action

The command specifies the action applied to traffic that matches the rule's criteria.

The use of a negative form (no) of the command removes an assigned action.

Syntax
action <ACT> [log]
no action
Parameters

<ACT> – assigned action:

  • permit – traffic transfer is permitted;
  • deny – traffic transfer is denied;
  • reject – traffic transfer is prohibited and an error notification is sent to the user;
  • netflow-sample – traffic transfer is permitted and statistics are exported via Netflow;
  • sflow-sample – traffic transfer is permitted and statistics are exported via sFlow;
  • log – key that enables logging of sessions established according to this rule.
Default value

Action is not configured, logging is disabled.

Required privilege level

10

Command mode

CONFIG-ZONE-PAIR-RULE

Example
esr(config-zone-rule)# action permit

clear ip firewall counters

The command resets Firewall rule counters.

Syntax
clear ip firewall counters [ vrf <VRF> ] [ <SOURCE-ZONE> [ <DESTINATION-ZONE> [<ORDER>] ] ]
Parameters

<VRF> – VRF instance name, set by the string of up to 31 characters. When specifying this parameter, rule counters in a specified VRF will be cleared;

<SOURCE-ZONE> – security zone from which traffic flows;

<DESTINATION-ZONE> – security zone to which traffic flows;

<ORDER>  – rule number, takes values of [1..10000]. When specifying a rule number, only the given rule’s counters will be cleared.

Required privilege level

10

Command mode

ROOT

Example
esr# clear ip firewall counters trusted self

clear ip firewall sessions

The command removes active IP sessions.

Syntax
clear ip firewall sessions [ vrf <VRF> ] [ protocol <TYPE> ] [ inside-source-address <ADDR> ] [ outside-source-address <ADDR> ] [ inside-destination-address <ADDR> ] [ outside-destination-address <ADDR> ] [ inside-source-port <PORT> ] [ outside-source-port <PORT> ] [ inside-destination-port <PORT> ] [ outside-destination-port <PORT> ]
Parameters

<VRF> – VRF instance name, set by the string of up to 31 characters. When specifying this parameter, active sessions in a specified VRF will be removed;

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre;

<ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<PORT> – TCP/UDP port, takes values of [1..65535];

inside-source-address – key to specify source IP address of incoming packets;

inside-destination-address – key to specify destination IP address of incoming packets;

outside-source-address – key to specify source IP address of outgoing packets;

outside-destination-address – key to specify destination IP address of outgoing packets;

inside-source-port – key to specify sender TCP/UDP port of incoming packets;

outside-source-port – key to specify sender TCP/UDP port of outgoing packets;

inside-destination-port – key to specify receiver TCP/UDP port of incoming packets;

outside-destination-port – key to specify receiver TCP/UDP port of outgoing packets.

Required privilege level

10

Command mode

ROOT

Example
esr# clear ip firewall sessions vrf VRF1

clear ipv6 firewall counters

The command resets Firewall rule counters.

Syntax
clear ipv6 firewall counters [ vrf <VRF> ] [ <SOURCE-ZONE> [ <DESTINATION-ZONE> [<ORDER>] ] ]
Parameters

<VRF> – VRF instance name, set by the string of up to 31 characters. When specifying this parameter, rule counters in a specified VRF will be cleared.

<SOURCE-ZONE> – security zone from which traffic flows.

<DESTINATION-ZONE> – security zone to which traffic flows.

<ORDER>  – rule number, takes values of [1..10000]. When specifying a rule number, only the given rule’s counters will be cleared.

Required privilege level

10

Command mode

ROOT

Example
esr# clear ipv6 firewall counters trusted self

clear ipv6 firewall sessions

The command removes active IPv6 sessions.

Syntax
clear ipv6 firewall sessions [ vrf <VRF> ] [ protocol <TYPE> ] [ inside-source-address <IPV6-ADDR> ] [ outside-source-address <IPV6-ADDR> ] [ inside-destination-address <IPV6-ADDR> ] [ outside-destination-address <IPV6-ADDR> ] [ inside-source-port <PORT> ] [ outside-source-port <PORT> ] [ inside-destination-port <PORT> ] [ outside-destination-port <PORT> ]
Parameters

<VRF> – VRF instance name, set by the string of up to 31 characters. When specifying this parameter, active sessions in a specified VRF will be removed;

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre;

<IPV6-ADDR> – IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF];

<PORT> – TCP/UDP port, takes values of [1..65535];

inside-source-address – key to specify IPv6 source address of incoming packets;

inside-destination-address – key to specify IPv6 destination address of incoming packets;

outside-source-address – key to specify IPv6 source address of outgoing packets;

outside-destination-address – key to specify IPv6 destination address of outgoing packets;

inside-source-port – key to specify sender TCP/UDP port of incoming packets;

outside-source-port – key to specify sender TCP/UDP port of outgoing packets;

inside-destination-port – key to specify receiver TCP/UDP port of incoming packets;

outside-destination-port – key to specify receiver TCP/UDP port of outgoing packets.

Required privilege level

10

Command mode

ROOT

Example
esr# clear ipv6 firewall sessions vrf VRF1

description

The command sets the description of a configured security zone, zone pair or rule. The use of a negative form (no) of the command removes the specified description.

Syntax
description <DESCRIPTION>
no description
Parameters

<DESCRIPTION> – description text, set by the string of up to 255 characters.

Required privilege level

10

Command mode

CONFIG-ZONE

CONFIG-ZONE-PAIR

CONFIG-ZONE-PAIR-RULE

Example
esr(config-zone)# description "Trusted interfaces"

enable

The command enables a rule.

The use of a negative form (no) of the command disables a rule.

Syntax
[no] enable
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

10

Command mode

CONFIG-ZONE-PAIR-RULE

Example
esr(config-zone-rule)# enable

ip firewall disable

The command disables Firewall function on a network interface.

The use of a negative form (no) of the command enables Firewall function on a network interface.

Syntax
[no] ip firewall disable
Parameters

The command does not contain parameters.

Required privilege level

15

Command mode

CONFIG-GI

CONFIG-TE

CONFIG-SUBIF

CONFIG-QINQ-IF

CONFIG-SERIAL

CONFIG-PORT-CHANNEL

CONFIG-BRIDGE

CONFIG-E1

CONFIG-MULTILINK

CONFIG-CELLULAR-MODEM

CONFIG-VTI

CONFIG-GRE

CONFIG-IP4IP4

CONFIG-L2TP

CONFIG-LT

CONFIG-PPPOE

CONFIG-PPTP

CONFIG-OPENVPN

Example
esr(config-if-gi)# ip firewall disable

ip firewall mode

The command selects firewall operation mode.

The use of a negative form (no) of the command sets the default firewall operation mode.

Syntax
ip firewall mode <MODE>
no ip firewall mode
Parameters

<MODE> – firewall operation mode, may take the following values:

  • stateful – mode in which the router tracks sessions. The first packets of a session undergo a full verification cycle against the firewall rules, and the following packets of that session are forwarded without additional checks. This does not apply to the DPI mechanism.
  • stateless – mode in which the router does not track sessions. Every packet undergoes a full verification cycle against the firewall rules, which significantly reduces equipment performance. Use this mode only when strictly necessary.
Default value

stateful

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall mode stateless

ip firewall sessions counters

The command enables session counters for NAT and Firewall. A counter is incremented only when a new session is established; packets of an already established session do not increment it. Enabling the counters reduces the router performance.

The commands for viewing counters and sessions are described in the sections show ip firewall counters, show ip firewall sessions, show ipv6 firewall counters and show ipv6 firewall sessions.

The use of a negative form (no) of the command disables session counters.

Syntax
[no] ip firewall sessions counters
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall sessions counters

ip firewall sessions allow-unknown

The command disables filtering of packets that cannot be matched to any known connection and that do not start a new connection.

The use of a negative form (no) of the command enables filtering of such packets.

Syntax
[no] ip firewall sessions allow-unknown
Parameters

The command does not contain parameters.

Default value

Enabled.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall sessions allow-unknown

ip firewall sessions generic-timeout

The command specifies the session lifetime for unsupported protocols, after which the session is considered outdated and is removed from the trackable session table.

The use of a negative form (no) of the command sets the default value.

Syntax
ip firewall sessions generic-timeout <TIME>
no ip firewall sessions generic-timeout
Parameters

<TIME> – session lifetime for unsupported protocols, takes values in seconds [1..8553600].

Default value

60 seconds

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall sessions generic-timeout 60

ip firewall sessions icmp-timeout

The command specifies ICMP session lifetime after which it is considered to be outdated and is removed from the trackable session table.

The use of a negative form (no) of the command sets the default value.

Syntax
ip firewall sessions icmp-timeout <TIME>
no ip firewall sessions icmp-timeout
Parameters

<TIME> – ICMP session lifetime, takes values in seconds [1..8553600].

Default value

30 seconds

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall sessions icmp-timeout 60

ip firewall sessions icmpv6-timeout

The command specifies ICMPv6 session lifetime after which it is considered to be outdated and is removed from the trackable session table.

The use of a negative form (no) of the command sets the default value.

Syntax
ip firewall sessions icmpv6-timeout <TIME>
no ip firewall sessions icmpv6-timeout
Parameters

<TIME> – ICMPv6 session lifetime, takes values in seconds [1..8553600].

Default value

30 seconds

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall sessions icmpv6-timeout 60

ip firewall sessions max-expect

The command defines the size of the table of outstanding (expected) sessions.

The use of a negative form (no) of the command sets the default value.

Syntax
ip firewall sessions max-expect <COUNT>
no ip firewall sessions max-expect
Parameters

<COUNT> – table size, takes values of [1..8553600].

Default value

256

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall sessions max-expect 512

ip firewall sessions max-tracking

The command defines the size of the trackable session table.

The use of a negative form (no) of the command sets the default value.

Syntax
ip firewall sessions max-tracking <COUNT>
no ip firewall sessions max-tracking
Parameters

<COUNT> – table size, takes values of [1..8553600].

Default value

512000

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall sessions max-tracking 256000

ip firewall sessions tcp-connect-timeout

The command defines the lifetime of TCP session in 'connection is being established' state after which it is considered to be outdated and is removed from trackable session table.

The use of a negative form (no) of the command sets the default value.

Syntax
ip firewall sessions tcp-connect-timeout <TIME>
no ip firewall sessions tcp-connect-timeout
Parameters

<TIME> – lifetime of TCP session in 'connection is being established' state, takes values in seconds [1..8553600].

Default value

60 seconds

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall sessions tcp-connect-timeout 120

ip firewall sessions tcp-disconnect-timeout

The command defines the lifetime of TCP session in 'connection is closed' state after which it is considered to be outdated and is removed from trackable session table.

The use of a negative form (no) of the command sets the default value.

Syntax
ip firewall sessions tcp-disconnect-timeout <TIME>
no ip firewall sessions tcp-disconnect-timeout
Parameters

<TIME> – lifetime of a TCP session in 'connection is closed' state, takes values in seconds [1..8553600].

Default value

30 seconds

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall sessions tcp-disconnect-timeout 10

ip firewall sessions tcp-estabilished-timeout

The command defines the lifetime of TCP session in 'connection is established' state after which it is considered to be outdated and is removed from trackable session table.

The use of a negative form (no) of the command sets the default value.

Syntax
ip firewall sessions tcp-estabilished-timeout <TIME>
no ip firewall sessions tcp-estabilished-timeout
Parameters

<TIME> – lifetime of a TCP session in 'connection is established' state, takes values in seconds [1..8553600].

Default value

120 seconds

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall sessions tcp-estabilished-timeout 3600

ip firewall sessions tcp-latecome-timeout

The command defines the timeout after which the closed TCP session is actually deleted from the table of trackable sessions.

The use of a negative form (no) of the command sets the default value.

Syntax
ip firewall sessions tcp-latecome-timeout <TIME>
no ip firewall sessions tcp-latecome-timeout
Parameters

<TIME> – timeout, takes value in seconds [1..8553600].

Default value

120 seconds

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall sessions tcp-latecome-timeout 10

ip firewall sessions tracking

The command enables the function of application level session tracking for certain protocols.

The use of a negative form (no) of the command disables the function of application level session tracking for certain protocols.

Syntax
ip firewall sessions tracking { <PROTOCOL> |  sip [ port <OBJECT-GROUP-SERVICE> ] }
no ip firewall sessions tracking { <PROTOCOL> |  sip [ port <OBJECT-GROUP-SERVICE> ] | all }
Parameters

<PROTOCOL> – application level protocol, sessions of which should be monitored, takes the values of [ftp, h323, pptp, netbios-ns].

<OBJECT-GROUP-SERVICE> – name of the TCP/UDP port profile for SIP sessions, set by the string of up to 31 characters. If no profile is specified, SIP sessions are tracked on port 5060.

Instead of a certain protocol you can use the 'all' key that enables application-level session tracking for all available protocols.

Default value

Disabled for all protocols.

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall sessions tracking ftp

ip firewall sessions udp-assured-timeout

The command defines the lifetime of UDP session in 'connection is confirmed' state after which it is considered to be outdated and is removed from trackable session table.

The use of a negative form (no) of the command sets the default value.

Syntax
ip firewall sessions udp-assured-timeout <TIME>
no ip firewall sessions udp-assured-timeout
Parameters

<TIME> – lifetime of UDP session in 'connection is confirmed' state, takes values in seconds [1..8553600].

Default value

180 seconds

Required privilege level

15

Command mode

CONFIG

Example
esr(config)# ip firewall sessions udp-assured-timeout 3600

ip firewall sessions udp-wait-timeout

The command defines the lifetime of UDP session in 'connection is not confirmed' state after which it is considered to be outdated and is removed from trackable session table.

The use of a negative form (no) of the command sets the default value.

Syntax
ip firewall sessions udp-wait-timeout <TIME>
no ip firewall sessions udp-wait-timeout
Parameters

<TIME> – lifetime of UDP session in 'connection is not confirmed' state, takes values in seconds [1..8553600].

Default value

30 seconds

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# ip firewall sessions udp-wait-timeout 60

match application

The command sets the application profile for which the rule should work. The function is used for application-based filtering (DPI mechanism).

When using 'not' parameter, the rule will work for applications which are not included in a specified profile.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match [not] application <OBJ-GROUP-APPLICATION>
no match application
Parameters

<OBJ-GROUP-APPLICATION> – application profile name, set by the string of up to 31 characters.

Required privilege level

10

Command mode

CONFIG-ZONE-PAIR-RULE

Example
esr(config-zone-rule)# match application APP_DENY

match destination-address

The command sets the profile of destination IP addresses for which the rule should work.

When using 'not' parameter, the rule will work for destination IP addresses which are not included in a specified profile.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match [not] destination-address <OBJ-GROUP-NETWORK-NAME>
no match destination-address
Parameters

<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters. When specifying the 'any' value, the rule will be triggered for any destination IP address.

Default value

any

Required privilege level

10

Command mode

CONFIG-ZONE-PAIR-RULE

Example
esr(config-zone-rule)# match destination-address local

match destination-address-port

This command sets the profile of IP address bundles and destination TCP/UDP ports for which the rule should work.

When using 'not' parameter, the rule will work for IP address bundles and destination TCP/UDP ports which are not included in a specified profile.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match [not] destination-address-port <OBJ-GROUP-ADDRESS-PORT-NAME>
no match destination-address-port
Parameters

<OBJ-GROUP-ADDRESS-PORT-NAME> – name of the profile of IP address bundles and TCP/UDP ports, set by the string of up to 31 characters. When specifying the 'any' value, the rule does not apply this filtering criterion.

Default value

any

Required privilege level

10

Command mode

CONFIG-ZONE-PAIR-RULE

Example
esr(config-zone-rule)# match destination-address-port local

match destination-mac

The command sets destination MAC address for which the rule should work.

When using 'not' (match not) parameter, the rule will work for destination MAC addresses different from a specified one.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match [not] destination-mac <ADDR>
no match destination-mac <ADDR>
Parameters

<ADDR> – destination MAC address, defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF].

Required privilege level

10

Command mode

CONFIG-ZONE-PAIR-RULE

Example
esr(config-zone-rule)# match destination-mac A8:F9:4B:AA:00:40

match destination-nat

The command sets the limitation under which the rule will only work for traffic modified by the IP address and destination ports translation service.

When using 'not' parameter, the rule will work for traffic not modified by the IP address and destination ports translation service.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match [not] destination-nat
no match destination-nat
Parameters

The command does not contain parameters.

Required privilege level

10

Command mode

CONFIG-ZONE-PAIR-RULE

Example
esr(config-zone-rule)# match destination-nat

match destination-port

This command sets the profile of destination TCP/UDP ports for which the rule should work.

When using 'not' parameter, the rule will work for destination TCP/UDP ports which are not included in a specified profile.

The use of a negative form (no) of the command removes the assignment.

Syntax
match [not] destination-port <PORT-SET-NAME>
no match destination-port
Parameters

<PORT-SET-NAME> – TCP/UDP ports profile name, set by the string of up to 31 characters. When specifying the 'any' value, the rule will be triggered for any destination TCP/UDP port.

Default value

any

Required privilege level

10

Command mode

CONFIG-ZONE-PAIR-RULE

Example
esr(config-zone-rule)# match destination-port ssh

match fragment

The command matches fragmented packets sent to the device. The command is applicable only in rules between 'any self' zones. The second and following fragments of a packet are subject to the rule. Packets are processed by the rule before DNAT address translation.

When using 'not' parameter, the rule will work for non fragmented packets.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match [not] fragment
no match fragment
Parameters

None.

Default value

Disabled.

Required privilege level

10

Command mode

CONFIG-ZONE-PAIR-RULE

Example
esr(config-zone-rule)# match fragment

match icmp

The command is used to configure ICMP parameters if it is selected by 'match protocol' command. The command specifies the type and code of ICMP messages for which the rule should work.

When using 'not' parameter, the rule will work for all types and codes of ICMP messages excluding specified ones.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match [not] icmp { <ICMP_TYPE> <ICMP_CODE> | <OPTION> }
no match icmp
Parameters

<ICMP_TYPE> – ICMP message type, takes values of [0..255].

<ICMP_CODE> – ICMP message code, takes values of [0..255]. When specifying the 'any' value, the rule will work for any ICMP message code.

<OPTION> – standard ICMP message type name, may take the following values:

  • administratively-prohibited;
  • alternate-address;
  • conversion-error;
  • dod-host-prohibited;
  • dod-network-prohibited;
  • echo;
  • echo-reply;
  • host-isolated;
  • host-precedence;
  • host-redirect;
  • host-tos-redirect;
  • host-tos-unreachable;
  • host-unknown;
  • host-unreachable;
  • information-reply;
  • information-request;
  • mask-reply;
  • mask-request;
  • network-redirect;
  • network-tos-redirect;
  • network-tos-unreachable;
  • network-unknown;
  • network-unreachable;
  • option-missing;
  • packet-too-big;
  • parameter-problem;
  • port-unreachable;
  • precedence;
  • protocol-unreachable;
  • reassembly-timeout;
  • router-advertisement;
  • router-solicitation;
  • source-quench;
  • source-route-failed;
  • time-exceeded;
  • timestamp-reply;
  • timestamp-request;
  • traceroute.
Required privilege level

10

Command mode

CONFIG-ZONE-PAIR-RULE

Example
esr(config-zone-rule)# match icmp 2 any

match ip-option

The command matches packets that contain options in the IP header. The command is applicable only in rules between 'any self' zones.

When using 'not' parameter, the rule will work for packets which do not contain options in IP headers.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match [not] ip-option
no match ip-option
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

10

Command mode

CONFIG-ZONE-PAIR-RULE

Example
esr(config-zone-rule)# match ip-option

match protocol

The command sets the name or number of the IP protocol for which the rule should work.

When using 'not' parameter, the rule will work for all protocols except a specified one.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match [not] protocol <TYPE>
no match protocol
match [not] protocol-id <ID>
no match protocol-id
Parameters

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre.

When specifying the 'any' value, the rule will work for any protocols.

<ID> – IP protocol number, takes values of [0x00-0xFF].

Default value

any

Required privilege level

10

Command mode

CONFIG-ZONE-PAIR-RULE

Example
esr(config-zone-rule)# match protocol udp

match source-address

The command specifies the profile of source IP addresses for which the rule should work.

When using 'not' (match not) parameter, the rule will work for source IP addresses which are not included in a specified profile.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match [not] source-address <OBJ-GROUP-NETWORK-NAME>
no match source-address <OBJ-GROUP-NETWORK-NAME>
Parameters

<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters. When specifying the 'any' value, the rule will be triggered for any source IP address.

Default value

any

Required privilege level

10

Command mode

CONFIG-ZONE-PAIR-RULE

Example
esr(config-zone-rule)# match source-address remote

match source-address-port

This command sets the profile of IP address bundles and source TCP/UDP ports for which the rule should work.

When using 'not' (match not) parameter, the rule will work for IP address bundles and source TCP/UDP ports which are not included in a specified profile.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match [not] source-address-port <OBJ-GROUP-ADDRESS-PORT-NAME>
no match source-address-port <OBJ-GROUP-ADDRESS-PORT-NAME>
Parameters

<OBJ-GROUP-ADDRESS-PORT-NAME> – name of the profile of IP address bundles and TCP/UDP ports, set by the string of up to 31 characters. When specifying the 'any' value, the rule does not apply this filtering criterion.

Default value

any

Required privilege level

10

Command mode

CONFIG-ZONE-PAIR-RULE

Example
esr(config-zone-rule)# match source-address-port admin

match source-mac

The command sets source MAC address for which the rule should work.

When using 'not' (match not) parameter, the rule will work for source MAC addresses different from a specified one.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match [not] source-mac <ADDR>
no match source-mac <ADDR>
Parameters

<ADDR> – source MAC address, defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF].

Required privilege level

10

Command mode

CONFIG-ZONE-PAIR-RULE

Example
esr(config-zone-rule)# match source-mac A8:F9:4B:AA:00:40

match source-port

The command sets the profile of source TCP/UDP ports for which the rule should work.

When using 'not' parameter, the rule will work for source TCP/UDP ports which are not included in a specified profile.

The use of a negative form (no) of the command cancels the assignment.

Syntax
match [not] source-port <PORT-SET-NAME>
no match source-port
Parameters

<PORT-SET-NAME> – TCP/UDP ports profile name, set by the string of up to 31 characters. When specifying the 'any' value, the rule will be triggered for any source TCP/UDP port.

Required privilege level

10

Command mode

CONFIG-ZONE-PAIR-RULE

Example
esr(config-zone-rule)# match source-port telnet

ports firewall enable

The command enables session filtration and monitoring during packets transmission between Bridge interface members.

The use of a negative form (no) of the command disables session filtration and monitoring between Bridge interface members.

Syntax
[no] ports firewall enable
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG-BRIDGE

Example
esr(config-bridge)# ports firewall enable

rate-limit pps

The command limits the number of packets per second processed by the rule. The command can be used only in rules between 'any self' zones and only when the rule's action is permit.

The use of a negative form (no) of the command removes an assigned action.

Syntax
rate-limit pps <RATE>
no rate-limit
Parameters

<RATE> – number of packets per second, takes values of [1..10000].

Default value

Not limited.

Required privilege level

15

Command mode

CONFIG-ZONE-PAIR-RULE

Example
esr(config-zone-rule)# rate-limit pps 200

rearrange

This command changes the numbering step between the created rules.

Syntax
rearrange <VALUE>
Parameters

<VALUE> – numbering step between rules, takes values of [1..50].

Required privilege level

10

Command mode

CONFIG-ZONE-PAIR

Example
esr(config-zone-pair)# rearrange 10

renumber rule

This command changes the rule number.

Syntax
renumber rule <CUR_ORDER> <NEW_ORDER>
Parameters

<CUR_ORDER>  – current rule number, takes values of [1..10000].

<NEW_ORDER>  – new rule number, takes values of [1..10000].

Required privilege level

10

Command mode

CONFIG-ZONE-PAIR

Example
esr(config-zone-pair)# renumber rule 13 100

rule

The command is used to create a rule and to switch to SECURITY ZONE PAIR RULE command mode. Rules are processed by the device in ascending order of their numbers.

The use of a negative form (no) of the command removes a specified rule.

Syntax
[no] rule <ORDER>
Parameters

<ORDER> – rule number, takes values of [1..10000]. If the 'all' parameter value is used when removing, all rules for the configured security zone pair will be removed.

Required privilege level

10

Command mode

CONFIG-ZONE-PAIR

Example
esr(config-zone-pair)# rule 10
esr(config-zone-rule)#

security zone

The command is used to create a security zone and to switch to the zone edit mode.

The use of a negative form (no) of the command removes a specified security zone.

Syntax
[no] security zone [ <NAME> | all ]
Parameters

<NAME> – security zone name, set by the string of up to 12 characters. The use of a negative form (no) of the command with ‘all’ parameter removes all security zones.

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# security zone trusted
esr(config-zone)#

security-zone

The command adds a current network interface to security zone. The use of a negative form (no) of the command removes interface from the zone.

Syntax
security-zone <NAME>
no security-zone
Parameters

<NAME> – security zone name, set by the string of up to 12 characters.

Required privilege level

15

Command mode

CONFIG-GI

CONFIG-TE

CONFIG-SUBIF

CONFIG-QINQ-IF

CONFIG-SERIAL

CONFIG-PORT-CHANNEL

CONFIG-BRIDGE

CONFIG-CELLULAR-MODEM

CONFIG-E1

CONFIG-MULTILINK

CONFIG-VTI

CONFIG-GRE

CONFIG-IP4IP4

CONFIG-LT

CONFIG-PPPOE

CONFIG-PPTP

CONFIG-L2TP

CONFIG-OPENVPN

CONFIG-L2TP-SERVER

CONFIG-OPENVPN-SERVER

CONFIG-PPTP-SERVER

Example
esr(config-if-gi)# security-zone trusted

security zone-pair

The command creates rule group for a pair of security zones.

The use of a negative form (no) of the command removes a specified rule group.

Syntax
[no] security zone-pair <SOURCE-ZONE> <DESTINATION-ZONE>
Parameters

<SOURCE-ZONE> – security zone from which traffic flows;

<DESTINATION-ZONE> – security zone to which traffic flows. The router always has a security zone named 'self'. When the traffic recipient is the router itself, i.e. the traffic is not transit, pass the 'self' zone as a parameter. If the 'all' parameter value is used when removing, all configured pairs of security zones will be removed.

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# security zone-pair trusted self

show ip firewall counters

This command displays statistics on packets that pass between zones for which no session is established.

Syntax
show ip firewall counters [ vrf <VRF> ] [ <SOURCE-ZONE> [ <DESTINATION-ZONE> [ <ORDER> ] ] ]
Parameters

<VRF> – VRF instance name, set by the string of up to 31 characters. When specifying this parameter, rule counters in a specified VRF will be shown;

<DESTINATION-ZONE> – security zone to which traffic flows;

<SOURCE-ZONE> – security zone from which traffic flows;

<ORDER> – rule number, takes values of [1..10000]. When specifying a rule number, only the given rule's information will be displayed.

Required privilege level

1

Command mode

ROOT

Example
esr# show ip firewall counters trusted self
Zone-pair                        Rule         Action            Pkts         Bytes
------------------------------   ----------   ---------------   ----------   ----------
any/any                          default      deny              0            0
trusted/self                     1            permit            0            0
trusted/trusted                  1            permit            0            0
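A defender reading these counters mostly wants to know which rules are actually matching traffic and, in particular, whether packets are landing on the implicit any/any default deny, which means a flow is not covered by any explicit rule. The following Python snippet is an added example, not part of the Eltex documentation or the ESR software: it parses output in the `show ip firewall counters` format shown above (the sample text and its non-zero values are constructed for the example) and reports the rules whose action discards traffic and whose packet counter is non-zero.

```python
import re
from dataclasses import dataclass

# Constructed sample modeled on the `show ip firewall counters` output format
# documented above; the counter values are made up for this example.
SAMPLE_COUNTERS = """\
Zone-pair                        Rule         Action            Pkts         Bytes
------------------------------   ----------   ---------------   ----------   ----------
any/any                          default      deny              42           3192
trusted/self                     1            permit            1520         198640
trusted/self                     2            deny              7            420
trusted/trusted                  1            permit            0            0
"""


@dataclass(frozen=True)
class RuleCounter:
    src_zone: str
    dst_zone: str
    rule: str      # rule order number as a string, or "default"
    action: str
    pkts: int
    bytes: int


def parse_counters(text):
    """Turn the five-column counter table into RuleCounter records."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the header, the dashed separator and blank lines.
        if len(parts) != 5 or parts[0] == "Zone-pair" or parts[0].startswith("-"):
            continue
        src, _, dst = parts[0].partition("/")
        rows.append(RuleCounter(src, dst, parts[1], parts[2], int(parts[3]), int(parts[4])))
    return rows


def dropped_traffic(rows):
    """Rules that discard traffic (deny/reject) and have matched at least one packet.

    A hit on the any/any default rule means some flow is reaching the firewall
    that no explicit zone-pair rule describes; that is the row to investigate first.
    """
    return [r for r in rows if r.action in ("deny", "reject") and r.pkts > 0]


def counters_by_pair(rows):
    """Total packets per (source zone, destination zone), summed over all rules."""
    totals = {}
    for r in rows:
        key = (r.src_zone, r.dst_zone)
        totals[key] = totals.get(key, 0) + r.pkts
    return totals


if __name__ == "__main__":
    rows = parse_counters(SAMPLE_COUNTERS)
    for r in dropped_traffic(rows):
        print(f"{r.src_zone}/{r.dst_zone} rule {r.rule}: {r.pkts} pkts dropped")
    print(counters_by_pair(rows))
```

Because the counters are cumulative, the useful workflow is to take a snapshot, clear them with `clear ip firewall counters` and compare a later snapshot; the parser above gives you the structured records to diff.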

show ip firewall sessions

The command displays active IP sessions.

Syntax
show ip firewall sessions [ vrf <VRF> ] [ protocol <TYPE> ] [ inside-source-address <ADDR>] [ outside-source-address <ADDR> ] [ inside-destination-address <ADDR> ] [ outside-destination-address <ADDR> ] [ inside-source-port <PORT> ] [ outside-source-port <PORT> ] [ inside-destination-port <PORT> ] [ outside-destination-port <PORT> ] [ summary ] [ configuration ] [ expected ]
Parameters

<VRF> – VRF instance name, set by the string of up to 31 characters. When specifying this parameter, active sessions will be displayed in a specified VRF.

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre;

<ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<PORT> – TCP/UDP port, takes values of [1..65535];

inside-source-address – command to specify IP source address of incoming packets;

inside-destination-address – command to specify IP destination address of incoming packets;

outside-source-address – command to specify IP source address of outgoing packets;

outside-destination-address – command to specify IP destination address of outgoing packets;

inside-source-port – key to specify sender TCP/UDP port of incoming packets;

outside-source-port – key to specify sender TCP/UDP port of outgoing packets;

inside-destination-port – key to specify receiver TCP/UDP port of incoming packets;

outside-destination-port – key to specify receiver TCP/UDP port of outgoing packets;

summary – displays summary statistics for IP sessions;

configuration – displays IP sessions timeout configuration and table volume;

expected – command to display sessions waiting to be processed by other sessions.

Required privilege level

1

Command mode

ROOT

Example
esr# show ip firewall sessions
Prot Inside source  Inside destination  Outside source Outside destination Pkts Bytes
---  ------------  ----------------     -------------   ----------------  -----  ----
vrrp   4.4.4.4      224.0.0.18              4.4.4.4       224.0.0.18       --     --

show ip firewall sessions tracking

This command displays the configuration of the application session tracking functionality.

Syntax
show ip firewall sessions tracking
Parameters

The command does not contain parameters.

Required privilege level

1

Command mode

ROOT

Example
esr# show ip firewall sessions tracking
Tracking Status:
    FTP:        Enabled
    H.323:      Enabled
    GRE:        Enabled
    PPTP:       Enabled
    NETBIOS-NS: Enabled
    SIP:        Enabled

show ipv6 firewall counters

This command displays statistics on packets that pass between zones for which no session is established.

Syntax
show ipv6 firewall counters [ vrf <VRF> ] [ <SOURCE-ZONE> [ <DESTINATION-ZONE> [ <ORDER> ] ] ]
Parameters

<VRF> – VRF instance name, set by the string of up to 31 characters. When specifying this parameter, rule counters in a specified VRF will be shown;

<DESTINATION-ZONE> – security zone to which traffic flows;

<SOURCE-ZONE> – security zone from which traffic flows;

<ORDER> – rule number, takes values of [1..10000]. When specifying a rule number, only the given rule's information will be displayed.

Required privilege level

1

Command mode

ROOT

Example
esr# show ipv6 firewall counters trusted self
Zone-pair                        Rule         Action            Pkts         Bytes
------------------------------   ----------   ---------------   ----------   ----------
any/any                          default      deny              0            0
trusted/self                     1            permit            0            0
trusted/trusted                  1            permit            0            0

show ipv6 firewall sessions

The command displays active IPv6 sessions.

Syntax
show ipv6 firewall sessions [ vrf <VRF> ] [ summary ] [ protocol <TYPE> ] [ inside-source-address <IPV6-ADDR> ] [ outside-source-address <IPV6-ADDR> ] [ inside-destination-address <IPV6-ADDR> ] [ outside-destination-address <IPV6-ADDR> ] [ inside-source-port <PORT> ] [ outside-source-port <PORT> ] [ inside-destination-port <PORT> ] [ outside-destination-port <PORT> ] [ expected ]
Parameters

<VRF> – VRF instance name, set by the string of up to 31 characters. When specifying this parameter, active sessions will be displayed in a specified VRF.

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre;

<IPV6-ADDR> – IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF];

<PORT> – TCP/UDP port, takes values of [1..65535];

inside-source-address – command to specify IPv6 source address of incoming packets;

inside-destination-address – command to specify IPv6 destination address of incoming packets;

outside-source-address – command to specify IPv6 source address of outgoing packets;

outside-destination-address – command to specify IPv6 destination address of outgoing packets;

inside-source-port – key to specify sender TCP/UDP port of incoming packets;

outside-source-port – key to specify sender TCP/UDP port of outgoing packets;

inside-destination-port – key to specify receiver TCP/UDP port of incoming packets;

outside-destination-port – key to specify receiver TCP/UDP port of outgoing packets;

expected – command to display sessions waiting to be processed by other sessions;

summary – displays summary statistics for IPv6 sessions.

Required privilege level

1

Command mode

ROOT

Example
esr# show ipv6 firewall sessions
Prot  Inside source  Inside destination  Outside source Outside destination  Pkts  Bytes
----- -------------- ------------------- -------------- -------------------- ----- -----
icmp6 fc00::2         fc00::2            fc00::2        fc00::2               --     --
icmp6 fc00::2         fc00::1            fc00::2        fc00::1               --     --

show security zone

This command displays the interfaces included in the security zone.

Syntax
show security zone [<NAME>]
Parameters

<NAME> – zone name, set by the string of up to 31 characters.

Required privilege level

1

Command mode

ROOT

Example
esr# show security zone
Zone name       Interfaces
-------------   ------------------------------------------
trusted         gi1/0/2-6, gi1/0/8-24, bridge 1
untrusted       gi1/0/1, te1/0/1-2, bridge 2
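The interface column of `show security zone` compresses ports into ranges (gi1/0/2-6), which makes it easy to overlook a port that was never put into a zone or that was added to two zones by mistake. The Python below is an added example and not part of the Eltex documentation or the ESR software: it expands the range notation in output of the format shown above (sample text constructed for the example), builds a per-interface zone map and, given a constructed interface inventory, reports interfaces that belong to no zone or to more than one zone.

```python
import re

# Constructed sample in the `show security zone` output format documented above.
SAMPLE_ZONES = """\
Zone name       Interfaces
-------------   ------------------------------------------
trusted         gi1/0/2-6, gi1/0/8-24, bridge 1
untrusted       gi1/0/1, te1/0/1-2, bridge 2
"""

# Constructed inventory of interfaces the operator expects to exist on the box;
# in practice this would come from the running configuration.
SAMPLE_INVENTORY = (
    [f"gi1/0/{n}" for n in range(1, 25)]
    + ["te1/0/1", "te1/0/2", "bridge 1", "bridge 2", "bridge 3"]
)

# Matches "gi1/0/2-6" or "gi1/0/1": a slot/port prefix followed by a port or port range.
RANGE_RE = re.compile(r"^(?P<prefix>[a-z]+\d+/\d+/)(?P<lo>\d+)(?:-(?P<hi>\d+))?$")


def expand_interfaces(field):
    """Expand a comma-separated interface list with ranges into individual names."""
    names = []
    for item in field.split(","):
        item = item.strip()
        m = RANGE_RE.match(item)
        if not m:
            names.append(item)  # e.g. "bridge 1": no port range to expand
            continue
        lo = int(m["lo"])
        hi = int(m["hi"]) if m["hi"] else lo
        names.extend(f"{m['prefix']}{n}" for n in range(lo, hi + 1))
    return names


def parse_zones(text):
    """Return {zone name: [interface, ...]} from `show security zone` output."""
    zones = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Zone name") or line.startswith("-"):
            continue
        name, _, ifaces = line.partition(" ")
        zones[name] = expand_interfaces(ifaces.strip())
    return zones


def zone_audit(zones, inventory):
    """Return (interfaces in no zone, {interface: zones} for interfaces in several zones)."""
    iface_to_zones = {}
    for zone, ifaces in zones.items():
        for iface in ifaces:
            iface_to_zones.setdefault(iface, []).append(zone)
    unzoned = sorted(i for i in inventory if i not in iface_to_zones)
    multi = {i: z for i, z in iface_to_zones.items() if len(z) > 1}
    return unzoned, multi


if __name__ == "__main__":
    zones = parse_zones(SAMPLE_ZONES)
    unzoned, multi = zone_audit(zones, SAMPLE_INVENTORY)
    print("not in any zone:", unzoned)
    print("in several zones:", multi)
```

Run against the sample, the audit reports gi1/0/7 and bridge 3 as unzoned, which is exactly the kind of gap worth checking against the intended design before traffic is assumed to be covered by a zone-pair policy.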

show security zone-pair

The command displays the list of zone pairs.

Syntax
show security zone-pair
Parameters

The command does not contain parameters.

Required privilege level

1

Command mode

ROOT

Example
esr# show security zone-pair
From zone       To zone
-------------   -------------
trusted         untrusted
trusted         trusted
trusted         self
untrusted       self

show security zone-pair configuration

The command displays the rules for a pair of security zones.

Syntax
show security zone-pair configuration <SOURCE-ZONE> <DESTINATION-ZONE> [<ORDER>]
Parameters

<SOURCE-ZONE> – security zone from which traffic flows;

<DESTINATION-ZONE> – security zone to which traffic flows;

<ORDER> – rule number, takes values of [1..10000]. When specifying a rule number, only the given rule's information will be displayed.

Required privilege level

1

Command mode

ROOT

Example
esr# show security zone-pair configuration trusted self
Order:             1
Description:       --
Matching pattern:
    Protocol:      tcp(6)
    Src-addr:      any
    src-port:      any
    Dest-addr:     any
    dest-port:     23
0            0