...

Local authentication configuration algorithm

Step

Description

Command

Keys

1

Set local as authentication method.

esr(config)# aaa authentication login { default | <NAME> } <METHOD 1>
[ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters.

Authentication methods:

  • local – authentication by local user base;
  • tacacs – authentication by TACACS server list;
  • radius – authentication by RADIUS server list;
  • ldap – authentication by LDAP server list.

2

Set enable as authentication method of user privileges elevation.

esr(config)# aaa authentication enable <NAME> <METHOD 1> [ <METHOD 2> ]
[ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters.

Authentication methods:

  • local – authentication by local user base;
  • tacacs – authentication by TACACS server list;
  • radius – authentication by RADIUS server list;
  • ldap – authentication by LDAP server list.

3

Set the method for iterating over authentication methods (optional).

esr(config)# aaa authentication mode <MODE>

<MODE> – options of iterating over methods:

  • chain – if the server returned FAIL, proceed to the following authentication method in the chain;
  • break – if the server returned FAIL, abandon authentication attempts. If the server is unavailable, continue authentication attempts by the following methods in the chain.

Default value: chain.

4

Specify the number of failed authentication attempts after which user login is blocked, and the duration of the lock (optional).

esr(config)# aaa authentication attempts max-fail <COUNT> <TIME>

<COUNT> – amount of failed authentication attempts after which a user is blocked, takes the values of [1..65535];

<TIME> – user blocking time in minutes, takes the values of [1..65535].

Default value:
<COUNT> – 5; <TIME> – 300

5

Enable the prompt to change the default password of the 'admin' user (optional).

esr(config)# security passwords default-expired


6

Prohibit the reuse of previously set local user passwords (optional).

esr(config)# security passwords history <COUNT>

<COUNT> – number of passwords saved in the router memory. Takes values in the range of [1..15].

Default value: 0

7

Set the lifetime of local user password (optional)

esr(config)# security passwords lifetime <TIME>

<TIME> – password lifetime in days. Takes values in the range of [1..365].

Default: The lifetime of local user password is unlimited.

8

Set a limit on the minimum length of local user password and ENABLE password (optional)

esr(config)# security passwords min-length <NUM>

<NUM> – minimum number of characters in the password. Takes values in the range of [8..128].

Default value: 0

9

Set a limit on the maximum length of local user password and ENABLE password (optional)

esr(config)# security passwords max-length <NUM>

<NUM> – maximum number of characters in the password. Takes values in the range of [8..128].

Default value: no limit.

10

Set the minimum number of character types that must be present in the local user password and ENABLE password (optional)

esr(config)# security passwords symbol-types <COUNT>

<COUNT> – minimum number of character types in the password. Takes values in the range of [1..4].

Default value: 1

11

Set the minimum number of lower case letters in the local user password and ENABLE password (optional)

esr(config)# security passwords lower-case <COUNT>

<COUNT> – minimum number of lower case letters in the local user password and ENABLE password. Takes values in the range of [0..128].

Default value: 0

12

Set the minimum number of upper case letters in the local user password and ENABLE password (optional)

esr(config)# security passwords upper-case <COUNT>

<COUNT> – minimum number of upper case letters in the password. Takes values in the range of [0..128].

Default value: 0

13

Set the minimum number of digits in the local user password and ENABLE password (optional)

esr(config)# security passwords numeric-count <COUNT>

<COUNT> – minimum number of digits in the password. Takes values in the range of [0..128].

Default value: 0

14

Set the minimum number of special characters in the local user password and ENABLE password (optional)

esr(config)# security passwords special-case <COUNT>

<COUNT> – minimum number of special characters in the password. Takes values in the range of [0..128].

Default value: 0

15

Add a user to the local database and switch to the user parameters configuration mode.

esr(config)# username <NAME>

<NAME> – user name, set by the string of up to 31 characters.

16

Set user password

esr(config-user)# password { <CLEAR-TEXT> | encrypted <HASH_SHA512> }

<CLEAR-TEXT> – password, set by the string of 8 to 32 characters, takes the value of [0-9a-fA-F];

<HASH_SHA512> – hash password via sha512 algorithm, set by the string of 110 characters.

17

Set user privileges level

esr(config-user)# privilege <PRIV>

<PRIV> – required privilege level. Takes values in the range of [1..15].

18

Switch to the corresponding terminal configuration mode

esr(config)# line console

or

esr(config)# line telnet

or

esr(config)# line ssh


19

Activate user login authentication list

esr(config-line-ssh)# login authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters.

20

Activate authentication list of user privileges elevation

esr(config-line-ssh)# enable authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters.

21

Set the interval after which the idle session will be terminated

esr(config-line-ssh)# exec-timeout <SEC>

<SEC> – time interval in minutes, takes values of [1..65535].
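The `security passwords` commands in steps 6 to 14 above each add one rule that a new local user password must satisfy. The following validator, an added example rather than ESR firmware code, applies those rules in one place so that a policy can be tested before it is enforced on the router: the field names, the `check_password` and `password_expired` helpers and the use of a plain sha512 digest for the history comparison are assumptions of this example, not the router's internal representation.

```python
"""Added example (not ESR code): a validator that applies the checks the
'security passwords ...' commands describe. Names and the sha512 history
comparison are assumptions of this example."""
import hashlib
import string
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional


@dataclass
class PasswordPolicy:
    min_length: int = 0                  # security passwords min-length   (0 = not enforced, the default)
    max_length: Optional[int] = None     # security passwords max-length   (None = no limit, the default)
    symbol_types: int = 1                # security passwords symbol-types (default 1)
    lower_case: int = 0                  # security passwords lower-case
    upper_case: int = 0                  # security passwords upper-case
    numeric_count: int = 0               # security passwords numeric-count
    special_case: int = 0                # security passwords special-case
    history: int = 0                     # security passwords history (0 = reuse allowed)
    lifetime_days: Optional[int] = None  # security passwords lifetime (None = unlimited)


SPECIAL_CHARS = set(string.punctuation)


def digest(password: str) -> str:
    """Hash used for the history comparison (plain sha512 here; the router keeps its own form)."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def check_password(policy: PasswordPolicy, password: str,
                   previous_hashes: Iterable[str] = ()) -> List[str]:
    """Return the names of the violated 'security passwords' settings; [] means accepted."""
    lower = sum(c in string.ascii_lowercase for c in password)
    upper = sum(c in string.ascii_uppercase for c in password)
    digits = sum(c in string.digits for c in password)
    specials = sum(c in SPECIAL_CHARS for c in password)
    # symbol-types counts how many of the four character classes occur at all
    types_present = sum(1 for n in (lower, upper, digits, specials) if n > 0)

    violations = []
    if policy.min_length and len(password) < policy.min_length:
        violations.append("min-length")
    if policy.max_length is not None and len(password) > policy.max_length:
        violations.append("max-length")
    if types_present < policy.symbol_types:
        violations.append("symbol-types")
    if lower < policy.lower_case:
        violations.append("lower-case")
    if upper < policy.upper_case:
        violations.append("upper-case")
    if digits < policy.numeric_count:
        violations.append("numeric-count")
    if specials < policy.special_case:
        violations.append("special-case")
    # history <COUNT>: only the last COUNT stored hashes are compared against
    if policy.history and digest(password) in list(previous_hashes)[-policy.history:]:
        violations.append("history")
    return violations


def password_expired(policy: PasswordPolicy, set_on: date, today: date) -> bool:
    """lifetime <TIME>: the password must be changed once it is older than TIME days."""
    if policy.lifetime_days is None:
        return False
    return (today - set_on).days > policy.lifetime_days


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=12, symbol_types=3, upper_case=1,
                            numeric_count=1, history=3, lifetime_days=90)
    print(check_password(policy, "password"))         # several violations
    print(check_password(policy, "Correct-Horse-9"))  # []
```

The history check deliberately slices the stored list to the configured `<COUNT>` entries, which is the behaviour the `history` keyword describes: a password older than the last `<COUNT>` ones may be reused again.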


AAA configuration algorithm via RADIUS

Step

Description

Command

Keys

1

Set the DSCP code global value for the use in IP headers of RADIUS server egress packets (optional).

esr(config)# radius-server dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value: 63.

2

Set the global number of re-requests to the last active RADIUS server (optional).

esr(config)# radius-server retransmit <COUNT>

<COUNT> – amount of iterative requests to RADIUS server, takes values of [1..10].

Default value: 1.

3

Set the global value of the interval after which the router assumes that the RADIUS server is not available (optional).

esr(config)# radius-server timeout <SEC>

<SEC> – time interval in seconds, takes values of [1..30].

Default value: 3 seconds.

4

Add RADIUS server to the list of used servers and switch to its configuration mode.

esr(config)# radius-server host
{ <IP-ADDR> | <IPV6-ADDR> } [ vrf <VRF> ]
esr(config-radius-server)#

<IP-ADDR> – RADIUS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – RADIUS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]

<VRF> – VRF instance name, set by the string of up to 31 characters.

5

Specify the number of failed authentication attempts to block the user login and time of the lock (optional).

esr(config)# aaa authentication attempts max-fail <COUNT> <TIME>

<COUNT> – amount of failed authentication attempts after which a user is blocked, takes the values of [1..65535];

<TIME> – user blocking time in seconds, takes the values of [1..65535].

Default value:

<COUNT> – 5; <TIME> – 300

6

Set the password for authentication on remote RADIUS server.

esr(config-radius-server)# key ascii-text
{ <TEXT> | encrypted <ENCRYPTED-TEXT> }

<TEXT> – string [8..16] ASCII characters;

<ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters.

7

Set the priority for using a remote RADIUS server (optional).

esr(config-radius-server)# priority <PRIORITY>

<PRIORITY> – remote server priority, takes values in the range of [1..65535].

The lower value, the higher the priority of server is.

Default value: 1.

8

Set the interval after which the router assumes that the RADIUS server is not available (optional).

esr(config-radius-server)# timeout <SEC>

<SEC> – time interval in seconds, takes values of [1..30].

Default value: global timer value is used.

9

Set IPv4/IPv6 address that will be used as source IPv4/IPv6 address in transmitted RADIUS packets.

esr(config-radius-server)# source-address { <ADDR> | <IPV6-ADDR> }

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – source IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

10

Specify the interface or tunnel of the router whose IPv4/IPv6 address will be used as the source IPv4/IPv6 address in outgoing RADIUS packets.

esr(config-radius-server)# source-interface { <IF> | <TUN> }

<IF> – interface.

<TUN> – tunnel name.

11

Set radius as authentication method.

esr(config)# aaa authentication login { default | <NAME> } <METHOD 1>
[ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters.

Authentication methods:

  • local – authentication by local user base;
  • tacacs – authentication by TACACS server list;
  • radius – authentication by RADIUS server list;
  • ldap – authentication by LDAP server list.

12

Set radius as authentication method of user privileges elevation.

esr(config)# aaa authentication enable <NAME> <METHOD 1>
[ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters;

  • default – default list name.

<METHOD> – authentication methods:

  • enable – authentication by enable passwords;
  • tacacs – authentication by TACACS;
  • radius – authentication by RADIUS;
  • ldap – authentication by LDAP.

13

Specify authentication methods to be tried in case of failure (optional).

esr(config)# aaa authentication mode <MODE>

<MODE> – options of iterating over methods:

  • chain – if the server returned FAIL, proceed to the following authentication method in the chain;
  • break – if the server returned FAIL, abandon authentication attempts. If the server is unavailable, continue authentication attempts by the following methods in the chain.

Default value: chain.

14

Configure radius in the list of user session accounting methods (optional).

esr(config)# aaa accounting login start-stop <METHOD 1>
[ <METHOD 2> ]

<METHOD> – accounting methods:

  • tacacs – session accounting by TACACS;
  • radius – session accounting by RADIUS.

15

Switch to the corresponding terminal configuration mode.

esr(config)# line <TYPE>

<TYPE> – console type:

  • console – local console;
  • ssh – secure remote console.

16

Activate user login authentication list.

esr(config-line-console)# login authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 8.

17

Activate authentication list of user privileges elevation.

esr(config-line-console)# enable authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 9.
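The method list of `aaa authentication login`, the `aaa authentication mode` setting (step 13 here, step 3 of the local table), server `priority` and `timeout`, and `aaa authentication attempts max-fail` all decide together whether one login attempt succeeds. The model below is an added example, not ESR code, that makes those interactions explicit: in `break` mode a definite FAIL ends the attempt, while an unreachable server falls through to the next method in both modes. The `Result` names, the callable backends and the `Lockout` class are assumptions of this example; the page does not say what happens when every method is unavailable, so the model treats that as a rejected login.

```python
"""Added example (not ESR code): how the 'aaa authentication' method list, mode,
server priority and max-fail lockout interact. Names are assumptions."""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "pass"                # server accepted the credentials
    FAIL = "fail"                # server answered and rejected them
    UNAVAILABLE = "unavailable"  # no answer within 'timeout' from any server of the method


def query_servers(servers: List[Tuple[str, int]], answers: Dict[str, Result]) -> Result:
    """Ask the servers of one method in 'priority' order (lower value first).
    A server that does not answer is skipped; the first real answer wins."""
    for host, _priority in sorted(servers, key=lambda s: s[1]):
        answer = answers.get(host, Result.UNAVAILABLE)
        if answer is not Result.UNAVAILABLE:
            return answer
    return Result.UNAVAILABLE


def authenticate(methods: List[str], backends: Dict[str, Callable[[], Result]],
                 mode: str = "chain") -> Tuple[Result, List[str]]:
    """Walk <METHOD 1> .. <METHOD 4> as 'aaa authentication mode' describes.
    Returns the outcome and the methods that were actually consulted."""
    consulted = []
    for method in methods:
        consulted.append(method)
        answer = backends[method]()
        if answer is Result.PASS:
            return Result.PASS, consulted
        if answer is Result.FAIL and mode == "break":
            return Result.FAIL, consulted  # break: a definite FAIL ends the attempt
        # chain: FAIL falls through; both modes fall through on UNAVAILABLE
    return Result.FAIL, consulted  # assumption: nothing accepted the login -> rejected


class Lockout:
    """'aaa authentication attempts max-fail <COUNT> <TIME>' tracked per user.
    The time unit is whatever the command uses; the model only adds it to the clock."""

    def __init__(self, max_fail: int = 5, lock_time: int = 300):
        self.max_fail, self.lock_time = max_fail, lock_time
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, int] = {}

    def is_locked(self, user: str, now: int) -> bool:
        return now < self.locked_until.get(user, 0)

    def record(self, user: str, result: Result, now: int) -> None:
        if result is Result.PASS:
            self.failures[user] = 0
        elif result is Result.FAIL:
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= self.max_fail:
                self.locked_until[user] = now + self.lock_time
                self.failures[user] = 0


def login(user: str, methods: List[str], backends: Dict[str, Callable[[], Result]],
          mode: str, lockout: Lockout, now: int) -> Result:
    """One login attempt: refused outright while locked, otherwise the methods are consulted."""
    if lockout.is_locked(user, now):
        return Result.FAIL
    result, _ = authenticate(methods, backends, mode)
    lockout.record(user, result, now)
    return result


if __name__ == "__main__":
    radius_down = {"radius": lambda: Result.UNAVAILABLE, "local": lambda: Result.PASS}
    print(authenticate(["radius", "local"], radius_down, mode="break"))  # PASS via local
```

One practical consequence the model shows: with `mode break` and `radius local` as the list, a wrong password is rejected by RADIUS without ever touching the local database, but the local fallback still works during a RADIUS outage, which is the usual reason to keep a local account on the box.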

AAA configuration algorithm via TACACS

Step

Description

Command

Keys

1

Set the DSCP code global value for the use in IP headers of TACACS server egress packets (optional).

esr(config)# tacacs-server dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value: 63.

2

Set the global value of the interval after which the router assumes that the TACACS server is not available (optional).

esr(config)# tacacs-server timeout <SEC>

<SEC> – time interval in seconds, takes values of [1..30].

Default value: 3 seconds.

3

Add TACACS server to the list of used servers and switch to its configuration mode.

esr(config)# tacacs-server host
{ <IP-ADDR> | <IPV6-ADDR> } [ vrf <VRF> ]

esr(config-tacacs-server)#

<IP-ADDR> – TACACS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]

<IPV6-ADDR> – TACACS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]

<VRF> – VRF instance name, set by the string of up to 31 characters.

4

Specify the number of failed authentication attempts to block the user login and time of the lock (optional).

esr(config)# aaa authentication attempts max-fail <COUNT> <TIME>

<COUNT> – amount of failed authentication attempts after which a user is blocked, takes the values of [1..65535];

<TIME> – user blocking time in minutes, takes the values of [1..65535].

Default value:

<COUNT> – 5; <TIME> – 300

5

Set the password for authentication on remote TACACS server.

esr(config-tacacs-server)# key ascii-text  { <TEXT> | encrypted <ENCRYPTED-TEXT> }

<TEXT> – string [8..16] ASCII characters;

<ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters.

6

Set the port number to communicate with remote TACACS server (optional).

esr(config-tacacs-server)# port <PORT>

<PORT> – number of TCP port to exchange data with a remote server, takes values of [1..65535].

Default value: 49 for TACACS server.

7

Set the priority for using a remote TACACS server (optional).

esr(config-tacacs-server)# priority <PRIORITY>

<PRIORITY> – remote server priority, takes values in the range of [1..65535].

The lower value, the higher the priority of server is.

Default value: 1.

8

Set IPv4/IPv6 address that will be used as source IPv4/IPv6 address in transmitted TACACS packets.

esr(config-tacacs-server)# source-address { <ADDR> | <IPV6-ADDR> }

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

9

Specify the interface or tunnel of the router whose IPv4/IPv6 address will be used as the source IPv4/IPv6 address in outgoing TACACS packets.

esr(config-tacacs-server)# source-interface { <IF> | <TUN> }

<IF> – interface.

<TUN> – tunnel name.

10

Set TACACS as authentication method of user privileges elevation.

esr(config)# aaa authentication enable <NAME> <METHOD 1>
[ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters;

  • default – default list name.

<METHOD> – authentication methods:

  • enable – authentication by enable passwords;
  • tacacs – authentication by TACACS;
  • radius – authentication by RADIUS;
  • ldap – authentication by LDAP.

11

Set the method for iterating over authentication methods (optional).

esr(config)# aaa authentication mode <MODE>

<MODE> – options of iterating over methods:

  • chain – if the server returned FAIL, proceed to the following authentication method in the chain;
  • break – if the server returned FAIL, abandon authentication attempts. If the server is unavailable, continue authentication attempts by the following methods in the chain.

Default value: chain.

12

Configure the list of CLI commands accounting methods (optional).

esr(config)# aaa accounting commands stop-only tacacs


13

Configure tacacs in the list of user session accounting methods (optional).

esr(config)# aaa accounting login start-stop <METHOD 1>
[ <METHOD 2> ]

<METHOD> – accounting methods:

  • tacacs – session accounting by TACACS;
  • radius – session accounting by RADIUS.

14

Switch to the corresponding terminal configuration mode.

esr(config)# line <TYPE>

<TYPE> – console type:

  • console – local console;
  • ssh – secure remote console.

15

Activate user login authentication list.

esr(config-line-console)# login authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 7.

16

Activate authentication list of user privileges elevation.

esr(config-line-console)# enable authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 8.

AAA configuration algorithm via LDAP

Step

Description

Command

Keys

1

Specify basic DN (Distinguished name) which will be used when searching for users.

esr(config)# ldap-server base-dn <NAME>

<NAME> – basic DN, set by the string of up to 255 characters.

2

Set the interval after which the router assumes that the LDAP server is not available (optional).

esr(config)# ldap-server bind timeout <SEC>

<SEC> – time interval in seconds, takes values of [1..30].

Default value: 3 seconds.

3

Specify the DN (Distinguished name) of a user with administrator rights, under which authorization will take place on the LDAP server when searching for users.

esr(config)# ldap-server bind authenticate root-dn <NAME>

<NAME> – DN of a user with administration rights, set by the string of up to 255 characters.

4

Specify the password of a user with administrator rights, under which authorization will take place on the LDAP server when searching for users.

esr(config)# ldap-server bind authenticate root-password ascii-text
{ <TEXT> | encrypted <ENCRYPTED-TEXT> }

<TEXT> – string [8..16] ASCII characters;

<ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters.

5

Specify a class name of the objects among which it is necessary to search for users on LDAP server (optional).

esr(config)# ldap-server search filter user-object-class <NAME>

<NAME> – object class name, set by the string of up to 127 characters.

Default value: posixAccount.

6

Specify the user search scope in LDAP server tree (optional).

esr(config)# ldap-server search scope <SCOPE>

<SCOPE> – user search scope on LDAP server, takes the following values:

  • onelevel – search through the objects on the level following a basic DN tree in LDAP server tree;
  • subtree – search through all objects of basic DN subtree in LDAP server tree.

Default value: subtree.

7

Specify the interval after which the device assumes that LDAP server has not found users entries satisfying the search condition (optional).

esr(config)# ldap-server search timeout <SEC>

<SEC> – time interval in seconds, takes values of [0..30]

Default value: 0 – device is waiting for search completion and response from LDAP server.

8

Specify an attribute name of the object which is compared with the name of the desired user on LDAP server (optional).

esr(config)# ldap-server naming-attribute <NAME>

<NAME> – object attribute name, set by the string of up to 127 characters.

Default value: uid.

9

Specify the object attribute name which is compared with the name of a desired user on LDAP server (optional).

esr(config)# ldap-server privilege-level-attribute <NAME>

<NAME> – object attribute name, set by the string of up to 127 characters.

Default value: priv-lvl

10

Set the DSCP code global value for the use in IP headers of LDAP server egress packets (optional).

esr(config)# ldap-server dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value: 63

11

Add LDAP server to the list of used servers and switch to its configuration mode.

esr(config)# ldap-server host { <IP-ADDR> | <IPV6-ADDR> }
[ vrf <VRF> ]

esr(config-ldap-server)#

<IP-ADDR> – LDAP server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]

<IPV6-ADDR> – LDAP server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]

<VRF> – VRF instance name, set by the string of up to 31 characters.

12

Specify the number of failed authentication attempts after which user login is blocked, and the duration of the lock (optional).

esr(config)# aaa authentication attempts max-fail <COUNT> <TIME>

<COUNT> – amount of failed authentication attempts after which a user is blocked, takes the values of [1..65535];

<TIME> – user blocking time in minutes, takes the values of [1..65535].

Default value:

<COUNT> – 5; <TIME> – 300

13

Set the port number to communicate with remote LDAP server (optional).

esr(config-ldap-server)# port <PORT>

<PORT> – number of TCP port to exchange data with a remote server, takes values of [1..65535].

Default value: 389 for LDAP server.

14

Prioritize the use of a remote LDAP server (optional).

esr(config-ldap-server)# priority <PRIORITY>

<PRIORITY> – remote server priority, takes values in the range of [1..65535].

The lower value, the higher the priority of server is.

Default value: 1.

15

Set IPv4/IPv6 address that will be used as source IPv4/IPv6 address in transmitted LDAP packets.

esr(config-ldap-server)# source-address { <ADDR> | <IPV6-ADDR> }

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – source IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

16

Specify the interface or tunnel of the router whose IPv4/IPv6 address will be used as the source IPv4/IPv6 address in outgoing LDAP packets.

esr(config-ldap-server)# source-interface { <IF> | <TUN> }

<IF> – interface.

<TUN> – tunnel name.

17

Set LDAP as authentication method.

esr(config)# aaa authentication login { default | <NAME> }
<METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters.

Authentication methods:

  • local – authentication by local user base;
  • tacacs – authentication by TACACS server list;
  • radius – authentication by RADIUS server list;
  • ldap – authentication by LDAP server list.

18

Set LDAP as authentication method of user privileges elevation.

esr(config)# aaa authentication enable <NAME>
<METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters;

  • default – default list name.

<METHOD> – authentication methods:

  • enable – authentication by enable passwords;
  • tacacs – authentication by TACACS;
  • radius – authentication by RADIUS;
  • ldap – authentication by LDAP.

19

Set the method for iterating over authentication methods.

esr(config)# aaa authentication mode <MODE>

<MODE> – options of iterating over methods:

  • chain – if the server returned FAIL, proceed to the following authentication method in the chain;
  • break – if the server returned FAIL, abandon authentication attempts. If the server is unavailable, continue authentication attempts by the following methods in the chain.

Default value: chain.

20

Switch to the corresponding terminal configuration mode.

esr(config)# line <TYPE>

<TYPE> – console type:

  • console – local console;
  • ssh – secure remote console.

21

Activate user login authentication list.

esr(config-line-console)# login authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 14.

22

Activate authentication list of user privileges elevation.

esr(config-line-console)# enable authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 15.
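Steps 1 and 5 to 9 of the LDAP table parametrize one directory search: the router binds with `root-dn`, then looks below `base-dn` (with the configured `search scope`) for an entry whose `objectClass` matches `user-object-class` and whose `naming-attribute` equals the login name, and reads the privilege level from `privilege-level-attribute`. The following in-memory emulation is an added example, not ESR code or a real LDAP client: the directory entries are constructed, matching is exact and case-sensitive, and the rule that an entry without the privilege attribute gets level 1 is an assumption of this example (the page does not state the router's behaviour in that case).

```python
"""Added example (not ESR code): an in-memory emulation of the LDAP lookup that the
'ldap-server ...' settings parametrize. Directory entries are constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed directory: entry DN -> attribute values (kept as lists, as LDAP does)
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=people,dc=example,dc=com":
        {"objectClass": ["posixAccount"], "uid": ["alice"], "priv-lvl": ["15"]},
    "uid=bob,ou=people,dc=example,dc=com":
        {"objectClass": ["posixAccount"], "uid": ["bob"]},
    "uid=svc,ou=service,ou=people,dc=example,dc=com":
        {"objectClass": ["posixAccount"], "uid": ["svc"], "priv-lvl": ["1"]},
    "cn=printers,ou=people,dc=example,dc=com":
        {"objectClass": ["device"], "cn": ["printers"]},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login name must not be able to alter the filter that is sent."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(user_object_class: str, naming_attribute: str, username: str) -> str:
    """The search filter implied by 'search filter user-object-class' and 'naming-attribute'."""
    return "(&(objectClass=%s)(%s=%s))" % (user_object_class, naming_attribute,
                                          escape_filter_value(username))


def dn_components(dn: str) -> List[str]:
    return [part.strip() for part in dn.split(",")]


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """'ldap-server search scope': onelevel = direct children of base-dn, subtree = all below."""
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False  # not under base-dn at all
    if scope == "onelevel":
        return len(entry) == len(base) + 1
    if scope == "subtree":
        return True
    raise ValueError("unknown scope %r" % scope)


def find_user(directory: Dict[str, Dict[str, List[str]]], base_dn: str, scope: str,
              user_object_class: str, naming_attribute: str, privilege_attribute: str,
              username: str) -> Optional[Tuple[str, int]]:
    """Return (entry DN, privilege level) for the user, or None if no entry matches.
    Matching is exact and case-sensitive here (a real server applies matching rules)."""
    for dn, attrs in directory.items():
        if not in_scope(dn, base_dn, scope):
            continue
        if user_object_class not in attrs.get("objectClass", []):
            continue
        if username not in attrs.get(naming_attribute, []):
            continue
        # Assumption of this example: no privilege attribute -> lowest level, 1
        level = int(attrs.get(privilege_attribute, ["1"])[0])
        return dn, level
    return None


if __name__ == "__main__":
    print(build_filter("posixAccount", "uid", "alice"))
    print(find_user(DIRECTORY, "ou=people,dc=example,dc=com", "subtree",
                    "posixAccount", "uid", "priv-lvl", "alice"))
```

The scope distinction matters operationally: with the default `subtree`, the service account under `ou=service` is found and may log in with whatever `priv-lvl` its entry carries, whereas `onelevel` confines logins to entries directly under `base-dn`.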

Example of authentication configuration using telnet via RADIUS server

...

Logging and network attacks protection configuration

Configuration algorithm

Step

Description

Command

Keys

1

Enable protection against ICMP flood attacks.

esr(config)# ip firewall screen dos-defense
icmp-threshold { <NUM> }

<NUM> – amount of ICMP packets per second, set in the range of [1..10000]

2

Enable protection against land attacks.

esr(config)# firewall screen dos-defense land


3

Enable a limit on the number of packets sent per second per destination address

esr(config)# ip firewall screen dos-defense
limit-session-destination { <NUM> }

<NUM> – limit on the number of IP packets per second, set in the range of [1..10000].

4

Enable a limit on the number of packets sent per second per source address

esr(config)# ip firewall screen dos-defense
limit-session-source { <NUM> }

<NUM> – limit on the number of IP packets per second, set in the range of [1..10000].

5

Enable protection against SYN flood attacks.

esr(config)# ip firewall screen dos-defense
syn-flood { <NUM> } [ src-dst ]

<NUM> – maximum amount of TCP packets with the set SYN flag per second, set in the range of [1..10000].

src-dst – limitation on the amount of TCP packets with the SYN flag set, based on the source and destination addresses.

6

Enable protection against UDP flood attacks.

esr(config)# ip firewall screen dos-defense
udp-threshold { <NUM> }

<NUM> – maximum amount of UDP packets per second, set in the range of [1..10000].

7

Enable protection against winnuke attacks.

esr(config)# ip firewall screen dos-defense winnuke


8

Enable blocking of TCP packets with the FIN flag set and the ACK flag not set.

esr(config)# ip firewall screen spy-blocking fin-no-ack


9

Enable blocking of various type ICMP packets.

esr(config)# ip firewall screen spy-blocking icmp-type <TYPE>

<TYPE> – ICMP type, may take the following values:

  • destination-unreachable
  • echo-request
  • reserved
  • source-quench
  • time-exceeded

10

Enable protection against IP sweep attacks.

esr(config)# ip firewall screen spy-blocking ip-sweep { <NUM> }

<NUM> – ip sweep attack detection time, set in milliseconds [1..1000000].

11

Enable protection against port scan attacks.

esr(config)# ip firewall screen spy-blocking port-scan
{ <threshold> } [ <TIME> ]

<threshold> – interval in milliseconds during which the port scan attack will be recorded [1..1000000].

<TIME> – blocking time in milliseconds [1..1000000].

12

Enable protection against IP spoofing attacks.

esr(config)# ip firewall screen spy-blocking spoofing


13

Enable blocking of TCP packets, with the SYN and FIN flags set.

esr(config)# ip firewall screen spy-blocking syn-fin


14

Enable blocking of TCP packets with all flags set, or with the FIN, PSH and URG flags set together. This command provides protection against XMAS scans.

esr(config)# ip firewall screen spy-blocking tcp-all-flag


15

Enable blocking of TCP packets, with the zero 'flags' field.

esr(config)# ip firewall screen spy-blocking tcp-no-flag


16

Enable blocking of fragmented ICMP packets.

esr(config)# ip firewall screen suspicious-packets icmp-fragment


17

Enable blocking of fragmented IP packets.

esr(config)# ip firewall screen suspicious-packets ip-fragment


18

Enable blocking of ICMP packets larger than 1024 bytes.

esr(config)# ip firewall screen suspicious-packets large-icmp


19

Enable blocking of fragmented TCP packets, with the SYN flag.

esr(config)# ip firewall screen suspicious-packets syn-fragment


20

Enable blocking of fragmented UDP packets.

esr(config)# ip firewall screen suspicious-packets udp-fragment


21

Enable blocking of packets whose protocol ID in the IP header is 137 or greater.

esr(config)# ip firewall screen suspicious-packets unknown-protocols


22

Set the frequency of notification (via SNMP, syslog and in CLI) of detected and blocked network attacks.

esr(config)# ip firewall logging interval <NUM>

<NUM> – time interval in seconds [30 .. 2147483647]

23

Enable more detailed message output about detected and blocked network attacks in the CLI.

esr(config)# logging firewall screen detailed


24

Enable mechanism of DoS attacks detection and logging via CLI, syslog and SNMP.

esr(config)# logging firewall screen dos-defense <ATTACK_TYPE>

<ATTACK_TYPE> – DoS attack type, takes the following values: icmp-threshold, land, limit-session-destination, limit-session-source, syn-flood, udp-threshold, winnuke.

25

Enable mechanism of espionage activity detection and logging via CLI, syslog and SNMP.

esr(config)# logging firewall screen spy-blocking
{ <ATTACK_TYPE> | icmp-type <ICMP_TYPE> }

<ATTACK_TYPE> – espionage activity type, takes the following values: fin-no-ack, ip-sweep, port-scan, spoofing, syn-fin, tcp-all-flag, tcp-no-flag.

<ICMP_TYPE> – ICMP type, takes the following values: destination-unreachable, echo-request, reserved, source-quench, time-exceeded.

26

Enable mechanism of specialized packets detection and logging via CLI, syslog and SNMP.

esr(config)# logging firewall screen suspicious-packets <PACKET_TYPE>

<PACKET_TYPE> – non-standard packets type, takes the following values: icmp-fragment, ip-fragment, large-icmp, syn-fragment, udp-fragment, unknown-protocols.
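Most of the `ip firewall screen` checks above are stateless: they look only at the addresses, protocol number, TCP flags, destination port, fragmentation and size of a single packet, plus (for `spoofing`) the routing table. The classifier below is an added example, not ESR code, that applies those per-packet rules to a parsed packet and reports which of the enabled screens would drop it. The `Packet` record, the routing table, the interface names and the screen name strings are constructed for this example; the `spoofing` rule is implemented as the description table states it (the route back to the source must leave through the interface the packet arrived on).

```python
"""Added example (not ESR code): apply the stateless 'ip firewall screen' checks to a
parsed packet and report the enabled screens it trips. Records are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG
TCP, UDP, ICMP = 6, 17, 1

# ICMP types the 'spy-blocking icmp-type' keywords cover (from the description table)
ICMP_TYPE_NAMES = {2: "reserved", 7: "reserved", 3: "destination-unreachable",
                   4: "source-quench", 8: "echo-request", 11: "time-exceeded"}

ALL_SCREENS: Set[str] = {
    "dos-defense land", "dos-defense winnuke",
    "spy-blocking fin-no-ack", "spy-blocking syn-fin", "spy-blocking tcp-all-flag",
    "spy-blocking tcp-no-flag", "spy-blocking spoofing",
    "suspicious-packets icmp-fragment", "suspicious-packets ip-fragment",
    "suspicious-packets large-icmp", "suspicious-packets syn-fragment",
    "suspicious-packets udp-fragment", "suspicious-packets unknown-protocols",
} | {"spy-blocking icmp-type " + n for n in set(ICMP_TYPE_NAMES.values())}


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    in_iface: str            # interface the packet arrived on
    tcp_flags: int = 0
    dport: int = 0
    fragment: bool = False   # IP fragment (non-zero offset or more-fragments set)
    length: int = 0          # total IP length in bytes
    icmp_type: Optional[int] = None


# Constructed routing table: (prefix, egress interface)
ROUTES: List[Tuple[str, str]] = [
    ("10.0.0.0/24", "gi1/0/2"),
    ("192.168.1.0/24", "gi1/0/1"),
    ("0.0.0.0/0", "gi1/0/3"),
]


def egress_interface(ip: str, routes: List[Tuple[str, str]]) -> Optional[str]:
    """Longest-prefix match over the routing table."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def screen(pkt: Packet, routes: List[Tuple[str, str]], enabled: Set[str]) -> List[str]:
    """Names of the enabled screens this packet trips (empty list = the packet passes)."""
    hits = []
    f = pkt.tcp_flags
    if pkt.proto == TCP:
        if pkt.src == pkt.dst and f & SYN:
            hits.append("dos-defense land")
        if f & URG and pkt.dport == 139:
            hits.append("dos-defense winnuke")
        if f & FIN and not f & ACK:
            hits.append("spy-blocking fin-no-ack")
        if f & SYN and f & FIN:
            hits.append("spy-blocking syn-fin")
        if f == ALL_FLAGS or (f & (FIN | PSH | URG)) == (FIN | PSH | URG):
            hits.append("spy-blocking tcp-all-flag")   # XMAS-style packets
        if f == 0:
            hits.append("spy-blocking tcp-no-flag")
        if pkt.fragment and f & SYN:
            hits.append("suspicious-packets syn-fragment")
    elif pkt.proto == ICMP:
        name = ICMP_TYPE_NAMES.get(pkt.icmp_type)
        if name:
            hits.append("spy-blocking icmp-type " + name)
        if pkt.fragment:
            hits.append("suspicious-packets icmp-fragment")
        if pkt.length > 1024:
            hits.append("suspicious-packets large-icmp")
    elif pkt.proto == UDP and pkt.fragment:
        hits.append("suspicious-packets udp-fragment")
    if pkt.fragment:
        hits.append("suspicious-packets ip-fragment")
    if pkt.proto >= 137:
        hits.append("suspicious-packets unknown-protocols")
    # spoofing: the route back to the source must leave through the ingress interface
    if egress_interface(pkt.src, routes) != pkt.in_iface:
        hits.append("spy-blocking spoofing")
    return [h for h in hits if h in enabled]


if __name__ == "__main__":
    xmas = Packet("192.168.1.7", "10.0.0.9", TCP, "gi1/0/1", tcp_flags=FIN | PSH | URG)
    print(screen(xmas, ROUTES, ALL_SCREENS))  # fin-no-ack and tcp-all-flag
```

Because `screen` returns every matching rule rather than the first, it doubles as a way to see which `logging firewall screen` categories a given packet would generate events under, which helps when tuning what the device reports.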

Description of attack protection mechanisms

Command

Description

ip firewall screen dos-defense icmp-threshold

This command enables protection against ICMP flood attacks. When the protection is enabled, the number of ICMP packets of all types per second towards one destination address is limited. The attack causes the host to fail or reboot because it has to process and answer every request.

firewall screen dos-defense land

This command enables protection against land attacks. When the protection is enabled, packets with identical source and destination IP addresses and the SYN flag set in the TCP header are blocked. The attack causes the host to fail or reboot because it has to process every TCP SYN packet and attempts to establish a TCP session with itself.

ip firewall screen dos-defense limit-session-destination

When the host's IP session table is full, the host cannot establish new sessions and drops requests (this happens during various DoS attacks: SYN flood, UDP flood, ICMP flood, etc.). The command limits the number of packets transmitted per second towards one destination address, which mitigates such DoS attacks.

ip firewall screen dos-defense limit-session-source

When the host's IP session table is full, the host cannot establish new sessions and drops requests (this happens during various DoS attacks: SYN flood, UDP flood, ICMP flood, etc.). The command limits the number of packets transmitted per second from one source address, which mitigates such DoS attacks.

ip firewall screen dos-defense syn-flood

This command enables protection against SYN flood attacks. When the protection is enabled, the number of TCP packets with the SYN flag set per second towards one destination address is limited. The attack causes the host to fail or reboot because it has to process every TCP SYN packet and attempt to establish a TCP session for each.

ip firewall screen dos-defense udp-threshold

This command enables protection against UDP flood attacks. When the protection is enabled, the number of UDP packets per second towards one destination address is limited. The attack causes the host to fail or reboot under the volume of UDP traffic.

ip firewall screen dos-defense winnuke

This command enables protection against winnuke attacks. When the protection is enabled, TCP packets with the URG flag set and destination port 139 are blocked. The attack crashes older Windows versions (up to Windows 95).

ip firewall screen spy-blocking fin-no-ack

This command enables blocking of TCP packets with the FIN flag set and the ACK flag not set. Such packets are crafted deliberately: the victim's operating system can be identified from how it responds to them.

ip firewall screen spy-blocking icmp-type destination-unreachable

This command enables blocking of all ICMP type 3 packets (destination-unreachable), including those generated by the router itself. The protection prevents an attacker from learning the network topology and host availability.

ip firewall screen spy-blocking icmp-type echo-request

This command enables blocking of all ICMP type 8 packets (echo-request), including those generated by the router itself. The protection prevents an attacker from learning the network topology and host availability.

ip firewall screen spy-blocking icmp-type reserved

This command enables blocking of all ICMP type 2 and type 7 packets (reserved), including those generated by the router itself. The protection prevents an attacker from learning the network topology and host availability.

ip firewall screen spy-blocking icmp-type source-quench

This command enables blocking of all ICMP type 4 packets (source-quench), including those generated by the router itself. The protection prevents an attacker from learning the network topology and host availability.

ip firewall screen spy-blocking icmp-type time-exceeded

The given command enables the blocking of all 11 type ICMP packets (time exceeded) including the packets generated by the router itself. The protection prevents an attacker from learning about network topology and hosts availability.

ip firewall screen spy-blocking ip-sweep

This command enables protection against IP sweep attacks. When the protection is enabled, if more than 10 ICMP queries from one source arrive within the specified interval, the first 10 queries are dropped by the router and the 11th and subsequent queries are discarded for the remainder of the interval. The protection prevents an attacker from learning the network topology and host availability.

ip firewall screen spy-blocking port-scan

This command enables protection against port scan attacks. If more than 10 TCP packets with the SYN flag arrive at several TCP ports, or more than 10 UDP packets arrive at several UDP ports, from one source within the first specified interval (<threshold>), this behaviour is recorded as a port scan attack and all subsequent packets of that type are blocked for the second specified interval (<TIME>). An attacker is thereby prevented from quickly scanning the device's open ports.

ip firewall screen spy-blocking spoofing

This command enables protection against IP spoofing attacks. When the protection is enabled, the router checks that the source address of each packet is consistent with the routing table and drops the packet on a mismatch. For example, if a packet with source address 10.0.0.1/24 arrives at the Gi1/0/1 interface while the routing table places that subnet behind the Gi1/0/2 interface, the source address is considered to have been forged. This protects against network intrusions that use forged source IP addresses.

ip firewall screen spy-blocking syn-fin

This command enables blocking of TCP packets with both the SYN and FIN flags set. Such packets are specially crafted, and the victim's operating system can be determined from its response.

ip firewall screen spy-blocking tcp-all-flag

This command enables blocking of TCP packets with all flags set, or with the FIN, PSH and URG flags set. This provides protection against XMAS attacks.

ip firewall screen spy-blocking tcp-no-flag

This command enables blocking of TCP packets with an empty 'flags' field. Such packets are specially crafted, and the victim's operating system can be determined from its response.

ip firewall screen suspicious-packets icmp-fragment

The given command enables the blocking of fragmented ICMP packets. ICMP packets are usually small and there is no need to fragment them.

ip firewall screen suspicious-packets ip-fragment

The given command enables the blocking of fragmented packets.

ip firewall screen suspicious-packets large-icmp

The given command enables the blocking of ICMP packets larger than 1024 bytes.

ip firewall screen suspicious-packets syn-fragment

This command enables the blocking of fragmented TCP packets with the SYN flag. TCP packets with the SYN flag are usually small and there is no need to fragment them. The protection prevents fragmented packets from accumulating in a buffer.

ip firewall screen suspicious-packets udp-fragment

The given command enables the blocking of fragmented UDP packets.

ip firewall screen suspicious-packets unknown-protocols

The given command enables the blocking of packets whose IP header protocol number is 137 or greater.

Configuration example of logging and protection against network attacks

...

A firewall is a set of hardware or software tools that controls and filters transmitted network packets according to defined rules.

Configuration algorithm

Step

Description

Command

Keys

1

Create security zones.

esr(config)# security zone <zone-name1>

esr(config)# security zone <zone-name2>

<zone-name> – up to 12 characters.

The names 'all', 'any' and 'self' are reserved.

2

Specify a security zone description.

esr(config-zone)# description <description>

<description> – up to 255 characters.

3

Specify VRF instance, in which the given security zone will operate (optional).

esr(config-zone)# ip vrf forwarding <VRF>

<VRF> – VRF name, set by the string of up to 31 characters.

4

Enable session counters for NAT and Firewall (optional, may reduce the performance).

esr(config)# ip firewall sessions counters


5

Disable filtering of packets that cannot be matched to any known connection and that do not start a new connection (optional, may reduce performance).

esr(config)# ip firewall sessions allow-unknown


6

Select firewall operation mode (optional).

In stateful mode, only the first packet of the session is checked, and if direct traffic is allowed, return traffic is allowed automatically.

In stateless mode, each packet is checked. Direct and return traffic must be allowed in the corresponding zone-pair (see step 29).

Firewall operation according to the list of applications is possible only in stateless mode.

esr(config)# ip firewall mode <MODE>

<MODE> – firewall operation mode, may take the following values: stateful, stateless.

Default value: stateful.

7

Determine the session lifetime for unsupported protocols (optional).

esr(config)# ip firewall sessions generic-timeout <TIME>

<TIME> – session lifetime for unsupported protocols, takes values in seconds [1..8553600].

Default value: 60 seconds.

8

Determine ICMP session lifetime after which it is considered to be outdated (optional).

esr(config)# ip firewall sessions icmp-timeout <TIME>

<TIME> – ICMP session lifetime, takes values in seconds [1..8553600].

Default value: 30 seconds.

9

Determine ICMPv6 session lifetime after which it is considered to be outdated (optional).

esr(config)# ip firewall sessions icmpv6-timeout <TIME>

<TIME> – ICMPv6 session lifetime, takes values in seconds [1..8553600].

Default value: 30 seconds.

10

Determine the size of outstanding sessions table (optional).

esr(config)# ip firewall sessions max-expect <COUNT>

<COUNT> – table size, takes values of [1..8553600].

Default value: 256.

11

Determine the size of trackable sessions table (optional).

esr(config)# ip firewall sessions max-tracking <COUNT>

<COUNT> – table size, takes values of [1..8553600].

Default value: 512000.

12

Determine the lifetime of TCP session in 'connection is being established' state after which it is considered to be outdated (optional).

esr(config)# ip firewall sessions tcp-connect-timeout <TIME>

<TIME> – lifetime of TCP session in 'connection is being established' state, takes values in seconds [1..8553600].

Default value: 60 seconds.

13

Determine the lifetime of TCP session in 'connection is being closed' state after which it is considered to be outdated (optional).

esr(config)# ip firewall sessions tcp-disconnect-timeout <TIME>

<TIME> – lifetime of TCP session in 'connection is being closed' state, takes values in seconds [1..8553600].

Default value: 30 seconds.

14

Determine the lifetime of TCP session in 'connection is established' state after which it is considered to be outdated (optional).

esr(config)# ip firewall sessions tcp-established-timeout <TIME>

<TIME> – lifetime of TCP session in 'connection is established' state, takes values in seconds [1..8553600].

Default value: 120 seconds.

15

Determine the timeout after which the closed TCP session is actually deleted from the table of trackable sessions (optional).

esr(config)# ip firewall sessions tcp-latecome-timeout <TIME>

<TIME> – timeout, takes value in seconds [1..8553600].

Default value: 120 seconds.

16

Enable application-level session tracking for certain protocols (optional).

esr(config)# ip firewall sessions tracking

<PROTOCOL> – application-level protocol whose sessions should be tracked: ftp, h323, pptp, netbios-ns, tftp.

<OBJECT-GROUP-SERVICE> – name of the TCP/UDP port profile for SIP sessions, set by a string of up to 31 characters. If no group is specified, SIP sessions are tracked on port 5060.

Instead of a certain protocol you can use the 'all' key that enables application-level session tracking for all available protocols.

By default – disabled for all protocols.

17

Determine the lifetime of UDP session in 'connection is confirmed' state after which it is considered to be outdated (optional).

esr(config)# ip firewall sessions udp-assured-timeout <TIME>

<TIME> – lifetime of UDP session in 'connection is confirmed' state, takes values in seconds [1..8553600].

Default value: 180 seconds.

18

Determine the lifetime of UDP session in 'connection is not confirmed' state after which it is considered to be outdated.

esr(config)# ip firewall sessions udp-wait-timeout <TIME>

<TIME> – lifetime of UDP session in 'connection is not confirmed' state, takes values in seconds [1..8553600].

Default value: 30 seconds.

19

Create IP addresses lists which will be used during filtration.

esr(config)# object-group network <obj-group-name>

<obj-group-name> – up to 31 characters.

20

Specify IP addresses list description (optional).

esr(config-object-group-network)# description <description>

<description> – profile description, set by the string of up to 255 characters.

21

Add necessary IPv4/IPv6 addresses to the list.

esr(config-object-group-network)# ip prefix <ADDR/LEN>

<ADDR/LEN> – subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

esr(config-object-group-network)# ip address-range <FROM-ADDR>-<TO-ADDR>

<FROM-ADDR> – range starting IP address;

<TO-ADDR> – range ending IP address, optional parameter. If the parameter is not specified, a single IP address is set by the command.

The addresses are defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

esr(config-object-group-network)# ipv6 prefix <IPV6-ADDR/LEN>

<IPV6-ADDR/LEN> – IP address and mask of a subnet, defined as X:X:X:X::X/EE where each X part takes values in hexadecimal format [0..FFFF] and EE takes values of [1..128].

esr(config-object-group-network)# ipv6 address-range <FROM-ADDR>-<TO-ADDR>

<FROM-ADDR> – range starting IPv6 address;

<TO-ADDR> – range ending IPv6 address, optional parameter. If the parameter is not specified, a single IPv6 address is set by the command.

The addresses are defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

22

Create services lists which will be used during filtration.

esr(config)# object-group service <obj-group-name>

<obj-group-name> – service profile name, set by the string of up to 31 characters.

23

Specify services list description (optional).

esr(config-object-group-service)# description <description>

<description> – profile description, set by the string of up to 255 characters.

24

Add necessary services (tcp/udp ports) to the list.

esr(config-object-group-service)# port-range <port>

<port> – takes values in the range of [1..65535].

You can specify several ports separated by commas ',' or you can specify the range of ports with '-'.

25

Create applications lists which will be used in DPI mechanism.

esr(config)# object-group application <NAME>

<NAME> – application profile name, set by the string of up to 31 characters.

26

Specify applications list description (optional).

esr(config-object-group-application)# description <description>

<description> – profile description, set by the string of up to 255 characters.

27

Add necessary applications to the lists.

esr(config-object-group-application)# application <APPLICATION>

<APPLICATION> – specifies the application covered by the given profile.

28

Add interfaces (physical, logical, E1/Multilink and connected), remote-access server (l2tp, openvpn, pptp) or tunnels (gre, ip4ip4, l2tp, lt, pppoe, pptp) into security zones (optional).

esr(config-if-gi)# security-zone <zone-name>

<zone-name> – up to 12 characters.

Disable Firewall functions on the network interface (physical, logical, E1/Multilink and connected), remote-access server (l2tp, openvpn, pptp) or tunnels (gre, ip4ip4, l2tp, lt, pppoe, pptp) (optional).

esr(config-if-gi)# ip firewall disable


29

Create an interzone interaction rule set.

There is always a security zone named 'self' on the router. If the router itself acts as a traffic recipient, that is, the traffic is not transit, then the 'self' zone is specified as a parameter.

The order of traffic processing for different zone-pairs is described in the note.

esr(config)# security zone-pair <src-zone-name1> <dst-zone-name2>

<src-zone-name> – up to 12 characters.

<dst-zone-name> – up to 12 characters.

30

Create an interzone interaction rule and switch to its configuration mode.

esr(config-zone-pair)# rule <rule-number>

<rule-number> – 1..10000.

31

Specify rule description (optional).

esr(config-zone-rule)# description <description>

<description> – up to 255 characters.

32

Specify the action of the given rule.

esr(config-zone-rule)# action <action> [ log ]

<action> – permit/deny/reject/netflow-sample/sflow-sample

log – activation key for logging of sessions established according to the given rule.

33

Set the name or number of the IP protocol for which the rule should work (optional).

esr(config-zone-rule)# match [not] protocol <protocol-type>

<protocol-type> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre.

When specifying the 'any' value, the rule will work for any protocols.

esr(config-zone-rule)# match [not] protocol-id <protocol-id>

<protocol-id> – IP protocol number, takes values of [0x00-0xFF].

34

Specify the profile of source IP addresses for which the rule should work (optional).

esr(config-zone-rule)# match [not] source-address <OBJ-GROUP-NETWORK-NAME>

<OBJ-GROUP-NETWORK-NAME> – IP addresses profile name, set by the string of up to 31 characters. When specifying the 'any' value, the rule will work for any sender/recipient IP address.

35

Set the profile of destination IP addresses for which the rule should work (optional).

esr(config-zone-rule)# match [not] destination-address <OBJ-GROUP-NETWORK-NAME>

36

Set source MAC address for which the rule should work (optional).

esr(config-zone-rule)# match [not] source-mac <mac-addr>

<mac-addr> – defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF].

37

Set destination MAC address for which the rule should work (optional).

esr(config-zone-rule)# match [not] destination-mac <mac-addr>

38

Set the source TCP/UDP ports profile for which the rule should work (if the protocol is specified).

esr(config-zone-rule)# match [not] source-port <PORT-SET-NAME>

<PORT-SET-NAME> – set by the string of up to 31 characters. When specifying the 'any' value, the rule will work for any sender/recipient TCP/UDP port.

39

Set the destination TCP/UDP ports profile for which the rule should work (if the protocol is specified).

esr(config-zone-rule)# match [not] destination-port <PORT-SET-NAME>

40

Specify the type and code of ICMP messages for which the rule should work (if ICMP is selected as protocol) (optional).

esr(config-zone-rule)# match [not] icmp <ICMP_TYPE> <ICMP_CODE>

<ICMP_TYPE> – ICMP message type, takes values of [0..255].

<ICMP_CODE> – ICMP message code, takes values of [0..255]. When specifying the 'any' value, the rule will work for any ICMP message code.

41

Restrict the rule to traffic that has been modified by the destination IP address and port translation service (destination NAT).

esr(config-zone-rule)# match [not] destination-nat


42

Set the maximum packet rate (optional, available only for zone-pair any self and zone-pair <zone-name> any).

esr(config-zone-pair-rule)# rate-limit pps <rate-pps>

<rate-pps> – maximum amount of packets that can be transmitted. Takes values in the range of [1..10000].

43

Set the filtration only for fragmented IP packets (optional, available only for zone-pair any self and zone-pair <zone-name> any).

esr(config-zone-pair-rule)# match [not] fragment


44

Set the filtration only for IP packets including ip-option (optional, available only for zone-pair any self and zone-pair <zone-name> any).

esr(config-zone-pair-rule)# match [not] ip-option


45

Activate the interzone interaction rule.

esr(config-zone-rule)# enable


46

Enable filtering and session tracking mode while packets are transmitted between participants of one bridge group (optional, available only for ESR-1000/1200/1500/1511/1700/3100).

esr(config-bridge)# ports firewall enable



...

1 When using the 'not' key, the rule will work for values which are not included in the specified profile.

...

Each 'match' command may contain the 'not' key. When using the key, packets that do not meet the given requirement will fall under the rule.

You can find more detailed information about firewall configuration in the 'CLI command reference guide'.


Firewall configuration example

...

To set the rules for traffic passing from the 'WAN' zone to the 'LAN' zone, create a zone pair and add a rule prohibiting the application traffic and a rule allowing all other traffic. Rules are applied with the enable command:
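A worked configuration for the configuration algorithm above (steps 1-46) and for the zone-pair scenario just described, added here as an example; it is not part of the original document. Zone, group and interface names and all addresses are constructed; 'exit' and 'interface gigabitethernet 1/0/1' are assumed to be the ESR's usual mode-exit and interface-selection commands, the rule prompt follows the table's 'config-zone-rule', and lines beginning with '!' are annotations, not CLI input. Because application matching requires stateless mode, the blocked WAN-to-LAN flow here is SSH matched by port instead.

```text
! Zones: WAN is the untrusted uplink, LAN the office network; 'self' is the router
esr(config)# security zone WAN
esr(config-zone)# description Untrusted_uplink
esr(config-zone)# exit
esr(config)# security zone LAN
esr(config-zone)# description Office_network
esr(config-zone)# exit
! Bind the interfaces to the zones (interface names are constructed)
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# security-zone WAN
esr(config-if-gi)# exit
esr(config)# interface gigabitethernet 1/0/2
esr(config-if-gi)# security-zone LAN
esr(config-if-gi)# exit
! Address and service groups referenced by the rules (constructed values)
esr(config)# object-group network LAN_NET
esr(config-object-group-network)# ip prefix 192.168.10.0/24
esr(config-object-group-network)# exit
esr(config)# object-group network ADMIN_HOSTS
esr(config-object-group-network)# ip address-range 192.168.10.10-192.168.10.20
esr(config-object-group-network)# exit
esr(config)# object-group service WEB
esr(config-object-group-service)# port-range 80,443
esr(config-object-group-service)# exit
esr(config)# object-group service SSH
esr(config-object-group-service)# port-range 22
esr(config-object-group-service)# exit
! Stateful mode: only the first packet of a session is checked and return traffic
! is allowed automatically; screens drop forged sources and throttle scans
esr(config)# ip firewall mode stateful
esr(config)# ip firewall screen spy-blocking spoofing
esr(config)# ip firewall screen spy-blocking port-scan
esr(config)# ip firewall screen spy-blocking ip-sweep
! LAN -> WAN: only web traffic from the office network, sessions are logged
esr(config)# security zone-pair LAN WAN
esr(config-zone-pair)# rule 10
esr(config-zone-rule)# description Office_web_out
esr(config-zone-rule)# action permit log
esr(config-zone-rule)# match protocol tcp
esr(config-zone-rule)# match source-address LAN_NET
esr(config-zone-rule)# match destination-address any
esr(config-zone-rule)# match source-port any
esr(config-zone-rule)# match destination-port WEB
esr(config-zone-rule)# enable
esr(config-zone-rule)# exit
esr(config-zone-pair)# exit
! WAN -> LAN: rule 10 drops and logs SSH attempts towards the office; rule 20
! admits only traffic already rewritten by destination NAT (published services)
esr(config)# security zone-pair WAN LAN
esr(config-zone-pair)# rule 10
esr(config-zone-rule)# action deny log
esr(config-zone-rule)# match protocol tcp
esr(config-zone-rule)# match source-address any
esr(config-zone-rule)# match destination-address LAN_NET
esr(config-zone-rule)# match source-port any
esr(config-zone-rule)# match destination-port SSH
esr(config-zone-rule)# enable
esr(config-zone-rule)# exit
esr(config-zone-pair)# rule 20
esr(config-zone-rule)# action permit
esr(config-zone-rule)# match protocol any
esr(config-zone-rule)# match source-address any
esr(config-zone-rule)# match destination-address LAN_NET
esr(config-zone-rule)# match destination-nat
esr(config-zone-rule)# enable
esr(config-zone-rule)# exit
esr(config-zone-pair)# exit
! Router itself: SSH only from the admin hosts, echo requests rate-limited
! (rate-limit is available only in the 'any self' and '<zone> any' pairs)
esr(config)# security zone-pair any self
esr(config-zone-pair)# rule 10
esr(config-zone-rule)# action permit
esr(config-zone-rule)# match protocol tcp
esr(config-zone-rule)# match source-address ADMIN_HOSTS
esr(config-zone-rule)# match destination-address any
esr(config-zone-rule)# match source-port any
esr(config-zone-rule)# match destination-port SSH
esr(config-zone-rule)# enable
esr(config-zone-rule)# exit
esr(config-zone-pair)# rule 20
esr(config-zone-rule)# action permit
esr(config-zone-rule)# match protocol icmp
esr(config-zone-rule)# match source-address any
esr(config-zone-rule)# match destination-address any
esr(config-zone-rule)# match icmp 8 0
esr(config-zone-rule)# rate-limit pps 50
esr(config-zone-rule)# enable
esr(config-zone-rule)# exit
esr(config-zone-pair)# exit
```

The 'log' keys on the permit and deny rules are what make the sessions visible to the logging configured elsewhere on the router; without them a blocked SSH attempt from the WAN leaves no trace.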

...

An Access Control List (ACL) is a list of rules that defines which traffic may pass through an interface.

Configuration algorithm

Step

Description

Command

Keys

1

Create access control list and switch to its configuration mode.

esr(config)# ip access-list extended <NAME>

<NAME> – access control list name, set by the string of up to 31 characters.

2

Specify the description of a configurable access control list (optional).

esr(config-acl)# description <DESCRIPTION>

<DESCRIPTION> – access control list description, set by the string of up to 255 characters.

3

Create a rule and switch to its configuration mode.

The router processes the rules in ascending order of their numbers.

esr(config-acl)# rule <ORDER>

<ORDER>  – rule number, takes values of [1..4094].

4

Specify the action that should be applied for the traffic meeting the given requirements.

esr(config-acl-rule)# action <ACT>

<ACT> – action to apply:

  • permit – traffic transfer is permitted;
  • deny – traffic transfer is denied.

5

Set name of protocol for which the rule should work (optional).

esr(config-acl-rule)# match protocol <TYPE>

<TYPE> – protocol type, takes the following values: esp, icmp, ah, eigrp, ospf, igmp, ipip, tcp, pim, udp, vrrp, rdp, l2tp, gre. When specifying the 'any' value, the rule will work for any protocols.

esr(config-acl-rule)# match protocol-id <ID>

<ID> – IP protocol number, takes values of [0x00-0xFF].

6

Set sender IP addresses for which the rule should work (optional).

esr(config-acl-rule)# match source-address { <ADDR> <MASK> | any }

<ADDR> – sender IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<MASK> – IP address mask, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]. Mask bits, set to zero, specify IP address bits excluded from the comparison when searching.

When specifying the 'any' value, the rule will work for any sender/recipient IP address.

7

Set destination IP addresses for which the rule should work (optional).

esr(config-acl-rule)# match destination-address { <ADDR> <MASK> | any }

8

Set sender MAC addresses for which the rule should work (optional).

esr(config-acl-rule)# match source-mac <ADDR> <WILDCARD>

<ADDR> – sender MAC address, defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF].

<WILDCARD> – MAC address mask, defined as XX:XX:XX:XX:XX:XX where each part takes the values of [00..FF]. Mask bits, set to zero, specify MAC address bits excluded from the comparison when searching.

9

Set destination MAC addresses for which the rule should work (optional).

esr(config-acl-rule)# match destination-mac <ADDR> <WILDCARD>

10

Set the number of sender TCP/UDP ports for which the rule should work (if the protocol is specified).

esr(config-acl-rule)# match source-port { <PORT> | any }

<PORT> – number of sender TCP/UDP port, takes values of [1..65535]. When specifying the 'any' value, the rule will work for any sender TCP/UDP port.

11

Set the destination TCP/UDP ports number for which the rule should work (if the protocol is specified).

esr(config-acl-rule)# match destination-port { <PORT> | any }

12

Set priority 802.1p value for which the rule should work (optional).

esr(config-acl-rule)# match cos <COS>

<COS> – priority 802.1p value, takes values of [0..7].

13

Set DSCP code value for which the rule should work (optional). Can not be used with IP Precedence.

esr(config-acl-rule)# match dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

14

Set IP Precedence code for which the rule should work (optional). Can not be used with DSCP.

esr(config-acl-rule)# match ip-precedence <IPP>

<IPP> – IP Precedence code value, takes values in the range of [0..7].

15

Set VLAN ID for which the rule should work (optional).

esr(config-acl-rule)# match vlan <VID>

<VID> – VLAN ID, takes values of [1..4094].

16

Activate a rule.

esr(config-acl-rule)# enable


17

Specify the access control list that filters incoming traffic on the configured interface.

esr(config-if-gi)# service-acl input <NAME>

<NAME> – access control list name, set by the string of up to 31 characters.

Access lists can also be used to build QoS policies.
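A worked access list for the algorithm above (steps 1-17), added here as an example; it is not part of the original document. It shows why rule order matters and how the <MASK> argument works: a permit for the admin subnet must precede the broader deny, or the admins would be blocked too. Addresses, names and the interface are constructed; 'exit' and 'interface gigabitethernet 1/0/2' are assumed to be the ESR's usual mode-exit and interface-selection commands, and lines beginning with '!' are annotations, not CLI input.

```text
! Incoming filter on the LAN interface: SSH is allowed only from the admin subnet.
! Rules are processed in ascending order, so the permit must come before the wider deny.
esr(config)# ip access-list extended LAN_IN
esr(config-acl)# description SSH_from_admins_only
! Mask 255.255.255.0: only the network part is compared, the host bits (zero) are ignored
esr(config-acl)# rule 10
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol tcp
esr(config-acl-rule)# match source-address 192.168.10.0 255.255.255.0
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port any
esr(config-acl-rule)# match destination-port 22
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
! Mask 255.255.0.0: matches all of 192.168.0.0/16; the admin subnet was already handled by rule 10
esr(config-acl)# rule 20
esr(config-acl-rule)# action deny
esr(config-acl-rule)# match protocol tcp
esr(config-acl-rule)# match source-address 192.168.0.0 255.255.0.0
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port any
esr(config-acl-rule)# match destination-port 22
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
! Everything else is passed explicitly
esr(config-acl)# rule 30
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol any
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# exit
! Apply the list to incoming traffic on the LAN-facing interface
esr(config)# interface gigabitethernet 1/0/2
esr(config-if-gi)# service-acl input LAN_IN
```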

...

Base configuration algorithm

Step

Description

Command

Keys

1

Create IPS/IDS security policy.

esr(config)# security ips policy <NAME>

<NAME> – security policy name, set by the string of up to 32 characters.

2

Specify policy description (optional).

esr(config-ips-policy)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

3

Specify the IP address profile that IPS/IDS will protect.

esr(config-ips-policy)# protect network-group <OBJ-GROUP-NETWORK-NAME>

<OBJ-GROUP-NETWORK-NAME> – protected IP addresses profile name, set by the string of up to 32 characters.

4

Specify the profile of IP addresses that are external for IPS/IDS (optional).

esr(config-ips-policy)# external network-group <OBJ-GROUP-NETWORK-NAME>

<OBJ-GROUP-NETWORK-NAME> – external IP addresses profile name, set by the string of up to 32 characters.

5

Switch to the IPS/IDS configuration mode.

esr(config)# security ips


6

Assign IPS/IDS security policy.

esr(config-ips)# policy <NAME>

<NAME> – security policy name, set by the string of up to 32 characters.

7

Use all ESR resources for IPS/IDS (optional).

esr(config-ips)# perfomance max

By default, half of the available processor cores are allocated for IPS/IDS.

8

Set remote server parameters for sending IPS/IDS service statistics in EVE format (elasticsearch) (optional).

esr(config-ips)# logging remote-server { <ADDR> | <IPV6-ADDR> } [ <TRANSPORT> ] [ <PORT> ] [ source-address { <SRC-ADDR> | <IPV6-SRC-ADDR> } ]

<ADDR> – IPv4 address of the remote server, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF];

<TRANSPORT> – data transfer protocol, by default is UDP, takes the following values:

  • TCP – data transfer via TCP;
  • UDP – data transfer via UDP.

<PORT> – TCP/UDP port of the remote server, takes values of [1..65535], by default 514;

<SRC-ADDR> – IPv4 address of the router that will be used as the source IP address in the sent syslog packets. By default – the IPv4 address of the interface from which the packets are sent;

<IPV6-SRC-ADDR> – IPv6 address of the router that will be used as the source IP address in the sent syslog packets. By default – the IPv6 address of the interface from which the packets are sent.

9

Set the interval for sending IPS/IDS service statistics in EVE (elasticsearch) format (optional).

esr(config-ips)# logging update-interval <INTERVAL>

<INTERVAL> – IPS/IDS service statistics sending interval, set in minutes.

10

Activate IPS/IDS on the interface.

esr(config-if-gi)# service-ips { inline | monitor }

inline – this mode is set when the ESR with the IPS/IDS service is installed in the traffic path (in-line).

monitor – this mode is set when ESR with IPS/IDS monitors mirrored traffic.

Configuration algorithm for IPS/IDS rules autoupdate from external sources

Step

Description

Command

Keys

1

Switch to the autoupdate configuration mode.

esr(config-ips)# auto-upgrade


2

Specify a name and enter the configuration mode of the user update server.

esr(config-ips-auto-upgrade)# user-server <WORD>

<WORD> – server name, set by the string of up to 32 characters.

3

Specify the description of the user update server (optional).

esr(config-ips-upgrade-user-server)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

4

Specify URL.

esr(config-ips-upgrade-user-server)# url <URL>

<URL> – URL string of 8 to 255 characters.

The URL may point to:

  • rule file with the .rule extension;
  • rule classifier file named classification.config;
  • directory on the server containing rule files and/or rule classifier file.

5

Set the frequency for update checking (optional).

esr(config-ips-upgrade-user-server)# upgrade interval <HOURS>

<HOURS> – update interval in hours, from 1 to 240.

Default value: 24 hours.


Warning

For IPS/IDS rules loaded from external sources, a separate area of volatile memory is allocated on ESR routers.

The size of this area depends on the ESR model:

  • ESR-1X – 25 MB;
  • ESR-2X – 50 MB.

For all other models - 100 MB.

If you configure too many rule sources or load rules that exceed the specified limit, the router generates the error message: %STORAGE_IPS_MGR-I-ERR: There is no free space in rules directory.
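A worked configuration for the base algorithm (steps 1-10) and the autoupdate algorithm (steps 1-5) above, added here as an example; it is not part of the original document. The protected subnet, collector and source addresses, names and interface are constructed; the two rule URLs are taken from the recommended sources listed below; 'exit' and 'interface gigabitethernet 1/0/1' are assumed to be the ESR's usual mode-exit and interface-selection commands, and lines beginning with '!' are annotations, not CLI input.

```text
! Addresses the IPS/IDS must protect (constructed subnet)
esr(config)# object-group network OFFICE_NET
esr(config-object-group-network)# ip prefix 192.168.10.0/24
esr(config-object-group-network)# exit
! Policy: protect the office hosts (no external group, so everything else is external)
esr(config)# security ips policy OFFICE
esr(config-ips-policy)# description Office_hosts
esr(config-ips-policy)# protect network-group OFFICE_NET
esr(config-ips-policy)# exit
esr(config)# security ips
esr(config-ips)# policy OFFICE
! EVE statistics to the collector every 15 minutes, sent from a fixed source address
esr(config-ips)# logging remote-server 192.168.10.1 source-address 192.168.10.254
esr(config-ips)# logging update-interval 15
! Two external rule sources, checked every 12 hours; the rule area is limited
! per model (25 MB ESR-1X, 50 MB ESR-2X, 100 MB otherwise), so add sources sparingly
esr(config-ips)# auto-upgrade
esr(config-ips-auto-upgrade)# user-server ET_SCAN
esr(config-ips-upgrade-user-server)# description Network_scanning_signatures
esr(config-ips-upgrade-user-server)# url https://rules.emergingthreats.net/open/suricata/rules/emerging-scan.rules
esr(config-ips-upgrade-user-server)# upgrade interval 12
esr(config-ips-upgrade-user-server)# exit
esr(config-ips-auto-upgrade)# user-server ET_BOTCC
esr(config-ips-upgrade-user-server)# description Known_botnet_control_servers
esr(config-ips-upgrade-user-server)# url https://rules.emergingthreats.net/open/suricata/rules/botcc.rules
esr(config-ips-upgrade-user-server)# upgrade interval 12
esr(config-ips-upgrade-user-server)# exit
esr(config-ips-auto-upgrade)# exit
esr(config-ips)# enable
esr(config-ips)# exit
! Inline on the uplink: the router sits in the traffic path and can block, not just alert
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# service-ips inline
```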

...

Recommended open rule update source

https://sslbl.abuse.ch/

SSL Blacklist contains lists of 'bad' SSL certificates, i.e. certificates in respect of which the fact of their use by malware and botnets has been established. The lists contain SHA1 fingerprints of public keys from SSL certificates.

https://feodotracker.abuse.ch/

Feodo Tracker – list of management servers for the Feodo Trojan. Feodo (also known as Cridex or Bugat) is used by cybercriminals to steal sensitive information in the field of electronic banking (credit card information, logins/passwords) from users' computers. Currently, there are four versions of the Trojan (versions A, B, C and D), mainly distinguished by the infrastructure of control servers.

https://rules.emergingthreats.net/open/suricata/rules/botcc.rules

These rules describe well-known botnets and control servers. Sources: Shadowserver.org, Zeus Tracker, Palevo Tracker, Feodo Tracker, Ransomware Tracker.

https://rules.emergingthreats.net/open/suricata/rules/ciarmy.rules

These rules describe malicious hosts by the classification of the www.cinsarmy.com project.

https://rules.emergingthreats.net/open/suricata/rules/compromised.rules

These rules describe well-known compromised and malicious hosts. Sources: Daniel Gerzo’s BruteForceBlocker, The OpenBL, Emerging Threats Sandnet, SidReporter Projects.

https://rules.emergingthreats.net/open/suricata/rules/drop.rules

These rules describe spammer hosts/networks by the classification of the www.spamhaus.org project.

https://rules.emergingthreats.net/open/suricata/rules/dshield.rules

These rules describe malicious hosts by the classification of the www.dshield.org project.

https://rules.emergingthreats.net/open/suricata/rules/emerging-activex.rules

These rules contain signatures for using ActiveX content.

https://rules.emergingthreats.net/open/suricata/rules/emerging-attack_response.rules

Rules that detect host behavior after successful attacks.

https://rules.emergingthreats.net/open/suricata/rules/emerging-chat.rules

These rules describe signs of accessing popular chat rooms.

https://rules.emergingthreats.net/open/suricata/rules/emerging-current_events.rules

Temporary rules awaiting possible inclusion in permanent rule lists.

https://rules.emergingthreats.net/open/suricata/rules/emerging-dns.rules

These rules contain signatures of vulnerabilities in the DNS protocol, signs of the use of DNS by malware, and incorrect use of the DNS protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-dos.rules

These rules contain DOS attack signatures.

https://rules.emergingthreats.net/open/suricata/rules/emerging-exploit.rules

These rules contain exploit signatures.

https://rules.emergingthreats.net/open/suricata/rules/emerging-ftp.rules

These rules contain signatures of vulnerabilities in the FTP protocol, signs of incorrect use of the FTP protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-games.rules

These rules describe the signs of reference to popular game sites: World of Warcraft, Starcraft, etc.

https://rules.emergingthreats.net/open/suricata/rules/emerging-icmp.rules

These rules contain signatures of incorrect use of the ICMP protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-icmp_info.rules

These rules contain signatures of ICMP information messages.

https://rules.emergingthreats.net/open/suricata/rules/emerging-imap.rules

These rules contain signatures of vulnerabilities in the IMAP protocol, signs of incorrect use of the IMAP protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-inappropriate.rules

These rules describe signs of accessing unwanted resources.

https://rules.emergingthreats.net/open/suricata/rules/emerging-info.rules

These rules contain different vulnerabilities signatures.

https://rules.emergingthreats.net/open/suricata/rules/emerging-malware.rules

These rules contain signatures of malware that uses the HTTP protocol in their work.

https://rules.emergingthreats.net/open/suricata/rules/emerging-misc.rules

These rules contain different vulnerabilities signatures.

https://rules.emergingthreats.net/open/suricata/rules/emerging-mobile_malware.rules

These rules contain malware signatures for mobile platforms.

https://rules.emergingthreats.net/open/suricata/rules/emerging-netbios.rules

These rules contain signatures of vulnerabilities in the NetBIOS protocol, signs of incorrect use of the NetBIOS protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-p2p.rules

These rules describe signs of access to P2P networks (Bittorrent, Gnutella, Limewire).

https://rules.emergingthreats.net/open/suricata/rules/emerging-policy.rules

These rules describe unwanted network activity (access to MySpace, Ebay).

https://rules.emergingthreats.net/open/suricata/rules/emerging-poprules

These rules contain signatures of vulnerabilities in the POP3 protocol, signs of incorrect use of the POP3 protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-rpc.rules

These rules contain signatures of vulnerabilities in the RPC protocol, signs of incorrect use of the RPC protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-scada.rules

These rules contain vulnerability signatures for SCADA systems.

https://rules.emergingthreats.net/open/suricata/rules/emerging-scan.rules

These rules describe signs of activity associated with network scanning (Nessus, Nikto, portscanning).

https://rules.emergingthreats.net/open/suricata/rules/emerging-shellcode.rules

These rules describe signs of activity associated with attempts to gain shell access as a result of exploits.

https://rules.emergingthreats.net/open/suricata/rules/emerging-smtp.rules

These rules contain signatures of vulnerabilities in the SMTP protocol, signs of incorrect use of the SMTP protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-sql.rules

These rules contain vulnerability signatures for SQL DBMS.

https://rules.emergingthreats.net/open/suricata/rules/emerging-telnet.rules

These rules contain signatures of vulnerabilities in the Telnet protocol, signs of incorrect use of the Telnet protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-tftp.rules

These rules contain signatures of vulnerabilities in the TFTP protocol, signs of incorrect use of the TFTP protocol.

https://rules.emergingthreats.net/open/suricata/rules/emerging-trojan.rules

These rules contain signs of network activity of Trojans.

https://rules.emergingthreats.net/open/suricata/rules/emerging-user_agents.rules

These rules contain signs of suspicious and potentially dangerous HTTP clients (identified by the values in the User-Agent HTTP header).

https://rules.emergingthreats.net/open/suricata/rules/emerging-voip.rules

These rules contain vulnerability signatures for VoIP protocols.

https://rules.emergingthreats.net/open/suricata/rules/emerging-web_client.rules

These rules contain vulnerability signatures for web clients.

https://rules.emergingthreats.net/open/suricata/rules/emerging-web_server.rules

These rules contain vulnerability signatures for web servers.

https://rules.emergingthreats.net/open/suricata/rules/emerging-web_specific_apps.rules

These rules contain vulnerability exploitation signatures for WEB applications.

https://rules.emergingthreats.net/open/suricata/rules/emerging-worm.rules

These rules describe signs of network worm activity.

IPS/IDS configuration example with rules autoupdate

...

Code block
esr(config)# security ips
esr(config-ips)# logging remote-server 192.168.10.1
esr(config-ips)# logging update-interval 15
esr(config-ips)# policy OFFICE
esr(config-ips)# enable

The device will be used only as a security gateway, so allocate all available resources to the IPS/IDS service:

...

Basic user rules configuration algorithm

Step

Description

Command

Keys

1

Specify a name and enter the configuration mode of the set of user rules.

esr(config)# security ips-category user-defined <WORD>

<WORD> – user rule set name, set by the string of up to 32 characters.

2

Define a description of a set of user rules (optional).

esr(config-ips-category)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

3

Create a rule and switch to its configuration mode.

esr(config-ips-category)# rule <ORDER>

<ORDER> – rule number, takes values of [1..512].

4

Specify rule description (optional).

esr(config-ips-category-rule)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

5

Specify the rule action.

esr(config-ips-category-rule)# action { alert | reject | pass | drop }

  • alert – traffic is allowed and the IPS/IDS service generates a message;
  • reject – traffic is prohibited. If it is TCP traffic, a TCP-RESET packet is sent to the sender and recipient, for the rest of the traffic type, an ICMP-ERROR packet is sent. IPS/IDS service generates a message;
  • pass – traffic transfer is permitted;
  • drop – traffic is prohibited and the IPS/IDS service generates a message.

6

Set name of IP protocol for which the rule should work.

esr(config-ips-category-rule)# protocol <PROTOCOL>

<PROTOCOL> – takes values: any, ip, icmp, http, tcp, udp.

When specifying the 'any' value, the rule will work for any protocol.

7

Set sender IP addresses for which the rule should work.

esr(config-ips-category-rule)# source-address { ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> | policy-object-group { protect | external } | any }

<ADDR> – sender IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<ADDR/LEN> – sender IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and LEN takes values of [1..32].

<OBJ_GR_NAME> – name of IP addresses profile that contains sender IP address, set by the string of up to 31 characters.

  • protect – sets sender addresses, protect addresses defined in IPS/IDS policy;
  • external – sets external addresses defined in IPS/IDS policy as sender addresses.

When specifying the 'any' value, the rule will be triggered for any source IP address.

8

Set the profile of sender TCP/UDP ports for which the rule should work.

For protocol icmp value, source-port can only be any.

esr(config-ips-category-rule)# source-port { any | <PORT> | object-group <OBJ_GR_NAME> }

<PORT> – number of sender TCP/UDP port, takes values of [1..65535].

<OBJ_GR_NAME> – sender TCP/UDP ports profile name, set by the string of up to 31 characters.

When specifying the 'any' value, the rule will work for any sender TCP/UDP port.

9

Set destination IP addresses for which the rule should trigger.

esr(config-ips-category-rule)# destination-address
{ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> |
policy-object-group { protect | external } | any }

<ADDR> – recipient IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<ADDR/LEN> – recipient IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and LEN takes values of [1..32].

<OBJ_GR_NAME> – name of IP addresses profile that contains recipient IP address, set by the string of up to 31 characters.

  • protect – sets recipient addresses, protect addresses defined in IPS/IDS policy;
  • external – sets external addresses defined in IPS/IDS policy as recipient addresses.

When specifying the 'any' value, the rule will work for any recipient IP address.

10

Set the profile of destination TCP/UDP ports for which the rule should work.

For protocol icmp value, destination-port can only be any.

esr(config-ips-category-rule)# destination-port { any | <PORT> | object-group <OBJ_GR_NAME> }

<PORT> – number of destination TCP/UDP port, takes values of [1..65535].

<OBJ_GR_NAME> – recipient TCP/UDP ports profile name, set by the string of up to 31 characters.

When specifying the 'any' value, the rule will be triggered for any destination TCP/UDP port.

11

Set traffic direction for which the rule should trigger.

esr(config-ips-category-rule)# direction { one-way | round-trip }

  • one-way – traffic is transmitted in one direction.
  • round-trip – traffic is transmitted in both directions.

12

Define the message that IPS/IDS will record to the log when this rule triggers.

esr(config-ips-category-rule)# meta log-message <MESSAGE>

<MESSAGE> – text message, specified by a string of up to 129 characters.

13

Define the traffic classification that will be recorded to the log when this rule triggers (optional).

esr(config-ips-category-rule)# meta classification-type { not-suspicious | unknown | bad-unknown | attempted-recon | successful-recon-limited | successful-recon-largescale | attempted-dos | successful-dos | attempted-user | unsuccessful-user | successful-user | attempted-admin | successful-admin | rpc-portmap-decode | shellcode-detect | string-detect | suspicious-filename-detect | suspicious-login | system-call-detect | tcp-connection | trojan-activity | unusual-client-port-connection | network-scan | denial-of-service | non-standard-protocol | protocol-command-decode | web-application-activity | web-application-attack | misc-activity | misc-attack | icmp-event | inappropriate-content | policy-violation | default-login-attempt }

  • not-suspicious – not suspicious traffic;
  • unknown – unknown traffic;
  • bad-unknown – potentially bad traffic;
  • attempted-recon – information leak attempt;
  • successful-recon-limited – information leak;
  • successful-recon-largescale – large-scale information leak;
  • attempted-dos – denial of service attempt;
  • successful-dos – denial of service;
  • attempted-user – attempt to obtain user privileges;
  • unsuccessful-user – unsuccessful attempt to obtain user privileges;
  • successful-user – successful attempt to obtain user privileges;
  • attempted-admin – attempt to obtain admin privileges;
  • successful-admin – successful attempt to obtain admin privileges;
  • rpc-portmap-decode – RPC request decoding;
  • shellcode-detect – executable code detected;
  • string-detect – suspicious string detected;
  • suspicious-filename-detect – suspicious filename detected;
  • suspicious-login – login attempt with a suspicious username detected;
  • system-call-detect – system call detected;
  • tcp-connection – TCP connection detected;
  • trojan-activity – network Trojan detected;
  • unusual-client-port-connection – the client used an unusual port;
  • network-scan – network scan detected;
  • denial-of-service – denial of service attack detected;
  • non-standard-protocol – custom protocol or event detected;
  • protocol-command-decode – encryption attempt detected;
  • web-application-activity – access to a potentially vulnerable web application;
  • web-application-attack – attack on a web application;
  • misc-activity – other activity;
  • misc-attack – other attacks;
  • icmp-event – general ICMP event;
  • inappropriate-content – inappropriate content detected;
  • policy-violation – potential breach of corporate privacy;
  • default-login-attempt – login attempt using a default login/password.

14

Set DSCP code value for which the rule should work (optional).

esr(config-ips-category-rule)# ip dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

15

Set the packet lifetime (TTL) value for which the rule will trigger (optional).

esr(config-ips-category-rule)# ip ttl <TTL>

<TTL> – TTL value, takes values in the range of [1..255].

16

Set the IP protocol number for which the rule should work (optional).

Applicable only for protocol any value.

esr(config-ips-category-rule)# ip protocol-id <ID>

<ID> – IP protocol number, takes values of [1..255].

17

Set ICMP CODE value for which the rule should trigger (optional).

Applicable only for protocol icmp value.

esr(config-ips-category-rule)# ip icmp code <CODE>

<CODE> – ICMP CODE value, takes a value in the range [0..255].

esr(config-ips-category-rule)# ip icmp code comparison-operator { greater-than | less-than }

Comparison operator for the ip icmp code value:

  • greater-than – greater than;
  • less-than – less than.

18

Set ICMP ID value for which the rule should trigger (optional).

Applicable only for protocol icmp value.

esr(config-ips-category-rule)# ip icmp id <ID>

<ID> – ICMP ID value, takes a value in the range [0..65535].

19

Set ICMP Sequence-ID value for which the rule should trigger (optional).

Applicable only for protocol icmp value.

esr(config-ips-category-rule)# ip icmp sequence-id <SEQ-ID>

<SEQ-ID> – ICMP Sequence-ID value, takes a value in the range [0..4294967295].

20

Set ICMP TYPE value for which the rule should trigger (optional).

Applicable only for protocol icmp value.

esr(config-ips-category-rule)# ip icmp type <TYPE>

<TYPE> – ICMP TYPE value, takes a value in the range [0..255].

esr(config-ips-category-rule)# ip icmp type comparison-operator { greater-than | less-than }

Comparison operator for the ip icmp type value:

  • greater-than – greater than;
  • less-than – less than.

21

Set TCP Acknowledgement-Number value for which the rule should trigger (optional).

Applicable only for protocol tcp value.

esr(config-ips-category-rule)# ip tcp acknowledgment-number <ACK-NUM>

<ACK-NUM> – TCP Acknowledgement-Number value, takes a value in the range [0..4294967295].

22

Set TCP Sequence-ID value for which the rule should trigger (optional).

Applicable only for protocol tcp value.

esr(config-ips-category-rule)# ip tcp sequence-id <SEQ-ID>

<SEQ-ID> – TCP Sequence-ID value, takes a value in the range [0..4294967295].

23

Set TCP Window-Size value for which the rule should trigger (optional).

Applicable only for protocol tcp value.

esr(config-ips-category-rule)# ip tcp window-size <SIZE>

<SIZE> – TCP Window-Size value, takes a value in the range [0..65535].

24

Set HTTP protocol keywords for which the rule will trigger (optional).

Applicable only for protocol http value.

esr(config-ips-category-rule)# ip http { accept | accept-enc | accept-lang | client-body | connection | content-type | cookie | file-data | header | header-names | host | method | protocol | referer | request-line | response-line | server-body | start | start-code | start-msg | uri | user-agent }

See the Suricata 4.X documentation for the meaning of the keywords.

https://suricata.readthedocs.io/en/suricata-4.1.4/rules/http-keywords.html

25

Set the HTTP protocol URI LEN keyword value for which the rule will trigger (optional).

Applicable only for protocol http value.

esr(config-ips-category-rule)# ip http urilen <LEN>

<LEN> – takes values in the range of [0..65535].

esr(config-ips-category-rule)# ip http urilen comparison-operator { greater-than | less-than }

Comparison operator for the ip http urilen value:

  • greater-than – greater than;
  • less-than – less than.

26

Set the packet content (payload content) for which the rule will trigger (optional).

esr(config-ips-category-rule)# payload content <CONTENT>

<CONTENT> – text message specified by a string of up to 1024 characters.

27

Do not distinguish between uppercase and lowercase letters in the specified packet content (optional).

Only applicable in conjunction with the payload content command.

esr(config-ips-category-rule)# payload no-case


28

Set how many bytes from the beginning of the contents of the packet will be checked (optional).

Only applicable in conjunction with the payload content command.

esr(config-ips-category-rule)# payload depth <DEPTH>

<DEPTH> – the number of bytes from the beginning of the packet contents, takes a value in the range [1..65535].

By default, the entire contents of the packet are checked.

29

Set the number of offset bytes from the beginning of the contents of the packet to check (optional).

Only applicable in conjunction with the payload content command.

esr(config-ips-category-rule)# payload offset <OFFSET>

<OFFSET> – the number of offset bytes from the beginning of the packet contents, takes a value in the range [1..65535].

By default, it is checked from the beginning of the content.

30

Set the size of the contents of packets for which the rule will trigger (optional).

esr(config-ips-category-rule)# payload data-size <SIZE>

<SIZE> – packet content size, takes values in the range of [0..65535].

esr(config-ips-category-rule)# payload data-size comparison-operator { greater-than | less-than }

Comparison operator for the payload data-size value:

  • greater-than – greater than;
  • less-than – less than.

31

Specify the threshold number of packets at which the rule will trigger (optional).

esr(config-ips-category-rule)# threshold count <COUNT>

<COUNT> – number of packets, takes values in the range of [1..65535].

32

Specify the time interval over which the threshold number of packets is counted (mandatory if threshold count is enabled).

esr(config-ips-category-rule)# threshold second <SECOND>

<SECOND> – time interval in seconds, takes values in the range of [1..65535].

33

Specify whether the threshold is tracked by sender or by recipient address (mandatory if threshold count is enabled).

esr(config-ips-category-rule)# threshold track { by-src | by-dst }

  • by-src – the threshold is counted for packets with the same source IP address;
  • by-dst – the threshold is counted for packets with the same destination IP address.

34

Specify threshold handling method.

esr(config-ips-category-rule)# threshold type { threshold | limit | both }

  • threshold – display a message every time a threshold is reached.
  • limit – issue a message no more than <COUNT> times per time interval <SECOND>.
  • both – threshold and limit combination.

A message will be generated if during the <SECOND> time interval there were <COUNT> or more packets matching the rule conditions, and the message will be sent only once during the <SECOND> time interval.

35

Activate rule.

esr(config-ips-category-rule)# enable
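
As an added example (not Eltex code and not part of the original page), the Python below checks the cross-field constraints the table states (icmp port profiles, ip protocol-id, payload no-case, threshold second/track) and renders a basic rule in Suricata 4.x syntax; the mapping of the CLI fields onto Suricata keywords is an assumption made for illustration.

```python
"""Consistency check and Suricata 4.x rendering for a basic ESR user rule.

Added example, not Eltex code: the fields mirror the CLI steps of the table, the
cross-field constraints are the ones the table states, and the mapping of those
fields onto Suricata keywords is an assumption made for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

ACTIONS = {"alert", "reject", "pass", "drop"}
PROTOCOLS = {"any", "ip", "icmp", "http", "tcp", "udp"}
DIRECTION = {"one-way": "->", "round-trip": "<>"}


@dataclass
class BasicRule:
    order: int                     # rule <ORDER>, [1..512]
    action: str                    # action { alert | reject | pass | drop }
    protocol: str                  # protocol any/ip/icmp/http/tcp/udp
    log_message: str               # meta log-message, up to 129 characters
    source_address: str = "any"    # e.g. "192.168.1.0/24" or "any"
    source_port: str = "any"
    destination_address: str = "any"
    destination_port: str = "any"
    direction: str = "one-way"     # direction { one-way | round-trip }
    protocol_id: Optional[int] = None      # ip protocol-id, only with protocol any
    content: Optional[str] = None          # payload content, up to 1024 characters
    no_case: bool = False                  # payload no-case, needs payload content
    threshold_count: Optional[int] = None
    threshold_seconds: Optional[int] = None
    threshold_track: Optional[str] = None  # threshold track { by-src | by-dst }
    threshold_type: str = "threshold"      # threshold type { threshold | limit | both }


def validate(rule: BasicRule) -> List[str]:
    """Return the constraint violations; an empty list means the rule is consistent."""
    errors = []
    if not 1 <= rule.order <= 512:
        errors.append("rule number must be in [1..512]")
    if rule.action not in ACTIONS:
        errors.append(f"unknown action {rule.action!r}")
    if rule.protocol not in PROTOCOLS:
        errors.append(f"unknown protocol {rule.protocol!r}")
    if rule.direction not in DIRECTION:
        errors.append(f"unknown direction {rule.direction!r}")
    if len(rule.log_message) > 129:
        errors.append("log-message longer than 129 characters")
    # Steps 8 and 10: with protocol icmp both port profiles can only be 'any'.
    if rule.protocol == "icmp" and (rule.source_port, rule.destination_port) != ("any", "any"):
        errors.append("icmp rules must use source-port any and destination-port any")
    # Step 16: ip protocol-id is applicable only for protocol any.
    if rule.protocol_id is not None:
        if rule.protocol != "any":
            errors.append("ip protocol-id is applicable only for protocol any")
        if not 1 <= rule.protocol_id <= 255:
            errors.append("ip protocol-id must be in [1..255]")
    # Step 27: payload no-case is applicable only together with payload content.
    if rule.no_case and rule.content is None:
        errors.append("payload no-case requires payload content")
    if rule.content is not None and len(rule.content) > 1024:
        errors.append("payload content longer than 1024 characters")
    # Steps 32-33: threshold second and track are mandatory once threshold count is set.
    if rule.threshold_count is not None:
        if rule.threshold_seconds is None or rule.threshold_track is None:
            errors.append("threshold count requires threshold second and threshold track")
        elif rule.threshold_track not in ("by-src", "by-dst"):
            errors.append("threshold track must be by-src or by-dst")
    return errors


def render(rule: BasicRule) -> str:
    """Render the rule as Suricata 4.x text; raises ValueError if validate() fails."""
    problems = validate(rule)
    if problems:
        raise ValueError("; ".join(problems))
    proto = "ip" if rule.protocol == "any" else rule.protocol  # 'any' is 'ip' in Suricata
    options = [f'msg:"{rule.log_message}"']
    if rule.protocol_id is not None:
        options.append(f"ip_proto:{rule.protocol_id}")
    if rule.content is not None:
        options.append(f'content:"{rule.content}"')
        if rule.no_case:
            options.append("nocase")
    if rule.threshold_count is not None:
        track = rule.threshold_track.replace("-", "_")  # by-src -> by_src
        options.append(f"threshold:type {rule.threshold_type}, track {track}, "
                       f"count {rule.threshold_count}, seconds {rule.threshold_seconds}")
    options.append(f"sid:{rule.order}")
    header = (f"{rule.action} {proto} {rule.source_address} {rule.source_port} "
              f"{DIRECTION[rule.direction]} {rule.destination_address} {rule.destination_port}")
    return f"{header} ({'; '.join(options)};)"


if __name__ == "__main__":
    # Constructed sample: alert at most 5 times a minute per source on a scanner User-Agent.
    sample = BasicRule(order=1, action="alert", protocol="http", log_message="Scanner UA",
                       destination_address="10.0.0.0/8", destination_port="80",
                       content="sqlmap", no_case=True, threshold_count=5,
                       threshold_seconds=60, threshold_track="by-src", threshold_type="limit")
    print(render(sample))
```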



Basic user rules configuration example

...

Extended user rules configuration algorithm

Step

Description

Command

Keys

1

Specify a name and enter the configuration mode of the set of user rules.

esr(config)# security ips-category user-defined <WORD>

<WORD> – user rule set name, set by the string of up to 32 characters.

2

Define a description of a set of user rules (optional).

esr(config-ips-category)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

3

Create extended rule and switch to its configuration mode.

esr(config-ips-category)# rule-advanced <SID>

<SID> – rule number, takes values of [1..4294967295].

4

Specify rule description (optional).

esr(config-ips-category-rule-advanced)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

5

Specify the rule text.

esr(config-ips-category-rule-advanced)# rule-text <LINE>

<LINE> – rule text in SNORT 2.X/Suricata 4.X format, specified by a string of up to 1024 characters.

Note

When writing rules, only double quotes (symbol ") must be used inside the text of the rule, and the rule itself must be enclosed in single quotes (symbol ').


6

Activate a rule.

esr(config-ips-category-rule-advanced)# enable
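
An added example, not Eltex code: the checks below apply the quoting note and the rule-text and <SID> limits from the table, and emit the CLI lines of steps 1 to 6 for one extended rule; using the sid option of the rule itself as <SID> is an assumption made for illustration.

```python
"""Checks for the rule-text of an extended (rule-advanced) ESR user rule.

Added example, not Eltex code. It enforces the note above (double quotes only
inside the rule, single quotes around it), the 1024-character limit and the SID
range, and builds the CLI lines of steps 1-6; using the rule's own sid option as
<SID> is an assumption made for illustration.
"""
import re
from typing import List, Optional

SID_MAX = 4294967295
RULE_TEXT_MAX = 1024
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def check_rule_text(rule: str) -> List[str]:
    """Return the violations for a Suricata 4.x rule that is to be passed to rule-text."""
    errors = []
    if "'" in rule:
        errors.append("single quote inside rule text; only double quotes are allowed")
    if rule.count('"') % 2:
        errors.append("unbalanced double quotes in rule text")
    if len(rule) > RULE_TEXT_MAX:
        errors.append(f"rule text longer than {RULE_TEXT_MAX} characters")
    match = _SID_RE.search(rule)
    if match is None:
        errors.append("rule text has no sid option")
    elif not 1 <= int(match.group(1)) <= SID_MAX:
        errors.append(f"sid must be in [1..{SID_MAX}]")
    return errors


def cli_commands(category: str, rule: str, description: Optional[str] = None) -> List[str]:
    """Build the CLI lines that add one extended rule to a user-defined category."""
    problems = check_rule_text(rule)
    if problems:
        raise ValueError("; ".join(problems))
    sid = int(_SID_RE.search(rule).group(1))
    lines = [f"security ips-category user-defined {category}", f"rule-advanced {sid}"]
    if description:
        lines.append(f'description "{description}"')
    lines += [f"rule-text '{rule}'", "enable"]  # the whole rule goes in single quotes
    return lines


if __name__ == "__main__":
    # Constructed sample rule: flag a Nikto User-Agent on HTTP traffic.
    sample = ('alert http any any -> any any (msg:"Scanner User-Agent"; '
              'content:"Nikto"; http_user_agent; nocase; '
              'classtype:web-application-attack; sid:1000001; rev:1;)')
    print("\n".join(cli_commands("MYRULES", sample, "scanner UA")))
```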


Extended user rules configuration example

...

Basic configuration algorithm

Step

Description

Command

Keys

1

Go to the content provider configuration.

esr (config)# content-provider


2

Specify the EDM server IP address.

esr (config-content-provider)# host address <A.B.C.D | WORD | X:X:X:X::X>

<IP-ADDR> – IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF];

WORD(1-31) – DNS name of the server, set by the string of 1 to 31 characters.

3

Set the port used to connect to the EDM server.

esr (config-content-provider)# host port <PORT>

<PORT> – TCP/UDP port number of the EDM server, takes values of [1..65535].

4

Set the type and partition of the external device to create a crypto store.

esr (config-content-provider)# storage-device <DEVICE>

<DEVICE> – label and partition name on the external storage, in the format usb://Partition_name:/ or mmc://Partition_name:/

5

Set the time to reboot the device after receiving the certificate.

esr (config-content-provider)# reboot { immediately | time <HH:MM:SS> }

immediately – restart the device right after receiving the certificate;

time <HH:MM:SS> – the time (hours:minutes:seconds) at which the ESR will reboot.

6

Enable content provider.

esr (config-content-provider)# enable


7

Set the interval for accessing the EDM server, in hours.

esr (config-content-provider)# upgrade interval <1-240>


8

Specify description (optional).

esr (config-content-provider)# description <LINE> 

<LINE> (1-255) – string describing server.

9

Set device text name that is transmitted to the EDM-Issue server (optional).

esr (config-content-provider)# system-name <WORD>

<WORD> – name, set by the string of up to 255 characters.

10

Set text description that is transmitted to the EDM-Issue server (optional).

esr (config-content-provider)# location <WORD>

<WORD> – description, set by the string of up to 255 characters.

11

Create IP addresses lists which will be used during filtration.

esr (config)# object-group network <WORD>

esr (config-object-group-network)# ip prefix <ADDR/LEN>

<WORD> – server name, set by the string of up to 32 characters.

<ADDR/LEN> – subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

12

Enable service-ips on interface.

esr (config)# interface gigabitethernet 1/0/X

esr (config-if-gi)# service-ips enable


13

Create IPS/IDS security policy.

esr (config)# security ips policy WORD(1-31)

WORD(1-31) – security policy name, set by the string of 1 to 31 characters.

14

Specify the IP address profile that IPS/IDS will protect.

esr(config-ips-policy)# protect network-group <OBJ-GROUP-NETWORK_NAME>

<OBJ-GROUP-NETWORK-NAME> – protected IP addresses profile name, set by the string of up to 32 characters.

15

Enter the vendor configuration section.

esr (config-ips-policy)# vendor kaspersky


16

Connect the required category.

esr (config-ips-vendor)# category WORD(1-64)

Phishing URL Data Feed – Phishing URL data streams

Malicious URL Data Feed – Malicious URL data streams

Botnet C&C URL Data Feed – Botnet C&C URL data streams

Malicious Hash Data Feed – Malicious Hashes data streams

Mobile Malicious Hash Data Feed – mobile Malicious Hashes data streams

IP Reputation Data Feed – IP address data streams

Mobile Botnet Data Feed – mobile Botnet data streams

Ransomware URL Data Feed – Ransomware URL data stream

Botnet C&C URL Exact Data Feed – Botnet C&C URL Exact data stream

Phishing URL Exact Data Feed – Phishing URL Exact data stream

Malicious URL Exact Data Feed – Malicious URL Exact data stream

Iot URL Data Feed – IoT URL data stream

17

Specify rule type.

esr (config-ips-vendor-category)# rules action <ACTION>

<ACTION> – drop | reject | alert | pass – action to be applied to packets.

  • alert – traffic is allowed and the IPS/IDS service generates a message;
  • reject – traffic is prohibited. If it is TCP traffic, a TCP-RESET packet is sent to the sender and recipient, for the rest of the traffic type, an ICMP-ERROR packet is sent. IPS/IDS service generates a message;
  • pass – traffic transfer is permitted;
  • drop – traffic is prohibited and the IPS/IDS service generates a message.

18

Set the number of downloadable rules.

esr (config-ips-vendor-category)# rules count <number>

<number> – number of rules to download from the category.

19

Enable category.

esr (config-ips-vendor-category)# enable


20

Switch to the IPS/IDS configuration mode.

esr (config)# security ips


21

Assign IPS/IDS security policy.

esr(config-ips)# policy <NAME>

<NAME> – security policy name, set by the string of up to 32 characters.

22

Use all ESR resources for IPS/IDS (optional).

esr(config-ips)# perfomance max


23

Set remote server parameters for sending IPS/IDS service statistics in EVE format (elasticsearch) (optional).

esr(config-ips)# logging remote-server { <ADDR> | <IPV6-ADDR> } [ <TRANSPORT> ] [ <PORT> ] [ source-address { <SRC-ADDR> | <IPV6-SRC-ADDR> } ]

<ADDR> – remote server IPv4 address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF];

<TRANSPORT> – data transfer protocol, by default is UDP, takes the following values:

  • TCP – data transfer via TCP;
  • UDP – data transfer via UDP.

<PORT> – TCP/UDP port number of the remote server, takes values of [1..65535], by default is 514;

<SRC-ADDR> – IPv4 address of the router that will be used as the source IP address in the sent syslog packets. By default – the IPv4 address of the interface from which the packets are sent;

<IPV6-SRC-ADDR> – IPv6 address of the router that will be used as the source IP address in the sent syslog packets. By default – the IPv6 address of the interface from which the packets are sent.

24

Set the interval for sending IPS/IDS service statistics in EVE (elasticsearch) format (optional).

esr(config-ips)# logging update-interval <INTERVAL>

<INTERVAL> – IPS/IDS service statistics sending interval, set in minutes.

25

Enable IPS/IDS.

esr(config-ips)# enable


Configuration example

Set the content-provider parameters – this is the address of the Eltex server. There must be network reachability between the content-provider server and the router.

...

Basic configuration algorithm

Step

Description

Command

Keys

1

Define DNS server IP address used for DNS names resolution.

esr(config)# domain name-server <IP>

<IP> – IP address of the DNS server being used, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

2

Enable DNS name resolution on the device.

esr(config)# domain lookup enable


3

Create IPS/IDS security policy.

esr(config)# security ips policy <NAME>

<NAME> – security policy name, set by the string of up to 32 characters.

4

Specify policy description (optional).

esr(config-ips-policy)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

5

Create IP addresses lists which will be used during filtration.

esr (config)# object-group network <WORD>

esr (config-object-group-network)# ip prefix <ADDR/LEN>

<WORD> – server name, set by the string of up to 32 characters.

<ADDR/LEN> – subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

6

Specify the IP address profile that IPS/IDS will protect.

esr(config-ips-policy)# protect network-group <OBJ-GROUP-NETWORK_NAME>

<OBJ-GROUP-NETWORK-NAME> – protected IP addresses profile name, set by the string of up to 32 characters.

7

Specify the profile of IP addresses that are external for IPS/IDS (optional).

esr(config-ips-policy)# external network-group <OBJ-GROUP-NETWORK_NAME>

<OBJ-GROUP-NETWORK-NAME> – external IP addresses profile name, set by the string of up to 32 characters.

8

Create a content filter category profile.

esr(config)# object-group content-filter <NAME>

<NAME> – name of the content filtering profile, specified as a string of up to 31 characters.

9

Set the description of the content filter categories profile (optional).

esr(config-object-group-content-filter)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

10

Set the content filtering category provider.

esr(config-object-group-content-filter)# vendor <CONTENT-FILTER-VENDOR>

<CONTENT-FILTER-VENDOR> – name of the content filtering category provider. In the current version of the software, only Kaspersky Lab can act as a content filtering category provider.

11

Set the necessary categories of content filtering.

esr(config-object-group-cf-kaspersky)# category <CATEGORY>

<CATEGORY> – category name.

12

Switch to the IPS/IDS configuration mode.

esr(config)# security ips


13

Assign IPS/IDS security policy.

esr(config-ips)# policy <NAME>

<NAME> – security policy name, set by the string of up to 32 characters.

14

Use all ESR resources for IPS/IDS (optional).

esr(config-ips)# perfomance max

By default, half of the available processor cores are allocated for IPS/IDS.

15

Set remote server parameters for sending IPS/IDS service statistics in EVE format (elasticsearch) (optional).

esr(config-ips)# logging remote-server { <ADDR> | <IPV6-ADDR> } [ <TRANSPORT> ] [ <PORT> ] [ source-address { <SRC-ADDR> | <IPV6-SRC-ADDR> } ]

<ADDR> – remote server IPv4 address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF];

<TRANSPORT> – data transfer protocol, by default is UDP, takes the following values:

  • TCP – data transfer via TCP;
  • UDP – data transfer via UDP.

<PORT> – TCP/UDP port number of the remote server, takes values of [1..65535], by default is 514;

<SRC-ADDR> – IPv4 address of the router that will be used as the source IP address in the sent syslog packets. By default – the IPv4 address of the interface from which the packets are sent;

<IPV6-SRC-ADDR> – IPv6 address of the router that will be used as the source IP address in the sent syslog packets. By default – the IPv6 address of the interface from which the packets are sent.

16

Set the interval for sending IPS/IDS service statistics in EVE (elasticsearch) format (optional).

esr(config-ips)# logging update-interval <INTERVAL>

<INTERVAL> – IPS/IDS service statistics sending interval, set in minutes.

17

Enable IPS/IDS.

esr(config-ips)# enable


18

Enable IPS/IDS on the interface.

esr(config-if-gi)# service-ips enable


19

Specify a name and enter the configuration mode of the set of user rules.

esr(config)# security ips-category user-defined <WORD>

<WORD> – user rule set name, set by the string of up to 32 characters.

20

Define a description of a set of user rules (optional).

esr(config-ips-category)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

21

Create a rule and switch to its configuration mode.

esr(config-ips-category)# rule <ORDER>

<ORDER> – rule number, takes values of [1..512].

22

Specify rule description (optional).

esr(config-ips-category-rule)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

23

Specify the rule action.

esr(config-ips-category-rule)# action { alert | reject | pass | drop }

  • alert – traffic is allowed and the IPS/IDS service generates a message;
  • reject – traffic is prohibited. If it is TCP traffic, a TCP-RESET packet is sent to the sender and recipient, for the rest of the traffic type, an ICMP-ERROR packet is sent. IPS/IDS service generates a message;
  • pass – traffic transfer is permitted;
  • drop – traffic is prohibited and the IPS/IDS service generates a message.

24

Set the IP protocol to HTTP.

esr(config-ips-category-rule)# protocol http


25

Set sender IP addresses for which the rule should work.

esr(config-ips-category-rule)# source-address { ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> | policy-object-group { protect | external } | any }

<ADDR> – sender IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<ADDR/LEN> – sender IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and LEN takes values of [1..32].

<OBJ_GR_NAME> – name of IP addresses profile that contains sender IP address, set by the string of up to 31 characters.

  • protect – sets sender addresses, protect addresses defined in IPS/IDS policy;
  • external – sets external addresses defined in IPS/IDS policy as sender addresses.

When specifying the 'any' value, the rule will be triggered for any source IP address.

26

Set the profile of source TCP ports for which the rule should work.

esr(config-ips-category-rule)# source-port { any | <PORT> | object-group <OBJ_GR_NAME> }

<PORT> – number of sender TCP/UDP port, takes values of [1..65535].

<OBJ_GR_NAME> – sender TCP/UDP ports profile name, set by the string of up to 31 characters.

When specifying the 'any' value, the rule will work for any sender TCP/UDP port.

27

Set destination IP addresses for which the rule should trigger.

esr(config-ips-category-rule)# destination-address
{ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> |
policy-object-group { protect | external } | any }

<ADDR> – recipient IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<ADDR/LEN> – recipient IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and LEN takes values of [1..32].

<OBJ_GR_NAME> – name of IP addresses profile that contains recipient IP address, set by the string of up to 31 characters.

  • protect – sets recipient addresses, protect addresses defined in IPS/IDS policy;
  • external – sets external addresses defined in IPS/IDS policy as recipient addresses.

When specifying the 'any' value, the rule will work for any recipient IP address.

28

Set the profile of destination TCP ports for which the rule should trigger.

Normally TCP port 80 is used for the HTTP protocol.

If web servers run on non-standard ports, those ports must be specified as well.

esr(config-ips-category-rule)# destination-port { any | <PORT> | object-group <OBJ_GR_NAME> }

<PORT> – number of destination TCP/UDP port, takes values of [1..65535].

<OBJ_GR_NAME> – recipient TCP/UDP ports profile name, set by the string of up to 31 characters.

When specifying the 'any' value, the rule will be triggered for any destination TCP/UDP port.

29

Set traffic direction for which the rule should trigger.

esr(config-ips-category-rule)# direction { one-way | round-trip }

  • one-way – traffic is transmitted in one direction.
  • round-trip – traffic is transmitted in both directions.

30

Define the message that IPS/IDS records to the log when this rule triggers.

esr(config-ips-category-rule)# meta log-message <MESSAGE>

<MESSAGE> – text message specified by a string of up to 129 characters.

31

Assign a content filter category profile.

esr(config-ips-category-rule)# ip http content-filter <NAME>

<NAME> – name of the content filtering profile, specified as a string of up to 31 characters.

any – the rule triggers for HTTP sites of any category.

32

Activate a rule.

esr(config-ips-category-rule)# enable
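The matching semantics of the source-port, destination-address, destination-port and direction keys described in the steps above, as an added Python model that is not ESR code: the object-group names, the policy's protected network, the rule values and the sample flows are constructed, and treating round-trip as also matching the reply direction of a flow is an assumption made here.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for ESR object groups and the IPS/IDS policy's
# "protect network-group" (hypothetical names, not taken from the manual).
OBJECT_GROUPS_NETWORK = {"LAN": ["192.168.1.0/24"]}
OBJECT_GROUPS_SERVICE = {"WEB-PORTS": [80, 8080, 8443]}
POLICY = {"protect": ["192.168.1.0/24"]}   # 'external' = anything not protected


@dataclass
class Rule:
    """One IPS/IDS category rule with the keys from the table above."""
    source_port: str = "any"            # 'any', '<PORT>' or 'object-group <NAME>'
    destination_address: str = "any"    # 'any', 'ip <ADDR>', 'ip-prefix <ADDR/LEN>',
                                        # 'object-group <NAME>' or
                                        # 'policy-object-group protect|external'
    destination_port: str = "any"
    direction: str = "one-way"          # 'one-way' or 'round-trip'
    log_message: str = ""
    enabled: bool = False               # set by the 'enable' command


def port_matches(spec, port):
    """Evaluate a source-port / destination-port key against a port number."""
    if spec == "any":
        return True
    if spec.startswith("object-group "):
        return port in OBJECT_GROUPS_SERVICE[spec.split(" ", 1)[1]]
    return port == int(spec)


def address_matches(spec, addr):
    """Evaluate a destination-address key against an IP address string."""
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    kind, value = spec.split(" ", 1)
    if kind == "ip":
        return ip == ipaddress.ip_address(value)
    if kind == "ip-prefix":
        return ip in ipaddress.ip_network(value, strict=False)
    if kind == "object-group":
        return any(ip in ipaddress.ip_network(n, strict=False)
                   for n in OBJECT_GROUPS_NETWORK[value])
    if kind == "policy-object-group":
        protected = any(ip in ipaddress.ip_network(n, strict=False)
                        for n in POLICY["protect"])
        return protected if value == "protect" else not protected
    raise ValueError(f"unknown destination-address form: {spec}")


def one_way_match(rule, src_ip, src_port, dst_ip, dst_port):
    return (port_matches(rule.source_port, src_port)
            and address_matches(rule.destination_address, dst_ip)
            and port_matches(rule.destination_port, dst_port))


def rule_triggers(rule, src_ip, src_port, dst_ip, dst_port):
    """Return the rule's log message if it fires for this flow, else None."""
    if not rule.enabled:
        return None
    hit = one_way_match(rule, src_ip, src_port, dst_ip, dst_port)
    # Assumption: 'round-trip' also matches the reply direction of the same flow.
    if not hit and rule.direction == "round-trip":
        hit = one_way_match(rule, dst_ip, dst_port, src_ip, src_port)
    return rule.log_message if hit else None


# Constructed rule mirroring the page's example: any source port, any
# destination port, recipients outside the protected network, both directions.
SAMPLE_RULE = Rule(source_port="any",
                   destination_address="policy-object-group external",
                   destination_port="any",
                   direction="round-trip",
                   log_message="Web access from LAN to external site",
                   enabled=True)

if __name__ == "__main__":
    # LAN client -> external web server (constructed addresses)
    print(rule_triggers(SAMPLE_RULE, "192.168.1.10", 51000, "203.0.113.5", 80))
    # LAN client -> LAN server: recipient is protected, so the rule stays silent
    print(rule_triggers(SAMPLE_RULE, "192.168.1.10", 51000, "192.168.1.20", 80))
```

A rule that is created but never given the enable command returns None for every flow, which is why the activation step at the end of the table matters when a rule appears not to fire.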


Content filtering rules configuration example

...

esr(config)# security ips policy OFFICE
esr(config-ips-policy)# description "My Policy"
esr(config-ips-policy)# protect network-group LAN

Allow IPS/IDS operation on the bridge gigabitethernet 1/0/2 interface:

...

esr(config-ips-category-rule)# source-port any

...

Since HTTP normally uses TCP destination port 80, but Internet sites can also run on non-standard ports, we specify any:

...

Basic configuration algorithm

Step

Description

Command

Keys

1

Configure router network name.

esr(config)# hostname <NAME>

<NAME> – up to 64 characters.

2

Assign domain name for the router.

esr(config)# domain name <NAME>

<NAME> – up to 255 characters.

3

Assign DNS server IP address used for DNS names resolution.

esr(config)# domain name-server <IP>

<IP> – in the format of AAA.BBB.CCC.DDD, where each part takes values from 0 to 255.

4

Enable DNS name resolution.

esr(config)# domain lookup enable


5

Create an Antispam service profile.

esr(config)# security antispam profile <NAME>

<NAME> – up to 31 characters.

6

Set the description of the Antispam service profile (optional).

esr(config-antispam-profile)# description <DESCRIPTION>

<DESCRIPTION> – up to 255 characters.

7

Set the marking type for e-mails that the Antispam service classifies as 'Spam'.

esr(config-antispam-profile)# mark-type <MARK-TYPE>

<MARK-TYPE> – the marking type of an email categorized as 'Spam'. Possible values:

  • header – add the X-Spam header to email headers;
  • subject – add the [SPAM] tag before the subject of the email.

8

Create a profile of mail domains and mailbox addresses (optional).

esr(config)# object-group email <NAME>

<NAME> – up to 31 characters.

9

Set the description of the profile of mail domains and mailbox addresses (optional).

esr(config-object-group-email)# description <DESCRIPTION>

<DESCRIPTION> – up to 255 characters.

10

Add a mail domain or mailbox address to the profile (optional).

esr(config-object-group-email)# email <NAME>

<NAME> – up to 63 characters.

11

Create a rule in the Antispam service profile (optional).

esr(config-antispam-profile)# rule <ORDER>

<ORDER> – rule number, takes values from 1 to 100.

12

Set the description of the Antispam service profile rule (optional).

esr(config-antispam-profile)# description <DESCRIPTION>

<DESCRIPTION> – up to 255 characters.

13

Specify the profile of sender IP addresses for which the rule should work (optional).

esr(config-antispam-profile-rule)# sender ip <NAME>

<NAME> – up to 31 characters.

14

Set the profile of mail domains and mailbox addresses for which the rule should trigger (optional).

esr(config-antispam-profile-rule)# sender email <NAME>

<NAME> – up to 31 characters.

15

Specify the action for the rule.

esr(config-antispam-profile-rule)# action <ACTION>

<ACTION> – assigned action. Possible values:

  • reject – further delivery of the e-mail is prohibited and an error reply is sent to the sender.

16

Enable a rule in the Antispam service profile (optional).

esr(config-antispam-profile-rule)# enable


17

Create mail domain.

esr(config)# mailserver domain <DOMAIN-NAME>

<DOMAIN-NAME> – up to 31 characters.

18

Set the description of the email domain (optional).

esr(config-mailserver-domain)# description <DESCRIPTION>

<DESCRIPTION> – up to 255 characters.

19

Set the name of the email domain to be served.

esr(config-mailserver-domain)# mail domain <NAME>

<NAME> – up to 63 characters.

20

Set the IP address of the mail server for which the Antispam service on ESR acts as SMTP Proxy.

esr(config-mailserver-domain)# mail server ip <ADDR>

<ADDR> – in the format of AAA.BBB.CCC.DDD, where each part takes values from 0 to 255.

21

Set the Antispam service profile, the settings of which will be applied to the current email domain.

esr(config-mailserver-domain)# profile antispam <NAME>

<NAME> – up to 63 characters.

22

Enable mail domain.

esr(config-mailserver-domain)# enable


23

Proceed to the mail server configuration.

esr(config)# mailserver


24

Set the name of the email domain.

esr(config-mailserver)# domain <NAME>

<NAME> – up to 63 characters.

25

Specify certificates and keys for the TLS protocol (optional).

esr(config-mailserver)# tls keyfile <TYPE> <NAME>

<TYPE> – type of certificate or key file. Possible values:

  • ca – certificate authority;
  • server-key – private server key;
  • server-crt – public server certificate;
  • dh – Diffie-Hellman key.

<NAME> – certificate file name, set by the string of up to 31 characters. 

26

Enable TLS support on the mail server (optional). If TLS is enabled, the configuration must include a preset CA certificate, server private key and public server certificate.

esr(config-mailserver)# tls enable


27

Set the maximum size of email headers in KB (optional).

esr(config-mailserver)# headers max-size <SIZE>

<SIZE> – the maximum size of email headers in KB, takes values from 50 to 200.

28

Set the maximum email size in KB (optional).

esr(config-mailserver)# mail max-size <SIZE>

<SIZE> – the maximum email size in KB, takes values from 5120 to 51200.

29

Require the HELO or EHLO SMTP command when establishing an SMTP session (optional).

esr(config-mailserver)# smtp helo-required


30

Enable the VRFY SMTP command on the mail server during an SMTP session (optional).

esr(config-mailserver)# smtp vrfy-enable


31

Enable mail server.

esr(config-mailserver)# enable
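The effect of the mark-type, mail max-size, smtp helo-required and smtp vrfy-enable settings from the table above on an SMTP session, as an added Python model that is not the ESR implementation: the reply texts follow RFC 5321 conventions, while the X-Spam header value, the class and function names and the sample session are constructed assumptions.

```python
import email
from email import policy as email_policy


class MailServerSettings:
    """Constructed model of the mail server settings from the table above."""
    def __init__(self, helo_required=False, vrfy_enabled=False,
                 mail_max_size_kb=5120, mark_type="header"):
        self.helo_required = helo_required      # smtp helo-required
        self.vrfy_enabled = vrfy_enabled        # smtp vrfy-enable
        self.mail_max_size_kb = mail_max_size_kb  # mail max-size <SIZE>
        self.mark_type = mark_type              # mark-type header|subject


class SmtpSession:
    """One client connection. handle() returns the reply for a command line,
    or None while message body lines are being collected after DATA."""
    def __init__(self, settings):
        self.s = settings
        self.greeted = False
        self.mail_from = None
        self.rcpt_to = []
        self.in_data = False
        self.body = []
        self.accepted = []          # raw messages accepted for delivery

    def handle(self, line):
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        # helo-required: refuse the mail transaction until the client greets.
        if self.s.helo_required and not self.greeted:
            return "503 Error: send HELO/EHLO first"
        if verb == "VRFY":
            # With vrfy-enable off the command is refused outright, so mailbox
            # existence cannot be queried; RFC 5321 permits a non-committal 252.
            return ("252 Cannot VRFY user, but will accept message"
                    if self.s.vrfy_enabled else "502 Command not implemented")
        if verb == "MAIL":
            self.mail_from = arg
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Error: need MAIL command"
            self.rcpt_to.append(arg)
            return "250 OK"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 Command unrecognized"

    def _data_line(self, line):
        if line != ".":
            self.body.append(line)
            return None
        self.in_data = False
        raw = ("\r\n".join(self.body) + "\r\n").encode()
        self.body = []
        # mail max-size: reject the message once its full size is known.
        if len(raw) > self.s.mail_max_size_kb * 1024:
            return "552 Message size exceeds fixed maximum message size"
        self.accepted.append(raw)
        return "250 OK: queued"


def mark_as_spam(raw, mark_type):
    """Apply the mark-type action to a raw RFC 5322 message and return it."""
    msg = email.message_from_bytes(raw, policy=email_policy.default)
    if mark_type == "header":
        msg["X-Spam"] = "Yes"          # header value is an assumption, not from the manual
    elif mark_type == "subject":
        subject = msg["Subject"] or ""
        del msg["Subject"]
        msg["Subject"] = "[SPAM] " + subject
    else:
        raise ValueError("mark-type must be 'header' or 'subject'")
    return msg.as_bytes()


def header_value(raw, name):
    """Read one header from a raw message (used to inspect marking results)."""
    return email.message_from_bytes(raw, policy=email_policy.default)[name]


def run_session(settings, commands):
    """Feed command lines to a fresh session; return (replies, accepted messages)."""
    sess = SmtpSession(settings)
    replies = [r for r in (sess.handle(c) for c in commands) if r is not None]
    return replies, sess.accepted


# Constructed sample session using documentation-only addresses.
SAMPLE_COMMANDS = ["EHLO client.example.net", "MAIL FROM:<alice@example.net>",
                   "RCPT TO:<bob@example.com>", "DATA", "From: alice@example.net",
                   "To: bob@example.com", "Subject: Invoice", "", "Please pay.", ".", "QUIT"]

if __name__ == "__main__":
    strict = MailServerSettings(helo_required=True, vrfy_enabled=False, mark_type="subject")
    replies, accepted = run_session(strict, SAMPLE_COMMANDS)
    print(replies)
    print(mark_as_spam(accepted[0], strict.mark_type).decode())
```

With helo-required on, a client that opens with MAIL FROM receives 503 until it greets, and with vrfy-enable off every VRFY gets 502, which is the usual reason to leave the command disabled on a proxy that fronts an internal mail server.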


Configuration example

Objective:

...

esr@eltex:~$ dig +noall +answer eltex-co.ru MX
eltex-co.ru.	3548	IN	MX	10 mail-gate.eltex-co.ru.
esr@eltex:~$ dig +noall +answer mail-gate.eltex-co.ru A
mail-gate.eltex-co.ru. 3453	IN	A	95.171.220.11

...

Configure the network interfaces:

...