved with all passwords in plain text,
rather than their default encrypted format.
verbose
Optional: Specifies to display every parameter that is being saved to the new configuration file.
IMPORTANT
The -redundant keyword is only applicable when saving a configuration file to local
devices.
This command does not synchronize the local file system. If you have added, modified, or
deleted other files or directories to or from a local device for the active SPC/SMC, then you
must synchronize the local file system on both SPCs/SMCs.
EXAMPLE(S)
To save a configuration file called system.cfg to a directory that was previously created
called cfgfiles on the SPCs/SMCs CompactFlash, enter the following command:
save configuration /flash/cfgfiles/system.cfg
To save a configuration file called init_config.cfg to the root directory of a TFTP server with a
hostname of config_server, enter the following command:
save configuration tftp://config_server/init_config.cfg
3-5
3-6
12-23-2009
SECTION III
APPENDICES
12-23-2009
Appendix A Sample Personal Stateful Firewall Configuration
APPENDIX A
SAMPLE PERSONAL STATEFUL FIREWALL
CONFIGURATION
12-23-2009
A-2
12-23-2009
A-3
12-23-2009
A-4
12-23-2009
subscriber default
ip access-group css-1 in
ip access-group css-1 out
ip context-name isp
mobile-ip send accounting-correlation-info
active-charging rulebase base_1
exit
aaa group default
#exit
gtpp group default
#exit
pdsn-service pdsn
spi remote-address 1.1.1.1 spi-number 256 encrypted secret
5c4a38dc2ff61f72 timestamp-tolerance 0
spi remote-address 2.2.2.2 spi-number 256 encrypted secret
5c4a38dc2ff61f72 timestamp-tolerance 0
spi remote-address 3.3.3.3 spi-number 9999 encrypted secret
5c4a38dc2ff61f72 timestamp-tolerance 0
authentication pap 1 chap 2 allow-noauth
bind address 4.4.4.4
#exit
edr-module active-charging-service
file name NBR_nat current-prefix Record rotation time 45 headers
edr-format-name
#exit
#exit
context isp
ip access-list css
redirect css service service_1 ip any any
#exit
ip pool pool1 5.5.5.5 255.255.0.0 public 0
interface isp
ip address 6.6.6.6 255.255.255.0
#exit
subscriber default
exit
aaa group default
#exit
gtpp group default
#exit
ip route 0.0.0.0 0.0.0.0 7.7.7.7 isp
#exit
context radius
interface radius
ip address 8.8.8.8 255.255.255.0
#exit
subscriber default
exit
subscriber name ABC7-sub
ip access-group css in
ip access-group css out
ip context-name isp
active-charging rulebase base_1
exit
subscriber name ABC9-sub
ip access-group css in
ip access-group css out
A-5
12-23-2009
ip context-name isp1
active-charging rulebase base_2
exit
domain ABC7.com default subscriber ABC7-sub
domain ABC9.com default subscriber ABC9-sub
radius change-authorize-nas-ip 77.77.77.77 encrypted key
123abc456def789ghi port 4000
aaa group default
radius attribute nas-ip-address address 99.99.99.99
radius dictionary custom9
radius server 9.9.9.9 encrypted key 123abc456def789gh port 1645
radius accounting server 8.8.8.8 encrypted key 123abc port 1646
#exit
gtpp group default
#exit
diameter endpoint acs-fire.star.com
origin host acs-fire.star.com address 44.44.44.44
peer minid realm star.com address 55.55.55.55
#exit
#exit
bulkstats collection
bulkstats mode
sample-interval 1
transfer-interval 15
file 1
remotefile format /localdisk/ABCCH4.bulkstat
receiver 66.66.66.66 primary mechanism ftp login root encrypted
password 123abc456def789ghi
context schema sfw-dir format
"sfw-dir\nsfw-dnlnk-droppkts:%sfw-dnlnk-droppkts%\nsfw-dnlnk-dropbytes:
%sfw-dnlnk-dropbytes%\nsfw-uplnk-droppkts:%sfw-uplnk-droppkts%\nsfw-upl
nk-dropbytes:%sfw-uplnk-dropbytes%\nsfw-ip-discardpackets:%sfw-ip-disca
rdpackets%\nsfw-ip-malpackets:%sfw-ip-malpackets%\nsfw-icmp-discardpack
ets:%sfw-icmp-discardpackets%\nsfw-icmp-malpackets:%sfw-icmp-malpackets
%\nsfw-tcp-discardpackets:%sfw-tcp-discardpackets%\nsfw-tcp-malpackets:
%sfw-tcp-malpackets%\nsfw-udp-discardpackets:%sfw-udp-discardpackets%\n
sfw-udp-malpackets:%sfw-udp-malpackets%\n---------------------\n"
context schema sfw-total format
"sfw-total\nvpnname:%vpnname%\nvpnid:%vpnid%\nsfw-total-rxpackets:%sfwtotal-rxpackets%\nsfw-total-rxbytes:%sfw-total-rxbytes%\nsfw-total-txpa
ckets:%sfw-total-txpackets%\nsfw-total-txbytes:%sfw-total-txbytes%\nsfw
-total-injectedpkts:%sfw-total-injectedpkts%\nsfw-total-injectedbytes:%
sfw-total-injectedbytes%sfw-total-malpackets:%sfw-total-malpackets%\nsf
w-total-dosattacks:%sfw-total-dosattacks%\nsfw-total-flows:%sfw-total-f
lows%\n---------------------\n"
#exit
#exit
port ethernet 17/1
no shutdown
