SNMP ID: 2.8.10.4.2
Telnet path: /Setup/IP-Router/Firewall/Actions
In the actions table, firewall actions are combined as any combination of conditions, limits, packet actions and other measures.
Possible values:
A firewall action comprises a condition, a limit, a packet action and other measures. In the actions table, firewall actions are made up of combinations of any of the following elements.
Conditions
Condition | Description | Object-ID |
---|---|---|
Connect filter | The filter is active if there is no physical connection to the destination of the packet | @c |
DiffServ filter | The filter is active if the packet contains the specified Differentiated Services Code Point (DSCP) | @d |
Internet-Filter | The filter is active if the packet was received, or is to be sent, via the default route | @i |
VPN-Filter | The filter is active if the packet was received, or is to be sent, via a VPN connection | @v |
Limits
Each firewall action can be associated with a limit, which triggers the action if it is exceeded. Action chains can be formed by combining multiple limits for a filter. Limit objects are generally initiated with %L, followed by:
- Relation: connection-related (c) or global (g)
- Type: Data rate (d), number of packets (p), or packet rate (b)
- Limit value
- Other parameters (e.g., time and size)
The following limits are available:
Limit | Description | Object-ID |
---|---|---|
Data (abs) | Absolute number of kilobytes over the connection, after which the action is performed | %lcd |
Data (rel) | Number of kilobytes per second, minute, or hour over the connection, after which the action is performed | %lcds, %lcdm, %lcdh |
Packet (abs) | Absolute number of packets over the connection, after which the action is performed | %lcp |
Packet (rel) | Number of packets per second, minute, or hour over the connection, after which the action is performed | %lcps, %lcpm, %lcph |
Global data (abs) | Absolute number of kilobytes sent to or received from the destination computer, after which the action is performed | %lgd |
Global data (rel) | Number of kilobytes per second, minute, or hour sent to or received from the destination computer, after which the action is performed | %lgds, %lgdm, %lgdh |
Global packet (abs) | Absolute number of packets sent to or received from the destination computer, after which the action is performed | %lgp |
Global packet (rel) | Number of packets per second, minute, or hour sent to or received from the destination computer, after which the action is performed | %lgps, %lgpm, %lgph |
Receive option | Limit applies to the receive direction only (in combination with the above limitations). Examples are given in the object ID column | %lgdsr, %lcdsr |
Transmit option | Limit applies to the transmit direction only (in combination with the above limitations). Examples are given in the object ID column | %lgdst, %lcdst |
Quality-of-Service objects
Another limit object is the Quality-of-service object (or QoS object) that allows you to define a minimum throughput or a minimum bandwidth, either per connection or globally. It is possible to specify any of the limits that apply to the normal limit objects, such as connection-related or global minimums, absolute or time-dependent (relative) minimums, and packet- or data-related minimums. The same conventions apply as for the limit objects.
- All packets that pass through a filter with a QoS object are transmitted preferentially by the device (corresponding to a 'low delay' flag set in the TOS field of the IP header) as long as the quantity of transmitted packets or data is less than the specified threshold.
- If the threshold is exceeded, the actions behind the QoS object are executed. This combination of QoS and limit objects can be used to set a minimum and maximum bandwidth for a service.
For example, the description below results in a minimum bandwidth of 32 kbps per connection and a maximum bandwidth of 256 kbps for all connections:
%a %qcds32%a %lgds256%d
In this case the accept action need not be specified explicitly, either as the main action or as the triggered action, and the description can be abbreviated as follows:
%qcds32 %lgds256%d
If the minimum and maximum bandwidths of a channel should be the same, then the drop action can be specified directly in the QoS object (abbreviated notation):
%qcds32%d
In this case, a minimum bandwidth of 32 kbps is reserved and, at the same time, all packets that are to be transmitted above this bandwidth are dropped. This formulation is thus synonymous with %a %qcds32%a %lgds32%d.
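As an added example (not LCOS code), the following Python parser decomposes an action string into the condition, limit/QoS, packet-action and measure objects listed on this page, and spells out the two abbreviations from the worked example above: the omitted accept actions and the drop placed directly in the QoS object. The token layout %l<relation><type>[unit]<value>[direction] (e.g. %lgds256, %lgds100r) is an assumption drawn from the page's examples, as is the exact position of the r/t direction suffix.

```python
import re

# Vocabulary from this page's tables; the token layout %l<rel><type>[unit]<value>[dir]
# (e.g. %lgds256, %lgds100r) is an assumption drawn from the page's examples.
COND = {"@c": "connect filter", "@d": "DiffServ filter", "@i": "Internet filter", "@v": "VPN filter"}
ACTION = {"%a": "accept", "%r": "reject", "%d": "drop"}
MEASURE = {"%s": "syslog", "%m": "e-mail", "%n": "SNMP trap", "%p": "close port",
           "%h": "deny host", "%t": "disconnect", "%z": "zero limit", "%f": "fragmentation"}
LIMIT_RE = re.compile(r"%(l|qf?)([cg])([dpb])([smh]?)(\d+)([rt]?)")
TOKEN_RE = re.compile(r"@[cdiv]|%(?:l|qf?)[cg][dpb][smh]?\d+[rt]?|%x\w*|%[ardsmnphtzf]")

def parse_group(group):
    """Decompose one space-separated group (limit/QoS object plus what it triggers)."""
    tokens = TOKEN_RE.findall(group)
    if "".join(tokens) != group:          # reject anything the grammar does not cover
        raise ValueError(f"unrecognised object in {group!r}")
    g = {"conditions": [], "limit": None, "actions": [], "measures": []}
    for tok in tokens:
        m = LIMIT_RE.fullmatch(tok)
        if tok in COND:
            g["conditions"].append(COND[tok])
        elif m:
            kind, rel, typ, unit, value, dirn = m.groups()
            g["limit"] = {"kind": {"l": "limit", "q": "qos", "qf": "qos-force"}[kind],
                          "scope": "connection" if rel == "c" else "global", "value": int(value),
                          "type": {"d": "data", "p": "packets", "b": "packet rate"}[typ],
                          "per": {"": "absolute", "s": "second", "m": "minute", "h": "hour"}[unit],
                          "direction": {"": "both", "r": "receive", "t": "transmit"}[dirn]}
        elif tok in ACTION or tok.startswith("%x"):
            g["actions"].append(ACTION.get(tok, "external check " + tok[2:]))
        else:
            g["measures"].append(MEASURE[tok])
    return g

def parse(action_string):
    return [parse_group(grp) for grp in action_string.split()]

def canonical(action_string):
    """Make the implicit accept actions explicit and expand a drop placed directly in a QoS object."""
    groups = action_string.split()
    out = ["%a"] if groups and LIMIT_RE.search(groups[0]) else []   # implicit main action
    for grp in groups:
        m = LIMIT_RE.search(grp)
        tail = grp[m.end():] if m else ""   # the actions triggered by this limit/QoS object
        if m and m.group(1) == "q" and "%d" in tail:   # %qcds32%d -> %qcds32%a %lgds32%d
            out += [grp[:m.end()] + "%a", "%lg" + "".join(m.group(3, 4, 5)) + "%d"]
        elif m and not any(a in tail for a in ACTION):   # no triggered action given: accept
            out.append(grp[:m.end()] + "%a" + tail)
        else:
            out.append(grp)
    return " ".join(out)
```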
The following objects are available:
QoS object | Description | Object-ID |
---|---|---|
Reserve minimum and maximum bandwidth | Reserves the specified bandwidth according to the other parameters, either globally or per connection | %q |
Force minimum or maximum bandwidth | Forces the specified bandwidth. If the requested bandwidth is unavailable, the device refuses the connection. | %qf |
Packet actions
Packet action | Description | Object-ID |
---|---|---|
Accept | The packet is accepted. | %a |
Reject | The packet is rejected with a corresponding error message. | %r |
Drop | The packet is dropped silently. | %d |
External check | The packet is passed to another module for an external check. The %x is followed by the identifier of the module performing the check. | %x |
Other measures
Apart from packet actions, the firewall can perform other actions once the limits have been reached. For example, the firewall can send notifications over various channels, or block ports or hosts for a certain period.
The following measures are available:
Countermeasures | Description | Object-ID |
---|---|---|
Syslog | Provides a detailed message via Syslog. | %s |
E-mail | Sends an e-mail to the administrator. | %m |
SNMP | Sends an SNMP trap. | %n |
Close port | Closes the destination port of the packet for a configurable time | %p |
Deny host | Blocks the sender address of the packet for a configurable time | %h |
Disconnect | Disconnects the physical connection to the remote site over which the packet was received or is to be sent. | %t |
Zero-limit | Resets the limit counter (see below) to 0 when the trigger threshold is exceeded | %z |
Fragmentation | Forces the fragmentation of all packets not matching the rule. | %f |
Default: Blank