2.8.10.4.2 Description

SNMP ID: 2.8.10.4.2

Telnet path: /Setup/IP-Router/Firewall/Actions

In the actions table, firewall actions are combined as any combination of conditions, limits, packet actions and other measures.

Possible values:

A firewall action consists of a condition, a limit, a packet action and other measures. In the actions table, a firewall action is made up of any combination of the following elements.

Conditions

Table 1. Conditions for firewall actions

| Condition | Description | Object-ID |
| --- | --- | --- |
| Connect filter | The filter is active if there is no physical connection to the destination of the packet | @c |
| DiffServ filter | The filter is active if the packet contains the specified Differentiated Services Code Point (DSCP) | @d |
| Internet-Filter | The filter is active if the packet was received, or is to be sent, via the default route | @i |
| VPN-Filter | The filter is active if the packet was received, or is to be sent, via a VPN connection | @v |

Note: If no further action is specified for the “Connect” or “Internet” filter, a combination of these filters is implicitly adopted with the “Reject” action.

Limits

Each firewall action can be associated with a limit, which triggers the action if it is exceeded. Action chains can be formed by combining multiple limits for a filter. Limit objects are always introduced by %l, followed by the qualifiers listed in the table below.

The following limits are available:

Table 2. Limits for firewall actions

| Limit | Description | Object-ID |
| --- | --- | --- |
| Data (abs) | Absolute number of kilobytes over the connection, after which the action is performed | %lcd |
| Data (rel) | Number of kilobytes per second, minute, or hour over the connection, after which the action is performed | %lcds, %lcdm, %lcdh |
| Packet (abs) | Absolute number of packets over the connection, after which the action is performed | %lcp |
| Packet (rel) | Number of packets per second, minute, or hour over the connection, after which the action is performed | %lcps, %lcpm, %lcph |
| Global data (abs) | Absolute number of kilobytes sent to or received from the destination computer, after which the action is performed | %lgd |
| Global data (rel) | Number of kilobytes per second, minute, or hour sent to or received from the destination computer, after which the action is performed | %lgds, %lgdm, %lgdh |
| Global packet (abs) | Absolute number of packets sent to or received from the destination computer, after which the action is performed | %lgp |
| Global packet (rel) | Number of packets per second, minute, or hour sent to or received from the destination computer, after which the action is performed | %lgps, %lgpm, %lgph |
| Receive option | Limit applies to the receive direction only (in combination with the above limits). Examples are given in the Object-ID column | %lgdsr, %lcdsr |
| Transmit option | Limit applies to the transmit direction only (in combination with the above limits). Examples are given in the Object-ID column | %lgdst, %lcdst |

Note: If an action is specified without a limit, a packet limit is used that is immediately exceeded by the first packet.

Quality-of-Service-Objects

Another limit object is the Quality-of-service object (or QoS object) that allows you to define a minimum throughput or a minimum bandwidth, either per connection or globally. It is possible to specify any of the limits that apply to the normal limit objects, such as connection-related or global minimums, absolute or time-dependent (relative) minimums, and packet- or data-related minimums. The same conventions apply as for the limit objects.

QoS objects are invoked by the token %q, and they are only different from limit objects in that they initially have an implicit "accept" action, i.e. after the threshold has been exceeded the packets that follow are still accepted.
  • All packets that pass through a filter with a QoS object are transmitted preferentially by the device (corresponding to a 'low delay' flag set in the TOS field of the IP header) as long as the quantity of transmitted packets or data is less than the specified threshold.
  • If the threshold is exceeded, the actions behind the QoS object are executed. This combination of QoS and limit objects can be used to set a minimum and maximum bandwidth for a service.

For example, the description below results in a minimum bandwidth of 32 kbps per connection and a maximum bandwidth of 256 kbps for all connections:

%a %qcds32%a %lgds256%d

In this case the accept action need not be specified explicitly, either as the main action or as the triggered action, and the description can be abbreviated as follows:

%qcds32 %lgds256%d

If the minimum and maximum bandwidths of a channel should be the same, then the drop action can be specified directly in the QoS object (abbreviated notation):

%qcds32%d

In this case, a minimum bandwidth of 32 kbps is reserved and, at the same time, all packets that are to be transmitted above this bandwidth are dropped. This formulation is thus synonymous with %a %qcds32%a %lgds32%d.

The following objects are available:

Table 3. QoS objects for firewall actions

| QoS object | Description | Object-ID |
| --- | --- | --- |
| Reserve minimum and maximum bandwidth | Reserves the specified bandwidth according to the other parameters, either globally or per connection | %q |
| Force minimum or maximum bandwidth | Forces the specified bandwidth. If the requested bandwidth is unavailable, the device refuses the connection. | %qf |

Packet actions

Table 4. Packet actions for firewall actions

| Packet action | Description | Object-ID |
| --- | --- | --- |
| Accept | The packet is accepted. | %a |
| Reject | The packet is rejected with a corresponding error message. | %r |
| Drop | The packet is dropped silently. | %d |
| External check | The packet is passed to another module for an external check. %x is followed by the identifier of the module performing the check. Possible values: %xc for the content filter, followed by a previously defined content-filter profile, e.g. %xcCF-BASIC-PROFILE. | %x |

Note: These packet actions can be combined with one another in any way. For nonsensical or ambiguous combinations (such as Accept + Drop), the more secure action is taken (“Drop” in this example).

Other measures

Apart from packet actions, the firewall can perform other actions once the limits have been reached. For example, the firewall can send notifications over various channels, or block ports or hosts for a certain period.

The following measures are available:

Table 5. Other measures for firewall actions

| Countermeasure | Description | Object-ID |
| --- | --- | --- |
| Syslog | Provides a detailed message via Syslog. | %s |
| E-mail | Sends an e-mail to the administrator. | %m |
| SNMP | Sends an SNMP trap. | %n |
| Close port | Closes the destination port of the packet for a configurable time. | %p |
| Deny host | Blocks the sender address of the packet for a configurable time. | %h |
| Disconnect | Disconnects the physical connection to the remote site over which the packet was received or is to be sent. | %t |
| Zero-limit | Resets the limit counter (see below) to 0 when the trigger threshold is exceeded. | %z |
| Fragmentation | Forces the fragmentation of all packets not matching the rule. | %f |

Note: When the “Close port” action is run, an entry is made in a block list, and all packets sent to the respective computer and port are dropped. For the “Close port” object, a block time in seconds, minutes or hours can be specified. It is noted directly after the object ID and consists of the identifier for the time unit (h, m, s for hour, minute, second) followed by the actual time value. For example, %pm10 blocks the port for 10 minutes. Minutes are used as the unit if no time unit is specified (%p10 is therefore equivalent to %pm10).

Note: If the “Deny host” action is run, the sender of the packet is entered into a block list. From this moment on, all packets received from the blocked computer are dropped. The “Deny host” object can also be given a block time, formed as described for the “Close port” option.

Note: The “Fragmentation” action can be applied directionally (e.g. %ft512 fragments transmitted packets and %fr512 fragments received packets to 512 bytes) or, instead of hard fragmentation, it can reduce the PMTU only (%fp512 reduces the PMTU to 512 bytes). The PMTU reduction can also be defined per direction (%fpt512, %fpr512). The “Fragmentation” action applies at all times, irrespective of whether a limit has been exceeded or not.

Default: Blank
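The action notation described above, parsed as an added example (written for this page, not code from the device vendor): the tokenizer follows the object IDs in Tables 1 to 5 and the defaults stated in the notes (implicit accept for QoS objects and for a missing main action, minutes as the default block-time unit). The field names `scope`, `count` and `per` are my own labels, and the DiffServ filter is recognised as a bare @d because this page does not give the notation for its DSCP value.

```python
import re
# Tokenizer for the object IDs described on this page; the last branch catches anything unknown.
TOKEN_RE = re.compile(r"""
    (?P<cond>@[cdiv])
  | %(?P<thr>l|qf|q)(?P<scope>[cg])(?P<kind>[dp])(?P<unit>[smh])?(?P<dir>[rt])?(?P<val>\d+)
  | %x(?P<xmod>[a-z])(?P<xname>[A-Za-z0-9_-]+)
  | %(?P<block>[ph])(?P<bunit>[hms])?(?P<bval>\d+)?
  | %f(?P<fmode>pt|pr|p|t|r)?(?P<fsize>\d+)?
  | %(?P<single>[ardsmntz])
  | (?P<bad>.)
""", re.VERBOSE)
PER = {None: "absolute", "s": "second", "m": "minute", "h": "hour"}
ACCEPT = {"type": "action", "id": "%a", "module": None, "profile": None}   # the implicit accept

def describe(m):
    d, tok = m.groupdict(), m.group(0)
    if d["bad"]:
        raise ValueError(f"unknown object ID at {m.string[m.start():]!r}")
    if tok[0] == "@":
        return {"type": "condition", "id": tok}
    if d["thr"]:   # limit (%l) or QoS object (%q / %qf): scope, what is counted, unit, direction
        return {"type": {"l": "limit", "q": "qos", "qf": "qos_force"}[d["thr"]], "per": PER[d["unit"]],
                "scope": "global" if d["scope"] == "g" else "connection", "direction": d["dir"],
                "count": "kilobytes" if d["kind"] == "d" else "packets", "threshold": int(d["val"])}
    if tok[1] in "xard":   # packet actions; %x carries the module letter and the profile name
        return {"type": "action", "id": tok[:2], "module": d["xmod"], "profile": d["xname"]}
    if tok[1] in "ph":     # block-list entries; the block time defaults to minutes (%p10 == %pm10)
        return {"type": "measure", "id": tok[:2], "unit": d["bunit"] or "m",
                "time": int(d["bval"]) if d["bval"] else None}
    if tok[1] == "f":      # fragmentation or PMTU reduction (p), optionally per direction (t/r)
        return {"type": "measure", "id": "%f", "mode": d["fmode"],
                "size": int(d["fsize"]) if d["fsize"] else None}
    return {"type": "measure", "id": tok}

def parse_action(text):
    """Split an actions-table entry into conditions, main action and triggered chains."""
    out = {"conditions": [], "main": [], "triggers": []}
    for group in text.split():   # whitespace separates one limit/QoS chain from the next
        objs = [describe(m) for m in TOKEN_RE.finditer(group)]
        if objs[0]["type"] in ("limit", "qos", "qos_force"):
            actions = objs[1:]
            if objs[0]["type"] != "limit" and not any(o["type"] == "action" for o in actions):
                actions.append(dict(ACCEPT))   # QoS objects accept once the threshold is exceeded
            out["triggers"].append({"object": objs[0], "actions": actions})
        else:
            for o in objs:
                out["conditions" if o["type"] == "condition" else "main"].append(o)
    if not any(o["type"] == "action" for o in out["main"]):
        out["main"].insert(0, dict(ACCEPT))   # the main action defaults to accept
    return out
```

Parsing the long and the abbreviated form of the 32/256 kbps example from the text yields the same structure, which is a quick check that a hand-written entry means what was intended.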