bind interface pdsn pdsn
#exit
port ethernet 17/2
no shutdown
bind interface isp isp
#exit
port ethernet 17/3
no shutdown
A-6
12-23-2009
A-7
A-8
12-23-2009
INDEX
A
About This Guide ..................................................v
Active Charging Service (ACS) .......................... 1-5
creating ....................................................... 2-5
enabling ...................................................... 2-5
ALG
Firewall, support.......................................... 1-8
Application Level Gateway, see ALG
Application-Level Traffic and States ................. 1-18
File Transfer Protocol and State .................. 1-19
HTTP Application and State ....................... 1-19
B
bulk statistics schema
configuring ............................................... 2-12
C
configuring
managing .................................................. 2-15
connection state ............................................... 1-17
Contacting
Customer Support ......................................... vii
Starent Networks ............................................vi
Technical Support......................................... vii
Conventions
Used in document ............................................v
Customer Support
Contacting ................................................... vii
D
DDoS attacks .................................................... 1-8
Denial-of-Service. See DoS attacks
Distributed Denial-of-Service. See DDoS attacks
Documentation
Providing feedback ....................................... vii
DoS attacks
about .......................................................... 1-6
types ........................................................... 1-6
Documentation ..............................................vii
firewall
overview ..................................................... 1-4
H
host pools
configuring ................................................. 2-6
support ....................................................... 1-9
I
IMSI pools
configuring ................................................. 2-6
support ....................................................... 1-9
In-line services .................................................. 1-5
L
licenses
Stateful Firewall .......................................... 1-3
logging, support .............................................. 1-11
M
maximum limit of flows
configuring ................................................. 2-8
P
Peer to Peer ....................................................... 1-5
platforms, supported .......................................... 1-2
port map
configuring ................................................. 2-5
support ....................................................... 1-9
port scanning
protection against ........................................ 1-8
Providing Documentation Feedback......................vii
R
ruledefs, firewall
about ........................................................ 1-16
configuring ................................................. 2-6
S
session recovery
Stateful Firewall ........................................ 1-10
SNMP Thresholding, about .............................. 1-10
Starent Networks
Contacting .....................................................vi
Customer support ..........................................vii
Technical support ..........................................vii
12-23-2009
configuring........................................ 2-12
configuration, managing ............................ 2-15
configuration, sample...................................A-1
features, supported....................................... 1-6
how it works ............................................. 1-12
licenses ....................................................... 1-3
overview ..................................................... 1-4
platforms and networks, supported................ 1-2
state table .................................................. 1-17
statistics, gathering .................................... 2-14
stateful packet filtering and inspection, support ... 1-9
T
Technical Support
Contacting ....................................................vii
thresholds, SNMP
Stateful Firewall, configuring ..................... 2-11
support ..................................................... 1-10
transport and network protocols and states......... 1-17
ICMP protocol and connection state............ 1-18
TCP protocol and connection state .............. 1-17
UDP protocol and connection state ............. 1-18
Index-2