A10 4.1.1-P11 DCFW


ACOS 4.1.1-P11
Data Center and Gi/SGi Firewall Configuration Guide
for A10 Thunder® Series and AX™ Series
29 May 2019
© 2019 A10 NETWORKS, INC. CONFIDENTIAL AND PROPRIETARY- ALL RIGHTS RESERVED
Information in this document is subject to change without notice.

PATENT PROTECTION
A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual patent marking provisions of various jurisdictions including the virtual patent marking provisions of the America Invents Act. A10 Networks' products, including all Thunder Series products, are protected by one or more of U.S. patents and patents pending listed at:

https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking

TRADEMARKS
A10 Networks trademarks are listed at:

https://www.a10networks.com/company/legal-notices/a10-trademarks

CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc.

A10 NETWORKS INC. SOFTWARE LICENSE AND END USER AGREEMENT


Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat Software as confidential information.

Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later in
this document or available separately. Customer shall not:

1. Reverse engineer, reverse compile, reverse de-assemble, or otherwise translate the Software by any
means.
2. Sub-license, rent, or lease the Software.

DISCLAIMER
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and services are subject to A10 Networks’ standard terms and conditions.

ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.

FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks location, which can be found by visiting www.a10networks.com.
Table of Contents

Configuring the Firewall .............................................................................................................. 7


Overview of the Stateful Firewall...........................................................................................7
Firewall Benefits ............................................................................................................................................8
Benefits of Standalone FW ..................................................................................................................8
Benefits of DCFW ...................................................................................................................................8
Benefits of Gi/SGi-FW ...........................................................................................................................9
Hardware-related Benefits of A10 Thunder Firewall ......................................................................9
Firewall Features ...........................................................................................................................................9
Firewall Features (General) ............................................................................................................... 10
DCFW Features ................................................................................................................................... 10
Gi/SGi-FW Features ............................................................................................................................ 10
Supported CGN Technologies for Gi/SGi-FW ...................................................................................... 11
Known Issues and Limitations ................................................................................................................ 12
Known Issues for Standalone FW ................................................................................................... 12
Known Issues for DCFW .................................................................................................................... 12
Known Issues for Gi/SGi-FW ............................................................................................................ 12
Firewall Functionality ...........................................................................................................13
How the Firewall Works ............................................................................................................................ 13
Firewall Traffic Flow .................................................................................................................................. 14
Configuration Elements .......................................................................................................15
Composition of the Firewall rule-set ...................................................................................................... 16
Rule-set ........................................................................................................................................................ 17
Rules ............................................................................................................................................................. 19
Match Criteria ............................................................................................................................................. 20
Actions ......................................................................................................................................................... 22
TCP Window Checks ............................................................................................................23
Security Zones......................................................................................................................25
Configuring Application Layer Gateway..............................................................................26
Hairpinning Support .............................................................................................................28
Firewall Statistics .................................................................................................................29
Support for High Availability with VRRP-A..........................................................................29

Firewall Rule-Sets for Gi/SGi-FW ................................................................................................ 31


Overview................................................................................................................................31
Processing Rules..................................................................................................................32
Sample Configurations ............................................................................................................................. 32
Action Permit ....................................................................................................................................... 32
Application CGNv6 .............................................................................................................................. 33

page 3
ACOS 4.1.1-P11 Data Center and Gi/SGi Firewall Configuration Guide
Contents

Application CGNv6 LSN-LID .............................................................................................................. 33


Application CGNV6 LSN-LID Conflicting Rules ............................................................................. 34
Application CGNv6 Fixed NAT .......................................................................................................... 35
Application CGNv6 Fixed NAT and lsn-lid Conflict ....................................................................... 35
Application Forward .................................................................................................................................. 36

Firewall Logging ......................................................................................................................... 39


Overview................................................................................................................................39
Configuring the External Logging Server .............................................................................................. 40
Where Firewall Logs Are Sent ................................................................................................................. 40
System Logging Host Configuration ..................................................................................................... 40
Firewall Logging Elements ....................................................................................................................... 41
Firewall Logging Partition Availability .................................................................................................... 41
Firewall Logging Template ....................................................................................................................... 41
Binding Firewall Logging Template Globally ........................................................................................ 42
HTTP Logging Support ............................................................................................................................. 42
How HTTP Logging Works ................................................................................................................ 42
Configuration ....................................................................................................................................... 42
Configuring Firewall Logging ...............................................................................................44
Sample Firewall Configuration ............................................................................................44
Sample Firewall Log Messages ...........................................................................................46
Session Open Log ...................................................................................................................................... 46
Session Close Log ..................................................................................................................................... 46
Deny Log ...................................................................................................................................................... 46
Choosing CEF or ASCII Format ............................................................................................47
CEF-formatted Log Messages ................................................................................................................ 47
ASCII-formatted Log Messages .............................................................................................................. 52

Configuring RADIUS Support for Firewall .................................................................................. 55


Framed IPv6 Prefix Support in RADIUS Table ....................................................................55
Supported Topologies ............................................................................................................................... 56
Firewall Only Partition ............................................................................................................................... 56
CGN and Firewall Partition ...................................................................................................................... 57

Deploying Data Center Firewall .................................................................................................. 59


Sample Topology for DCFW .................................................................................................60
DC Firewall Configuration with SLB Deployment ...............................................................61
Show Running Config for DCFW ..........................................................................................72

Deploying Gi/SGi-Firewall ........................................................................................................... 81


Sample Topology for Gi/SGi-FW ..........................................................................................82
Gi/SGi-FW Configuration with CGN Deployment ................................................................83
High-level Configuration ........................................................................................................................... 83
CLI Configuration ....................................................................................................................................... 83
Show Running Config for Gi/SGi-FW...................................................................................87


Config Commands: Firewall ....................................................................................................... 89


Firewall Global Configuration Commands ..........................................................................90
fw active-rule-set .......................................................................................................................... 91
fw alg .............................................................................................................................................. 92
fw alg-processing ......................................................................................................................... 93
fw apply-changes ......................................................................................................................... 94
fw disable-ip-fw-sessions ........................................................................................................... 95
fw helper-sessions ....................................................................................................................... 96
fw listen-on-port-timeout ............................................................................................................ 97
fw logging ...................................................................................................................................... 98
fw permit-default-action ............................................................................................................. 99
fw radius server ..........................................................................................................................100
fw server ......................................................................................................................................102
fw service-group .........................................................................................................................103
fw session-aging ........................................................................................................................104
fw tcp-window-check ................................................................................................................107
fw template logging ...................................................................................................................108
fw urpf ..........................................................................................................................................114
fw vrid ...........................................................................................................................................115
cgnv6 sctp permit-payload-protocol ......................................................................................116
cgnv6 sctp rate-limit ..................................................................................................................116
rule-set ..........................................................................................................................................117
zone ..............................................................................................................................................118
Rule-Set Configuration Commands.................................................................................. 120
remark ..........................................................................................................................................121
rule ................................................................................................................................................122
sampling-enable ......................................................................................................................... 126
session-statistic ......................................................................................................................... 126
Firewall show and clear Commands ................................................................................ 127
show fw full-cone-sessions ......................................................................................................128
show fw radius server ...............................................................................................................128
show fw radius table .................................................................................................................130
show fw resource-usage ..........................................................................................................131
show fw server ...........................................................................................................................131
show fw status ...........................................................................................................................132
show fw system-status ............................................................................................................133
show rule-set ...............................................................................................................................134
clear fw full-cone-sessions .......................................................................................................135
clear fw radius server statistics ..............................................................................................135
clear fw radius table ..................................................................................................................136
clear sessions fw helper-sessions ..........................................................................................136

Troubleshooting Your Firewall Deployment ............................................................................. 137


My IPv4 packets are getting dropped ..................................................................................................137
TCP window check issues .....................................................................................................................137
My IPv6 packets are getting dropped ..................................................................................................138


My rule-set changes were not applied .................................................................................................138


VRRP-A does not work with firewall enabled .....................................................................................139
ALG does not work ..................................................................................................................................140
Other miscellaneous issues ...................................................................................................................140


Configuring the Firewall

This chapter covers the following topics:

• Overview of the Stateful Firewall

• Firewall Functionality

• Configuration Elements

• Configuring Application Layer Gateway

• Firewall Statistics

• Support for High Availability with VRRP-A

Overview of the Stateful Firewall


The firewall is a stateful Layer 4 firewall that can filter incoming traffic at Layers 1-4, meaning traffic is filtered based on the source and destination IP addresses in combination with the source and destination port numbers and the IP protocol.

The firewall maintains information about the status of network TCP connections and stores this information in memory. The information that is saved includes the source and destination IP addresses and ports, as well as the packet sequence. Incoming flows are compared with the entries in this frequently updated table, and filtering decisions are made to allow (or exclude) packets based on whether there is already an existing connection.

The firewall can be deployed in the following ways:

• Standalone Firewall – The firewall can be deployed by itself, acting as a standalone security device.
• Data Center Firewall – The firewall can be deployed in the same partition as an Application Delivery Controller (ADC). When used with DCFW, the primary purpose of the firewall is to expose and protect the services and internal servers.
• Gi/SGi Firewall – The firewall can be deployed in the same partition as Carrier Grade NAT (CGN), which is the IP-based interface between the GGSN and a public data network. When used with CGN, the primary purpose of the firewall is to shield mobile subscribers and service providers from attacks and data tampering.

This Overview section covers the following topics:


• Firewall Benefits

• Firewall Features

• Known Issues and Limitations

Firewall Benefits
ACOS offers a firewall that can be deployed as a data center firewall (DCFW) or as a firewall deployed in the same partition as CGN, the “general IP interface” firewall (Gi/SGi-FW). The benefits of each type of firewall deployment are listed below.

• Benefits of Standalone FW

• Benefits of DCFW

• Benefits of Gi/SGi-FW

• Hardware-related Benefits of A10 Thunder Firewall

Benefits of Standalone FW
Firewalls offer enhanced security for network PCs by preventing attackers from infecting devices with malicious software, such as viruses, worms, spyware and other threats. A firewall enables network administrators to dictate which computers can connect to the public internet and can help prevent users from accessing potentially malicious resources that could infect their device and other devices on the network.

The ACOS firewall is a stateful firewall that operates at Layers 1-4 of the OSI model. The firewall monitors incoming and outgoing packets and collects information about the source and destination address and port. The firewall also retains information about the state of the packet, meaning it tracks whether or not the packet belongs to an active connection.

The firewall can be configured to deny or permit packets based on how the properties of these packets align with the match criteria in the firewall’s active rule-set.

Firewalls can prevent malware from reaching the internet-connected devices on your network, preventing damage to devices and theft of sensitive information.
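The stateful behaviour described above (a session table keyed on the 5-tuple that is consulted before the rule-set, so that return traffic of an accepted connection is admitted without re-matching rules, and idle sessions that are aged out) is illustrated by the following Python model. This is an added example, not ACOS code: the Packet, Rule and StatefulFirewall classes, the addresses, the rule list and the 300-second idle timeout are all constructed for illustration, and the model tracks only the 5-tuple, not TCP sequence numbers or windows.

```python
"""Toy stateful Layer 4 firewall (constructed example, not ACOS code).

New flows are matched against an ordered rule-set; permitted flows create a
session keyed on the 5-tuple, return traffic is admitted by looking up the
reversed tuple, and idle sessions are aged out.  Only the 5-tuple is tracked;
TCP sequence/window checks are out of scope for this model.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Tuple5 = Tuple[str, int, str, int, str]  # (src, sport, dst, dport, proto)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp", "udp" or "icmp" (use port 0 for icmp)


@dataclass
class Rule:
    """One rule-set entry (hypothetical shape); evaluated in list order."""
    src: str                # CIDR, e.g. "10.1.0.0/16"
    dst: str                # CIDR
    proto: str              # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]    # None means any destination port
    action: str             # "permit" or "deny"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


class StatefulFirewall:
    def __init__(self, rules: List[Rule], idle_timeout: int = 300,
                 default_action: str = "deny") -> None:
        self.rules = rules
        self.idle_timeout = idle_timeout       # seconds of inactivity before removal
        self.default_action = default_action   # applied when no rule matches
        self.sessions: Dict[Tuple5, int] = {}  # forward 5-tuple -> last-seen time

    @staticmethod
    def key(p: Packet) -> Tuple5:
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def reverse_key(p: Packet) -> Tuple5:
        # A reply from the server side has src/dst and sport/dport swapped.
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def age(self, now: int) -> int:
        """Remove sessions idle for longer than idle_timeout; return how many."""
        stale = [k for k, seen in self.sessions.items()
                 if now - seen > self.idle_timeout]
        for k in stale:
            del self.sessions[k]
        return len(stale)

    def process(self, p: Packet, now: int) -> str:
        """Return the decision for one packet arriving at time `now`."""
        self.age(now)
        # Fast path: the packet belongs to a known session in either direction,
        # so no rule lookup is needed (the performance point made in the overview).
        for k in (self.key(p), self.reverse_key(p)):
            if k in self.sessions:
                self.sessions[k] = now
                return "permit(session)"
        # Slow path: the first matching rule decides, else the default action.
        action = self.default_action
        for r in self.rules:
            if r.matches(p):
                action = r.action
                break
        if action == "permit":
            self.sessions[self.key(p)] = now  # open a session for the new flow
        return action


def run_demo() -> List[str]:
    """Constructed traffic: an allowed HTTPS flow, its reply, an unsolicited
    inbound SSH attempt, a non-matching outbound flow, and a late reply that
    arrives after the session has aged out."""
    rules = [
        Rule("10.1.0.0/16", "192.0.2.0/24", "tcp", 443, "permit"),
        Rule("0.0.0.0/0", "10.1.0.0/16", "any", None, "deny"),
    ]
    fw = StatefulFirewall(rules, idle_timeout=300)
    return [
        fw.process(Packet("10.1.1.5", 40000, "192.0.2.10", 443, "tcp"), 0),
        fw.process(Packet("192.0.2.10", 443, "10.1.1.5", 40000, "tcp"), 1),
        fw.process(Packet("198.51.100.7", 1234, "10.1.1.5", 22, "tcp"), 2),
        fw.process(Packet("10.1.1.5", 40001, "192.0.2.10", 80, "tcp"), 3),
        fw.process(Packet("192.0.2.10", 443, "10.1.1.5", 40000, "tcp"), 400),
    ]


if __name__ == "__main__":
    print(run_demo())  # ['permit', 'permit(session)', 'deny', 'deny', 'deny']
```

The fifth packet is the interesting one: the reply would have been admitted by the session at any time within the idle timeout, but once the session has aged out it is treated as a new inbound flow and falls to the deny rule. A real deployment tunes that timeout per port and protocol (see the fw session-aging command later in this guide) so that long-lived but quiet connections are not cut while stale entries do not accumulate.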

Benefits of DCFW
Data center firewalls offer a wide range of services for a variety of applications, such as HTTP, mobile, Voice over IP (VoIP), and streaming video, not to mention the needs of mobile users and social media. To meet the growing demand for such a wide array of services and applications, data centers require tremendous scalability and throughput.

To achieve this high scalability, and in order to make packet classification decisions faster and simpler, the ACOS data center firewall device offers a Layer 4 stateful DCFW.


The DCFW has a highly scalable classification algorithm which can reduce the burden placed on other
backend services. The firewall provides a layer of security prior to traffic reaching the load balancer
(SLB device), and it offers the benefits of consolidating functions in one device.

Benefits of Gi/SGi-FW
Gi/SGi-FW utilizes a stateful firewall to protect subscribers and LTE service providers from DDoS attacks and data tampering. Gi/SGi-FW enables mobile carriers to achieve high firewall connection rates and throughput.

By leveraging the capabilities of integrated Carrier-Grade Network Address Translation (CGNAT), the lifespan of the equipment in legacy IPv4 networks is extended. In addition, this technology helps with IPv4 preservation, and the IPv6 transition technologies smooth the transition to IPv6.

Hardware-related Benefits of A10 Thunder Firewall


A10 Thunder firewall offers the following hardware-related benefits that are specific to firewall performance:

• High throughput – Coupled with high density 1 GbE, 10 GbE, 40 GbE, and 100 GbE port options, Thunder appliances meet the highest networking bandwidth demands.
• High connection performance (100+ Gbps) and high scalability – The A10 Thunder line of appliances fits networks of all sizes, with entry-level models starting at 5 Gbps and moving up to a 153 Gbps high-performance appliance for the most demanding data center performance requirements.
• Large number of concurrent connections – The A10 Thunder appliances can handle a high number of concurrent connections, with high-end Thunder 6635(S) SPE models capable of offering millions of connections per second (CPS) and requests per second (RPS). For the latest numbers, please see the latest data sheet, available on the A10 Networks website: https://www.a10networks.com/sites/default/files/A10-DS-15109-EN.pdf
• Low latency – In addition to scaling up to 153 Gbps, the A10 Thunder appliances are powered by ACOS software, which brings a unique combination of shared memory accuracy and efficiency, 64-bit scalability, and advanced flow processing to provide low latency and high throughput, thus increasing the speed and performance of the network.

Firewall Features
The features of each type of firewall deployment are listed below.

• Firewall Features (General)

• DCFW Features

• Gi/SGi-FW Features


Firewall Features (General)


The list below includes general firewall features that are common to DCFW and Gi/SGi-FW deployments:

• The firewall is a Layer 4 stateful firewall that protects control-plane and data-plane communications.
• Stateful packet inspection is performed for connection-oriented protocols.
• Maintaining state information for packet flows improves performance, since the firewall does not need to look up the state information for every packet in a flow.
• The firewall supports objects with both IPv4 and IPv6 addresses.
• The firewall supports application layer gateway (ALG) protocols, such as DNS, FTP, TFTP, SIP, and ICMP. Support for ALG protocols applies to firewalls in standalone deployments, as well as DCFW and Gi/SGi-FW deployments.

DCFW Features
The list below highlights the features that are specific to data center firewalls:

• The data center firewall supports SLB topologies.
• The data center firewall supports common event format (CEF) logging. When the firewall applies an action (deny/reset/permit) to a new connection request, a log is generated.
• The data center firewall can be deployed within application delivery partitions (ADP/L3V).
• The data center firewall supports up to eight ACOS devices in a VRRP-A cluster for high availability.
• The data center firewall supports rule matching based on priority.
• The data center firewall supports up to 128k rules in a rule-set, on high-end platforms.
• The data center firewall uses existing ACL configuration objects (for example, obj-group).
• The data center firewall supports Named Objects, such as SLB VIPs and real servers.
• The data center firewall supports rule-based statistics.

Gi/SGi-FW Features
The following Gi/SGi-FW features are available:

• Gi/SGi-FW leverages Carrier Grade NAT (CGNAT) that scales IPv4 networks with transparent
NAT available and allows external users to initiate connections to NAT clients.


• Gi/SGi-FW supports migration to IPv6 and supports hybrid IPv4 and IPv6 networks by translating between the two technologies.
• Gi/SGi-FW offers DDoS protection for NAT pools against destructive DDoS attacks.
• Gi/SGi-FW supports IP anomaly detection that checks for over 30 IP packet anomalies, and can combine anomaly detection with IP Black Lists for granular attack mitigation.
• Gi/SGi-FW supports connection rate limiting, detecting and blocking attack traffic using IP-based connection rate limiting and system-wide connection limits.
• Gi/SGi-FW offers IPsec VPN in mobile networks, which prevents eavesdropping, authenticates eNodeBs, and secures communications over wireless and WiFi networks.
• Gi/SGi-FW supports common event format (CEF) logging, such that when the firewall applies an action (deny/permit/reset) to a new connection request, a log is generated.

Supported CGN Technologies for Gi/SGi-FW


The following CGN technologies are supported with Gi/SGi-FW:

• LSN (NAT44) & NAT64
  • FTP, TFTP, RTSP, PPTP, SIP, DNS (for NAT44 only), and ICMP ALG support
• Fixed NAT - NAT44 & NAT64
  • FTP, TFTP, RTSP, PPTP, SIP, DNS (for NAT44 only), and ICMP ALG support
• Integrated DDoS functionalities
  • IP Anomaly Filtering
  • Selective Filtering for CGN NAT Pools
  • CGN NAT Pool IP Blacklisting
• Session rate limiting for CGN
• CEF logging format support for CGN traffic logging (HTTP logging and include-radius-attribute not supported)
• Separate logging template for Firewall logging
• A new CLI command, show fw resource-usage helper-sessions, that displays helper session statistics for the firewall


Known Issues and Limitations


The known limitations for each type of firewall deployment are listed below.

• Known Issues for Standalone FW

• Known Issues for DCFW

• Known Issues for Gi/SGi-FW

Known Issues for Standalone FW


Below are limitations or known issues associated with the Thunder firewall in a standalone deployment:

• TBD

Known Issues for DCFW


Below are limitations or known issues associated with the data center firewall feature:

• DCFW always takes precedence over other security configurations, such as ACL, NAT, and so
on. (Bug 301153)
• Only one firewall rule-set (or “policy”) can be attached globally, or to a zone or interface.

• Destination Zone for SLB VIP traffic is always “any”.

• VLAN or Virtual Ethernet configurations in one zone cannot be re-used in another zone.

• When a DCFW rule-set is activated, it takes about 10 seconds for the rule-set to become
activated.
• Layer 2 DCFW setup requires a rule to allow Link-Local address.

Known Issues for Gi/SGi-FW


Below are limitations or known issues associated with the Gi/SGi-Firewall feature:

• If you configure port- and protocol-based idle-timeout values that are not in multiples of 60
seconds, then ACOS will round them up or down in multiples of 60 seconds. This modification is
apparent in the output of the “show session” command. For example, an idle-timeout value of 150
seconds will appear in the output as 120 seconds. (Bug 343612)
• Sending an ICMP ping packet to an Ethernet interface fails if the destination zone is “local-type”
and if the source is not in the permitted list. However, if an ICMP packet is sent to a loopback
address or to a VE, then it works. This is expected behavior. (Bug 343528)


• When an ICMP ping packet is sent to a VIP (and explicitly allowed by the FW rule), the session
will not be created in the session table. This behavior is by design. (Bug 341680)
• If you create a zone with the name “any”, you will not be able to later delete this zone. This
limitation exists because ACOS auto-creates a zone called “any”, but the zone does not appear in
the output of the “show running” CLI command. Therefore, if you manually create a zone called
“any”, it will be visible in the output, but because it has the same name as the system-generated
zone, you will not be able to delete it. (Bug 338089)
• When using Gi/SGi-FW with NAT64, the client denies the packets. This problem can occur if the
client is sending packets to an IPv6 address and these v6 packets are converted to an IPv4
address. However, the route to the IPv4 destination address is not there after v6/v4 translation
has occurred. The firewall module is independent and does not know about the v6/v4 address
translation, and since the route to the IPv6 destination address is not there, ACOS drops the
packets. (Bug 335998)
• IPv6 packets with a destination address matching the NAT64 prefix will not be L3-forwarded by
the ACOS device. Such packets must be handled by NAT64 or they will get dropped. (Bug 333193)
• Adding an explicit deny rule at the end of the rule-set, without specifically allowing traffic destined
for the ACOS device, will cause the dynamic routing protocols, VRRP-A, and aVCS to no longer
work. (Bugs 332707 and 300685)
• An object can be deleted while it is still being modified in another admin session. (Bug 332161)

Firewall Functionality
This section contains the following topics:

• How the Firewall Works

• Firewall Traffic Flow

How the Firewall Works


When the firewall is enabled, incoming traffic is first checked against the firewall rule-set (a firewall
“rule-set” is equivalent to a “firewall policy”). The rules within that rule-set are used to filter traffic:


• If traffic does not match the criteria established within the rules of the firewall rule-set, then it is
denied.
• If traffic matches the criteria established within the rules of the rule-set, then the pre-configured
rule will act upon the traffic according to the actions, (for example, deny, permit, reset, and/or
log).

NOTE: Only the “permitted” traffic can establish a session with the SLB/CGN
module. Traffic that does not match any rules in the rule-set is dropped
before a session can be established.

When the firewall rule-set is activated, and when the firewall receives client requests, it makes
classification decisions based on whether traffic matches criteria in the firewall rule-set. If the traffic
matches, then the firewall applies the action associated with that rule and either permits or denies the
packet. If the packet is permitted, then other ACOS features, such as SLB or CGN, are invoked to
perform load balancing or v4/v6 translation, or other tasks.

By filtering traffic before it gets to the SLB/CGN modules, the firewall can reduce security threats while
simultaneously improving the performance of your network.

Firewall Traffic Flow


Figure 1 illustrates basic operation of a firewall. This highly simplified example shows traffic flowing
through a data center within an SLB deployment.

NOTE: See Figure 7 on page 82 for a similar topology diagram for Gi/SGi-FW in
a CGN deployment.


FIGURE 1 Traffic flow through firewall (DCFW + SLB)

[Figure: Client -> FW+SLB (SLB VIP at 10.10.10.10) -> Destination server at 20.20.20.20. Callouts:
1) Client sends a request to VIP at 10.10.10.10. 2) Client request is compared with rules in firewall
rule-set: traffic that does not match is dropped; traffic that matches has an “action” applied
(deny/permit/reset/log). 3) Traffic validated by firewall may be sent to the SLB module, which load
balances the request to the server at 20.20.20.20.]

The traffic flow activity (in green) represents the packet flow from a standard client to a backend
server:

1. The client sends a request to the VIP at 10.10.10.10.

2. The request is intercepted by the firewall, and it is compared with the rules in the firewall rule-set.
• If the traffic does not match at least one rule in the rule-set, the traffic is dropped.
• If the traffic matches the criteria in one of the rules, an action associated with that rule is
applied. (See “Match Criteria” on page 20 for a discussion of how the match criteria within rules
work, and “Actions” on page 22 for a discussion of how the actions associated with the match
criteria in rules work.)

3. The action applied by the firewall rule could be to permit, deny, or reset the session, and/or log the
activity.
Assuming the associated action is to permit the traffic, the request is sent to the ACOS SLB
module, and is load balanced to the server at 20.20.20.20.

Configuration Elements
A typical firewall rule-set includes the following elements:

• Rule-set

• Rules

• Match Criteria

• Actions

Composition of the Firewall rule-set


Figure 2 shows the relationship between the configuration elements in a firewall rule-set.

FIGURE 2 Configuration elements in a firewall rule-set

[Figure: a Rule-set containing Rule 1, Rule 2, Rule 3 ... Rule n; each rule holds Match criteria and
Actions (Deny, Permit, Reset). Callout: Inbound traffic is processed by the first rule (“Rule 1”). If no
match is found, the traffic goes to the next rule, and so on, until a match is found. While the rules have
no sequence numbers, you can change the order in which the rules process inbound traffic by
re-arranging the order using the GUI or CLI.]

Notes:

• The firewall rule-set includes several rules.

• The Rules in a rule-set contain Match Criteria, such as source and destination IPs, ports, object
groups, and protocols.
• The rules contain one or more Actions that can be applied to incoming packets.


Rule-set
The firewall rule-set is the top-level building block used to configure the firewall. The rule-set contains
one or more rules. Each rule acts like an “if/then” statement, containing match criteria and an action
that will be applied to traffic if there is a match.

NOTE: This section offers a general description of firewall rule-set behavior. For
information about rule-sets that is specific to Gi/SGi-FW deployments,
see “Firewall Rule-Sets for Gi/SGi-FW” on page 31.

Details:

• The firewall rule-set must be activated with the fw active-rule-set command before any rules
can be enforced on inbound traffic.
• It may take approximately 10 seconds for the rule-set to become active.

• When no rule-set is active, all traffic will be allowed to pass because no firewall rules are applied
to the incoming traffic.
• If a firewall rule-set is active and no rules are defined, the default action is implicit deny.

Using the GUI

NOTE: In release 4.1.1-P2 and prior, DCFW can be configured from the GUI but
Gi/SGi-FW cannot be configured from the GUI.

To activate the firewall rule-set using the GUI:

1. Navigate as follows: Security > DC Firewall.


2. By default, the Rulesets tab is already highlighted. (If not, select the Rulesets tab.)
A window appears with the configured rule-sets displayed in a table format.
3. Select the Create button at the far right. A pop-up modal appears, similar to that shown below:


FIGURE 3 Activating the firewall rule-set using the GUI

4. In the Create Ruleset window, enter the following:


a. Enter the name in the Ruleset Name field.
b. Select the Make Active checkbox.

NOTE: Although multiple rule-sets can be defined, only one rule-set can be
active at a time.

NOTE: It may take approximately 10 seconds for the rule-set to become active.

c. (Optional) Click the Session Aging drop-down menu and select a pre-configured session aging
template. The aging template allows you to define the TCP, UDP, and ICMP session timers.
5. Click Create to save your changes. The new firewall rule-set appears in the table.

Using the CLI

A firewall rule-set can be created and then globally activated using the CLI as described below:

1. Create a rule-set using the following CLI command (see “rule-set” on page 117 for details). You can
optionally add a rule with actions and match criteria:
rule-set rule-set-name
rule rule-name
action permit
source ipv4-address address

2. (Optional) Create the session-aging template (see “fw session-aging” on page 104 for details). You
can optionally add timeout periods for various protocols:
fw session-aging session-aging-template-name
udp idle-timeout seconds
tcp half-open-idle-timeout seconds

3. Activate the firewall rule-set with the following CLI command (see “fw active-rule-set” on page 91
for details):
fw active-rule-set rule-set-name

Rules
Rules are the “if/then” statements inside a rule-set. For example, a possible rule could convey the
following:
“if incoming traffic matches the source address 192.169.10.10, then permit the session to pass
through the firewall.”

Rules are applied to traffic from the traffic initiator (client) to the responder (most likely a server). This
is also known as the forward direction of traffic. Traffic in the reverse direction (i.e., from server to
client) is presumed to be safe, and therefore it is not necessary to define rules to process traffic
coming from the servers.

NOTE: Each rule has an administrative status (enable or disable). When the
status for a rule is set to “disable,” the rule exists within the rule-set, but that
rule is not acted upon.

Here is a list of criteria that can be used to filter incoming sessions:

• Match Criteria (or Match “Filters”)
  • Source/Destination Zone – This can be a source zone, where a zone contains one or more
  physical interfaces, or VLANs.
  • Source/Destination Addresses – IPv4 or IPv6 addresses (either a list or a range of addresses)
  • Source/Destination Port – Either a list or a range of ports.
  • Destination VIP name – The name or IP associated with a destination VIP on the ACOS device.
  • Source/Destination Configuration Object – This can be a real server, virtual server, generic
  object, or object-group.

Match Criteria
Below is the list of match criteria that can be used to filter incoming sessions:

1. Source/destination object-groups
Network object groups can be referenced in rules to match a group of IPv4/IPv6 addresses or a
group of subnets, etc. For example, all subnets in Engineering, or all hosts on the 2nd floor of a
building.
2. Source/destination subnets (both IPv4 and IPv6)
3. Source/destination zones
4. Destination VIP name – Internally this will translate to the VIP IP address. If the associated firewall
action is to permit traffic that matches the VIP, then further actions will be taken by the SLB
module after the traffic has passed through the firewall.
5. Service object-group – Service object groups can also be used in a rule as the match criteria to
filter incoming traffic. Service object groups contain a set of TCP or UDP services that can be
grouped together. Note that if match criteria are not specified in the service object-group, all traffic
will be dropped, since the default is “unmatched”.
6. Any of the following service protocols:
• TCP
• UDP
• ICMP
• Protocol ID (followed by a specific IP protocol number)
For TCP and UDP, the ACOS device can specify the source or destination port range. Similarly, for
more granular ICMP and ICMPv6 services, ACOS can specify an ICMP type and ICMP codes, as
described in the tables below.

The ICMP Types that can be used as match filters in a rule are described in Table 1.

TABLE 1 Definition of ICMP Types as match criteria

Type      Element            Description
<0-254>   <0-254>            ICMP type number
any-type  any-type           Any ICMP type
Type 0    echo-reply         echo reply (used for ICMP “ping”)
Type 3    dest-unreachable   destination unreachable
Type 4    source-quench      source quench
Type 5    redirect           redirect message
Type 8    echo-request       echo request
Type 11   time-exceeded      time exceeded
Type 12   parameter-problem  parameter problem
Type 13   timestamp          timestamp
Type 14   timestamp-reply    timestamp reply
Type 15   info-request       information request
Type 16   info-reply         information reply
Type 17   mask-request       address mask request
Type 18   mask-reply         address mask reply

The ICMPv6 Types that can be used as match filters in a rule are described in Table 2.

TABLE 2 Definition of ICMPv6 Types as match criteria


Element Description
any-type Any ICMPv6 type
Type 1 Destination-unreachable
Type 2 Packet-too-big
Type 3 Time-exceeded
Type 4 Parameter-problem
Type 128 Echo-request
Type 129 Echo-reply
Type 133 Router-solicitation
Type 134 Router-advertisement
Type 135 Neighbor-solicitation
Type 136 Neighbor-advertisement
Type 137 Redirect-message

The ICMP Codes that can be used as match filters in a rule are described in Table 3.

TABLE 3 Definition of ICMP Codes as match criteria

Code      Element              Description
any-code  any-code             Any ICMP code
Code 0    network-unreachable  Destination network unreachable
Code 1    host-unreachable     Destination host unreachable
Code 2    proto-unreachable    Destination protocol unreachable
Code 3    port-unreachable     Destination port unreachable
Code 4    frag-required        Fragmentation required
Code 5    route-failed         Source route failed

The ICMPv6 Codes that can be used as match filters in a rule are described in Table 4.

TABLE 4 Definition of ICMPv6 Codes as match criteria


Type Code Description
Type 1 Code 0 No-route-to-destination
Type 1 Code 3 Address-unreachable
Type 1 Code 4 Port-unreachable
Type 4 Code 1 Unrecognized-next-header
Type 4 Code 2 Unrecognized-option

Actions
If incoming traffic matches criteria in a rule, then the action in that rule may be applied to that traffic.

The actions that can be applied to traffic matching criteria in the rule-set are described in Table 5.

TABLE 5 Definition of actions in a rule-set


Element Description
Deny Silently denies the client request by dropping the packet without notifying the client.
Permit Permits the traffic to pass through the firewall unimpeded.
Reset Resets the TCP session, and sends an error message to notify the client. The reset
option only applies to TCP traffic. Other protocol types will be silently dropped.
Log (Optional) Logs the action applied for each connection.

NOTE: For additional CGN-specific actions, see “Firewall Rule-Sets for Gi/SGi-
FW” on page 31.

NOTE: If an action is not specified in the configuration, then the default behavior
is to deny the traffic.


TCP Window Checks


TCP Window Checks are a security function that can be used to ensure TCP packets are within the
advertised window by tracking the sequence numbers and acknowledgments of traffic in both
directions. Packets that are outside the advertised window will be denied.

If TCP Window Checks are not already enabled, you can do so using the GUI:

1. Navigate as follows: Security > DC Firewall > Global.


A window appears similar to that shown below:

FIGURE 4 Configuring TCP Window Checks using the GUI

2. Select the TCP Window Check checkbox to enable the feature.


3. Click Update to save your changes.

Using the CLI

If TCP Window Checks are not already enabled, you can do so using the CLI:

1. Use the following command to enable TCP window checks:


fw tcp-window-check enable

2. (Optional) Use the following command to enable baselining and rate calculation for packets
outside the TCP window:
fw tcp-window-check sampling-enable outside-window

3. (Optional) Use the following command to disable TCP window checks:


fw tcp-window-check disable


NOTE: See “fw tcp-window-check” on page 107 for more information about the
above commands.
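The following Python model shows what the window check described above actually tracks: each side's last acknowledgment number and advertised window, with every segment validated against the window its receiver last advertised. It is an added illustration, not ACOS code or anything from this guide; the trace and the 8192-byte window are constructed, and the acceptance rule (a segment is in-window if it starts inside the receiver's window or overlaps its left edge) is a simplification of what a stateful firewall does.

```python
"""Constructed model of a TCP window check; not ACOS code. A segment is checked
against the window the peer last advertised, in both directions of the flow."""
from dataclasses import dataclass
from typing import Optional

MASK32 = 0xFFFFFFFF   # sequence numbers wrap modulo 2^32


@dataclass
class Segment:
    direction: str            # "c2s" (client to server) or "s2c"
    seq: int
    window: int               # window advertised by the sender of this segment
    payload_len: int = 0
    ack: Optional[int] = None  # None for a bare SYN, which carries no valid ACK


@dataclass
class SideState:
    ack: Optional[int] = None  # last ACK this side sent = next byte it expects from the peer
    win: int = 0               # last window this side advertised


class TcpWindowChecker:
    def __init__(self):
        self.sides = {"c2s": SideState(), "s2c": SideState()}
        self.outside_window = 0   # segments denied for being outside the window

    def check(self, seg):
        """Return True if the segment lies inside the receiver's advertised window."""
        receiver = self.sides["s2c" if seg.direction == "c2s" else "c2s"]
        if receiver.ack is not None:               # receiver has told us what it expects
            length = max(seg.payload_len, 1)
            ahead = (seg.seq - receiver.ack) & MASK32    # distance past the left edge
            behind = (receiver.ack - seg.seq) & MASK32   # distance before the left edge
            starts_in_window = ahead < receiver.win
            overlaps_left_edge = behind < length         # partial retransmission
            if not (starts_in_window or overlaps_left_edge):
                self.outside_window += 1
                return False
        sender = self.sides[seg.direction]         # only accepted segments update state
        if seg.ack is not None:
            sender.ack = seg.ack
        sender.win = seg.window
        return True


def sample_trace():
    """Constructed handshake and data exchange; the server advertises an 8192-byte window."""
    return [
        Segment("c2s", seq=1000, window=65535),                               # SYN
        Segment("s2c", seq=5000, window=8192, ack=1001),                      # SYN/ACK
        Segment("c2s", seq=1001, window=65535, ack=5001),                     # ACK
        Segment("c2s", seq=1001, window=65535, ack=5001, payload_len=100),    # in window
        Segment("c2s", seq=1001 + 8192, window=65535, ack=5001, payload_len=100),  # beyond window
        Segment("s2c", seq=5001, window=8192, ack=1101),                      # server ACKs 100 bytes
        Segment("c2s", seq=1050, window=65535, ack=5001, payload_len=100),    # partial retransmit
        Segment("c2s", seq=900, window=65535, ack=5001, payload_len=100),     # wholly stale
    ]


def run_trace(segments):
    """Feed a trace through the checker; returns per-segment verdicts and the checker."""
    chk = TcpWindowChecker()
    return [chk.check(s) for s in segments], chk
```

The fifth and eighth segments are the ones the feature would deny: one starts 8192 bytes past what the server expects, the other ends before the byte the server is waiting for. The partial retransmission (seventh segment) is accepted because it still carries data the server has not acknowledged.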


Security Zones
Security zones (or “zones”) are Layer 1 and 2 match criteria for the rules in a firewall rule-set.

Firewall rules can be configured to contain security zones. For example, you might have a source zone
or a destination zone in the same rule-set.

A source zone could be set up for an interface that is facing the internal network, and a separate zone
could be configured for the interface that is facing the external or public network. In this way, each
security zone has a security disposition, such as being trusted, untrusted, or somewhere in between.

A zone comprises one or more physical interfaces or virtual interfaces (or “VLANs”).

Zones can be used to create logical boundaries around each interface. In the same way that multiple
servers can be added to a service group for ease of configuration, a zone can be set up to include
several interfaces that could be used to handle similar types of traffic.

Details:

• A zone can include multiple interfaces, but an interface can only belong to one zone.

• The same interface cannot belong to multiple zones.

• Zones can be configured in DCFW, Gi/SGi-FW and standalone firewall deployments.

Example of Zone Use

If the goal is to protect traffic from “internet to branch,” you could categorize the physical interfaces or
virtual interfaces into two zones, each consisting of several interfaces/VLANs.

zone branchside
interface ve 19
network ipv4 2.2.2.0/24

zone internet
interface ethernet 1 to 5

zone v6network
interface ve 20
network ipv6 2001::1/64

If a source or destination zone is not specified in the rule, then the zone applies as a wildcard match,
meaning it will have a positive match for all traffic received from a source or destination.
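To make the behaviour described in the Rule-set, Rules, Match Criteria, Actions and Security Zones sections concrete, the Python model below evaluates packets against an ordered rule-set: interfaces resolve to zones (one zone per interface, unspecified zone is a wildcard), rules are tried in configured order with the first match winning, disabled rules are skipped, ICMP criteria use the element names of Tables 1 and 3, reset applies to TCP only (Table 5), unmatched traffic is implicitly denied, and per-rule hit counts are kept. It is an added example, not ACOS code or anything from this guide; the zone, rule and host names are made up, and the zones reuse the interface assignments of the example above.

```python
"""Constructed model of first-match rule-set evaluation with zones, match
criteria and actions. Not ACOS code; zone, rule and host names are made up."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Element names and numbers from Table 1 and Table 3 (subset).
ICMP_TYPES = {"echo-reply": 0, "dest-unreachable": 3, "echo-request": 8, "time-exceeded": 11}
ICMP_CODES = {"network-unreachable": 0, "host-unreachable": 1,
              "proto-unreachable": 2, "port-unreachable": 3}


class ZoneTable:
    """Interface-to-zone mapping; an interface can belong to only one zone."""
    def __init__(self):
        self._zone_of = {}

    def add(self, zone, *interfaces):
        for ifc in interfaces:
            owner = self._zone_of.get(ifc)
            if owner not in (None, zone):
                raise ValueError(f"{ifc} already belongs to zone {owner}")
            self._zone_of[ifc] = zone

    def zone_of(self, interface):
        return self._zone_of.get(interface)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    in_if: str        # ingress interface, resolved to the source zone
    out_if: str       # egress interface, resolved to the destination zone
    dport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


@dataclass
class Rule:
    name: str
    action: str                                   # permit | deny | reset
    src_nets: list = field(default_factory=list)  # empty list: any address
    dst_nets: list = field(default_factory=list)
    src_zone: Optional[str] = None                # None: wildcard zone match
    dst_zone: Optional[str] = None
    proto: Optional[str] = None                   # None: "service any"
    dports: Optional[range] = None
    icmp_type: Optional[str] = None               # Table 1 element or "any-type"
    icmp_code: Optional[str] = None               # Table 3 element or "any-code"
    log: bool = False
    enabled: bool = True                          # a disabled rule stays in the set but is skipped
    hits: int = 0

    def matches(self, pkt, src_zone, dst_zone):
        return all([
            self.src_zone in (None, src_zone),
            self.dst_zone in (None, dst_zone),
            not self.src_nets or any(ip_address(pkt.src) in n for n in self.src_nets),
            not self.dst_nets or any(ip_address(pkt.dst) in n for n in self.dst_nets),
            self.proto in (None, pkt.proto),
            self.dports is None or pkt.dport in self.dports,
            self.icmp_type in (None, "any-type") or ICMP_TYPES[self.icmp_type] == pkt.icmp_type,
            self.icmp_code in (None, "any-code") or ICMP_CODES[self.icmp_code] == pkt.icmp_code,
        ])


class RuleSet:
    def __init__(self, name, zones, rules):
        self.name, self.zones, self.rules = name, zones, list(rules)
        self.implicit_denies = 0      # requests that matched no rule
        self.log_lines = []

    def evaluate(self, pkt):
        src_zone = self.zones.zone_of(pkt.in_if)
        dst_zone = self.zones.zone_of(pkt.out_if)
        for rule in self.rules:       # configured order; first match wins
            if rule.enabled and rule.matches(pkt, src_zone, dst_zone):
                rule.hits += 1
                verdict = rule.action
                if verdict == "reset" and pkt.proto != "tcp":
                    verdict = "deny"  # reset applies to TCP only; other protocols are silently dropped
                if rule.log:
                    self.log_lines.append(f"{rule.name} {verdict} {pkt.proto} {pkt.src}->{pkt.dst}")
                return verdict
        self.implicit_denies += 1     # no rule matched: implicit deny
        return "deny"


def firewall_decision(active, pkt):
    """With no active rule-set all traffic passes; otherwise the active rule-set decides."""
    return "permit" if active is None else active.evaluate(pkt)


def build_sample():
    zones = ZoneTable()
    zones.add("branchside", "ve19")
    zones.add("internet", "ethernet1", "ethernet2")
    rules = [
        Rule("deny-all-disabled", "deny", enabled=False),
        Rule("web-in", "permit", src_zone="internet", dst_nets=[ip_network("2.2.2.10/32")],
             proto="tcp", dports=range(80, 81), log=True),
        Rule("ping-in", "permit", dst_zone="branchside", proto="icmp", icmp_type="echo-request"),
        Rule("reset-rest", "reset", src_zone="internet", dst_nets=[ip_network("2.2.2.0/24")]),
    ]
    return RuleSet("firewall", zones, rules)


def run_sample():
    """Constructed packets: web, ping, port-unreachable, SSH from the internet zone, branch outbound."""
    rs = build_sample()
    pkts = [
        Packet("203.0.113.5", "2.2.2.10", "tcp", "ethernet1", "ve19", dport=80),
        Packet("203.0.113.5", "2.2.2.10", "icmp", "ethernet1", "ve19", icmp_type=8),
        Packet("203.0.113.5", "2.2.2.10", "icmp", "ethernet1", "ve19", icmp_type=3, icmp_code=3),
        Packet("203.0.113.5", "2.2.2.10", "tcp", "ethernet1", "ve19", dport=22),
        Packet("2.2.2.10", "198.51.100.1", "tcp", "ve19", "ethernet2", dport=443),
    ]
    return [firewall_decision(rs, p) for p in pkts], rs
```

In the sample the third packet (an ICMP port-unreachable) matches the catch-all reset rule but, being non-TCP, is silently denied, while the branch-side outbound packet matches nothing and lands in the implicit-deny counter that show rule-set would report.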


Configuring Application Layer Gateway


NOTE: The firewall supports ALG protocols in standalone deployments, as well
as DCFW and Gi/SGi-FW deployments.

In order for various Application Layer Gateway (ALG; also referred to as “Application-Level Gateway”)
protocols, such as FTP and SIP, to function correctly through a firewall, the application must be aware
of the combination of an IP address and port number that will allow incoming packets. The firewall
monitors the control traffic for an FTP or SIP session, which the application will use to open up port
mappings, in what is known as a “firewall pinhole”. These firewall pinholes are created dynamically, on
an as-needed basis. In this way, legitimate traffic from various applications that would have otherwise
been blocked can easily pass through the firewall’s security checks.

ALGs perform the following services:

• They can allow client applications to use dynamic TCP or UDP ports to establish communications
with the various well-known ports that are used by the server applications. The firewall
configuration might allow for a very limited number of well-known ports, but without the presence
of an ALG, the ports would be blocked or perhaps the network admin would need to explicitly open
up a large number of well-known ports in the firewall, which would make the network vulnerable
to attacks on those ports.
• An ALG can also synchronize data for a session between two hosts. As the hosts exchange data,
they could, for example, use an FTP application. This connection could use separate connections
to pass traffic containing the commands used to regulate the flow and exchange of data
between an end user and the distant server. If a large file is being transferred, then the control
connection could remain idle for a long time. However, an ALG could prevent the control
connection from being timed out by network devices before the large file transfer has completed.

NOTE: ALG protocols are enabled by default for traffic on well-known ports.
Thus, FTP or SIP traffic may traverse the firewall as long as the traffic is
using the well-known port (for example, port 21 for FTP and port 5060 for
SIP). The procedure below shows how to disable this default behavior so
that traffic will be denied, even if the ALG protocol is using its well-known
port.

To configure ALG support using the GUI:

1. Navigate as follows: Security > DC Firewall > Global.


A window appears similar to that shown below:


FIGURE 5 Configuring ALG Support using the GUI

2. Select the checkbox for the desired ALG protocols and port numbers to disable them. By selecting
the checkbox for a protocol and its well-known port number, all ALG traffic of that type and port
number will be dropped.
You can choose to disable the following ALG protocols (on their associated well-known ports):
• Disable FTP ALG default port 21
• Disable TFTP ALG default port 69
• Disable SIP ALG default port 5060
• Disable DNS ALG default port 53
• Disable RTSP ALG default port 554 (Not supported in DCFW deployments for 4.1.1)
• Disable PPTP ALG default port 1723 (Not supported in DCFW deployments for 4.1.1)
• Disable ICMP ALG which allows ICMP errors to pass through the firewall
3. Click Update to save your changes.

NOTE: If an application is using SIP or FTP, and the ALG is disabled on the
firewall, then the application will most likely cease to function. You can later
clear the checkbox to re-enable ALG processing by the firewall for this
protocol/port combination.


To enable ALG on non-default ports using the CLI:

If desired, you can optionally enable ALG traffic to pass through the firewall on a non-default port. To do
so:

1. Use the following command to create an object-group for a service.


ACOS(config)# object-group service service-group-name

2. At the object-group service level, specify the desired protocol (for example, UDP or TCP). Since this
next command allows us to specify the match criteria, you should indicate whether the match
should occur on a range of port numbers, or only if the port number of the incoming traffic is equal
to, greater than, or less than a designated port number.
ACOS(config-service:service-1)# udp eq port-num

3. Specify the non-default port number. (For example, you could specify the match to occur on port
1813, which is typically used for RADIUS traffic and is not the default port for DNS/UDP).
ACOS(config-service:service-1)# udp eq 1813

4. On the same line, enter the “alg” keyword, followed by the ALG protocol you want to allow to pass.
ACOS(config-service:service-1)# udp eq 1813 alg dns

CLI Example

The following example allows UDP/DNS traffic to pass through the firewall on its non-default port
1813. Typically, DNS traffic would be sent to the well-known port 53, but in our example, the traffic is
only allowed to pass through if the traffic is sent to port 1813 (which would typically be used for
RADIUS):

ACOS(config)# object-group service SG1
ACOS(config-service:SG1)# udp eq 1813 alg dns
ACOS(config-service:SG1)# exit
ACOS(config)# exit
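The Python model below ties together the ALG behaviour described in this section: the default binding of an ALG to its well-known port, disabling that binding, binding an ALG to a non-default port the way the service object-group entry above does, and the dynamic pinhole an FTP ALG opens after reading a PORT command or a 227 PASV reply on the control channel, without which the data connection would fall to the implicit deny. It is an added example, not ACOS code or anything from this guide; the endpoint parsing follows RFC 959's host,port notation and the addresses in the sample are constructed.

```python
"""Constructed model of ALG port bindings and FTP pinholes; not ACOS code."""
import re

# Default ALG bindings listed in this chapter: (protocol, well-known port) -> ALG.
DEFAULT_ALGS = {
    ("tcp", 21): "ftp", ("udp", 69): "tftp", ("tcp", 5060): "sip", ("udp", 5060): "sip",
    ("udp", 53): "dns", ("tcp", 554): "rtsp", ("tcp", 1723): "pptp",
}

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")   # active mode, RFC 959
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")  # passive-mode reply


def parse_ftp_endpoint(line):
    """Return (ip, port) announced by a PORT command or a 227 reply, else None."""
    m = PORT_RE.match(line) or PASV_RE.match(line)
    if not m:
        return None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


class AlgTable:
    def __init__(self):
        self.bindings = dict(DEFAULT_ALGS)
        self.pinholes = set()            # (proto, ip, port) opened dynamically by an ALG

    def disable(self, proto, port):
        """Equivalent of the 'Disable ... ALG default port' checkbox."""
        self.bindings.pop((proto, port), None)

    def add_service_group_entry(self, proto, port, alg):
        """Equivalent of 'object-group service ... <proto> eq <port> alg <name>'."""
        self.bindings[(proto, port)] = alg

    def alg_for(self, proto, dport):
        return self.bindings.get((proto, dport))

    def inspect_control(self, proto, dport, line):
        """Watch an FTP control-channel line and open a pinhole for the data connection."""
        if self.alg_for(proto, dport) != "ftp":
            return None                  # no ALG on this port: nothing is learned
        endpoint = parse_ftp_endpoint(line)
        if endpoint:
            self.pinholes.add(("tcp",) + endpoint)
        return endpoint

    def data_allowed(self, proto, dst_ip, dport):
        """A data connection passes only through a pinhole the ALG has opened."""
        return (proto, dst_ip, dport) in self.pinholes


def run_sample():
    """Constructed walk-through returning the observable results at each step."""
    t, out = AlgTable(), {}
    out["ftp_default"] = t.alg_for("tcp", 21)                           # ALG bound by default
    out["data_before"] = t.data_allowed("tcp", "192.0.2.10", 1025)      # no pinhole yet
    t.inspect_control("tcp", 21, "PORT 192,0,2,10,4,1")                 # client announces 1025
    out["data_after"] = t.data_allowed("tcp", "192.0.2.10", 1025)       # pinhole opened
    t.disable("tcp", 21)                                                # ALG disabled on port 21
    out["pasv_ignored"] = t.inspect_control(
        "tcp", 21, "227 Entering Passive Mode (198,51,100,7,195,80)")   # nothing learned
    out["dns_1813_default"] = t.alg_for("udp", 1813)                    # not an ALG port
    t.add_service_group_entry("udp", 1813, "dns")                       # the SG1 example above
    out["dns_1813"] = t.alg_for("udp", 1813)
    return out
```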

Hairpinning Support
ACOS supports hairpin filtering for inside-to-inside communication (or outside-to-inside
communication) of the firewall by creating a matching full-cone session.


ACOS creates a full-cone session if there is a firewall rule match that occurs with action “permit
listen-on-port”. When ACOS creates the full-cone session, the corresponding hairpin session does not
have to “re-match” the criteria in the firewall rule, and the session is allowed by the ACOS device.

This is similar to how matching works for ALG (i.e., ACOS allows free passage for the control and data
sessions). Whenever a full-cone or hairpin session is created and freed, the ACOS device increments
the counters for TCP and UDP. Full-cone sessions will increment the Outbound counter and hairpin
sessions will increment the Inbound counter, as seen in the output from the show fw full-cone-sessions
command.

NOTE: For firewall-only cases, when the listen-on-port option is enabled, full-cone
sessions are created for IPv4 and IPv6 packets only for UDP or TCP traffic. For
each full-cone and hairpin session, counters should be displayed.

For information, see the rule and show fw full-cone-sessions commands.
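The Python model below illustrates the full-cone and hairpin behaviour just described: a rule match with action “permit listen-on-port” registers a full-cone session for the initiator's endpoint and bumps the Outbound counter; a later packet from another host toward that endpoint is a hairpin (or inbound) session that is allowed without re-matching the rules and bumps the Inbound counter; ICMP creates no full-cone session. It is an added example, not ACOS code or anything from this guide; the rule shape, hosts and ports are constructed.

```python
"""Constructed model of full-cone sessions and hairpin filtering; not ACOS code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    src_net: str
    action: str         # "permit", "permit listen-on-port" or "deny"


@dataclass
class FullConeTable:
    sessions: set = field(default_factory=set)    # (proto, inside ip, inside port)
    counters: dict = field(default_factory=lambda: {
        p: {"Outbound": 0, "Inbound": 0} for p in ("tcp", "udp")})

    def create(self, pkt):
        """Open a full-cone session for the packet's source endpoint (TCP and UDP only)."""
        if pkt.proto not in self.counters:
            return False
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.sessions:
            self.sessions.add(key)
            self.counters[pkt.proto]["Outbound"] += 1   # a new full-cone session
        return True

    def hairpin(self, pkt):
        """A packet toward an existing full-cone endpoint is allowed without a rule re-match."""
        if (pkt.proto, pkt.dst, pkt.dport) in self.sessions:
            self.counters[pkt.proto]["Inbound"] += 1
            return True
        return False


def decide(pkt, rules, cones):
    """Full-cone lookup first, then first-match rule evaluation with implicit deny."""
    if cones.hairpin(pkt):
        return "permit (hairpin)"
    for rule in rules:
        if ip_address(pkt.src) in ip_network(rule.src_net):
            if rule.action == "permit listen-on-port":
                return "permit (full-cone)" if cones.create(pkt) else "permit"
            return rule.action
    return "deny"


def run_sample():
    """Constructed trace: an inside host opens a session, then peers reach it via the cone."""
    rules = [Rule("10.0.0.0/24", "permit listen-on-port")]
    cones = FullConeTable()
    trace = [
        Packet("udp", "10.0.0.5", 4000, "198.51.100.7", 5000),  # inside host, rule match
        Packet("udp", "10.0.0.9", 5555, "10.0.0.5", 4000),      # inside peer: hairpin
        Packet("udp", "203.0.113.1", 6000, "10.0.0.5", 4000),   # outside peer: inbound
        Packet("udp", "203.0.113.1", 6000, "10.0.0.5", 4001),   # no cone, no rule: deny
        Packet("icmp", "10.0.0.5", 0, "198.51.100.7", 0),       # rule match, but no cone for ICMP
        Packet("udp", "10.0.0.5", 4000, "198.51.100.9", 5000),  # same endpoint: cone reused
    ]
    return [decide(p, rules, cones) for p in trace], cones
```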

Firewall Statistics
The ACOS firewall tracks the number of hits for each rule, as well as the number of requests that are
implicitly denied, due to not matching the criteria in any of the rules within a rule-set.

You can display this information using the show rule-set CLI command. For information about using
this command, see “Firewall show and clear Commands” on page 127.

Support for High Availability with VRRP-A

The firewall supports VRRP-A for high availability with up to 8 devices in a VRRP-A configuration.

You can specify a VRID group in the per-partition firewall global parameters. Firewall sessions will be
synchronized to the standby units.

Notes:

• For DCFW to operate properly with VRRP-A, you must configure a “vrrp-a interface” for each
VRRP-A peer, and each VRRP-A peer must be reachable over only one subnet.


• For more information about the CLI command used to add the firewall to a VRRP-A cluster, see
“fw vrid” on page 115.
• For a comprehensive discussion of VRRP-A, see the document Configuring VRRP-A High
Availability.


Firewall Rule-Sets for Gi/SGi-FW

This chapter describes how to configure firewall rule-sets for Gi/SGi-FW.

Overview
A rule-set contains firewall rules, and these rules control what type of traffic is allowed to enter the
firewall, and which traffic will be denied. This filtering process is accomplished by configuring rules in
the rule-set, and each rule can be configured with an action, such as permit or deny.

For example, you could configure a rule with the action to “permit” a certain type of traffic associated
with a specified application. If packets entering the firewall match the rule, they will be permitted to
traverse the firewall.

The rule can be configured to perform generic functions, such as “forward” or “cgnv6”, or it can be set
up to perform more advanced functions, such as “cgnv6 lsn-lid 2” or “cgnv6 fixed-nat”.

NOTE: By default, a “permit” rule that has no specified application will be
L3-forwarded and will create a firewall session. In other words, it is treated the
same as a permit rule with an application specified as “forward”.

For a rule without an application associated with it, use the command fw permit-default-action
{next-service-mode | forward} to change the default behavior of the rule. This command changes the
way a packet will be processed when it matches a rule that contains “action permit”.

• next-service-mode means that the packet will be processed according to the applications config-
ured in order.
• forward means that the packet will be L3 forwarded and will create a firewall session.

NOTE: These CLI commands are only supported in Gi/SGi-FW partitions and do
not apply to DCFW.

The allowed applications are listed as follows:

• cgnv6 – Handles packets matching this rule by checking against any configured CGNv6
applications. If no CGNv6 application is found to match, the packet is denied.
• cgnv6 lsn-lid xxxx – Uses the specified LSN LID to perform NAT on packets matching this rule. If
the LSN LID is not found, the packet is dropped.
  NOTE: Packets must come in on a NAT inside interface and go out through a NAT outside
  interface.
• cgnv6 fixed-nat – Applies Fixed NAT on any packet matching this rule. If no matching Fixed
NAT configuration is found, the packet is dropped.
• forward – Handles packets matching this rule as Firewall sessions.

Processing Rules
• When a packet matches a rule which does not have an application associated with it, the default
behavior is to treat it as a transparent session. To change this default behavior, use the
fw permit-default-action next-service-mode command to configure the packets to be processed
according to the most appropriate of the various applications configured.
• When a packet matches a cgnv6 rule, the packet will be processed according to the “cgnv6”
applications configured if and only if it satisfies all the necessary conditions. A packet not
matching any CGNv6 configurations will get dropped.
• When a packet matches a cgnv6 lsn-lid xxx rule, the packet will be processed according to the
specified LSN LID. It is not necessary to configure an LSN class-list. However, the packet must
come in on a NAT inside interface. When an LSN LID is not found, the packet will get dropped.
• When a packet matches a cgnv6 fixed-nat rule, the packet will be processed by Fixed NAT. The
packet must come in on a NAT inside interface. When no matching Fixed NAT configuration is
found, the packet will get dropped.
• When a packet matches a forward rule, the packet will be handled as a firewall session.
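The Python model below walks through the processing rules above for a packet that has matched a permit rule: no application (L3-forward by default, or the configured applications in turn under next-service-mode), forward, cgnv6 through the LSN class-list, cgnv6 lsn-lid N, and cgnv6 fixed-nat, including the NAT-inside-interface requirement and the drop cases. It is an added example, not ACOS code or anything from this guide; the sample configuration mirrors the class-list and lsn-lid/pool names of the samples that follow, the interface names are made up, and the order in which next-service-mode tries the CGNv6 applications (LSN class-list, then Fixed NAT, then a firewall session) is an assumption, not something this guide states.

```python
"""Constructed model of application dispatch for 'action permit [app]' in a
Gi/SGi-FW partition; not ACOS code. Interface names and the next-service-mode
ordering are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class CgnConfig:
    lsn_class_list: list = field(default_factory=list)    # [(network, lsn-lid)] as in "class-list lsn"
    lsn_lids: dict = field(default_factory=dict)          # lsn-lid -> source-nat-pool name
    fixed_nat_inside: list = field(default_factory=list)  # inside networks covered by Fixed NAT
    nat_inside_ifaces: set = field(default_factory=set)   # interfaces configured as NAT inside


@dataclass
class Packet:
    src: str
    in_if: str


def _lsn(cfg, pkt, lid):
    """LSN via a given LID: the LID must exist and the packet must enter on a NAT inside interface."""
    if lid not in cfg.lsn_lids or pkt.in_if not in cfg.nat_inside_ifaces:
        return "drop"
    return f"lsn-lid {lid} pool {cfg.lsn_lids[lid]}"


def _lsn_by_class_list(cfg, pkt):
    for net, lid in cfg.lsn_class_list:        # first matching class-list entry selects the LID
        if ip_address(pkt.src) in net:
            return _lsn(cfg, pkt, lid)
    return "drop"                               # no CGNv6 application matched


def _fixed_nat(cfg, pkt):
    if pkt.in_if not in cfg.nat_inside_ifaces:
        return "drop"
    if not any(ip_address(pkt.src) in net for net in cfg.fixed_nat_inside):
        return "drop"                           # no matching Fixed NAT configuration
    return "fixed-nat"


def process(app, pkt, cfg, permit_default_action="forward"):
    """Return how a packet that matched 'action permit [app]' is handled, or 'drop'."""
    if app is None:                             # rule carries no application
        if permit_default_action == "forward":
            return "fw-session"                 # L3-forwarded, firewall session created
        # next-service-mode: assumed order is LSN class-list, then Fixed NAT, then a
        # plain firewall session when neither CGNv6 application applies.
        for attempt in (_lsn_by_class_list, _fixed_nat):
            result = attempt(cfg, pkt)
            if result != "drop":
                return result
        return "fw-session"
    if app == "forward":
        return "fw-session"
    if app == "cgnv6":
        return _lsn_by_class_list(cfg, pkt)
    if app.startswith("cgnv6 lsn-lid "):
        return _lsn(cfg, pkt, int(app.rsplit(" ", 1)[1]))
    if app == "cgnv6 fixed-nat":
        return _fixed_nat(cfg, pkt)
    raise ValueError(f"unknown application: {app}")


def sample_config():
    """Mirrors the samples below: class-list lsn 0.0.0.0/0 -> lsn-lid 1; lsn-lid 1/2 use pools p3/p4."""
    return CgnConfig(
        lsn_class_list=[(ip_network("0.0.0.0/0"), 1)],
        lsn_lids={1: "p3", 2: "p4"},
        fixed_nat_inside=[ip_network("12.10.10.0/24")],
        nat_inside_ifaces={"ethernet1"},        # assumed NAT inside interface
    )
```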

Sample Configurations

Action Permit
The following is a sample configuration when there is no application specified after the action permit
command. The packet is processed in L3-forward mode and a firewall session is created.

!
rule-set firewall
rule 1
action permit
source ipv4-address 12.10.10.0/24
source zone any
dest ipv4-address 9.9.9.173/32
dest zone any
service any
!

Application CGNv6
The following is a sample configuration in which a packet matching the rule is processed by a CGNv6 application. If the traffic does not match the CGNv6 rule, the packet will get dropped.

!
class-list lsn
0.0.0.0/0 lsn-lid 1
!
cgnv6 lsn inside source class-list lsn
!
cgnv6 nat pool p3 9.9.9.50 9.9.9.50 netmask /24 vrid 31
!
cgnv6 lsn-lid 1
source-nat-pool p3
!
rule-set firewall
rule 1
action permit cgnv6
source ipv4-address 12.10.10.0/24
source zone any
dest ipv4-address 9.9.9.173/32
dest zone any
service any
!

Application CGNv6 LSN-LID


The following is a sample configuration when a valid LSN-LID is specified to perform NAT on packets
matching this rule, regardless of whether an LSN class-list is configured or not. If no LSN LID is found,
the packet will get dropped.

!
cgnv6 nat pool p3 9.9.9.50 9.9.9.50 netmask /24 vrid 31
!
cgnv6 nat pool p4 9.9.9.60 9.9.9.60 netmask /24 vrid 31
!
cgnv6 lsn-lid 1
source-nat-pool p3
!
cgnv6 lsn-lid 2
source-nat-pool p4
!
rule-set firewall
rule 1
action permit cgnv6 lsn-lid 2
source ipv4-address 12.10.10.0/24
source zone any
dest ipv4-address 9.9.9.173/32
dest zone any
service any
!

Application CGNV6 LSN-LID Conflicting Rules


The following is a sample configuration in which a firewall rule action conflicts with another rule. To resolve the conflict, a “first-come, first-served” sequence is executed to assign a NAT address to the user.

!
cgnv6 nat pool p3 9.9.9.50 9.9.9.50 netmask /24 vrid 31
!
cgnv6 nat pool p4 9.9.9.60 9.9.9.60 netmask /24 vrid 31
!
cgnv6 lsn-lid 1
source-nat-pool p3
!
cgnv6 lsn-lid 2
source-nat-pool p4
!
rule-set firewall
rule 1
action permit cgnv6 lsn-lid 2
source ipv4-address 12.10.10.0/24
source zone any
dest ipv4-address 9.9.9.173/32
dest zone any
service any
rule 4
action permit cgnv6 lsn-lid 1
source ipv4-address 12.10.10.0/24
source zone any
dest ipv4-address any
dest zone any
service any
!


NOTE: In this example, the NAT inside source static address is problematic.
Also, lsn-lid 2 under rule 1 and lsn-lid 1 under rule 4 are assigned to
the same user. The LSN LID to be used for the user is determined by
which rule is matched by the inside user first. Only one LSN LID can be
used for the same inside user.

Application CGNv6 Fixed NAT


The following is a sample configuration in which Fixed NAT is specified to perform NAT on packets matching this rule. If no Fixed NAT configuration is found, the packet will get dropped. An entry “Fixed NAT Conf not Found” will be displayed in the output of the show cgnv6 fixed-nat statistics command.

!
cgnv6 fixed-nat inside 12.10.10.172 12.10.10.172 netmask /24 nat 9.9.9.67 9.9.9.67 netmask /24 vrid 31
!
rule-set firewall
rule 1
action permit cgnv6 fixed-nat
source ipv4-address 12.10.10.0/24
source zone any
dest ipv4-address 9.9.9.173/32
dest zone any
service any
!

Application CGNv6 Fixed NAT and lsn-lid Conflict


The following is a sample configuration when the rules for the same inside user are configured to use
both Fixed NAT and LSN-LID for different services.

!
class-list lsn
0.0.0.0/0 lsn-lid 1
!
cgnv6 lsn inside source class-list lsn
!
cgnv6 nat pool p3 9.9.9.50 9.9.9.50 netmask /24 vrid 31
!
cgnv6 nat pool p4 9.9.9.60 9.9.9.60 netmask /24 vrid 31
!
cgnv6 fixed-nat inside 12.10.10.172 12.10.10.172 netmask /24 nat 9.9.9.67 9.9.9.67 netmask /24 vrid 31
!
cgnv6 lsn-lid 1
source-nat-pool p3
!
cgnv6 lsn-lid 2
source-nat-pool p4
!
rule-set firewall
rule 1
action permit cgnv6 fixed-nat
source ipv4-address 12.10.10.172/32
source zone any
dest ipv4-address 9.9.9.173/32
dest zone any
service any
rule 4
action permit cgnv6 lsn-lid 1
source ipv4-address 12.10.10.172/32
source zone any
dest ipv4-address any
dest zone any
service any
!

NOTE: In this example, cgnv6 fixed-nat under rule 1 and cgnv6 lsn-lid 1 under rule 4 are assigned to the same inside user to use both Fixed NAT and LSN-LID for different services. This is a valid configuration and the same user can make use of different NAT technologies for different services.

Application Forward
The following is a sample configuration in which the rule is configured to process the packet in L3-forward mode; a firewall session will be created.

!
cgnv6 nat pool p3 9.9.9.50 9.9.9.50 netmask /24 vrid 31
!
cgnv6 nat pool p4 9.9.9.60 9.9.9.60 netmask /24 vrid 31
!
cgnv6 lsn-lid 1
source-nat-pool p3
!
cgnv6 lsn-lid 2
source-nat-pool p4
!
rule-set firewall
rule 1
action permit forward
source ipv4-address 12.10.10.0/24
source zone any
dest ipv4-address 9.9.9.173/32
dest zone any
service any
rule 4
action permit cgnv6 lsn-lid 1
source ipv4-address 12.10.10.0/24
source zone any
dest ipv4-address any
dest zone any
service any
!

NOTE: In this example, forward under rule 1 and cgnv6 lsn-lid 1 under rule 4 are assigned to the same user. This is a valid configuration and the same inside user will either be treated as a firewall session and Layer 3 forwarded or use LSN LID 2 for NAT, based on the destination address.


Firewall Logging

This chapter describes how to create firewall logging templates and covers the following topics:

• Overview

• Configuring Firewall Logging

• Sample Firewall Configuration

• Sample Firewall Log Messages

• Choosing CEF or ASCII Format

Overview
Firewall logging is an optional action that can be applied to any rule. When you enable logging on a rule,
log messages are generated whenever a session is created, destroyed, or denied.

The firewall cannot store log messages locally, due to the high volume of firewall logs. Therefore, only
external syslog servers are supported. External system logging configuration is required for any syslog
messages to be sent to an external server.

This overview section covers the following topics:

• Configuring the External Logging Server

• Where Firewall Logs Are Sent

• System Logging Host Configuration

• Firewall Logging Elements

• Firewall Logging Partition Availability

• Firewall Logging Template

• Binding Firewall Logging Template Globally

• HTTP Logging Support


Configuring the External Logging Server


The firewall creates a high volume of log messages. These messages must be directed to an external
logging server.

NOTE: If you configure multiple logging hosts, requests will be sent using round-robin.

The logging host must be configured to accept syslog messages, and it must be reachable from within
the partition's routing domain. The logging host must not be on the management network.

Where Firewall Logs Are Sent


Firewall log messages consist of the following basic event types:

• Configuration events – These messages indicate that a configuration change has occurred. Typically, this type of firewall event is generated when you configure a firewall rule or other setting. Firewall configuration logs are sent following successful configuration of system logging. Firewall configuration logs are included as part of the system logs, and these configuration logs are only sent out after using the logging host command. See the “logging host” command in the CLI Reference for details on setting up basic system logging.
• When the firewall configuration log is sent to the remote log server, it will also appear in the
log buffer.
• By default, only configuration events are logged to the local logging buffer on ACOS.
• Data events – These event types indicate that a firewall session has been created or destroyed.
Session logs for data events can be sent using either of two logging commands (logging host or
fw logging).

• Data events are not logged by default. Due to the potentially high volume of data event messages, these are only accessible using external logging servers. You can configure the firewall to use a single logging server or a group of logging servers.
• To set up firewall logging for data events, use the fw logging command. (See “fw logging” on page 98 for details.)

NOTE: If an external logging server is not set up, then firewall configuration
events are logged locally, and data events will not be logged.

System Logging Host Configuration


The firewall uses system logging host configuration to obtain the syslog server information. This
approach may be limiting, because the system logging host configuration is used for device system
logging.


However, because firewall logs are verbose and occur at high frequency, the ACOS device can separate log messages associated with firewall activity from log messages related to general device configuration.

NOTE: ACOS will use a logging host if one has been configured. This host must
also have a custom logging template configured and must be bound to
the firewall rule-set.

Firewall Logging Elements


The key building blocks of a firewall logging configuration are:

• firewall logging servers

• firewall service groups

• firewall logging templates

Firewall Logging Partition Availability


Firewall logging is available in the following partitions:

• Firewall partition

• SLB-Firewall partition

• CGN-Firewall partition

Firewall Logging Template


The only available server selection method in the firewall logging template is source IP hash based.

Limitations:

• Within any given partition, configuring an SLB template with the same name as a firewall template is not permitted.
• The only option currently available under the firewall logging template is to configure the service group.
• Only a firewall service group can be bound to a firewall logging template.
• UDP and TCP are the firewall service-group types that can be bound to a firewall logging template.


Firewall logs are sent out using the Common Event Format (CEF). For more information, see “Choosing
CEF or ASCII Format” on page 47.

Binding Firewall Logging Template Globally


In order for firewall logs to be sent using the firewall logging template, the firewall logging template
must be bound globally.

See “fw logging” on page 98 for more information.

HTTP Logging Support


In previous releases, firewall logging was restricted to the ability to send logs for events such as when a session was created or deleted, or when a client request was denied or reset. This level of logging works well for simpler DCFW deployments, but with the introduction of GiFW, which combines a firewall with CGN, a more advanced set of logging capabilities is required. To support the additional requirements, release 4.1.1-P2 adds support for HTTP Logging.

HTTP Logging can be used to send logging information for CGN-based events, such as this partial list:

• log http-request url

• include-http l4-session-info

• rule http-requests dest-port 80

For a full list of options supported by HTTP logging, see the include-http, log http-requests, and rule
http-requests options under the fw template logging command.

How HTTP Logging Works


Upon receiving a TCP packet ACOS first matches against the configured rule-set to check if it is permit-
ted. ACOS then does a destination port lookup to decide if HTTP logging is required for the session.

Configuration
HTTP logging is enabled on a destination port basis and is configured in the firewall logging template.

The following sample configuration shows how to enable HTTP logging on ports 80 and 880:

ACOS(config)# fw template logging log1
ACOS(config-logging)# log http-request url
ACOS(config-logging)# rule http-requests dest-port 80
ACOS(config-logging)# rule http-requests dest-port 880


NOTE: HTTP Logging requires that log messages be sent in ASCII format.
Therefore, you must change the log message format from CEF to ASCII
for HTTP Logging to work. For more information, see Choosing CEF or
ASCII Format.

NOTE: For a comprehensive discussion of HTTP logging, please refer to the “Logging HTTP Headers” section in the 2.8.2-P6 Traffic Logging Guide for IPv6 Migration.


Configuring Firewall Logging


NOTE: The service group (slb or cgnv6) cannot share the same name as a firewall service group.

NOTE: With the introduction of “Support for TCP Logging for GiFW” in 4.1.1-P2,
the firewall logging configuration below could be modified to work with
UDP or TCP. For TCP, simply replace “udp” with “tcp”, as shown below.

The following commands configure the firewall server:

ACOS(config)# fw server syslog 15.15.15.91
ACOS(config-real server)# port 514 udp (or tcp)
ACOS(config-real server-node port)# exit

The following commands configure the firewall service group:

ACOS(config)# fw service-group syslog1 udp (or tcp)
ACOS(config-fw svc group)# member syslog 514
ACOS(config-fw svc group)# exit

The following commands configure the firewall logging template:

ACOS(config)# fw template logging fw_logging
ACOS(config-logging)# service-group syslog1

The following command binds the firewall logging template globally:

ACOS(config)# fw logging fw_logging

Sample Firewall Configuration


ACOS(config)# rule-set test
ACOS(config-rule set:test)# rule 2
ACOS(config-rule set:test-rule:2)# action permit cgnv6
ACOS(config-rule set:test-rule:2)# source ipv4-address 3.3.3.0/24
ACOS(config-rule set:test-rule:2)# source zone any
ACOS(config-rule set:test-rule:2)# dest ipv4-address any
ACOS(config-rule set:test-rule:2)# dest zone any
ACOS(config-rule set:test-rule:2)# service object-group alg
ACOS(config-rule set:test)# rule 3
ACOS(config-rule set:test-rule:3)# action permit cgnv6
ACOS(config-rule set:test-rule:3)# source ipv4-address 3.3.3.89/32
ACOS(config-rule set:test-rule:3)# source zone any
ACOS(config-rule set:test-rule:3)# dest ipv4-address 15.15.15.90/32
ACOS(config-rule set:test-rule:3)# dest zone any
ACOS(config-rule set:test-rule:3)# service proto-id 47
ACOS(config-rule set:test)# rule 4
ACOS(config-rule set:test-rule:4)# action permit cgnv6
ACOS(config-rule set:test-rule:4)# source ipv4-address 3.3.3.89/32
ACOS(config-rule set:test-rule:4)# source zone any
ACOS(config-rule set:test-rule:4)# dest ipv4-address 15.15.15.90/32
ACOS(config-rule set:test-rule:4)# dest zone any
ACOS(config-rule set:test-rule:4)# service udp
ACOS(config-rule set:test)# rule 5
ACOS(config-rule set:test-rule:5)# action permit cgnv6
ACOS(config-rule set:test-rule:5)# source ipv4-address any
ACOS(config-rule set:test-rule:5)# source zone any
ACOS(config-rule set:test-rule:5)# dest ipv4-address any
ACOS(config-rule set:test-rule:5)# dest zone any
ACOS(config-rule set:test-rule:5)# service icmp type dest-unreachable code port-unreachable
ACOS(config-rule set:test)# rule 6
ACOS(config-rule set:test-rule:6)# action permit cgnv6 log
ACOS(config-rule set:test-rule:6)# source ipv4-address 3.3.3.89/32
ACOS(config-rule set:test-rule:6)# source zone any
ACOS(config-rule set:test-rule:6)# dest ipv4-address 15.15.15.90/32
ACOS(config-rule set:test-rule:6)# dest zone any
ACOS(config-rule set:test-rule:6)# service icmp type echo-request

ACOS(config)# fw server syslog1 15.15.15.91
ACOS(config-real server)# port 514 udp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit

ACOS(config)# fw service-group syslog1 udp
ACOS(config-fw svc group)# member syslog1 514
ACOS(config-fw svc group-member:514)# exit
ACOS(config-fw svc group)# exit

ACOS(config)# fw template logging fw_logging
ACOS(config-logging)# service-group syslog1
ACOS(config-logging)# exit

ACOS(config)# fw logging fw_logging


Sample Firewall Log Messages

Session Open Log

Sep 30 15:21:39 2016 vThunder CEF:0|A10 NETWORKS|Thunder Series Unified Application Service Gateway|4.1|FW 100|Session opened|1|proto=TCP act=Permit rt=4299774764 src=192.168.101.50 spt=59298 dst=192.168.201.51 dpt=80 deviceInboundInterface=ethernet1 deviceOutboundInterface=ethernet2 cs1=fw-policy cs2=any cs6=p1 cs1Label=Rule Set Name cs2Label=Rule Name cs6Label=Partition Name

Session Close Log

Sep 30 15:21:41 2016 vThunder CEF:0|A10 NETWORKS|Thunder Series Unified Application Service Gateway|4.1|FW 101|Session closed|1|proto=TCP act=Permit rt=4299775272 src=192.168.101.50 spt=59298 dst=192.168.201.51 dpt=80 deviceInboundInterface=ethernet1 deviceOutboundInterface=ethernet2 cs1=fw-policy cs2=any cs6=p1 cs3=Normal in=14617 out=761 cn1=10 cn2=13 cn3=2 cs1Label=Rule Set Name cs2Label=Rule Name cs3Label=Reason cn1Label=Packets TX cn2Label=Packets RX cn3Label=Session Duration Seconds cs6Label=Partition Name

Deny Log

Sep 30 16:20:33 2016 vThunder CEF:0|A10 NETWORKS|Thunder Series Unified Application Service Gateway|4.1|FW 102|Session denied|5|proto=TCP act=Deny rt=4300658279 src=192.168.101.50 spt=59302 dst=192.168.201.51 dpt=80 deviceInboundInterface=ethernet1 cs1=fw-policy cs2=any cs6=p1 cs1Label=Rule Set Name cs2Label=Rule Name cs6Label=Partition Name


Choosing CEF or ASCII Format


By default, the firewall log messages are sent in Common Event Format (CEF), which is an open standard used by other security appliances and network devices.1 However, beginning with ACOS 4.1.1-P2, log messages can be sent in ASCII, which is an A10-defined custom text format.

ASCII formatted log messages can include additional information that cannot be conveyed using standard CEF log messages. For example, the following CGN logging options are supported when using ASCII formatted log messages:

• Inclusion of RADIUS attributes in log messages

• Support for HTTP logging

• Inclusion of timestamp resolution

• Inclusion of the byte count in log messages

• Ability to set the firewall logging facility

Use the following commands to specify which format to use:

ACOS(config)# fw template logging name
ACOS(config-logging)# format {ascii | cef}

For more information, see the fw template logging command.

CEF-formatted Log Messages


Firewall log messages that use CEF format contain the following fields:

Timestamp|host|CEF:version|device-vendor|device-product|device-version|Signature ID (or “module”)|Name (or “event-type”)|Severity|CEF-extension

1. Log messages are transported using syslog, but the format of the log messages can be CEF or ASCII.


Table 6 describes the fields that may appear in the firewall logs of CEF-formatted messages.

TABLE 6 Firewall log fields in CEF-formatted messages

Field                            Description
Timestamp                        Date and time the log was generated, in the following format: Mon Day hh:mm:ss Year
Host                             Name (or IP) of the firewall device.
CEF version                      CEF version.
device-vendor                    Vendor name, “A10 NETWORKS”.
device-product                   Thunder Series Unified Application Service Gateway
device-version                   For example, “4.1”
signature-id (a.k.a., “module”)  The signature-id is a unique identifier for each of the different event types. This can be a string or an integer, and it is used to identify the type of event that is being reported.
                                 The signature-id field has prefix “FW” before a numbered code, such as “FW 100”.
name (a.k.a., “event-type”)      The name field is a description of the FW event-type. For example:
                                 • Session opened
                                 • Session closed
Severity                         The Severity field indicates the severity of the event in the range of 0 to 10. 0 is the lowest and 10 is the highest.
CEF-extension                    The CEF extension for FW uses the following elements:
(an extension is a collection    • proto – TCP, UDP, ICMP, ICMPv6, IP, GRE, RTSP and OTHER
of key-value pairs)              • act – Action taken by the firewall device:
                                   • Permit
                                   • Deny
                                   • Reset
                                 • rt – “rt” or “receiptTime” is a timestamp representing the time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss (e.g., Jan 21 1980), or “rt” can also be expressed as the number of milliseconds since the epoch.
                                 • src – Source IP of the request or response.
                                 • spt – Source protocol port of the request or response.
                                 • dst – Destination IP of the request or response.
                                 • dpt – Destination protocol port of the request or response.
                                 • deviceInboundInterface – Interface upon which the data or packet entered the device.
                                 • deviceOutboundInterface – Interface upon which the data or packet exited the device.
                                 • cs1 and cs1Label – The name of the rule-set.
                                 • cs2 and cs2Label – The name of the rule within the rule-set.
                                 • cs4 and cs4Label – The name of the source zone.
                                 • cs5 and cs5Label – The name of the destination zone.
                                 • cs6 and cs6Label – The name of the partition. (Note: This field is N/A if the event is invoked in the shared partition)
                                 • cn1 and cn1Label – Packets transferred from source to destination. Appears in close event only.
                                 • cn2 and cn2Label – Packets transferred from destination to source. Appears in close event only.
                                 • cn3 and cn3Label – Session duration (in seconds) since open event. Appears in close event only.
                                 • c6a2 and c6a2Label – IPv6 source address.
                                 • c6a3 and c6a3Label – IPv6 destination address.
                                 • flexNumber1 and flexNumber1Label – ICMP/ICMPv6 type.
                                 • flexNumber2 and flexNumber2Label – ICMP/ICMPv6 code.


The following section shows a sample FW log message in CEF format for a UDP session that is being
opened.

Sep 30 15:21:39 2016 vThunder CEF:0|A10 NETWORKS|Thunder Series Unified Application Service Gateway|4.1|FW 100|Session opened|1|proto=TCP act=Permit rt=4299774764 src=192.168.101.50 spt=59298 dst=192.168.201.51 dpt=80 deviceInboundInterface=ethernet1 deviceOutboundInterface=ethernet2 cs1=fw-policy cs2=any cs6=p1 cs1Label=Rule Set Name cs2Label=Rule Name cs6Label=Partition Name

Table 7 labels each field that appears in the above log message.

TABLE 7 FW log example (CEF) opening session

Field                      Value
Timestamp                  Sep 30 15:21:39 2016
Host                       vThunder
CEF version                0
device-vendor              A10 NETWORKS
device-product             Thunder Series Unified Application Service Gateway
device-version             4.1
signature-id (module)      FW 100
name (event-type)          Session opened
Common Event Format        1
Protocol                   TCP
CEF-extension              act=Permit
(i.e., key-value pairs)    rt=4299774764
                           src=192.168.101.50
                           spt=59298
                           dst=192.168.201.51
                           dpt=80
                           deviceInboundInterface=ethernet1
                           deviceOutboundInterface=ethernet2
                           cs1=fw-policy
                           cs2=any
                           cs6=p1
                           cs1Label=Rule Set Name
                           cs2Label=Rule Name
                           cs6Label=Partition Name


ASCII-formatted Log Messages


This sample firewall ASCII-formatted log message shows an IPv4 UDP session:

LOCAL0.INFO: Jan 2 17:04:18 AX2500 FW-UDP-H: 3.3.3.89:58219<-->15.15.15.90:14000 ACT=PERMIT RT=4295164466 IN-INTF=ve301 OUT-INTF=ve401 POLICY=fw-only RULE=2 FWD_BYTES=180 REV_BYTES=0 FWD_PKTS=3 REV_PKTS=0 DUR=10\r\n

Table 8 defines the fields that appear in the above ASCII-formatted log message.

TABLE 8 FW log example (ASCII format) IPv4 UDP session

Field                           Value
Host                            LOCAL0.INFO:
Timestamp                       Jan 2 17:04:18
device-product                  AX2500
Application-Protocol-EventType  FW-UDP-H
                                For firewall logs, event type can be:
                                • G – session OPEN
                                • H – session CLOSE
                                • I – session DENY
                                • J – session RESET
Src IP/port                     3.3.3.89:58219
Dst IP/port                     15.15.15.90:14000
ASCII-extension                 ACT=PERMIT
(i.e., key-value pairs)         RT=4295164466
                                IN-INTF=ve301
                                OUT-INTF=ve401
                                POLICY=fw-only
                                RULE=2
                                FWD_BYTES=180
                                REV_BYTES=0
                                FWD_PKTS=3
                                REV_PKTS=0
                                DUR=10\r\n
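As an added example (not A10's code) serving both the CEF layout in Tables 6 and 7 and the ASCII layout in Table 8, the following Python parses either format into one normalized record and tallies denied sessions per source, which is what a collector receiving these syslog messages typically does first. The sample lines are constructed to match the guide's examples, the FW 100/101/102 mapping is taken from the sample messages, and the ASCII parser assumes IPv4 endpoints as in the sample.

```python
"""Parser for the two firewall log formats described above: CEF (Tables 6-7)
and ASCII (Table 8). Added example, not A10 code; both formats are normalized
into one record so the same detection logic can run on either."""
import re
from dataclasses import dataclass, field

# Constructed sample lines, shaped like the guide's examples (one line each).
CEF_OPEN = ("Sep 30 15:21:39 2016 vThunder CEF:0|A10 NETWORKS|Thunder Series "
            "Unified Application Service Gateway|4.1|FW 100|Session opened|1|"
            "proto=TCP act=Permit rt=4299774764 src=192.168.101.50 spt=59298 "
            "dst=192.168.201.51 dpt=80 deviceInboundInterface=ethernet1 "
            "deviceOutboundInterface=ethernet2 cs1=fw-policy cs2=any cs6=p1 "
            "cs1Label=Rule Set Name cs2Label=Rule Name cs6Label=Partition Name")
CEF_CLOSE = ("Sep 30 15:21:41 2016 vThunder CEF:0|A10 NETWORKS|Thunder Series "
             "Unified Application Service Gateway|4.1|FW 101|Session closed|1|"
             "proto=TCP act=Permit rt=4299775272 src=192.168.101.50 spt=59298 "
             "dst=192.168.201.51 dpt=80 deviceInboundInterface=ethernet1 "
             "deviceOutboundInterface=ethernet2 cs1=fw-policy cs2=any cs6=p1 "
             "cs3=Normal in=14617 out=761 cn1=10 cn2=13 cn3=2 cs1Label=Rule Set "
             "Name cs2Label=Rule Name cs3Label=Reason cn1Label=Packets TX "
             "cn2Label=Packets RX cn3Label=Session Duration Seconds "
             "cs6Label=Partition Name")
ASCII_CLOSE = ("LOCAL0.INFO: Jan 2 17:04:18 AX2500 FW-UDP-H: "
               "3.3.3.89:58219<-->15.15.15.90:14000 ACT=PERMIT RT=4295164466 "
               "IN-INTF=ve301 OUT-INTF=ve401 POLICY=fw-only RULE=2 FWD_BYTES=180 "
               "REV_BYTES=0 FWD_PKTS=3 REV_PKTS=0 DUR=10\r\n")

CEF_EVENTS = {"FW 100": "open", "FW 101": "close", "FW 102": "deny"}   # signature-id
ASCII_EVENTS = {"G": "open", "H": "close", "I": "deny", "J": "reset"}  # FW-<proto>-<X>

# A CEF extension value may contain spaces ("cs1Label=Rule Set Name"), so a
# value runs until the next " key=" token rather than the next space.
_CEF_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
_ASCII = re.compile(
    r"^(?P<facility>\S+):\s+(?P<ts>\w{3}\s+\d{1,2}\s+[\d:]+)\s+(?P<host>\S+)\s+"
    r"FW-(?P<proto>[A-Z0-9]+)-(?P<ev>[GHIJ]):\s+"
    r"(?P<src>[^:\s]+):(?P<spt>\d+)<-->(?P<dst>[^:\s]+):(?P<dpt>\d+)\s+(?P<kv>.*)$")


@dataclass
class FwEvent:
    fmt: str
    event: str       # open / close / deny / reset
    proto: str
    action: str      # permit / deny / reset
    src: str
    spt: int
    dst: str
    dpt: int
    rule_set: str
    rule: str
    extra: dict = field(default_factory=dict)


def parse_cef(line):
    """CEF header is '|'-separated (Table 6); the extension is key=value pairs."""
    head, vendor, _product, _ver, sig_id, name, severity, ext_text = line.strip().split("|", 7)
    if "CEF:" not in head or vendor != "A10 NETWORKS":
        raise ValueError("not an A10 CEF firewall message")
    ext = dict(_CEF_KV.findall(ext_text))
    # csNLabel / cnNLabel say what csN / cnN hold; resolve them to readable names.
    labeled = {ext[k + "Label"]: v for k, v in ext.items() if k + "Label" in ext}
    return FwEvent("cef", CEF_EVENTS.get(sig_id, name), ext.get("proto", "OTHER"),
                   ext.get("act", "").lower(), ext["src"], int(ext.get("spt", 0)),
                   ext["dst"], int(ext.get("dpt", 0)),
                   labeled.get("Rule Set Name", ""), labeled.get("Rule Name", ""),
                   {"severity": int(severity), "partition": labeled.get("Partition Name"),
                    "packets_tx": labeled.get("Packets TX"), "reason": labeled.get("Reason")})


def parse_ascii(line):
    """ASCII format (Table 8): 'FW-<proto>-<event>: src:port<-->dst:port KEY=VALUE ...'."""
    m = _ASCII.match(line.strip())
    if not m:
        raise ValueError("not an ACOS ASCII firewall message")
    kv = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    return FwEvent("ascii", ASCII_EVENTS[m["ev"]], m["proto"], kv.get("ACT", "").lower(),
                   m["src"], int(m["spt"]), m["dst"], int(m["dpt"]),
                   kv.get("POLICY", ""), kv.get("RULE", ""),
                   {"fwd_bytes": int(kv.get("FWD_BYTES", 0)),
                    "rev_bytes": int(kv.get("REV_BYTES", 0)), "duration": int(kv.get("DUR", 0)),
                    "in_intf": kv.get("IN-INTF"), "out_intf": kv.get("OUT-INTF")})


def parse_fw_log(line):
    """Dispatch on format: a CEF line carries 'CEF:' before its first '|'."""
    return parse_cef(line) if "CEF:" in line.split("|", 1)[0] else parse_ascii(line)


def deny_counts(lines):
    """Denied sessions per source address, whichever log format produced them."""
    counts = {}
    for ev in map(parse_fw_log, lines):
        if ev.event == "deny":
            counts[ev.src] = counts.get(ev.src, 0) + 1
    return counts
```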


Configuring RADIUS Support for Firewall

Framed IPv6 Prefix Support in RADIUS Table


When a firewall rule-set configured with firewall logging is being applied to a rule, log messages are generated whenever a session is created, destroyed, or denied. This rule controls what type of traffic is allowed to enter the firewall, and which traffic will be denied. While sending firewall logs, RADIUS attributes can be added to the firewall log messages.

ACOS is configured to act as a RADIUS server so that it can receive RADIUS accounting requests that
include the client RADIUS attributes.

When the client’s AAA server sends a RADIUS accounting packet containing the Framed IP and/or Framed IPv6 Prefix to ACOS, ACOS intercepts the packet and creates a RADIUS table entry based on the IP and IPv6 Prefix. When the inside user creates a data connection either from the IP or from an IPv6 address (from the prefix), ACOS then includes the RADIUS attributes while sending the log messages.

The ACOS device acts as a RADIUS server, intercepting RADIUS accounting request messages sent to the Interface / Floating IPs configured on ACOS. To create a RADIUS server configuration for a Firewall deployment, use the fw radius server command.

When configuring the Firewall RADIUS server or CGNV6 RADIUS server, use the framed-ipv6-prefix command to specify the Framed IPv6 Prefix as a RADIUS attribute for RADIUS accounting requests. The following combinations are possible in a RADIUS packet:

• Framed IPv4 address and Framed IPv6 prefix — ACOS accepts the packet and creates the RADIUS entries based on the IPv4 address and the IPv6 prefix.
• Framed IPv4 address and Framed IPv6 address — ACOS accepts the packet and creates the RADIUS entries based on the IPv4 address and the IPv6 address.
• Framed IPv6 address and Framed IPv6 prefix — ACOS accepts the packet and creates one record with the IPv6 address.
• Framed IPv6 address and Framed IPv6 prefix are present.

The Framed IPv6 prefix attribute in the RADIUS packet contains the prefix with the configured prefix length. When the configured prefix length on the RADIUS server does not match the incoming prefix length, the packet will be dropped.

When the prefix length is changed in the RADIUS server, the existing RADIUS table must be explicitly
cleared.


NOTE: The value of the Framed IPv6 Prefix is configurable. If the configured prefix is changed, the RADIUS table must be explicitly cleared to remove the previously learned RADIUS table entries.

NOTE: ACOS accepts the RADIUS accounting packets only when the packet is
destined to the ACOS Interface IP or Floating IP.
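As an added example (not A10's code; ACOS internals are not published), the following Python models the RADIUS table behaviour described above from the guide's stated rules plus RFC 2866 (Accounting-Request) and RFC 3162 (Framed-IPv6-Prefix): a packet is accepted only from the remote ip-list and only with a valid Request Authenticator for the shared secret, Framed-IP-Address (attribute 8) and Framed-IPv6-Prefix (attribute 97) become table keys, a prefix length other than the configured one drops the packet, and accounting start/interim-update replace the entry while stop deletes it. The sender 40.40.40.1, the secret a10 and attribute numbers come from the guide's configuration; the inside address 10.0.0.5, prefix 2001:db8:1:2::/64 and MSISDN are constructed sample values.

```python
"""Model of how the RADIUS table described above is built. Added example, not
A10 code (ACOS internals are not published): it follows the guide's stated
behaviour plus RFC 2866 (Accounting-Request) and RFC 3162 (Framed-IPv6-Prefix)."""
import hashlib
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
ATTR_FRAMED_IP = 8            # guide: "attribute inside-ip number 8"
ATTR_MSISDN = 31              # guide: "attribute msisdn number 31"
ATTR_ACCT_STATUS_TYPE = 40
ATTR_FRAMED_IPV6_PREFIX = 97  # guide: "attribute inside-ipv6-prefix ... number 97"
STATUS = {1: "start", 2: "stop", 3: "interim-update"}


def build_acct_request(secret, ident, attrs):
    """Accounting-Request (RFC 2866): attributes are TLVs (type, length, value);
    the Request Authenticator is MD5(Code+ID+Length+16 zero bytes+Attrs+Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def decode_attrs(data):
    """Walk the TLVs; a bad length is rejected rather than read past the buffer."""
    out = {}
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute length")
        out[t] = data[2:length]
        data = data[length:]
    return out


def sample_packet(secret, status_type, plen=64):
    """Constructed sample: Acct-Status-Type, Framed-IP-Address, Framed-IPv6-Prefix
    (reserved byte, prefix-length byte, prefix bytes) and a constructed MSISDN."""
    prefix = ipaddress.IPv6Address("2001:db8:1:2::").packed[:(plen + 7) // 8]
    return build_acct_request(secret, 7, [
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status_type)),
        (ATTR_FRAMED_IP, ipaddress.IPv4Address("10.0.0.5").packed),
        (ATTR_FRAMED_IPV6_PREFIX, bytes([0, plen]) + prefix),
        (ATTR_MSISDN, b"15551234567")])


class RadiusTable:
    """Inside IPv4 address or IPv6 prefix -> RADIUS attributes, maintained with
    the guide's actions: start/interim-update replace the entry, stop deletes it."""

    def __init__(self, secret, remote_ips, prefix_length):
        self.secret = secret                                               # "secret a10"
        self.remote_ips = {ipaddress.ip_address(ip) for ip in remote_ips}  # remote ip-list
        self.prefix_length = prefix_length                                 # "prefix-length 64"
        self.entries = {}

    def ingest(self, sender_ip, packet):
        """Apply one accounting packet; returns 'replaced', 'deleted' or 'dropped: ...'."""
        if ipaddress.ip_address(sender_ip) not in self.remote_ips:
            return "dropped: sender not in remote ip-list"
        if len(packet) < 20:
            return "dropped: short packet"
        code, _ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCOUNTING_REQUEST or length != len(packet):
            return "dropped: not a well-formed Accounting-Request"
        expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + self.secret).digest()
        if expected != packet[4:20]:
            return "dropped: Request Authenticator mismatch (wrong shared secret?)"
        attrs = decode_attrs(packet[20:])
        st = attrs.get(ATTR_ACCT_STATUS_TYPE, b"")
        status = STATUS.get(struct.unpack("!I", st)[0]) if len(st) == 4 else None
        keys = []
        if ATTR_FRAMED_IP in attrs:
            keys.append(ipaddress.ip_network(str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP]))))
        if ATTR_FRAMED_IPV6_PREFIX in attrs:
            raw = attrs[ATTR_FRAMED_IPV6_PREFIX]
            plen = raw[1] if len(raw) >= 2 else -1
            if plen != self.prefix_length:       # guide: length mismatch -> packet dropped
                return "dropped: prefix length %d != configured %d" % (plen, self.prefix_length)
            addr = ipaddress.IPv6Address(raw[2:18].ljust(16, b"\0"))
            keys.append(ipaddress.ip_network("%s/%d" % (addr, plen), strict=False))
        if status is None or not keys:
            return "dropped: no usable status or framed address"
        for key in keys:
            if status == "stop":                 # accounting stop delete-entry-and-sessions
                self.entries.pop(key, None)
            else:                                # accounting start/interim-update replace-entry
                self.entries[key] = attrs
        return "deleted" if status == "stop" else "replaced"

    def lookup(self, inside_ip):
        """Attributes to include in the firewall log for a flow from inside_ip."""
        addr = ipaddress.ip_address(inside_ip)
        for net, attrs in self.entries.items():
            if addr.version == net.version and addr in net:
                return attrs
        return None
```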

Supported Topologies
RADIUS support is available with the following topologies:

• FW only scenarios

• CGN and Firewall scenarios

• L3Vs

Firewall Only Partition
The following configuration configures Framed IPv6 Prefix support for the RADIUS table in a FW only partition.

1. These commands create an ip-list to be used by other FW commands. The IPs associated with the ip-list are the ones from which RADIUS packets will be accepted.
ACOS(config)# ip-list client
ACOS(config-ip-list)# 5.5.5.100
ACOS(config-ip-list)# exit

2. These commands create a RADIUS server configuration and specify the RADIUS attributes for
ACOS to receive from external RADIUS servers in response to RADIUS Accounting requests:
ACOS(config)# fw radius server
ACOS(config-radius-server)# remote ip-list client
ACOS(config-radius-server)# secret a10
ACOS(config-radius-server)# attribute inside-ip number 8
ACOS(config-radius-server)# attribute msisdn number 31
ACOS(config-radius-server)# attribute imei vendor 10415 number 20
ACOS(config-radius-server)# attribute imsi vendor 10415 number 1
ACOS(config-radius-server)# attribute custom1 NAS-IP-Address value hexadecimal number 4
ACOS(config-radius-server)# attribute custom2 Connection_PVC vendor 22610 number 43
ACOS(config-radius-server)# attribute custom3 xDSL_number vendor 22610 number 44
ACOS(config-radius-server)# attribute inside-ipv6-prefix prefix-length 64 number 97
ACOS(config-radius-server)# attribute inside-ipv6 vendor 22610 number 29
ACOS(config-radius-server)# accounting start replace-entry
ACOS(config-radius-server)# accounting stop delete-entry-and-sessions
ACOS(config-radius-server)# accounting interim-update replace-entry

3. These commands configure a firewall logging template:
ACOS(config)# fw template logging fw-log
ACOS(config-logging)# include-radius-attribute msisdn sessions
ACOS(config-logging)# include-radius-attribute imei sessions
ACOS(config-logging)# include-radius-attribute imsi sessions
ACOS(config-logging)# include-radius-attribute custom2 sessions
ACOS(config-logging)# include-radius-attribute custom1 sessions
ACOS(config-logging)# include-radius-attribute framed-ipv6-prefix prefix-length 64
ACOS(config-logging)# format ascii

4. These commands configure a firewall rule-set:
ACOS(config)# rule-set 1
ACOS(config-rule set:1)# rule 1
ACOS(config-rule set:1-rule:1)# action permit log
ACOS(config-rule set:1-rule:1)# source ipv4-address 5.5.5.100/32
ACOS(config-rule set:1-rule:1)# source zone any
ACOS(config-rule set:1-rule:1)# dest ipv4-address 6.6.6.100/32
ACOS(config-rule set:1-rule:1)# dest ipv4-address 6.6.6.101/32
ACOS(config-rule set:1-rule:1)# service any

5. This command activates the firewall function using the specified rule-set:
ACOS(config)# fw active-rule-set 1

CGN and Firewall Partition 
The following configuration configures Framed IPv6 Prefix support for RADIUS table in CGN and FW
partition.

1. Enter the following command to create an IP list for client RADIUS servers:
ACOS(config)# ip-list RADIUS_IP_LIST
ACOS(config-ip list)# 40.40.40.1 to 40.40.40.2
ACOS(config-ip list)# exit

2. The following commands configure RADIUS server parameters for ACOS:
ACOS(config)# cgnv6 lsn radius server
ACOS(config-lsn radius)# remote ip-list RADIUS_IP_LIST
ACOS(config-lsn radius)# listen-port 1813
ACOS(config-lsn radius)# attribute inside-ip number 8
ACOS(config-lsn radius)# secret a10
ACOS(config-radius-server)# attribute inside-ip number 8
ACOS(config-radius-server)# attribute msisdn number 31
ACOS(config-radius-server)# attribute imei vendor 10415 number 20
ACOS(config-radius-server)# attribute imsi vendor 10415 number 1
ACOS(config-radius-server)# attribute custom1 NAS-IP-Address value hexadecimal number 4
ACOS(config-radius-server)# attribute custom2 Connection_PVC vendor 22610 number 43
ACOS(config-radius-server)# attribute custom3 xDSL_number vendor 22610 number 44
ACOS(config-radius-server)# attribute inside-ipv6-prefix prefix-length 64 number 97
ACOS(config-radius-server)# attribute inside-ipv6 vendor 22610 number 29
ACOS(config-radius-server)# accounting start replace-entry
ACOS(config-radius-server)# accounting stop delete-entry-and-sessions
ACOS(config-radius-server)# accounting interim-update replace-entry

3. These commands configure a logging template that includes the RADIUS attributes above in session and HTTP-request logs:
ACOS(config)# cgnv6 template logging log
ACOS(config-logging:log)# log http-requests url
ACOS(config-logging:log)# log sessions
ACOS(config-logging:log)# include-radius-attribute msisdn sessions
ACOS(config-logging:log)# include-radius-attribute imei sessions
ACOS(config-logging:log)# include-radius-attribute imsi sessions
ACOS(config-logging:log)# include-radius-attribute custom2 sessions
ACOS(config-logging:log)# include-radius-attribute custom1 sessions
ACOS(config-logging:log)# include-radius-attribute framed-ipv6-prefix prefix-length 64
ACOS(config-logging:log)# include-http referer
ACOS(config-logging:log)# include-http user-agent
ACOS(config-logging:log)# include-http header1 GET
ACOS(config-logging:log)# include-http l4-session-info
ACOS(config-logging:log)# include-http method
ACOS(config-logging:log)# include-http request-number
ACOS(config-logging:log)# include-http file-extension
ACOS(config-logging:log)# rule http-requests dest-port 80
ACOS(config-logging:log)# rule http-requests log-every-http-request
ACOS(config-logging:log)# rule http-requests max-url-len 200
ACOS(config-logging:log)# rule http-requests include-all-headers
ACOS(config-logging:log)# rule http-requests disable-sequence-check
ACOS(config-logging:log)# batched-logging-disable
ACOS(config-logging:log)# service-group cgn-log-group
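The attribute numbers in steps 2 and 3 only mean something against the RADIUS wire format. The following Python script is an added example, not A10 code: it builds a constructed Accounting-Request carrying the attributes the configuration names (8, 31, 4, 97, 3GPP vendor 10415 sub-attributes 1 and 20, and vendor 22610 sub-attributes 29, 43 and 44) and decodes them into the fields ACOS keys its RADIUS table on. Two assumptions are labelled in the code: the vendor 22610 sub-attributes are decoded as an IPv6 address and two text strings (the page gives only their numbers), and the configured prefix-length caps the stored Framed-IPv6-Prefix. All sample values are invented.

```python
"""Decode the RADIUS accounting attributes that the RADIUS-table configuration above maps.
Added example, not A10 code: the attribute numbers and vendor IDs are those named in the
`cgnv6 lsn radius server` block; all sample values are constructed."""
import ipaddress
import struct

ACCOUNTING_REQUEST = 4    # RADIUS packet code (RFC 2866)
NAS_IP_ADDRESS = 4        # "attribute custom1 NAS-IP-Address value hexadecimal number 4"
FRAMED_IP_ADDRESS = 8     # "attribute inside-ip number 8"
CALLING_STATION_ID = 31   # "attribute msisdn number 31"
FRAMED_IPV6_PREFIX = 97   # "attribute inside-ipv6-prefix prefix-length 64 number 97" (RFC 3162)
VENDOR_SPECIFIC = 26
VENDOR_3GPP = 10415       # sub-attribute 1 = 3GPP-IMSI, 20 = 3GPP-IMEISV (3GPP TS 29.061)
VENDOR_22610 = 22610      # sub-attributes 29/43/44 as configured; their value types are assumed

def avp(attr_type, value):
    """Type(1) Length(1, header included) Value; RADIUS caps the value at 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def vsa(vendor_id, sub_type, value):
    """Vendor-Specific (26) carrying one vendor sub-attribute in the RFC 2865 layout."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + avp(sub_type, value))

def accounting_request(identifier, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) attributes. The authenticator is
    left zeroed here; a real client fills it with MD5 over the packet and the shared secret."""
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Yield (type, vendor_id, sub_type, value), unwrapping VSAs (vendor_id and sub_type are
    None for plain attributes). Every length is checked against its container, so a
    truncated or padded packet raises instead of being silently accepted."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match the packet")
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + attr_len]
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("vendor-specific attribute too short")
            vendor_id, vpos = struct.unpack("!I", value[:4])[0], 4
            while vpos < len(value):
                if vpos + 2 > len(value) or value[vpos + 1] < 2 or vpos + value[vpos + 1] > len(value):
                    raise ValueError("bad vendor sub-attribute length")
                sub_len = value[vpos + 1]
                yield attr_type, vendor_id, value[vpos], value[vpos + 2:vpos + sub_len]
                vpos += sub_len
        else:
            yield attr_type, None, None, value
        pos += attr_len

def radius_table_entry(packet, configured_prefix_length=64):
    """Map the attributes onto the field names the configuration uses. Assumption: the
    configured prefix-length caps the stored Framed-IPv6-Prefix, so a longer prefix is
    reduced to the /64 that contains it."""
    entry = {}
    for attr_type, vendor_id, sub_type, value in parse_attributes(packet):
        if attr_type == FRAMED_IP_ADDRESS:
            entry["inside-ip"] = str(ipaddress.IPv4Address(value))
        elif attr_type == CALLING_STATION_ID:
            entry["msisdn"] = value.decode("ascii")
        elif attr_type == NAS_IP_ADDRESS:
            entry["custom1"] = value.hex()                 # "value hexadecimal"
        elif attr_type == FRAMED_IPV6_PREFIX:
            plen = value[1]                                # RFC 3162: Reserved(1) Prefix-Length(1) Prefix
            prefix = value[2:].ljust(16, b"\x00")          # senders may omit trailing zero bytes
            keep = min(plen, configured_prefix_length)
            entry["inside-ipv6-prefix"] = str(ipaddress.IPv6Network((prefix, keep), strict=False))
        elif vendor_id == VENDOR_3GPP and sub_type == 1:
            entry["imsi"] = value.decode("ascii")
        elif vendor_id == VENDOR_3GPP and sub_type == 20:
            entry["imei"] = value.decode("ascii")
        elif vendor_id == VENDOR_22610 and sub_type == 29:  # assumed: 16-byte IPv6 address
            entry["inside-ipv6"] = str(ipaddress.IPv6Address(value))
        elif vendor_id == VENDOR_22610 and sub_type == 43:  # assumed: text (Connection_PVC)
            entry["custom2"] = value.decode("ascii")
        elif vendor_id == VENDOR_22610 and sub_type == 44:  # assumed: text (xDSL_number)
            entry["custom3"] = value.decode("ascii")
    return entry

def sample_packet():
    """A constructed Accounting-Request; none of these values come from the page. The /64
    is sent with only its 8 significant prefix bytes, as RFC 3162 permits."""
    return accounting_request(7, [
        avp(NAS_IP_ADDRESS, ipaddress.IPv4Address("40.40.40.1").packed),
        avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.20.30.40").packed),
        avp(CALLING_STATION_ID, b"491701234567"),
        avp(FRAMED_IPV6_PREFIX, bytes([0, 64]) + ipaddress.IPv6Address("2001:db8:1:2::").packed[:8]),
        vsa(VENDOR_3GPP, 1, b"262011234567890"),
        vsa(VENDOR_3GPP, 20, b"3569870012345601"),
        vsa(VENDOR_22610, 29, ipaddress.IPv6Address("2001:db8:1:2::1").packed),
        vsa(VENDOR_22610, 43, b"8/35"),
        vsa(VENDOR_22610, 44, b"DSL-00017"),
    ])

if __name__ == "__main__":
    for field, val in radius_table_entry(sample_packet()).items():
        print(f"{field:20} {val}")
```

The length checks are the part worth keeping when adapting this: the listener on UDP 1813 is reachable by every host in the IP list, and an attribute or VSA whose length field overruns its container is the classic way a RADIUS parser is made to read out of bounds.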

Deploying Data Center Firewall

This chapter provides an example of a Data Center Firewall deployment.

The following are covered:

• Sample Topology for DCFW

• DC Firewall Configuration with SLB Deployment

• Show Running Config for DCFW

Sample Topology for DCFW

Figure 6 illustrates the topology for a basic sample use case of DC Firewall with an SLB deployment.

FIGURE 6 Sample Data Center Firewall topology diagram for basic use case (FW + SLB)

[Figure 6 callouts: the untrusted zone is the external 10.16.x.x network; the global segment is like a
“DMZ” and could contain a VPN or remote desktop server; the trusted zone is the 172.16.x.x network and
includes the Syslog servers.]

Notes:

• The “untrusted zone” is the external network, near the top of the diagram, while the “trusted zone”
is the internal network, near the bottom of the diagram, and includes the syslog servers.
• The middle contains a “global segment” (DMZ) with a remote-access server (for example, a VPN or RDP
gateway); the sample configuration reaches it over SSH (TCP port 22 to host 10.16.163.5).
• See “DC Firewall Configuration with SLB Deployment” on page 61 for the CLI commands used to
configure the Data Center Firewall in this environment.

DC Firewall Configuration with SLB Deployment


The section below describes the process required to configure DCFW in a simple deployment consisting
of Firewall + SLB.

Configuration Steps at a High Level

These are the high-level steps for setting up a basic data center firewall deployment (FW with SLB).
More granular instructions can be found in the CLI sample configuration below.

1. Set up the interface, VLAN and ACL configuration.
2. (Optional) Perform VRRP-A configuration if high availability is needed across multiple ACOS devices.
3. Set up the real servers, service groups, and VIPs (for SLB deployment).
4. (Optional) Create zones for the firewall; a zone may contain physical interfaces, VEs or VLANs of the
ACOS device.
5. Create network object-groups for specifying match criteria using Layer 3 parameters that will be
used for IPv4 firewall configurations.
6. Create service object-groups for specifying match criteria using Layer 4 to Layer 7 parameters.
7. Configure a firewall rule-set that contains a set of rules. Each rule contains the match criteria
and the associated action.
8. Activate the rule-set with the “fw active-rule-set” command.

Configuration Steps at a Low Level

The steps above offer a high-level list of tasks that need to be performed to set up the DC Firewall.
However, the steps below provide a more granular view of the CLI commands that must be used to
configure DC Firewall within an SLB deployment.

1. Configure ACL 101, which selects the internal DNS servers “172.16.162.11” and “172.16.162.12” as
the sources eligible for source NAT toward the external “10.16.x.x” network (the ACL is bound to NAT
pool “p1” in step 10). The closing “deny ip any any” keeps every other source out of the NAT pool.
ACOS(config)# access-list 101 permit ip host 172.16.162.11 any
ACOS(config)# access-list 101 permit ip host 172.16.162.12 any
ACOS(config)# access-list 101 deny ip any any

2. Use the “multi-config” command to support several simultaneous administrative sessions. The
“terminal” command sets the terminal parameters for the CLI session. In the example below, the idle
timeout is set to “0”, so the session never times out; this is convenient while building a lab
configuration but leaves abandoned administrative sessions open, so set a finite idle timeout on
production devices.
ACOS(config)# multi-config enable

ACOS(config)# terminal idle-timeout 0

3. Create a virtual LAN and specify the VLAN ID number using the “vlan” command. The VLAN
configuration includes the tagged and untagged ports assigned to the VLAN, as well as the virtual
Ethernet (VE) router interface, whose IP address is configured under the interface parameters in step 7.
ACOS(config)# vlan 21
ACOS(config-vlan:21)# tagged ethernet 16
ACOS(config-vlan:21)# router-interface ve 21
ACOS(config-vlan:21)# exit
ACOS(config)# vlan 53
ACOS(config-vlan:53)# tagged ethernet 16
ACOS(config-vlan:53)# router-interface ve 53
ACOS(config-vlan:53)# exit
ACOS(config)# vlan 99
ACOS(config-vlan:99)# untagged ethernet 1
ACOS(config-vlan:99)# router-interface ve 99
ACOS(config-vlan:99)# exit
ACOS(config)# vlan 161
ACOS(config-vlan:161)# tagged ethernet 15
ACOS(config-vlan:161)# router-interface ve 161
ACOS(config-vlan:161)# exit
ACOS(config)# vlan 162
ACOS(config-vlan:162)# tagged ethernet 16
ACOS(config-vlan:162)# router-interface ve 162
ACOS(config-vlan:162)# exit
ACOS(config)# vlan 163
ACOS(config-vlan:163)# tagged ethernet 16
ACOS(config-vlan:163)# router-interface ve 163
ACOS(config-vlan:163)# exit

4. Configure the host name for the ACOS device.
ACOS(config)# hostname ACOS

5. Configure the management interface with the desired IP and gateway.
ACOS(config)# interface management
ACOS(config-if:management)# ip address 192.168.229.16 255.255.255.0
ACOS(config-if:management)# ip default-gateway 192.168.229.1
ACOS(config-if:management)# exit

6. Use the “interface ethernet” command to configure the physical interfaces on the device. In the
example below, ethernet ports 1, 15, and 16 are enabled, while the remaining interfaces are not.
ACOS(config)# interface ethernet 1
ACOS(config-if:ethernet:1)# enable
ACOS(config-if:ethernet:1)# exit
ACOS(config)# interface ethernet 15

ACOS(config-if:ethernet:15)# enable
ACOS(config-if:ethernet:15)# exit
ACOS(config)# interface ethernet 16
ACOS(config-if:ethernet:16)# enable
ACOS(config-if:ethernet:16)# exit

7. Assign IP addresses to the VLANs' virtual Ethernet interfaces using the “interface ve” command.
ACOS(config)# interface ve 21
ACOS(config-if:ve:21)# ip address 21.0.255.243 255.255.0.0
ACOS(config-if:ve:21)# exit
ACOS(config)# interface ve 53
ACOS(config-if:ve:53)# ip address 172.16.53.243 255.255.255.0
ACOS(config-if:ve:53)# exit
ACOS(config)# interface ve 99
ACOS(config-if:ve:99)# ip address 172.16.99.243 255.255.255.0
ACOS(config-if:ve:99)# exit
ACOS(config)# interface ve 161
ACOS(config-if:ve:161)# ip address 10.16.161.243 255.255.255.0
ACOS(config-if:ve:161)# exit
ACOS(config)# interface ve 162
ACOS(config-if:ve:162)# ip address 172.16.162.243 255.255.255.0
ACOS(config-if:ve:162)# exit
ACOS(config)# interface ve 163
ACOS(config-if:ve:163)# ip address 10.16.163.243 255.255.255.0
ACOS(config-if:ve:163)# exit

8. Enable VRRP-A for the first ACOS DC firewall device. Set the device-id to 1, and the set-id for the
pair to 5.
Then, enable VRRP-A on the device using the “enable” command.
ACOS(config)# vrrp-a common
ACOS(config-common)# device-id 1
ACOS(config-common)# set-id 5
ACOS(config-common)# enable

9. The commands below configure VRRP-A for high availability, which can support up to 8 redundant
devices.
In the sample configuration below, we have configured several floating IPs to allow connectivity to
the ACOS devices from the external clients, the server in the global segment, the syslog server for FW
logging, and the HTTP/FTP and DNS servers on the internal network. The floating IPs follow the active
device of the pair on failover, so neighbors keep a stable next hop. The tracking options under
blade-parameters reduce this device's VRRP-A priority by 100 whenever ethernet 15 or ethernet 16 goes
down, so losing an uplink triggers failover to the peer.
ACOS(config)# vrrp-a vrid 1
ACOS(config-vrid:1)# floating-ip 172.16.162.244 <-- for internal HTTP/FTP/DNS servers
ACOS(config-vrid:1)# floating-ip 10.16.161.244 <-- for external (untrusted) clients
ACOS(config-vrid:1)# floating-ip 172.16.53.244 <-- for syslog external server

ACOS(config-vrid:1)# floating-ip 10.16.163.244 <-- for global segment (VPN/RDP server)
ACOS(config-vrid:1)# blade-parameters
ACOS(config-vrid:1-blade-parameters)# tracking-options
ACOS(config-vrid:1-blade-parameters-track...)# interface ethernet 15 priority-cost 100
ACOS(config-vrid:1-blade-parameters-track...)# interface ethernet 16 priority-cost 100
ACOS(config-vrid:1-blade-parameters-track...)# exit

10.The first command below configures the NAT pool “p1” with one IP address (“10.16.161.201”),
which is the IP that the internal HTTP/FTP or DNS servers will use to reach the external network.
The second command binds the pool “p1” to ACL “101”, so only the sources the ACL permits are translated.
ACOS(config)# ip nat pool p1 10.16.161.201 10.16.161.201 netmask /24 gateway 10.16.161.254 vrid 1
ACOS(config)# ip nat inside source list 101 pool p1

11.The following command configures ethernet interface 1 as the VRRP-A interface, over which the two
ACOS devices exchange VRRP-A heartbeats and high availability synchronization traffic.
ACOS(config)# vrrp-a interface ethernet 1
ACOS(config-ethernet:1)# exit

12.The command below configures the default route through the gateway “10.16.161.254” on the
external VLAN, which the internal HTTP/FTP/DNS servers use to reach the external network.
ACOS(config)# ip route 0.0.0.0 /0 10.16.161.254

13.The following commands add the VLANs created above to zones. A zone can contain interfaces or
VLANs. Rather than adding several VLANs to one zone, a separate zone is created for each VLAN, plus a
zone “HA” for the VRRP-A interface and its VE. These zones are used later as match criteria in the
firewall rules.
ACOS(config)# zone HA
ACOS(config-zone:zone-HA)# interface ethernet 1
ACOS(config-zone:zone-HA)# interface ve 99
ACOS(config-zone:zone-HA)# exit
ACOS(config)# zone Trust_Vlan_162
ACOS(config-zone:zone-Trust_Vlan_162)# vlan 162
ACOS(config-zone:zone-Trust_Vlan_162)# exit
ACOS(config)# zone Trust_Vlan_53
ACOS(config-zone:zone-Trust_Vlan_53)# vlan 53
ACOS(config-zone:zone-Trust_Vlan_53)# exit
ACOS(config)# zone Untrust
ACOS(config-zone:zone-Untrust)# vlan 161
ACOS(config-zone:zone-Untrust)# exit
ACOS(config)# zone dmz
ACOS(config-zone:zone-dmz)# vlan 163
ACOS(config-zone:zone-dmz)# exit

14.The following commands configure the real servers “s001” and “s002”, with TCP on ports 80 and 21
(for HTTP and FTP). The next two servers, “s011” and “s012”, are configured with UDP port 53 (for DNS).
ACOS(config)# slb server s001 172.16.162.1
ACOS(config-real server)# port 21 tcp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit

ACOS(config)# slb server s002 172.16.162.2
ACOS(config-real server)# port 21 tcp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit

ACOS(config)# slb server s011 172.16.162.11
ACOS(config-real server)# port 53 udp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit

ACOS(config)# slb server s012 172.16.162.12
ACOS(config-real server)# port 53 udp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit

15.The following commands configure service group “sg-1” (with real server “s001” and “s002” at port
80 for TCP/HTTP),
“sg-2” (with real server “s001” and “s002” at port 21 for TCP/FTP), and “sg-3” (with real servers
“s011” and “s012” at port 53 for UDP/DNS traffic).
ACOS(config)# slb service-group sg-1 tcp
ACOS(config-slb svc group)# member s001 80
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s002 80
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# exit

ACOS(config)# slb service-group sg-2 tcp
ACOS(config-slb svc group)# member s001 21
ACOS(config-slb svc group-member:21)# exit
ACOS(config-slb svc group)# member s002 21
ACOS(config-slb svc group-member:21)# exit
ACOS(config-slb svc group)# exit

ACOS(config)# slb service-group sg-3 udp
ACOS(config-slb svc group)# member s011 53
ACOS(config-slb svc group-member:53)# exit
ACOS(config-slb svc group)# member s012 53
ACOS(config-slb svc group-member:53)# exit
ACOS(config-slb svc group)# exit

16.The following commands create the virtual servers “vip-161.111_dns” and “vip-161.112_dns” on the
ACOS device to handle DNS requests. Next, we assign “VRID 1” to both VIPs to create a logical binding
to the shared VRRP-A elements. Similarly, we configure “vip_161.101_http_ftp” (10.16.161.101) and
“vip_161.102_http_ftp” (10.16.161.102) to handle HTTP and FTP traffic; “ha-conn-mirror” on their
ports synchronizes their connections to the VRRP-A peer so established sessions survive a failover.
ACOS(config)# slb virtual-server vip-161.111_dns 10.16.161.111
ACOS(config-slb vserver)# vrid 1
ACOS(config-slb vserver)# port 53 dns-udp
ACOS(config-slb vserver-vport)# service-group sg-3
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

ACOS(config)# slb virtual-server vip-161.112_dns 10.16.161.112
ACOS(config-slb vserver)# vrid 1
ACOS(config-slb vserver)# port 53 dns-udp
ACOS(config-slb vserver-vport)# service-group sg-3
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

ACOS(config)# slb virtual-server vip_161.101_http_ftp 10.16.161.101
ACOS(config-slb vserver)# vrid 1
ACOS(config-slb vserver)# port 21 ftp
ACOS(config-slb vserver-vport)# ha-conn-mirror
ACOS(config-slb vserver-vport)# service-group sg-2
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# ha-conn-mirror
ACOS(config-slb vserver-vport)# service-group sg-1
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

ACOS(config)# slb virtual-server vip_161.102_http_ftp 10.16.161.102
ACOS(config-slb vserver)# vrid 1
ACOS(config-slb vserver)# port 21 ftp
ACOS(config-slb vserver-vport)# ha-conn-mirror
ACOS(config-slb vserver-vport)# service-group sg-2
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# ha-conn-mirror
ACOS(config-slb vserver-vport)# service-group sg-1
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

17.Next, we configure the syslog server at “172.16.53.1”, and set the severity level for sent logs to
“information” and above.
ACOS(config)# logging syslog information
ACOS(config)# logging host 172.16.53.1

18.Configure the network objects, which will be used as the match criteria in the rules. Objects with
the prefix “obj_sv” represent the servers on the internal “172.16.x.x” network and the server in the
DMZ; objects with the prefix “obj_vip” represent the VIPs on the ACOS devices (these are the names the
object-groups in step 19 and the running configuration refer to).
ACOS(config)# object network obj_sv_162.11_dns
ACOS(config-network:obj_sv_162.11_dn)# 172.16.162.11/32
ACOS(config-network:obj_sv_162.11_dn)# exit

ACOS(config)# object network obj_sv_162.12_dns
ACOS(config-network:obj_sv_162.12_dn)# 172.16.162.12/32
ACOS(config-network:obj_sv_162.12_dn)# exit

ACOS(config)# object network obj_sv_162.1_http_ftp
ACOS(config-network:obj_sv_162.1_ht)# 172.16.162.1/32
ACOS(config-network:obj_sv_162.1_ht)# exit

ACOS(config)# object network obj_sv_162.2_http_ftp
ACOS(config-network:obj_sv_162.2_ht)# 172.16.162.2/32
ACOS(config-network:obj_sv_162.2_ht)# exit

ACOS(config)# object network obj_sv_163.5_ssh
ACOS(config-network:obj_sv_163.5_ssh)# 10.16.163.5/32
ACOS(config-network:obj_sv_163.5_ssh)# exit

ACOS(config)# object network obj_vip_161.101_http_ftp
ACOS(config-network:obj_vip_161.101_h)# 10.16.161.101/32
ACOS(config-network:obj_vip_161.101_h)# exit

ACOS(config)# object network obj_vip_161.102_http_ftp
ACOS(config-network:obj_vip_161.102_h)# 10.16.161.102/32
ACOS(config-network:obj_vip_161.102_h)# exit

19.Next, we create the network object-groups for the server objects and VIP objects. The “fw” keyword
designates that the object-group belongs to the firewall and not to an ACL, and the “v4” keyword
identifies it as an IPv4 object-group, as opposed to IPv6. A group can list network objects or virtual
servers directly: “objg_sv_http_ftp_tmp” shows the virtual-server form, while the rules below use
“objg_sv_http_ftp”, which holds the VIP objects from step 18.
ACOS(config)# object-group network objg_sv_dns fw v4
ACOS(config-network:objg_sv_dns)# object obj_sv_162.11_dns
ACOS(config-network:objg_sv_dns)# object obj_sv_162.12_dns
ACOS(config-network:objg_sv_dns)# exit

ACOS(config)# object-group network objg_sv_http_ftp_tmp fw v4
ACOS(config-network:objg_sv_http_ftp_tmp)# virtual-server vip_161.101_http_ftp
ACOS(config-network:objg_sv_http_ftp_tmp)# virtual-server vip_161.102_http_ftp
ACOS(config-network:objg_sv_http_ftp_tmp)# exit

ACOS(config)# object-group network objg_sv_http_ftp fw v4
ACOS(config-network:objg_sv_http_ftp)# object obj_vip_161.101_http_ftp
ACOS(config-network:objg_sv_http_ftp)# object obj_vip_161.102_http_ftp
ACOS(config-network:objg_sv_http_ftp)# exit

20.The following commands create object-groups for services. While a “network” object-group holds
Layer 3 match criteria (IP addresses, subnets and virtual servers), a “service” object-group holds
Layer 4 criteria: the protocol and port, optionally with an application-level gateway (“alg”) for
protocols such as FTP and DNS that need one. In the sample below, “obj_srv_http” matches incoming
TCP traffic to port 80 or 8080.
ACOS(config)# object-group service obj_srv_http
ACOS(config-service:obj_srv_http)# tcp eq 80
ACOS(config-service:obj_srv_http)# tcp eq 8080
ACOS(config-service:obj_srv_http)# exit

ACOS(config)# object-group service obj_srv_ftp
ACOS(config-service:obj_srv_ftp)# tcp eq 21 alg FTP
ACOS(config-service:obj_srv_ftp)# tcp eq 20021 alg FTP
ACOS(config-service:obj_srv_ftp)# exit

ACOS(config)# object-group service obj_srv_dns
ACOS(config-service:obj_srv_dns)# udp eq 53 alg DNS
ACOS(config-service:obj_srv_dns)# tcp eq 53 alg DNS
ACOS(config-service:obj_srv_dns)# exit

ACOS(config)# object-group service obj_srv_ssh
ACOS(config-service:obj_srv_ssh)# tcp eq 22
ACOS(config-service:obj_srv_ssh)# exit

21.The commands below create the rule-set “r1” and add a collection of rules named “10”, “15”, “110”,
and so on.
Sequence numbers in rules are hidden and non-configurable, but you can change the order in
which rules appear in the rule-set using the “insert-rule” option in the CLI or the “move rule” option
in the GUI. Each rule contains match criteria and an action to be applied to traffic that matches
those criteria. For example, rule “10” permits traffic from source IP “172.16.99.242/32” in source
zone “HA” to destination IP “224.0.0.210/32”; rules 10 and 15 together admit the VRRP-A peer’s
traffic over the HA zone. Traffic is processed according to the first rule that matches, so order
matters. Note also which criteria a rule omits: rule “150” has no source zone, so it permits SSH to the
DMZ host from every zone, and rule “115” lists only “vip-161.112_dns”, so DNS to “vip-161.111_dns”
matches no rule in this set.
ACOS(config)# rule-set r1
ACOS(config-rule set:r1)# rule 10
ACOS(config-rule set:r1-rule:10)# action permit
ACOS(config-rule set:r1-rule:10)# source ipv4-address 172.16.99.242/32
ACOS(config-rule set:r1-rule:10)# source zone HA
ACOS(config-rule set:r1-rule:10)# dest ipv4-address 224.0.0.210/32
ACOS(config-rule set:r1-rule:10)# exit

ACOS(config-rule set:r1)# rule 15
ACOS(config-rule set:r1-rule:15)# action permit
ACOS(config-rule set:r1-rule:15)# source ipv4-address 172.16.99.242/32
ACOS(config-rule set:r1-rule:15)# source zone HA
ACOS(config-rule set:r1-rule:15)# dest ipv4-address 172.16.99.243/32
ACOS(config-rule set:r1-rule:15)# exit

ACOS(config-rule set:r1)# rule 110
ACOS(config-rule set:r1-rule:110)# action permit log
ACOS(config-rule set:r1-rule:110)# source zone Untrust
ACOS(config-rule set:r1-rule:110)# dest object-group objg_sv_http_ftp
ACOS(config-rule set:r1-rule:110)# service object-group obj_srv_http
ACOS(config-rule set:r1-rule:110)# exit

ACOS(config-rule set:r1)# rule 111
ACOS(config-rule set:r1-rule:111)# action permit log
ACOS(config-rule set:r1-rule:111)# source zone Untrust
ACOS(config-rule set:r1-rule:111)# dest object-group objg_sv_http_ftp
ACOS(config-rule set:r1-rule:111)# service object-group obj_srv_ftp
ACOS(config-rule set:r1-rule:111)# exit

ACOS(config-rule set:r1)# rule 115
ACOS(config-rule set:r1-rule:115)# action permit log
ACOS(config-rule set:r1-rule:115)# source zone Untrust
ACOS(config-rule set:r1-rule:115)# dest virtual-server vip-161.112_dns
ACOS(config-rule set:r1-rule:115)# service object-group obj_srv_dns
ACOS(config-rule set:r1-rule:115)# exit

ACOS(config-rule set:r1)# rule 130
ACOS(config-rule set:r1-rule:130)# action permit log
ACOS(config-rule set:r1-rule:130)# source object-group objg_sv_dns
ACOS(config-rule set:r1-rule:130)# source zone Trust_Vlan_162
ACOS(config-rule set:r1-rule:130)# dest zone Untrust
ACOS(config-rule set:r1-rule:130)# service object-group obj_srv_dns
ACOS(config-rule set:r1-rule:130)# exit

ACOS(config-rule set:r1)# rule 140
ACOS(config-rule set:r1-rule:140)# action permit
ACOS(config-rule set:r1-rule:140)# source zone Trust_Vlan_162
ACOS(config-rule set:r1-rule:140)# dest zone Trust_Vlan_53
ACOS(config-rule set:r1-rule:140)# exit

ACOS(config-rule set:r1)# rule 141
ACOS(config-rule set:r1-rule:141)# action permit
ACOS(config-rule set:r1-rule:141)# source zone Trust_Vlan_53
ACOS(config-rule set:r1-rule:141)# dest zone Trust_Vlan_162
ACOS(config-rule set:r1-rule:141)# exit

ACOS(config-rule set:r1)# rule 150
ACOS(config-rule set:r1-rule:150)# action permit log
ACOS(config-rule set:r1-rule:150)# dest object obj_sv_163.5_ssh
ACOS(config-rule set:r1-rule:150)# service object-group obj_srv_ssh
ACOS(config-rule set:r1-rule:150)# exit
ACOS(config-rule set:r1)# exit

22.The command below binds the firewall to VRID 1 so that firewall sessions fail over with the
VRRP-A group; it is independent of the SLB “vrid” binding on the virtual servers.
ACOS(config)# fw vrid 1

23.The command below creates a session-aging template called “a1”, within which the idle-timeout
values (in seconds) are set for TCP, UDP, and ICMP sessions; the values shown are sample values.
ACOS(config)# fw session-aging a1
ACOS(config-session-aging:a1)# tcp idle-timeout 12345
ACOS(config-session-aging:a1)# udp idle-timeout 89
ACOS(config-session-aging:a1)# icmp idle-timeout 9

24.The command below is used to activate the rule-set “r1”, and simultaneously binds the session-
aging template “a1” to this rule-set.
ACOS(config)# fw active-rule-set r1 session-aging a1
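Because matching is first-hit and an omitted criterion means “any”, it is worth checking a rule-set against concrete flows before activating it. The following Python script is an added example, not A10 code: it transcribes the zones, objects, object-groups, virtual servers, service groups and rules from steps 13 and 18 to 21 above and reports which rule a flow hits. The caller supplies each flow's destination zone (standing in for the firewall's egress-interface lookup), the client addresses 198.51.100.10 and 192.0.2.53 are constructed, and what happens to a flow that matches no rule is left to the rule-set's default behavior rather than modelled.

```python
"""First-match evaluation of rule-set r1 from the configuration above.
Added example, not A10 code. The tables below transcribe steps 13 and 18 to 21; a flow
carries its destination zone explicitly (standing in for the egress-interface lookup the
firewall performs), and the client addresses 198.51.100.10 and 192.0.2.53 are constructed."""
import ipaddress

OBJECTS = {
    "obj_sv_162.11_dns": "172.16.162.11/32", "obj_sv_162.12_dns": "172.16.162.12/32",
    "obj_sv_162.1_http_ftp": "172.16.162.1/32", "obj_sv_162.2_http_ftp": "172.16.162.2/32",
    "obj_sv_163.5_ssh": "10.16.163.5/32",
    "obj_vip_161.101_http_ftp": "10.16.161.101/32", "obj_vip_161.102_http_ftp": "10.16.161.102/32",
}
OBJECT_GROUPS = {
    "objg_sv_dns": ["obj_sv_162.11_dns", "obj_sv_162.12_dns"],
    "objg_sv_http_ftp": ["obj_vip_161.101_http_ftp", "obj_vip_161.102_http_ftp"],
}
VIRTUAL_SERVERS = {
    "vip-161.111_dns": "10.16.161.111", "vip-161.112_dns": "10.16.161.112",
    "vip_161.101_http_ftp": "10.16.161.101", "vip_161.102_http_ftp": "10.16.161.102",
}
SERVICE_GROUPS = {  # (protocol, destination port)
    "obj_srv_http": {("tcp", 80), ("tcp", 8080)},
    "obj_srv_ftp": {("tcp", 21), ("tcp", 20021)},
    "obj_srv_dns": {("udp", 53), ("tcp", 53)},
    "obj_srv_ssh": {("tcp", 22)},
}
# (name, action, log, source criteria, destination criteria, service group), in rule-set
# order. A criterion key that is absent means "any".
RULES = [
    ("10", "permit", False, {"zone": "HA", "ip": ["172.16.99.242/32"]}, {"ip": ["224.0.0.210/32"]}, None),
    ("15", "permit", False, {"zone": "HA", "ip": ["172.16.99.242/32"]}, {"ip": ["172.16.99.243/32"]}, None),
    ("110", "permit", True, {"zone": "Untrust"}, {"object_group": ["objg_sv_http_ftp"]}, "obj_srv_http"),
    ("111", "permit", True, {"zone": "Untrust"}, {"object_group": ["objg_sv_http_ftp"]}, "obj_srv_ftp"),
    ("115", "permit", True, {"zone": "Untrust"}, {"virtual_server": ["vip-161.112_dns"]}, "obj_srv_dns"),
    ("130", "permit", True, {"zone": "Trust_Vlan_162", "object_group": ["objg_sv_dns"]},
     {"zone": "Untrust"}, "obj_srv_dns"),
    ("140", "permit", False, {"zone": "Trust_Vlan_162"}, {"zone": "Trust_Vlan_53"}, None),
    ("141", "permit", False, {"zone": "Trust_Vlan_53"}, {"zone": "Trust_Vlan_162"}, None),
    ("150", "permit", True, {}, {"object": ["obj_sv_163.5_ssh"]}, "obj_srv_ssh"),
]


def address_criteria(spec):
    """Expand literal addresses, objects, object-groups and virtual servers into networks."""
    nets = [ipaddress.ip_network(cidr) for cidr in spec.get("ip", [])]
    nets += [ipaddress.ip_network(OBJECTS[o]) for o in spec.get("object", [])]
    for group in spec.get("object_group", []):
        nets += [ipaddress.ip_network(OBJECTS[o]) for o in OBJECT_GROUPS[group]]
    nets += [ipaddress.ip_network(VIRTUAL_SERVERS[v] + "/32") for v in spec.get("virtual_server", [])]
    return nets


def side_matches(spec, zone, ip):
    """One side (source or dest) matches when its zone, if given, equals the flow's zone
    and its address list, if any, contains the flow's address."""
    if "zone" in spec and spec["zone"] != zone:
        return False
    nets = address_criteria(spec)
    return not nets or any(ipaddress.ip_address(ip) in net for net in nets)


def evaluate(flow, rules=RULES):
    """flow = (src_zone, src_ip, dst_zone, dst_ip, proto, dport). Returns (rule name, action,
    logged) for the first matching rule, or None when nothing matches; what the firewall then
    does is the rule-set's default behavior, which this model does not assume."""
    src_zone, src_ip, dst_zone, dst_ip, proto, dport = flow
    for name, action, log, src, dst, service in rules:
        if (side_matches(src, src_zone, src_ip) and side_matches(dst, dst_zone, dst_ip)
                and (service is None or (proto, dport) in SERVICE_GROUPS[service])):
            return name, action, log
    return None


SAMPLE_FLOWS = {  # constructed flows through the sample topology; VIPs sit in the Untrust subnet
    "web from internet": ("Untrust", "198.51.100.10", "Untrust", "10.16.161.101", "tcp", 80),
    "dns to vip .112": ("Untrust", "198.51.100.10", "Untrust", "10.16.161.112", "udp", 53),
    "dns to vip .111": ("Untrust", "198.51.100.10", "Untrust", "10.16.161.111", "udp", 53),
    "resolver egress": ("Trust_Vlan_162", "172.16.162.11", "Untrust", "192.0.2.53", "udp", 53),
    "ssh to dmz host from internet": ("Untrust", "198.51.100.10", "dmz", "10.16.163.5", "tcp", 22),
    "syslog segment to servers": ("Trust_Vlan_53", "172.16.53.1", "Trust_Vlan_162", "172.16.162.1", "tcp", 445),
    "web to real server directly": ("Untrust", "198.51.100.10", "Trust_Vlan_162", "172.16.162.1", "tcp", 80),
}

if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS.items():
        print(f"{label:30} -> {evaluate(flow)}")
```

Two of the sample flows match nothing: DNS to the first DNS VIP, because rule 115 names only “vip-161.112_dns”, and HTTP sent straight to a real server, because the rules only expose the VIPs. The SSH flow shows the opposite effect of an omitted criterion: rule 150 has no source zone, so the DMZ host accepts SSH from the untrusted side as well as from inside.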

Show Running Config for DCFW

Output from the show running-config command shows the configuration that results from the steps
above, which is what DCFW needs to work correctly in a simple FW + SLB deployment scenario.

ACOS(config)# show running-config

!Current configuration: 2822 bytes
!Configuration last updated at 01:42:08 PST Tue Nov 10 2015
!Configuration last saved at 01:56:48 PST Tue Nov 10 2015
!64-bit Advanced Core OS (ACOS) version 4.1.0, build 249 (Nov-09-2015,05:26)
!
access-list 101 permit ip host 172.16.162.11 any
!
access-list 101 permit ip host 172.16.162.12 any
!
access-list 101 deny ip any any
!
multi-config enable
!
terminal idle-timeout 0
!
vlan 21
tagged ethernet 16
router-interface ve 21
!
vlan 53
tagged ethernet 16
router-interface ve 53
!
vlan 99
untagged ethernet 1
router-interface ve 99
!
vlan 161
tagged ethernet 15
router-interface ve 161
!
vlan 162
tagged ethernet 16
router-interface ve 162
!
vlan 163
tagged ethernet 16
router-interface ve 163

!
hostname ACOS
!
interface management
ip address 192.168.229.16 255.255.255.0
ip default-gateway 192.168.229.1
!
interface ethernet 1
enable
!
interface ethernet 2
!
interface ethernet 3
!
interface ethernet 4
!
interface ethernet 5
!
interface ethernet 6
!
interface ethernet 7
!
interface ethernet 8
!
interface ethernet 9
!
interface ethernet 10
!
interface ethernet 11
!
interface ethernet 12
!
interface ethernet 13
!
interface ethernet 14
!
interface ethernet 15
enable
!
interface ethernet 16
enable
!
interface ethernet 17
!

interface ethernet 18
!
interface ethernet 19
!
interface ethernet 20
!
interface ve 21
ip address 21.0.255.243 255.255.0.0
!
interface ve 53
ip address 172.16.53.243 255.255.255.0
!
interface ve 99
ip address 172.16.99.243 255.255.255.0
!
interface ve 161
ip address 10.16.161.243 255.255.255.0
!
interface ve 162
ip address 172.16.162.243 255.255.255.0
!
interface ve 163
ip address 10.16.163.243 255.255.255.0
!
vrrp-a common
device-id 1
set-id 5
enable
!
vrrp-a vrid 1
floating-ip 172.16.162.244
floating-ip 10.16.161.244
floating-ip 172.16.53.244
floating-ip 10.16.163.244
blade-parameters
tracking-options
interface ethernet 15 priority-cost 100
interface ethernet 16 priority-cost 100
!
ip nat pool p1 10.16.161.201 10.16.161.201 netmask /24 gateway 10.16.161.254 vrid 1
!
ip nat inside source list 101 pool p1
!
vrrp-a interface ethernet 1

!
ip route 0.0.0.0 /0 10.16.161.254
!
zone HA
interface ethernet 1
interface ve 99
!
zone Trust_Vlan_162
vlan 162
!
zone Trust_Vlan_53
vlan 53
!
zone Untrust
vlan 161
!
zone dmz
vlan 163
!
slb server s001 172.16.162.1
port 21 tcp
port 80 tcp
!
slb server s002 172.16.162.2
port 21 tcp
port 80 tcp
!
slb server s011 172.16.162.11
port 53 udp
!
slb server s012 172.16.162.12
port 53 udp
!
slb service-group sg-1 tcp
member s001 80
member s002 80
!
slb service-group sg-2 tcp
member s001 21
member s002 21
!
slb service-group sg-3 udp
member s011 53
member s012 53

!
slb virtual-server vip-161.111_dns 10.16.161.111
vrid 1
port 53 dns-udp
service-group sg-3
!
slb virtual-server vip-161.112_dns 10.16.161.112
vrid 1
port 53 dns-udp
service-group sg-3
!
slb virtual-server vip_161.101_http_ftp 10.16.161.101
vrid 1
port 21 ftp
ha-conn-mirror
service-group sg-2
port 80 tcp
ha-conn-mirror
service-group sg-1
!
slb virtual-server vip_161.102_http_ftp 10.16.161.102
vrid 1
port 21 ftp
ha-conn-mirror
service-group sg-2
port 80 tcp
ha-conn-mirror
service-group sg-1
!
logging syslog information
!
logging host 172.16.53.1
!
object network obj_sv_162.11_dns
172.16.162.11/32
!
object network obj_sv_162.12_dns
172.16.162.12/32
!
object network obj_sv_162.1_http_ftp
172.16.162.1/32
!
object network obj_sv_162.2_http_ftp
172.16.162.2/32

!
object network obj_sv_163.5_ssh
10.16.163.5/32
!
object network obj_vip_161.101_http_ftp
10.16.161.101/32
!
object network obj_vip_161.102_http_ftp
10.16.161.102/32
!
object-group network objg_sv_dns fw v4
object obj_sv_162.11_dns
object obj_sv_162.12_dns
!
object-group network objg_sv_http_ftp_tmp fw v4
virtual-server vip_161.101_http_ftp
virtual-server vip_161.102_http_ftp
!
object-group network objg_sv_http_ftp fw v4
object obj_vip_161.101_http_ftp
object obj_vip_161.102_http_ftp
!
object-group service obj_srv_http
tcp eq 80
tcp eq 8080
!
object-group service obj_srv_ftp
tcp eq 21 alg FTP
tcp eq 20021 alg FTP
!
object-group service obj_srv_dns
udp eq 53 alg DNS
tcp eq 53 alg DNS
!
object-group service obj_srv_ssh
tcp eq 22
!
rule-set r1
rule 10
action permit
source ipv4-address 172.16.99.242/32
source zone HA
dest ipv4-address 224.0.0.210/32
rule 15

action permit
source ipv4-address 172.16.99.242/32
source zone HA
dest ipv4-address 172.16.99.243/32
rule 110
action permit log
source zone Untrust
dest object-group objg_sv_http_ftp
service object-group obj_srv_http
rule 111
action permit log
source zone Untrust
dest object-group objg_sv_http_ftp
service object-group obj_srv_ftp
rule 115
action permit log
source zone Untrust
dest virtual-server vip-161.112_dns
service object-group obj_srv_dns
rule 130
action permit log
source object-group objg_sv_dns
source zone Trust_Vlan_162
dest zone Untrust
service object-group obj_srv_dns
rule 140
action permit
source zone Trust_Vlan_162
dest zone Trust_Vlan_53
rule 141
action permit
source zone Trust_Vlan_53
dest zone Trust_Vlan_162
rule 150
action permit log
dest object obj_sv_163.5_ssh
service object-group obj_srv_ssh
!
fw vrid 1
!
fw session-aging a1
tcp idle-timeout 12345
udp idle-timeout 89
icmp idle-timeout 9

!
fw active-rule-set r1 session-aging a1
!
end
!Current config commit point for partition 0 is 0 & config mode is classical-mode
AX16(config)#
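A running config is also the natural input for a consistency check before the rule-set goes live. The following Python script is an added example, not A10 tooling: it parses the object, object-group, zone, slb virtual-server and rule-set blocks from a trimmed copy of the running config above (the “!” separators and most entries are dropped to keep it short) and reports references to undefined names as well as definitions that no group or rule uses. AS_TYPED_WITH_TYPO is a constructed variant in which the group member is spelled “obj_sv_161.101_http_ftp” instead of “obj_vip_161.101_http_ftp”, to show what a dangling reference looks like.

```python
"""Reference check for the firewall objects in a DCFW running config.
Added example, not A10 tooling. The parser knows only the object, object-group, zone,
slb virtual-server and rule-set blocks used in this chapter; other lines are skipped."""

# Trimmed copy of the running config above ("!" separators and most entries dropped).
CONFIG = """\
object network obj_sv_162.1_http_ftp
172.16.162.1/32
object network obj_sv_163.5_ssh
10.16.163.5/32
object network obj_vip_161.101_http_ftp
10.16.161.101/32
object-group network objg_sv_http_ftp_tmp fw v4
virtual-server vip_161.101_http_ftp
object-group network objg_sv_http_ftp fw v4
object obj_vip_161.101_http_ftp
object-group service obj_srv_http
tcp eq 80
object-group service obj_srv_ssh
tcp eq 22
zone Untrust
vlan 161
zone dmz
vlan 163
slb virtual-server vip-161.111_dns 10.16.161.111
slb virtual-server vip_161.101_http_ftp 10.16.161.101
rule-set r1
rule 110
action permit log
source zone Untrust
dest object-group objg_sv_http_ftp
service object-group obj_srv_http
rule 150
action permit log
dest object obj_sv_163.5_ssh
service object-group obj_srv_ssh
"""

# Constructed variant: the group member misspelled, the kind of slip a reference check exists for.
AS_TYPED_WITH_TYPO = CONFIG.replace("object obj_vip_161.101_http_ftp", "object obj_sv_161.101_http_ftp")

OPENERS = {"object network": "object", "object-group network": "object-group",
           "object-group service": "service-group", "zone": "zone",
           "slb virtual-server": "virtual-server", "rule-set": "rule-set"}
REF_KINDS = ("object", "object-group", "virtual-server", "zone", "service-group")


def parse(text):
    """Return {"object": {name: [lines]}, "object-group": {name: [(kind, ref)]}, ...,
    "virtual-server": {name: ip}, "rules": [{"name": ..., "refs": [(kind, ref)]}]}."""
    cfg = {kind: {} for kind in OPENERS.values()}
    cfg["rules"] = []
    kind = name = None                                   # block currently being read
    for line in text.splitlines():
        words = line.split()
        if not words or line.startswith("!"):
            kind = None
            continue
        opener = next((o for o in OPENERS if words[:len(o.split())] == o.split()), None)
        if opener:
            kind, name = OPENERS[opener], words[len(opener.split())]
            cfg[kind][name] = words[-1] if kind == "virtual-server" else []
        elif kind == "rule-set" and words[0] == "rule":
            cfg["rules"].append({"name": words[1], "refs": []})
        elif kind == "rule-set" and len(words) == 3 and words[0] in ("source", "dest", "service"):
            ref_kind = "service-group" if words[0] == "service" else words[1]
            if ref_kind in REF_KINDS:                    # ipv4-address criteria are literals
                cfg["rules"][-1]["refs"].append((ref_kind, words[2]))
        elif kind == "object-group" and words[0] in ("object", "virtual-server"):
            cfg[kind][name].append((words[0], words[1]))
        elif kind in ("object", "service-group", "zone"):
            cfg[kind][name].append(line.strip())
    return cfg


def lint(cfg):
    """dangling: a group member or rule criterion that names nothing defined.
    unused: a definition no group or rule references (members of an unused group still
    count as referenced, so a stale group can hide stale members)."""
    referenced, dangling = set(), []
    for group, members in cfg["object-group"].items():
        for ref in members:
            referenced.add(ref)
            if ref[1] not in cfg[ref[0]]:
                dangling.append(f"object-group {group} -> {ref[0]} {ref[1]}")
    for rule in cfg["rules"]:
        for ref in rule["refs"]:
            referenced.add(ref)
            if ref[1] not in cfg[ref[0]]:
                dangling.append(f"rule {rule['name']} -> {ref[0]} {ref[1]}")
    unused = [f"{kind} {name}" for kind in REF_KINDS for name in cfg[kind] if (kind, name) not in referenced]
    return {"dangling": dangling, "unused": unused}


if __name__ == "__main__":
    for label, text in (("running config", CONFIG), ("with typo", AS_TYPED_WITH_TYPO)):
        print(label, lint(parse(text)))
```

On the page's own config the check finds no dangling references but four unused definitions: the real-server object obj_sv_162.1_http_ftp (rules expose only the VIPs), the group objg_sv_http_ftp_tmp, the zone dmz, and the virtual server vip-161.111_dns, which no rule permits traffic to. The typo variant adds one dangling reference and makes obj_vip_161.101_http_ftp unused, which is the signature of a renamed object whose references were not updated.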

Deploying Gi/SGi-Firewall

This chapter provides an example of a Gi/SGi-Firewall deployment.

The following topics are covered:

• Sample Topology for Gi/SGi-FW

• Gi/SGi-FW Configuration with CGN Deployment

• Show Running Config for Gi/SGi-FW

Sample Topology for Gi/SGi-FW

Figure 7 illustrates the topology for a basic sample use case of Gi/SGi-FW with a CGN deployment.

FIGURE 7 Sample Gi/SGi-FW topology diagram for basic use case (FW + CGN)

Notes:

• See “Gi/SGi-FW Configuration with CGN Deployment” on page 83 for the CLI commands used to
configure the firewall in an environment similar to that shown above.

Gi/SGi-FW Configuration with CGN Deployment

The section below describes the configurations for Gi/SGi-FW in a simple deployment consisting of
Firewall + CGN.

High-level Configuration
This section provides high-level configuration steps to set up a basic Gi/SGi-FW. More granular CLI
commands are described in the next section.

1. Configure the server(s) to which the logs will be sent.
2. Configure the service group for the servers.
3. Define a CGNv6 logging template, which NAT events to log, and the format for the log messages.
4. Set a configured LSN traffic logging template as the default template for all LSN pools.
5. Configure endpoint-independent mapping (EIM) support.
6. Configure endpoint-independent filtering (EIF) support.
7. Configure a named set of IP addresses for use by CGN or LSN.
8. Configure a LID for NAT64 and add the pool to it.
9. Configure the NAT64 prefix to be used.
10. Enable Fixed NAT for the Gi/SGi-FW deployment.
11. Create a network object-group for specifying match criteria using Layer 3 parameters that will be used for IPv4 firewall configurations.
12. Create a service object-group for specifying match criteria using Layer 4 to Layer 7 parameters.
13. Configure a firewall rule-set that contains a set of rules. Each rule should contain the match criteria and the associated action.
14. Activate the rule-set with the “fw active-rule-set” command.

CLI Configuration
The following commands configure the server to which the logs are to be sent:

ACOS(config)# cgnv6 server ls1 9.9.9.173
ACOS(config-real server)# health-check-disable
ACOS(config-real server)# port 514 udp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit

The following commands configure the service group of servers:

ACOS(config)# cgnv6 service-group logging udp
ACOS(config-cgnv6 svc group)# member ls1 514
ACOS(config-cgnv6 svc group)# exit

The following commands define a CGNv6 logging template. In the template, the commands also define
which NAT events to log and the format for the log messages:

ACOS(config)# cgnv6 template logging log
ACOS(config-logging:log)# log fixed-nat port-mappings both
ACOS(config-logging:log)# log port-mappings creation
ACOS(config-logging:log)# format binary
ACOS(config-logging:log)# service-group logging
ACOS(config-logging:log)# exit

The following command sets a configured LSN traffic logging template as the default template for all
LSN pools:

ACOS(config)# cgnv6 lsn logging default-template log

The following command configures a named set of IP addresses for use by CGN or LSN:

ACOS(config)# cgnv6 nat pool p1 9.9.9.50 9.9.9.50 netmask /24 vrid 31

The following commands configure a LID for NAT64 and add the pool to it:

ACOS(config)# cgnv6 lsn-lid 1
ACOS(config-lsn-lid)# source-nat-pool p1
ACOS(config-lsn-lid)# exit

The following command configures the NAT64 prefix:

ACOS(config)# cgnv6 nat64 prefix 64:ff9b::/96

The following command enables Fixed NAT:

ACOS(config)# cgnv6 fixed-nat inside 3201::172 3201::172 netmask 96 nat 9.9.9.45 9.9.9.45 netmask /24 vrid 31


The following commands create a network object-group for specifying match criteria using Layer 3
parameters. The following example specifically creates a network object group that will be used for
IPv4 firewall configurations.

ACOS(config)# object-group network network1 fw v4
ACOS(config-network:network1)# 12.10.10.0/24
ACOS(config-network:network1)# exit

The following commands create a service object-group for specifying match criteria using Layer 4 to Layer 7 parameters.

ACOS(config)# object-group service alg
ACOS(config-service:alg)# tcp eq 21 alg FTP
ACOS(config-service:alg)# icmp
ACOS(config-service:alg)# tcp range 1 65535
ACOS(config-service:alg)# udp eq 69 alg TFTP
ACOS(config-service:alg)# protocol-id 132
ACOS(config-service:alg)# udp eq 554 alg RTSP
ACOS(config-service:alg)# udp eq 53 alg DNS
ACOS(config-service:alg)# udp range 1 65535
ACOS(config-service:alg)# exit

The following commands configure a firewall rule-set that contains a set of rules. In this example, rule 1
specifies that any packets matching this rule must be handled by LSN configurations, whereas packets
matching rule 2 must be handled by Fixed NAT configurations. Packets matching rule 3 are permitted,
and no CGN configurations are applied to them.

ACOS(config)# rule-set firewall
ACOS(config-rule set:firewall)# rule 1
ACOS(config-rule set:firewall-rule:1)# action permit cgnv6 lsn-lid 1
ACOS(config-rule set:firewall-rule:1)# source object-group network1
ACOS(config-rule set:firewall-rule:1)# source zone inside
ACOS(config-rule set:firewall-rule:1)# dest ipv4-address any
ACOS(config-rule set:firewall-rule:1)# dest zone outside
ACOS(config-rule set:firewall-rule:1)# service object-group alg
ACOS(config-rule set:firewall-rule:1)# exit

ACOS(config)# rule-set firewall
ACOS(config-rule set:firewall)# rule 2
ACOS(config-rule set:firewall-rule:2)# action permit cgnv6 fixed-nat
ACOS(config-rule set:firewall-rule:2)# ip-version v6
ACOS(config-rule set:firewall-rule:2)# source ipv6-address 3201::172/128
ACOS(config-rule set:firewall-rule:2)# source zone inside
ACOS(config-rule set:firewall-rule:2)# dest ipv6-address any
ACOS(config-rule set:firewall-rule:2)# dest zone any
ACOS(config-rule set:firewall-rule:2)# service any
ACOS(config-rule set:firewall-rule:2)# exit

ACOS(config)# rule-set firewall
ACOS(config-rule set:firewall)# rule 3
ACOS(config-rule set:firewall-rule:3)# action permit
ACOS(config-rule set:firewall-rule:3)# source any inside
ACOS(config-rule set:firewall-rule:3)# dest any
ACOS(config-rule set:firewall-rule:3)# exit

The following command enables the firewall rule-set:

ACOS(config)# fw active-rule-set firewall

Notes:

• The firewall rule-set must be activated with the fw active-rule-set command before any rules can be enforced on inbound traffic.

• When no rule-set is active, all traffic will pass, because no firewall rules are applied to the incoming traffic.

• If a firewall rule-set is active and no rules are defined, then the default action is implicit deny.

• Each rule contains one or more match criteria and associated actions that can be applied to traffic if there is a match.


Show Running Config for Gi/SGi-FW


Output from the show running-config command shows the commands that must be entered for Gi/SGi-FW to work correctly in a simple FW + CGN deployment scenario.

ACOS(config)# show running-config
!Current configuration: 2822 bytes
!Configuration last updated at 01:42:08 PST Tue Sep 10 2016
!Configuration last saved at 01:56:48 PST Tue Sep 10 2016
!64-bit Advanced Core OS (ACOS) version 4.1.1, build 204 (Sep-14-2016,05:26)
!
zone inside
vlan 10
!
zone outside
vlan 20
!
cgnv6 server ls1 9.9.9.173
health-check-disable
port 514 udp
health-check-disable
!
cgnv6 service-group logging udp
member ls1 514
!
cgnv6 template logging log
log fixed-nat port-mappings both
log port-mappings creation
format binary
service-group logging
!
cgnv6 lsn logging default-template log
!
cgnv6 nat pool p1 9.9.9.50 9.9.9.50 netmask /24 vrid 31
!
cgnv6 lsn-lid 1
source-nat-pool p1
!
cgnv6 nat64 prefix 64:ff9b::/96
!
cgnv6 fixed-nat inside 3201::172 3201::172 netmask 96 nat 9.9.9.45 9.9.9.45 netmask /24 vrid 31
!
object-group network allowed fw v4
12.10.10.0/24
!
object-group service alg
tcp eq 21 alg FTP
icmp
tcp range 1 65535
udp eq 69 alg TFTP
protocol-id 132
udp eq 554 alg RTSP
udp eq 53 alg DNS
udp range 1 65535
!
rule-set firewall
rule 1
action permit cgnv6 lsn-lid 1
source object-group allowed
source zone inside
dest ipv4-address any
dest zone outside
service object-group alg
rule 2
action permit cgnv6 fixed-nat
ip-version v6
source ipv6-address 3201::172/128
source zone inside
dest ipv6-address any
dest zone any
service any
!
fw active-rule-set firewall
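A quick consistency check a practitioner might run over exported configuration like the output above before activating it. The following Python is an added example, not code from the A10 guide or from ACOS; it assumes only the block layout shown (a top-level command, its sub-commands, blocks separated by “!”), and SAMPLE_CONFIG is a constructed config modelled on this output with one deliberately dangling pool reference.

```python
"""Check an exported ACOS firewall configuration for dangling references.

Added example, not code from the A10 guide or from ACOS. It assumes only the
block layout of the running-config output above: a top-level command line,
its sub-commands on the following lines, and '!' separating blocks.
"""
from collections import defaultdict

# Constructed sample modelled on the output above; lsn-lid 1 deliberately names a pool that is not defined.
SAMPLE_CONFIG = """\
zone inside
!
zone outside
!
cgnv6 nat pool p3 9.9.9.50 9.9.9.50 netmask /24 vrid 31
!
cgnv6 lsn-lid 1
  source-nat-pool p1
!
object-group network allowed fw v4
  12.10.10.0/24
!
object-group service alg
  tcp eq 21 alg FTP
!
rule-set firewall
  rule 1
    action permit cgnv6 lsn-lid 1
    source object-group allowed
    source zone inside
    dest ipv4-address any
    dest zone outside
    service object-group alg
!
fw active-rule-set firewall
"""


def parse_blocks(config_text):
    """Split running-config text into (header, [sub-command lines]) blocks."""
    blocks, header, body = [], None, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # '!' (or a blank line) ends a block
            if header is not None:
                blocks.append((header, body))
            header, body = None, []
        elif header is None:
            header = line
        else:
            body.append(line)
    if header is not None:
        blocks.append((header, body))
    return blocks


def lint(config_text):
    """Return a list of findings; an empty list means the config is self-consistent."""
    defined = defaultdict(set)  # kind -> names defined in the config
    refs = []                   # (kind, name, where it is referenced)
    active, rule_count = None, {}
    for header, body in parse_blocks(config_text):
        w = header.split()
        if w[0] == "object-group":            # object-group network|service NAME ...
            defined["object-group " + w[1]].add(w[2])
        elif w[:3] == ["cgnv6", "nat", "pool"]:
            defined["pool"].add(w[3])
        elif w[:2] == ["cgnv6", "lsn-lid"]:
            defined["lsn-lid"].add(w[2])
            refs += [("pool", s.split()[1], header) for s in body
                     if s.startswith("source-nat-pool ")]
        elif w[0] == "zone":
            defined["zone"].add(w[1])
        elif w[0] == "rule-set":
            name, where = w[1], f"rule-set {w[1]}"
            defined["rule-set"].add(name)
            rule_count[name] = 0
            for s in map(str.split, body):
                if s[0] == "rule":
                    where = f"rule-set {name} rule {s[1]}"
                    rule_count[name] += 1
                elif s[0] in ("source", "dest") and s[1] == "object-group":
                    refs.append(("object-group network", s[2], where))
                elif s[:2] == ["service", "object-group"]:
                    refs.append(("object-group service", s[2], where))
                elif s[0] in ("source", "dest") and s[1] == "zone" and s[2] != "any":
                    refs.append(("zone", s[2], where))
                elif s[:4] == ["action", "permit", "cgnv6", "lsn-lid"]:
                    refs.append(("lsn-lid", s[4], where))
        elif w[:2] == ["fw", "active-rule-set"]:
            active = w[2]
            refs.append(("rule-set", w[2], header))
    findings = [f"{where}: references undefined {kind} '{name}'"
                for kind, name, where in refs if name not in defined[kind]]
    if active is None:           # the guide's note: no active rule-set means all traffic passes
        findings.append("no 'fw active-rule-set': all traffic passes unfiltered")
    elif rule_count.get(active) == 0:  # active but empty rule-set: implicit deny
        findings.append(f"active rule-set '{active}' has no rules: implicit deny")
    return findings
```

Calling lint(SAMPLE_CONFIG) returns a single finding, the undefined pool “p1” referenced under lsn-lid 1; renaming the pool to p1 makes the list empty.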


Config Commands: Firewall

This chapter contains the following:

• Firewall Global Configuration Commands

• Rule-Set Configuration Commands

• Firewall show and clear Commands


Firewall Global Configuration Commands


This section describes the Firewall commands available in global configuration mode.

The following commands are available:

• fw active-rule-set

• fw alg

• fw alg-processing

• fw apply-changes

• fw disable-ip-fw-sessions

• fw helper-sessions

• fw listen-on-port-timeout

• fw logging

• fw permit-default-action

• fw radius server

• fw server

• fw service-group

• fw session-aging

• fw tcp-window-check

• fw template logging

• fw urpf

• fw vrid

• rule-set

• zone


fw active-rule-set
Description Activate the firewall function using the specified rule-set in an application
delivery partition. Only one rule-set may be active in a partition.

Syntax [no] fw active-rule-set name [session-aging template-name]

Parameter Description
active-rule-set name Enable the firewall function using the rule-set specified for this partition. The rule-set must exist prior to activating. (See “rule-set” on page 117.)
session-aging template-name Bind the session-aging template (for TCP, UDP, and ICMP sessions) to the active rule-set. (See “fw session-aging” on page 104.)

Default No default active rule-set.

Mode Configuration mode

Usage While ACOS supports creation of many rule-sets, only one rule-set can be
active at a time.

NOTE: It may take approximately 10 seconds for the “rule-set” to become active.

Example This example shows how to activate firewall rule set “rule-set-1”:

ACOS(config)# fw active-rule-set rule-set-1
ACOS(config)#


fw alg
Description Configure application protocol inspection for common application protocols, such as FTP, TFTP, SIP, DNS and others, on their well-known ports.

Syntax [no] fw alg options

Parameter Description
dns default-port-disable Change DNS ALG settings for default port 53.
ftp default-port-disable Change FTP ALG settings for default port 21.
icmp disable Disable ICMP ALG, which allows ICMP errors to pass through the firewall.
pptp default-port-disable Change PPTP ALG settings for default port 1723.
rtsp default-port-disable Change RTSP ALG settings for default port 554.
sip default-port-disable Change SIP ALG settings for default port 5060.
tftp default-port-disable Change TFTP ALG settings for default port 69.

Default Application protocol inspection is enabled by default for the protocols listed
in the table above. If desired, you can use this command to disable this
behavior.

Mode Configuration mode

Usage ALG is enabled by default for these protocols, so traffic using common ALG protocols (for example, FTP or SIP) may traverse the firewall without being inspected, as long as the traffic is using its associated well-known port. However, this command can be used to block traffic on the well-known ports for these protocols. To enable application protocol inspection on non-default ports, you can specify them while creating a service-rule or service object-group element.

Example The following example shows how to disable the ALG for DNS on its well-
known port 53:

ACOS(config)# fw alg dns default-port-disable
ACOS(config)#


fw alg-processing
Description Override the rules in a rule-set, to allow ALG traffic connections to be created, regardless of configured firewall rules that would otherwise deny the connection request.

Syntax [no] fw alg-processing options

Parameter Description
honor-rule-set Honor the firewall rule-set (Default)
override-rule-set Override the firewall rule-set

Default By default, honor-rule-set is enabled.

Mode Configuration mode

Usage ALG protocols, such as FTP and SIP, require the firewall to open ports to
accept new connections.

By default, the firewall honors the existing rule-set, meaning the firewall will
permit new ALG connection requests only if the request satisfies the
explicitly configured firewall rules.
However, you can override this behavior, so that the firewall will ignore the
configured firewall rules in the active rule-set. In this case, the firewall will
allow the ALG connection to open the port, even if the configured rules in the
rule-set would otherwise prevent the connection from opening.

Example The following example shows how to override the rules in the rule-set to
allow ALG traffic to pass, regardless of whether those rules would deny the
request:

ACOS(config)# fw alg-processing override-rule-set
ACOS(config)#


fw apply-changes
Description Recompile the firewall rule-set immediately.

Syntax [no] fw apply-changes [forced]

Default N/A

Mode Configuration mode

Usage If you made any changes to the active rule-set, this command will push the updated rule-set to the running-config to make it take effect immediately.

Changes to the rule-set could include modifications to any element contained in the rule-set, such as a new rule, changes to an object or object-group contained within a rule, changes to a zone contained within a rule, and so on.

If changes are made and the command is not executed, then the changes will eventually be applied after:

• an idle period of 10 seconds with no changes to the rule-set, OR

• a maximum of 10 minutes of constant changes to the rule-set

The forced option can be used to force an immediate recompile.

This is an operational command and thus will not be stored in the running-config.

This command is partition-aware, meaning it will only apply to the partition in which it is invoked. If this command is executed within the shared partition, it will only take effect in the shared partition and will not impact the private partitions which have a firewall rule-set.

Example The following example shows how to invoke a rule-set recompile:

ACOS(config)# fw apply-changes
ACOS(config)#


fw disable-ip-fw-sessions
Description Disable auto-creation of data sessions for non-TCP/UDP/ICMP protocols
that match a firewall permit rule.

Syntax [no] fw disable-ip-fw-sessions

Default N/A

Mode Configuration mode

Usage The DC Firewall will create an associated data session for all non-TCP/UDP/ICMP protocols that match a firewall permit rule. Use this command to disable auto-creation of a separate data session.

Example The following example shows how to disable auto-creation of data sessions
for non-TCP/UDP/ICMP protocols.

ACOS(config)# fw disable-ip-fw-sessions
ACOS(config)#


fw helper-sessions

NOTE: This is an internal command and should only be used by A10 Networks
Technical Support for debugging purposes.

Description Configure firewall helper-sessions options (TAC use only).

Syntax [no] fw helper-sessions {idle-timeout | limit | mode disable}

Parameter Description
idle-timeout Set the firewall helper-sessions idle-timeout to a value ranging from 1-255 minutes. Default is 1 minute.
limit Limit the number of helper sessions that can be created (1-134217728).
mode disable Helper sessions mode is enabled by default. You can use mode disable to disable the creation of any helper-sessions. Use the “no” form of the command to re-enable the feature.

Mode Configuration mode

Usage Data Center Firewall can employ short-lived helper sessions to provide faster
rule lookups. This can be helpful in cases where traffic is repeatedly sent to
the same destination IP address and port from the same source IP address.
Use the idle-timeout and limit options to change the behavior of these
helper-sessions.

Example The following example sets the idle-timeout for firewall helper-sessions to 10
minutes:

ACOS(config)# fw helper-sessions idle-timeout 10


fw listen-on-port-timeout
Description Configure the session’s Session Traversal Utilities for NAT (STUN) timeout.

Syntax [no] fw listen-on-port-timeout num

Mode Configuration mode

Example The following example sets the listen-on-port (STUN) timeout to 60:

ACOS(config)# fw listen-on-port-timeout 60


fw logging
Description Bind an SLB logging template to the firewall.

Syntax fw logging template-name

Default No default logging template.

Mode Configuration mode

Usage The data center firewall creates a high volume of log messages for data events, such as when a firewall session is created or destroyed. These log messages are directed to an external logging server.

Use this fw logging command to bind a firewall logging template to the firewall.

For information on how to bind the firewall logging template to an active rule-set, or for general information about configuring an external logging host, see “Firewall Logging” on page 39.

Configuration events also generate log messages, but these are typically sent to a different log server than the firewall data log messages. You can set up where to send the config-change logs using the standard logging host command. (See the “logging host” command in the CLI Reference for details.)

Example The following example binds the logging template “temp-log1” to the firewall:

ACOS(config)# fw logging temp-log1
ACOS(config)#


fw permit-default-action
Description This command applies to Gi/SGi-FW only. For a rule that does not have an application associated with it, this command changes the way ACOS processes incoming traffic when a match occurs on a policy rule containing “action permit”.

Syntax [no] fw permit-default-action {forward | next-service-mode}

Parameter Description
forward The packet will be L3 forwarded and a firewall session will be created.
next-service-mode The packet will be processed according to the applications configured in order. See “Processing Rules” on page 32 for more information.

Default By default, a “permit” rule with no application specified is L3 forwarded and will create a firewall session.

Mode Configuration mode

Usage This command only applies to Gi/SGi-FW partitions.

A rule-set containing firewall rules controls what traffic is allowed to enter the firewall. Each rule can be configured with the “permit” action associated with a selected application to be applied to packets matching the rule. The rule can be configured as generically as “forward” or “cgnv6”, or exclusively as “cgnv6 lsn-lid 2” or “cgnv6 fixed-nat”.

Example The following example shows how to configure ACOS such that the packet
will be forwarded at Layer 3 and will open a firewall session:

ACOS(config)# fw permit-default-action forward
ACOS(config)#


fw radius server
Description Configure the interaction with external RADIUS servers for firewall commands.

Syntax [no] fw radius server

This command changes the CLI to the configuration level for the specified
RADIUS server, where the following commands are available.

Command Description
[no] accounting Configures actions for RADIUS accounting messages. The following actions can be specified:

• interim-update – Actions for accounting Interim-Update messages. The following options are available:
  • ignore – Ignore the entry.
  • append-entry – Append the AVPs to the existing entry.
  • replace-entry – Replace the AVPs of the existing entry.

• on – Actions for accounting On messages. The following options are available:
  • delete-entries-using-attribute – Delete entries matching the attribute in the RADIUS table. The following options are available:
    • msisdn – Clear using MSISDN
    • imei – Clear using IMEI
    • imsi – Clear using IMSI
    • NAME<length:1-15> – Clear using a customized attribute
  • ignore – Ignore the request.

• start – Actions for accounting Start messages. The following options are available:
  • ignore – Ignore the entry.
  • append-entry – Append the AVPs to the existing entry.
  • replace-entry – Replace the AVPs of the existing entry.

• stop – Actions for accounting Stop messages. The following options are available:
  • ignore – Ignore the entry.
  • delete-entry – Delete the entry.
  • delete-entry-and-sessions – Delete the entry and the associated data sessions.


Command Description
[no] attribute attr-name [[vendor vendor-id] number attr-id] Specifies the RADIUS attributes for the ACOS device to receive from external RADIUS servers in response to RADIUS Accounting requests. The following attributes can be specified:

• inside-ipv6-prefix prefix-length num – Framed IPv6 address. Specify the prefix-length for the Framed IPv6 address.

• inside-ip – Inside client’s IPv4 address.

• inside-ipv6 – Inside client’s IPv6 address.

• imei – Inside client’s mobile number, as International Mobile Equipment Identity (IMEI).

• imsi – Inside client’s mobile number, as International Mobile Subscriber Identity (IMSI).

• msisdn – Inside client’s mobile number, as Mobile Station International ISDN Number (MSISDN).

• custom1, custom2, custom3 – Additional attributes not covered by other options.

The vendor-id specifies the RADIUS vendor ID and can be 1-65535. The attr-id specifies the RADIUS attribute ID and can be 1-255. These options, in combination, allow you to specify any attribute to be used as the client’s inside IP address, MSISDN, IMEI, and so on. For example, if your RADIUS server normally sends the MSISDN attribute as attribute 31, you could use the following command to configure the ACOS device to use the same attribute value for MSISDN: attribute msisdn number 31
[no] listen-port portnum Specifies the port number on which the external RADIUS server listens for Accounting requests.
[no] remote Specifies the name of the IP list that contains the IP addresses of the external RADIUS servers from which to obtain mobile numbers for traffic logging. The following options are available:

• ip-list – IP list of remote clients.

• ipv4-list – IP list of IPv4 remote clients.

• ipv6-list – IP list of IPv6 remote clients.

[no] secret shared-secret Specifies the password string the external RADIUS servers and ACOS device use to authenticate RADIUS traffic between them.
[no] vrid num Joins a VRRP-A failover group.

Default By default, no RADIUS servers are configured. When you use this command
to configure one, the server has the defaults listed in the table above.

Mode Configuration mode

Usage You can configure ACOS to use the same mechanism for inserting the MSISDN values into HTTP request headers that is used to insert the values into FW log messages.


fw server
Description Configure a firewall logging server.

Syntax [no] fw server server-name [IPv6-addr | IPv4-addr | hostname]

Replace server-name with the name of the logging server, 1-127 characters.

Specify the IPv4 or IPv6 address, or hostname for the logging server.

This command changes the CLI to the configuration level for the specified
server, where the following commands are available:

Parameter Description
[no] health-check [monitor-name] Enables health monitoring of the server. The monitor-name specifies the name of a configured health monitor. If you omit this command or you enter it without the monitor-name option, the default Layer 3 (ICMP) health monitor is used.
[no] health-check-disable Disables health monitoring of the server.
[no] port port-num {tcp | udp} Specifies the TCP or UDP port on which the server listens for traffic. At the port configuration level, the following commands are available:
  enable | disable – Enables or disables the port.
  [no] health-check [monitor-name] – Enables health monitoring of the port. The monitor-name option specifies the name of a configured health monitor. If you omit the health-check command or you enter it without the monitor-name option, the default UDP health monitor is used.
  [no] health-check-disable – Disables health monitoring of the port.
  [no] sampling-enable type – Enables baselining on the port.
[no] sampling-enable type Enables baselining on the server.
[no] enable | disable Enables or disables the server.

Default There are no logging servers configured by default.

Mode Configuration mode

Usage This command creates a new real server. The CLI changes to the configuration level for the server. The “no” form of this command removes an existing real server. The IP address of the server can be in either IPv4 or IPv6 format, or a hostname.

Example The following example shows how to configure a logging server called “log-
serv1” at 1.2.3.4:

ACOS(config)# fw server log-serv1 1.2.3.4
ACOS(config-real server)#

fw service-group
Description Configure a service group for the firewall logging server.

Syntax [no] fw service-group group-name {tcp | udp}

Replace group-name with the name of the group, 1-127 characters.

Specify the application type for the service group (tcp or udp).

This command changes the CLI to the configuration level for the specified
service group, where the following commands are available:

Parameter Description
[no] health-check [monitor-name] Enables health monitoring of the service group. The monitor-name specifies the name of a configured health monitor.
[no] member server-name portnum [sampling-enable type] Adds the external log server and port to the service group. The sampling-enable option enables baselining on the service group member.
[no] sampling-enable type Enables baselining on the service group.

Default There are no service-groups configured by default.

Mode Configuration mode

Usage This command creates a new service group. The CLI changes to the configu-
ration level for the service group.

Example The following example adds a TCP service-group called “sg1”:

ACOS(config)# fw service-group sg1 tcp
ACOS(config-fw svc group)#


fw session-aging
Description Configure the session-aging template for ICMP, TCP, and UDP protocols.

Syntax [no] fw session-aging name

This command changes the CLI to the configuration level for the designated
session-aging template, where the following commands are available.

Command Description
[no] icmp idle-timeout seconds Configure idle-timeout for ICMP sessions. You can set the time-out to a value ranging from 2-15000 seconds. The default is 2 seconds.
[no] ip-others ip-idle-timeout seconds Configure idle-timeout for sessions that are not TCP, UDP, or ICMP traffic. You can set the time-out to a value ranging from 1-2097151 seconds. The default is 30 seconds.

[no] tcp Configure the following options for TCP sessions:

• force-delete-timeout num – Specifies the maximum time (in seconds) that a session can remain in the system before being deleted. This option forces deletion of any sessions that remain active beyond the specified number of seconds. The timeout can be 1-31 seconds. The default for this option is off. The alive-if-active option quickly terminates half-open TCP sessions on the virtual port while allowing active sessions to continue without being terminated.

• force-delete-timeout-100ms num – The maximum time that a session can remain in the system before being deleted. The timeout value is set in 100-millisecond units. You can assign a value ranging from 1-31 (multiplied by the number of 100-ms units). The default for this option is off.

• half-close-idle-timeout num – Enables aging of half-closed TCP sessions. A half-closed TCP session exists when the server sends a FIN but the client does not reply with an ACK. You can set the timeout from 60-120 seconds. The default for this option is off.

• half-open-idle-timeout num – Enables aging of half-open TCP sessions. A half-open TCP session is one in which the client receives a SYN-ACK, but does not reply with an ACK. You can set the timeout value to 1-60 seconds. The default for this option is off.

• idle-timeout num – Specifies the number of seconds a connection can remain idle before the ACOS device terminates it. You can specify 1-2097151 seconds (about 24 days). If you specify 31 seconds or higher, ACOS rounds up to the next multiple of 60 seconds. The default is 600 seconds.

• port num – Enables configuration of port-based timeouts for TCP ports. You can set the port num to a value from 1-65535. At this configuration point, the following sub-options are available:
  • force-delete-timeout – (see description above)
  • force-delete-timeout-100ms – (see description above)
  • half-close-idle-timeout – (see description above)
  • half-open-idle-timeout – (see description above)
  • idle-timeout – (see description above)
  • [alive-if-active] – Half-open TCP sessions are terminated while allowing active sessions to continue. The default for this option is off.
[no] udp Configure the following options for UDP sessions:

• idle-timeout num – Configure the idle-timeout (seconds) for UDP sessions. You can set the time-out value to 1-2097151 seconds. The default is 120 seconds.

• port num – Enables configuration of port-based timeouts for UDP ports. You can set the port num to a value from 1-65535. At this configuration point, the following sub-options are available:
  • idle-timeout – (see description above)


Default See table above for defaults.

Mode Configuration mode

Usage Configure the session-aging template for TCP, UDP, and ICMP protocols.

Preference for idle-timeouts when multiple types have been configured:

You can configure multiple different types of timeouts, such as protocol-based and port-based idle-timeouts. There could also be an idle-timeout configured under a rule in a rule-set. In such cases, where a conflict may occur, ACOS selects the idle-timeout value in the following order of precedence:

1) Idle timeouts configured at the rule level will be used first.

2) ACOS will use the port-based idle-timeout (configured within the session-aging template) if there is no rule-level idle-timeout value configured.

3) ACOS will use the protocol-based idle-timeout value from the firewall session-aging template if there is no rule-level timeout and no port-based idle-timeout.

4) ACOS will use the system default idle-timeout value if there is no timeout configured at the rule level, nor at the port or protocol level within the firewall session-aging template.

Note: All ALG data sessions will inherit the idle-timeout values from the control session, even if the port being used has an idle-timeout value configured in the firewall session-aging template.

Example The following example shows how to configure a session-aging template called “name1”. The example sets the idle-timeout for ICMP to 10 seconds:

ACOS(config)# fw session-aging name1
ACOS(config-session-aging:name1)# icmp idle-timeout 10
ACOS(config-session-aging:name1)#
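The precedence rules and defaults above, carried through as a small model. This Python is an added example, not ACOS code; SessionAgingTemplate, effective_idle_timeout and round_tcp_idle_timeout are names made up for it, and the template it builds mirrors the “fw session-aging a1” block shown earlier in the guide with an added port-level entry.

```python
"""Resolve the idle-timeout a new firewall session will be given.

Added example, not ACOS code. It models the precedence order stated in the
Usage section (rule level, then port-based template entry, then protocol-based
template entry, then system default), the rounding rule for the TCP
idle-timeout, and the note that ALG data sessions inherit the control
session's timeout. The class and function names are made up for this example.
"""

# System defaults from the session-aging command tables above (seconds).
SYSTEM_DEFAULT = {"tcp": 600, "udp": 120, "icmp": 2, "ip-others": 30}


def round_tcp_idle_timeout(seconds):
    """tcp idle-timeout: 1-2097151; values of 31 s or more round up to a multiple of 60 s."""
    if not 1 <= seconds <= 2097151:
        raise ValueError("tcp idle-timeout must be 1-2097151 seconds")
    if seconds < 31:
        return seconds
    return -(-seconds // 60) * 60  # ceiling to the next multiple of 60


class SessionAgingTemplate:
    """Stand-in for 'fw session-aging NAME' holding its protocol and port entries."""

    def __init__(self, name):
        self.name = name
        self.protocol = {}                   # e.g. {"tcp": 12360, "udp": 89, "icmp": 9}
        self.port = {"tcp": {}, "udp": {}}   # e.g. {"tcp": {22: 30}}

    def set_protocol(self, proto, seconds):
        """'<proto> idle-timeout SECONDS' at template level (tcp values are rounded)."""
        if proto == "tcp":
            seconds = round_tcp_idle_timeout(seconds)
        self.protocol[proto] = seconds
        return self

    def set_port(self, proto, port, seconds):
        """'<proto> port NUM idle-timeout SECONDS'; only tcp and udp have port entries."""
        if proto not in self.port:
            raise ValueError("port-based timeouts exist only for tcp and udp")
        self.port[proto][port] = seconds
        return self


def effective_idle_timeout(proto, port=None, rule_timeout=None,
                           template=None, control_session=None):
    """Return (seconds, source) for a new session, following the documented precedence.

    control_session is the (seconds, source) of an ALG control session; when it is
    given, the data session inherits it regardless of any port or protocol entry.
    """
    if control_session is not None:
        secs, src = control_session
        return secs, f"inherited from control session ({src})"
    if rule_timeout is not None:                        # 1) rule level
        return rule_timeout, "rule"
    if template is not None:
        port_entries = template.port.get(proto, {})
        if port is not None and port in port_entries:   # 2) port-based
            return port_entries[port], f"template {template.name} port {port}"
        if proto in template.protocol:                  # 3) protocol-based
            return template.protocol[proto], f"template {template.name} protocol {proto}"
    return SYSTEM_DEFAULT[proto], "system default"      # 4) system default


if __name__ == "__main__":
    # Constructed template mirroring the 'fw session-aging a1' block earlier in the guide,
    # plus a port-level entry for TCP 22 to show the port-based step.
    a1 = (SessionAgingTemplate("a1").set_protocol("tcp", 12345)
          .set_protocol("udp", 89).set_protocol("icmp", 9).set_port("tcp", 22, 30))
    print(effective_idle_timeout("tcp", port=22, template=a1))                  # port entry wins
    print(effective_idle_timeout("tcp", port=80, template=a1))                  # rounded 12345 -> 12360
    print(effective_idle_timeout("tcp", port=22, rule_timeout=5, template=a1))  # rule level wins
    print(effective_idle_timeout("ip-others", template=a1))                     # system default
```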


fw tcp-window-check
Description Enable or disable firewall TCP window check.

Syntax [no] fw tcp-window-check {enable | disable | sampling-enable}

Parameter Description
enable Enables the TCP window check; packets outside the advertised window are dropped. (default)
disable Disables the TCP window check.
sampling-enable {all | outside-window} Enables baselining and rate calculation for counters. Specify one of these options:

• all – applies to all packets

• outside-window – counter for packets that were dropped for being outside the TCP window

For more information about sampling-enable, see “Enabling Baselining and Rate Calculation” in the Command Line Interface Reference.

Default TCP window check is enabled.

Mode Configuration mode

Usage TCP window checks enforce that TCP packets are within the advertised win-
dow (for traffic in both directions) by tracking the sequence and acknowledg-
ment numbers. Packets outside the advertised window are dropped.

Example The following example shows how to enable the tcp-window-check option
with baselining and rate calculation enabled for packets that were outside of
the advertised TCP window:

ACOS(config)# fw tcp-window-check enable
ACOS(config)# fw tcp-window-check sampling-enable outside-window
ACOS(config)#
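The check described under Usage, modelled in Python as an added example; this is not ACOS code. It keeps sequence and acknowledgement state per direction for one constructed TCP flow and counts drops the way the outside-window counter would. The flow, its sequence numbers and the "c2s"/"s2c" direction labels are all constructed for the example:

```python
# Added example (not from the ACOS guide): a small model of the stateful check
# that `fw tcp-window-check enable` performs. A segment is accepted only if it
# overlaps the receive window last advertised by the *other* side and its ACK
# does not acknowledge bytes that side has not yet sent.
MOD = 1 << 32


def seq_diff(a, b):
    """Signed distance a - b in 32-bit sequence-number space (handles wrap)."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d


class Side:
    def __init__(self):
        self.nxt = None  # next sequence number this side will send
        self.ack = None  # last ACK this side sent: left edge of its receive window
        self.win = 0     # receive window this side last advertised


class TcpWindowCheck:
    def __init__(self):
        self.sides = {"c2s": Side(), "s2c": Side()}
        self.passed = 0
        self.outside_window = 0  # analogue of the outside-window counter

    @staticmethod
    def _acceptable(seq, length, ack, receiver):
        if receiver.ack is None:          # peer has not advertised a window yet (handshake)
            return True
        lo, win = receiver.ack, receiver.win

        def inside(x):
            return 0 <= seq_diff(x, lo) < win

        if length == 0:                   # pure ACK / RST / FIN without data
            ok = inside(seq) or (win == 0 and seq == lo)
        else:                             # any byte of the segment inside the window
            ok = inside(seq) or inside((seq + length - 1) % MOD)
        # acknowledging bytes the receiver has not sent is also out of window
        if ok and receiver.nxt is not None and seq_diff(ack, receiver.nxt) > 0:
            ok = False
        return ok

    def process(self, direction, seq, ack, length=0, win=65535, flags=()):
        sender = self.sides[direction]
        receiver = self.sides["s2c" if direction == "c2s" else "c2s"]
        if not self._acceptable(seq, length, ack, receiver):
            self.outside_window += 1
            return "DROP"
        consumed = length + ("SYN" in flags) + ("FIN" in flags)
        end = (seq + consumed) % MOD
        if sender.nxt is None or seq_diff(end, sender.nxt) > 0:
            sender.nxt = end
        if "ACK" in flags:
            sender.ack, sender.win = ack, win
        self.passed += 1
        return "PASS"


def run_demo():
    """Constructed flow: handshake, request, a blind RST with a bogus sequence
    number, a reply, then a stale replay. Returns (verdicts, checker)."""
    chk = TcpWindowCheck()
    flow = [
        ("c2s", 1000, 0, 0, 65535, ("SYN",)),
        ("s2c", 5000, 1001, 0, 8192, ("SYN", "ACK")),
        ("c2s", 1001, 5001, 0, 65535, ("ACK",)),
        ("c2s", 1001, 5001, 100, 65535, ("ACK", "PSH")),   # 100 bytes of request
        ("s2c", 200000, 1101, 0, 8192, ("RST",)),          # forged RST, seq far outside the window
        ("s2c", 5001, 1101, 50, 8192, ("ACK",)),           # legitimate reply
        ("c2s", 1001, 5051, 100, 65535, ("ACK",)),         # replay of already-acknowledged bytes
    ]
    verdicts = [chk.process(*pkt) for pkt in flow]
    return verdicts, chk
```

Note the limit of the check: a forged segment whose sequence number happens to fall inside the advertised window (here anything from 5001 up to 5001+65535) still passes. The window check raises the cost of blind injection or reset from guessing a 32-bit number to guessing within one window; it does not make the session immune.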


fw template logging
Description Configure a firewall logging template.

Syntax [no] fw template logging temp-name

Replace temp-name with the name of the logging template, 1-63 characters.

This command changes the CLI to the configuration level for the specified logging template, where the following commands are available:


Parameter Description
[no] facility options For the FW logging facility, specify one of the following options:

• kernel (0: Kernel)

• user (1: User-level)

• mail (2: Mail)

• daemon (3: System daemons)

• security-authorization
(4: Sec/authorization)

• syslog (5: Syslog internal)

• line-printer (6: Line printer)

• news (7: Network news)

• uucp (8: UUCP subsystem)

• cron (9: Time-related)

• security-authorization-private
(10: Private security/authorization)

• ftp (11: FTP)

• ntp (12: NTP)

• audit (13: Audit)

• alert (14: Alert)

• clock (15: Clock-related)

• local0 (16: Local use 0) (default)

• local1 (17: Local use 1)

• local2 (18: Local use 2)

• local3 (19: Local use 3)

• local4 (20: Local use 4)

• local5 (21: Local use 5)

• local6 (22: Local use 6)

• local7 (23: Local use 7)


Parameter Description
[no] format {ascii | cef} Specify the firewall logging format:

• ascii – A10 Text logging format (ASCII), used to support advanced CGN logging options, such as include-radius and include-http.

• cef – Common Event Format for logging (default)

For more information, see Choosing CEF or ASCII Format.


[no] include-http options Include one or more of the following HTTP fields in http-request logs:

• cookie – Log HTTP Cookie Header

• file-extension – HTTP file extension

• l4-session-info – Log the L4 session information of the HTTP request

• method – Log the HTTP Request Method

• referer – Log HTTP Referer Header

• request-number – HTTP Request Number

• user-agent – Log HTTP User-Agent Header

• header1 – Log HTTP Header 1

• header2 – Log HTTP Header 2

• header3 – Log HTTP Header 3


[no] include-radius-attribute options Include one or more of the following RADIUS attributes in logs:

• framed-ipv6-prefix – Include radius attributes for the prefix

• imei – Include IMEI

• imsi – Include IMSI

• insert-if-not-existing zero-in-custom-attr – Insert 0000 for standard and custom attributes in the log string

• msisdn – Include MSISDN

• custom1 – Customized attribute 1

• custom2 – Customized attribute 2

• custom3 – Customized attribute 3

• no-quote – No quotation marks for RADIUS attributes in logs


[no] log http-requests {host | url} For client HTTP requests, you can enable logging for one of the following types of information:

• host – Host requested by the client

• url – URL requested by the client


Parameter Description
[no] resolution {seconds | 10-milliseconds} Specifies the precision of the timestamps in log messages.

• seconds – Log message timestamps are precise to within one whole second. (default)

• 10-milliseconds – Log message timestamps are precise to within 1/100 second (10 milliseconds).
[no] rule http-requests options Additional rules for FW logging events. Specify one of the following options:

• dest-port – Log only HTTP requests sent to the specified destination port (Default: none)

• disable-sequence-check – Disable the HTTP packet sequence check and do not drop out-of-order packets

• include-all-headers – Include all configured headers, even those absent from the HTTP request

• log-every-http-request – Log every HTTP request in an HTTP 1.1 session (Default: log only the first HTTP request in a session)

• max-url-len – Maximum length of the logged URL


[no] service-group group-name This option binds a service group to the logging template. group-name is the name of the service group (1-127 characters).
[no] severity options The minimum severity level for which log messages will be sent. Specify
one of the following options:

• 0 (emergency)

• 1 (alert)

• 2 (critical)

• 3 (error)

• 4 (warning)

• 5 (notification)

• 6 (information)

• 7 (debugging) (default)
[no] source-address {ipv4 ipv4-addr | ipv6 ipv6-addr} Specify the source address of logging packets.


Default There are no logging templates configured by default.

Mode Configuration mode

Usage See “Firewall Logging” on page 39 for more information on configuring a log-
ging template.

Example The following example shows how to configure a firewall logging template
called “n1” with service-group “sg1”:

ACOS(config)# fw template logging n1
ACOS(config-logging)# service-group sg1

fw urpf
Description This command is used to enable Unicast Reverse Path Forwarding (URPF).

Syntax [no] fw urpf {disabled | strict | loose}

Parameter Description
disabled This option disables URPF (Default)
strict ACOS will create a session only if the reverse
route to the IPv4 or IPv6 source address fol-
lows the same interface upon which the
packet was received.
loose ACOS will create a session if there is a reverse
route to the IPv4 or IPv6 source address.

Default URPF is disabled by default.

Mode Configuration mode

Example The following example shows how to configure strict URPF checks:

ACOS(config)# fw urpf strict
ACOS(config)#
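Strict versus loose URPF decisions, as an added Python example (not ACOS code). The routing table, interface names and packets are constructed for the example; whether a default route satisfies the check is exposed as a parameter and is an assumption, since the guide does not say:

```python
import ipaddress

# Added example (not from the ACOS guide): strict and loose Unicast RPF
# decisions against a constructed routing table of (prefix, egress interface).
# Interface names imitate ACOS naming; the table itself is an assumption.
ROUTES = [
    ("10.1.0.0/16", "ethernet 1"),
    ("10.1.5.0/24", "ethernet 2"),
    ("192.0.2.0/24", "ethernet 3"),
    ("2001:db8:1::/48", "ethernet 4"),
    ("0.0.0.0/0", "ethernet 9"),
    ("::/0", "ethernet 9"),
]


def reverse_route(src):
    """Longest-prefix match for the source address: (network, interface) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best


def urpf_permits(mode, src, ingress_iface, default_route_counts=False):
    """Would a session be created for a packet from `src` arriving on `ingress_iface`?

    mode is "disabled", "loose" or "strict", as in `fw urpf {disabled | strict | loose}`.
    default_route_counts: whether a default route counts as a reverse route. The guide
    does not say; treating it as "no reverse route" is the usual anti-spoofing choice
    and is an assumption of this example.
    """
    if mode == "disabled":
        return True
    hit = reverse_route(src)
    if hit is None:
        return False
    net, egress = hit
    if net.prefixlen == 0 and not default_route_counts:
        return False
    if mode == "loose":
        return True                     # any reverse route is enough
    if mode == "strict":
        return egress == ingress_iface  # reverse route must lead back out the ingress port
    raise ValueError(f"unknown urpf mode {mode!r}")


def spoofed_sources(mode, packets):
    """Return the (src, ingress) pairs for which `mode` would refuse to create a session."""
    return [(src, ing) for src, ing in packets if not urpf_permits(mode, src, ing)]


# Constructed packets: (source address, ingress interface)
PACKETS = [
    ("10.1.5.7", "ethernet 2"),       # consistent with the /24 route
    ("10.1.5.7", "ethernet 1"),       # inside 10.1/16, but the /24 wins: strict fails, loose passes
    ("10.1.9.9", "ethernet 1"),       # matches the /16 on its own interface
    ("192.0.2.10", "ethernet 1"),     # known prefix, wrong interface
    ("198.51.100.9", "ethernet 3"),   # only the default route knows it
    ("2001:db8:1::5", "ethernet 4"),  # IPv6 is handled the same way
]
```

The second packet is the case that bites on asymmetric topologies: strict mode rejects a source that is perfectly legitimate whenever the return path differs from the arrival path, which is why loose mode exists for multi-homed edges.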


fw vrid
Description Configure a VRID group number for VRRP-A redundancy.

Syntax [no] fw vrid vrid-group

Parameter Description
[no] vrid vrid- Allow this ACOS device to join a VRRP-A group id.
group
vrid-group
The vrid-group can be a number ranging from 1-31.

Default No default

Mode Configuration mode

Usage For more information about adding the firewall to a group of ACOS devices
set up for VRRP-A redundancy, see Configuring VRRP-A High Availability.

Example The following example shows how to add this firewall to vrid-group 3:

ACOS(config)# fw vrid 3
ACOS(config)#


cgnv6 sctp permit-payload-protocol
Description Restrict which protocols are allowed in the SCTP DATA chunks.

Syntax [no] cgnv6 sctp permit-payload-protocol {iua | m2ua | m3ua | sua | m2pa | h.323 | protocol-ID}

Parameter Description
[no] {iua | m2ua | m3ua | sua | m2pa | h.323 | protocol-ID} Specify one of the following payload protocols:

• iua – IUA

• m2ua – M2UA

• m3ua – M3UA

• sua – SUA

• m2pa – M2PA

• h.323 – H.323

• protocol-ID – Specify an SCTP permitted payload protocol ID, ranging from 1-63.

Default No default

Mode Configuration mode

NOTE: This command is only available on CFW platforms.

cgnv6 sctp rate-limit
Description Configure packet rate-limiting for SCTP sessions.

Syntax [no] cgnv6 sctp rate-limit {destination | source} ip-addr num

Parameter Description
destination Configure SCTP destination rate-limiting.
source Configure SCTP source rate-limiting.
ip-addr Enter the IPv4 address.
num Enter the rate limit in packets per second. The value can
range from 1-2147483647.

Default No default

Mode Configuration mode


NOTE: This command is only available on CFW platforms.

rule-set
Description Configure a data center firewall rule-set.

Syntax [no] rule-set name

After using this command, the commands in “Rule-Set Configuration Commands” on page 120 are available.

Parameter Description
rule-set Create a new DC firewall rule-set.
name
To make a firewall rule-set active, see “fw active-rule-set” on
page 91.

Default No default name for new rule-sets.

Mode Global configuration mode

Usage Only one rule-set can be active at a time, although ACOS supports the config-
uration of multiple passive rule-sets.

Example The following example shows creation of the rule-set called “new-DCfirewall-
ruleset1”:

ACOS(config)# rule-set new-DCfirewall-ruleset1
ACOS(config-rule set:new-DCfirewall-r)#


zone
Description Configure a security zone.

Syntax [no] zone name

After using this command to create a new zone, the following commands
are available:

Parameter Description
[no] zone Create a new zone.
name
[no] interface option The following interface options are available:

• ethernet port-num – The configured interface is a virtual or physical Ethernet port with port-num ID. The port ID takes a range of values that depends on the platform ACOS is running on.

• lif logicalinterface-id – The configured interface is a logical interface in a Software Defined Network (SDN) or Overlay Network with the given interface ID. The logical interface ID takes a range of values from 1 to 128.

• trunk num – The configured interface is a logical trunk interface of the ACOS device. The trunk interface ID associates the interface with a trunk group and takes a range of values from 1 to 4096.

• tunnel num – The configured interface is a tunnel. The tunnel interface ID takes a range of values from 1 to 128.

• ve ve-num – The configured interface is a virtual Ethernet interface. The virtual Ethernet ID takes a range of values that depends on the platform ACOS is running on.


Parameter Description
[no] local-type Prior to ACOS 4.1.1, configuring a rule whose destination IP address was that of the ACOS device itself (such as a VIP) required the destination zone to be of zone type any: a packet destined to the ACOS device is not forwarded out of the device, so the resulting route lookup was empty.

In ACOS 4.1.1 and later, you can match traffic sent to the ACOS device itself by configuring a zone with local-type and using that zone as the destination zone criterion.

Designating a zone as a “local zone” removes the ability to include interfaces, the management interface, VLANs, tunnels, VEs, and trunks in that zone.

Details:
• When a local zone is used as the destination zone criterion, the destination IP address must be an IP address of the ACOS device.

• A local zone is only available as part of the destination zone criterion; you cannot configure a local zone as the source zone criterion in a rule-set rule.

• If a standard zone has already been used in a rule-set rule, it cannot later be changed to a local zone, or vice versa.
[no] vlan vlan-id to vlan-id Configure a virtual LAN (VLAN) by replacing the first vlan-id with the ID of the VLAN (2-4094), followed by the to keyword and the vlan-id of the other VLAN in this zone.

Default No default name for new zones.

Mode Global configuration mode

Usage A firewall zone can contain multiple interfaces, IP addresses, and subnets. It offers a more convenient way to bind and manage many interfaces under a firewall rule simultaneously.

NOTE: Do not create a zone with the name “any” or you will not be able to
later delete it. This limitation exists because ACOS auto-creates an invisible
zone called “any” (for internal purposes). This system-created zone will not
appear in the output of the “show running” CLI command. However, if you
manually create a zone called “any”, then the zone will be visible in the
output, but because it has the same name as the system-generated zone,
you will be unable to delete it.


Rule-Set Configuration Commands


This section describes the commands available in Rule-Set configuration mode.

To enter Rule-Set configuration mode, use the rule-set command:

ACOS(config)# rule-set sample-name
ACOS(config-rule set:sample-name)#

The following commands are available in Rule-Set configuration mode:

• remark

• rule

• sampling-enable

• session-statistic


remark
Description Configure notes for this rule-set.

Syntax [no] remark notes

Parameter Description
notes Enter notes or remarks for this rule set. Notes can range from 1-
255 characters.

Mode Rule-set configuration mode.

Default There are no remarks configured by default.


rule
Description Configure a rule within a rule-set and change the position of that rule within
the rule-set.

Syntax [no] rule name [insert-rule {top | before target-rule | after target-rule | bottom}]

Parameter Description
name Enter the name of the rule. This can range from 1-63 characters.
insert-rule Add the rule to the rule-set at a designated position.

By default, new rules are added at the bottom of the rule-set. Rules are evaluated from the top down and the first matching rule wins, so a rule at the bottom never sees traffic that a rule higher up has already matched.

You can insert a rule into one of the following specific positions:

• top – inserts the rule at the top position within the rule-set.

• before target-rule – inserts the rule before a designated rule in the rule-set.

• after target-rule – inserts the rule after a designated rule in the rule-set.

• bottom – inserts the rule at the bottom position in the rule-set.

Default There are no rules configured by default.

Mode Rule-set configuration mode.

Usage The normal form of this command creates a new rule or edits an existing
rule within a rule-set. The no form of this command removes an existing rule.

This command changes the CLI to the configuration level for the rule, where the following sub-commands are available.

Commands under rule-set rule Description and Sub-commands
[no] action {permit [forward] | deny | reset} [log] Action to be performed on matching traffic. Can be one of the following:

• permit [forward] – permits the session, and optionally forwards the packet.

For Gi/SGi-FW configurations, the following sub-options are available under permit:
listen-on-port – enable hairpin filtering for inside-to-inside communication on the firewall.
cgnv6 – apply the CGNv6 policy, with the following options:
lsn-lid num – Apply a specific CGNv6 LSN LID, with num ID from 1-1023.
fixed-nat – Apply CGNv6 Fixed NAT.

• deny – denies the session.

• reset – resets the session.

• log – logs the session.

[no] dest {ipv4-address [ip-addr | any] | object obj-name | object-group grp-name | server srv-name | virtual-server srv-name | zone [any | zone-name]} Configure the destination match conditions, which can be one of the following:

• ipv4-address – ip-addr can be an IPv4 address or any.

• object – specify the name of the network object.

• object-group – specify the name of the network object group.

• server – specify the real server name.

• virtual-server – specify the virtual server name.

• zone – bind the zone for destination matching.

Note: In release 4.1.1 and later, ACOS supports multiple source/destination hosts, subnets, objects, object-groups, and services within a single rule. However, only one source zone and one destination zone can be configured per rule.
[no] idle-timeout num Enter num for the TCP/UDP idle-timeout. This value can range from 1-2097151
seconds.

In release 4.1.1 and later, ACOS offers the ability to configure idle-timeouts at the
rule level, and also at the per-port level (for TCP/UDP protocols under the fire-
wall session-aging template).

This enhancement may be helpful for long-lived protocols used for backups or
data replication, and it may help meet the needs of customers who require the
ability to configure different TCP/UDP ports with different timeout values, or
who need to be able to configure idle-timeout values under individual rules
within a rule-set.

Port-based timeouts and rule-based idle-timeouts are only available for TCP and
UDP, and can only be configured for destination ports.

For more information, see the fw session-aging command in this chapter.

[no] ip-version Set the IP version for this rule.
{v4 | v6}
• v4 – designates this as an IPv4 rule.

• v6 – designates this as an IPv6 rule.


[no] move-rule {top | before target-rule | after target-rule | bottom} Move a rule within a rule-set.

By default, new rules appear at the bottom of the rule-set, where they only see traffic that no rule higher up has already matched.

You can move a rule into one of the following positions:

• top – moves the rule to the top position in the rule-set.

• before target-rule – moves the rule before a designated rule in the rule-set.

• after target-rule – moves the rule after a designated rule in the rule-set.

• bottom – moves the rule to the bottom position in the rule-set.
[no] remark comment Enter a comment or remark about this rule. Can be 1-255 characters.
[no] sampling-enable {all | hit-count} Enable baselining. Options are:

• all – all counters

• hit-count – hit count only

[no] service {any | icmp [code | type] | icmpv6 [code | type] | object-group name | proto-id num | tcp {dst | src} ... | udp {dst | src} ...} The service for the rule can consist of one or more of the following options:

• any – any service

• icmp [code | type] – Internet Control Message Protocol, optionally restricted to an ICMP code or type. The ICMP Codes that can be used as match filters in a rule are described in Table 3. The ICMP Types that can be used as match filters in a rule are described in Table 1.

• icmpv6 [code | type] – Internet Control Message Protocol version 6, optionally restricted to a code or type. The ICMPv6 Types that can be used as match filters in a rule are described in Table 2.

• object-group – Specify the service object-group name.

• proto-id – Specify the protocol ID (1-255).

• tcp – TCP. Specify dst or src and then one of the following sub-options:

• eq port-num – Equal to the port number (1-65535).

• gt port-num – Greater than the port number (1-65535).

• lt port-num – Less than the port number (1-65535).

• range port-num – The starting port number of a port range (1-65535).

• udp – UDP. Specify dst or src and then one of the same sub-options as for tcp (eq, gt, lt, range).


[no] source {ipv4-address [ip-addr | any] | object obj-name | object-group grp-name | server srv-name | zone [any | zone-name]} Configure the source match conditions, which can be one or more of the following:

• ipv4-address – ip-addr can be an IPv4 address or any.

• object – specify the name of the network object.

• object-group – specify the name of the network object group.

• server – specify the real server name.

• zone – bind the zone for source matching.


enable Enable this rule.
disable Disable this rule.

Example The following example shows how to configure a rule-set “rs1” with the rule called “new-rule” at the top of the list:

ACOS(config)# rule-set rs1
ACOS(config-rule set:rs1)# rule new-rule insert-rule top
ACOS(config-rule set:rs1-rule:new-rule)#
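The following added Python model (not ACOS code) shows what rule position means under first-match evaluation: a catch-all inserted at the top shadows every rule below it, and traffic no rule matches is an implicit deny, counted the way show rule-set reports Unmatched-Drops and the Action-* totals. Rule criteria are reduced to source/destination network, protocol and destination port; the rule names, networks and packets are constructed for the example:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


# Added example (not from the ACOS guide): rule ordering and first-match
# evaluation for a rule-set, with the counters `show rule-set` displays.
@dataclass
class Rule:
    name: str
    action: str = "permit"          # permit | deny | reset
    src: str = "any"                # IPv4 network, host address, or "any"
    dst: str = "any"
    proto: str = "any"              # tcp | udp | any
    dst_port: Optional[int] = None  # None means any destination port
    enabled: bool = True
    hits: int = 0


def _net_covers(rule_net, other):
    """True if rule_net ('any' or a network) contains other (address, network or 'any')."""
    if rule_net == "any":
        return True
    if other == "any":
        return False
    return ipaddress.ip_network(other).subnet_of(ipaddress.ip_network(rule_net))


def matches(rule, pkt):
    """pkt: {"src": addr, "dst": addr, "proto": "tcp"|"udp", "dport": int}."""
    return (_net_covers(rule.src, pkt["src"]) and _net_covers(rule.dst, pkt["dst"])
            and rule.proto in ("any", pkt["proto"])
            and rule.dst_port in (None, pkt["dport"]))


def _covers(a, b):
    """Rule a matches everything rule b matches, so b placed after a is unreachable."""
    return (_net_covers(a.src, b.src) and _net_covers(a.dst, b.dst)
            and a.proto in ("any", b.proto) and a.dst_port in (None, b.dst_port))


class RuleSet:
    def __init__(self, name):
        self.name = name
        self.rules: List[Rule] = []
        self.counters = {"Unmatched-Drops": 0, "Action-Permit": 0,
                         "Action-Deny": 0, "Action-Reset": 0}

    def add_rule(self, rule, insert_rule="bottom", target=None):
        """Positions as in `rule name insert-rule {top|before t|after t|bottom}`;
        re-adding an existing name moves that rule, like move-rule."""
        self.rules = [r for r in self.rules if r.name != rule.name]
        if insert_rule == "top":
            idx = 0
        elif insert_rule == "bottom":
            idx = len(self.rules)
        elif insert_rule in ("before", "after"):
            idx = [r.name for r in self.rules].index(target) + (insert_rule == "after")
        else:
            raise ValueError(f"unknown position {insert_rule!r}")
        self.rules.insert(idx, rule)

    def evaluate(self, pkt):
        """First enabled matching rule wins; no match is the implicit deny."""
        for r in self.rules:
            if r.enabled and matches(r, pkt):
                r.hits += 1
                self.counters["Action-" + r.action.capitalize()] += 1
                return r.action
        self.counters["Unmatched-Drops"] += 1
        return "deny"

    def shadowed(self):
        """Names of rules that an earlier enabled rule makes unreachable."""
        return [r.name for i, r in enumerate(self.rules)
                if any(a.enabled and _covers(a, r) for a in self.rules[:i])]


def demo():
    """Constructed rule-set and packets (not real traffic)."""
    rs = RuleSet("rs1")
    rs.add_rule(Rule("allow-web", "permit", "any", "10.0.0.0/8", "tcp", 80))
    rs.add_rule(Rule("deny-telnet", "deny", "any", "any", "tcp", 23))
    rs.add_rule(Rule("reset-db", "reset", "192.0.2.0/24", "10.0.1.0/24", "tcp", 3306))
    # A catch-all inserted at the top hides every rule below it ...
    rs.add_rule(Rule("allow-all-tcp", "permit", "any", "any", "tcp"), insert_rule="top")
    shadowed_on_top = rs.shadowed()
    # ... so move it to the bottom, where a catch-all belongs.
    rs.add_rule(Rule("allow-all-tcp", "permit", "any", "any", "tcp"), insert_rule="bottom")
    packets = [
        {"src": "198.51.100.4", "dst": "10.2.3.4", "proto": "tcp", "dport": 80},   # allow-web
        {"src": "198.51.100.4", "dst": "10.2.3.4", "proto": "tcp", "dport": 23},   # deny-telnet
        {"src": "192.0.2.9", "dst": "10.0.1.5", "proto": "tcp", "dport": 3306},    # reset-db
        {"src": "192.0.2.9", "dst": "10.0.1.5", "proto": "tcp", "dport": 22},      # allow-all-tcp
        {"src": "192.0.2.9", "dst": "10.0.1.5", "proto": "udp", "dport": 53},      # no match: implicit deny
    ]
    verdicts = [rs.evaluate(p) for p in packets]
    return rs, shadowed_on_top, verdicts
```

shadowed() is the check worth running before fw active-rule-set: a rule whose Hit-Count stays at zero in show rule-set is often one that a broader rule above it has made unreachable, not one that simply sees no traffic.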

sampling-enable
Description Enable sampling for the specified rule-set.

NOTE: See “Enabling Baselining and Rate Calculation” in the Command Line Ref-
erence for more information.

session-statistic
Description Enable or disable session-based statistics for the specified rule-set.

Syntax session-statistic {enable | disable}

Parameter Description
enable Enable session-based statistics for this rule-set.
disable Disable session-based statistics for this rule-set.

Mode Rule-set configuration mode.

Example The following example shows how to enable session-based statistics for the
rule-set, “r1”:

ACOS(config)# rule-set r1
ACOS(config-rule set:r1)# session-statistic enable


Firewall show and clear Commands


The following show and clear commands are available in all modes:

• show fw full-cone-sessions

• show fw radius server

• show fw radius table

• show fw resource-usage

• show fw server

• show fw status

• show fw system-status

• show rule-set

• clear fw full-cone-sessions

• clear fw radius server statistics

• clear fw radius table

• clear sessions fw helper-sessions


show fw full-cone-sessions
Description View Firewall Full Cone session information.

Syntax show fw full-cone-sessions [ipv4-address ipv4-addr | ipv6-address ipv6-addr]

Mode All

Usage Use this command to display full-cone sessions created for hairpinning in
the firewall.

Example The following example shows sample output for the show fw full-cone-
sessions command:

ACOS(config)# show fw full-cone-sessions


Firewall - Full-cone Sessions:
Prot Inside Address Outbnd Inbnd CPU Age
------------------------------------------------------------------------------------------
UDP 100.100.100.1:9874 0 0 8 0
UDP 100.100.100.1:9917 0 0 7 120
UDP 100.100.100.1:9894 0 0 6 60
UDP 100.100.100.1:9898 0 0 10 60
UDP 100.100.100.1:9885 0 0 8 60
UDP 100.100.100.1:9950 1 0 7 -
UDP 100.100.100.1:9878 0 0 1 0

show fw radius server


Description View Firewall RADIUS server information.

Syntax show fw radius server {config | statistics}

Mode All

Example The following example shows sample output for the show fw radius server
config command:

ACOS# show fw radius server config
fw radius server
remote ip-list client
secret secret-encrypted 37O48xvi8uY8EIy41dsA5zwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
attribute inside-ip number 8
attribute inside-ipv6-prefix prefix-length 97 number 97
attribute msisdn number 31
attribute imei vendor 10415 number 20
attribute imsi vendor 10415 number 1
attribute custom1 NAS-IP-Address value hexadecimal number 4
attribute custom2 Connection_PVC vendor 22610 number 43
attribute custom3 xDSL_number vendor 22610 number 44
accounting start replace-entry
accounting stop delete-entry-and-sessions
accounting interim-update replace-entry

Example The following example shows sample output for the show fw radius server
statistics command:

ACOS# show fw radius server statistics


FW RADIUS Server Statistics:
-------------------------------------------
MSISDN Received 0
IMEI Received 0
IMSI Received 0
Custom Attribute Received 0
RADIUS Request Received 0
RADIUS Request Dropped 0
RADIUS Request Bad Secret Dropped 0
RADIUS Request No Key Attribute Dropped 0
RADIUS Request Malformed Dropped 0
RADIUS Request Ignored 0
RADIUS Request Table Full Dropped 0
RADIUS Secret Not Configured Dropped 0
HA Standby Dropped 0
Framed IPV6 Prefix Length Mismatch 0


show fw radius table


Description View Firewall RADIUS table information.

Syntax show fw radius table [brief | imei string | imsi string | inside-ip {inside-ip-addr | inside-ipv6-addr} | msisdn | attr-name]

Parameter Description
brief Shows the statistics only.
imei string Shows information associated with the IMEI.
imsi string Shows information associated with the IMSI.
inside-ip {inside-ip-addr | Shows information associated with the inside IP address.
inside-ipv6-addr}
msisdn Shows information associated with the MSISDN.
attr-name Show information associated with the customized attribute.

Mode All

Example The following command shows sample output for the show fw radius table
command:

ACOS# show fw radius table
FW RADIUS Table Statistics:
-------------------------------------------
Record Created 3
Record Deleted 2

Key Attribute MSISDN IMEI IMSI


NAS-IP-Address
Connection_PVC
xDSL_number
--------------------------------------------------------------------------
245.255.255.226 012345678 0123456789 0123456779
ffffe884

Total RADIUS Records Shown: 1


show fw resource-usage
Description Displays current resource usage and maximum resource limits.

Syntax show fw resource-usage [object | object-group | rule-set | rule | ip-range | helper-sessions]

Mode All

Example The following example shows sample output for the show fw resource-
usage command:

ACOS(config)# show fw resource-usage
Resource Current-Used Total
--------------------------------------------------
object 0 10000
object-group 0 1000
rule-set 0 40
rule 0 8000
zone 0 40
ip-range 0 40
helper-sessions 0 65536

NOTE: The helper-sessions row shows how many SMP helper sessions currently exist and the maximum number of SMP sessions the system can hold.

show fw server
Description View Firewall real server information.
Syntax show fw server [server-name]

Mode All

Example The following example shows sample output for the show fw server com-
mand:

ACOS (config)#show fw server


Total Number of Servers configured: 0
Total Number of Services configured: 0
ACOS (config)#


show fw status
Description View Firewall rule compilation status.

Syntax show fw status [internal]

Parameter Description
internal For use by A10 Networks Technical Support.

Mode All

Example The following example shows sample output for the show fw status com-
mand:

ACOS# show fw status
Current Active Rule-set : ruleset2
Previous Successful Compilation Attempt : 2016-03-11 06:59:39
Previous Successful Compilation Duration : Less than a millisecond
Most Recent Compilation Attempt : 2016-03-20 06:59:39
Most Recent Compilation Status : Successful

The following table describes the fields in the output above:

Field Description
Current Active Name of the currently active rule-set.
Rule-set
Previous Suc- Timestamp for the last successful compilation of this rule-set,
cessful Com- for example, the previous time the rules in the rule-set were
pilation rearranged.
Attempt
Previous Suc- Time required for the rule-set compilation to complete.
cessful Com-
pilation
Duration
Most Recent Timestamp (date and time) when this rule-set compilation was
Compilation attempted.
Attempt
Most Recent Status of most recent rule-set compilation:
Compilation
Status • In Progress

• Success

• Failed


show fw system-status
Description View the Firewall system status information for CPU usage, memory usage,
sessions used, and RADIUS table metrics.

Syntax show fw system-status

Mode All

Example The following example shows sample output for the show fw system-status
command:

AX5100#show fw system-status
CPU Usage:
----------
Control CPU 1 : 15%
Data CPU 1 : 0%
Data CPU 2 : 0%
Data CPU 3 : 0%
Data CPU 4 : 0%
Data CPU 5 : 0%
Data CPU 6 : 0%
Data CPU 7 : 0%
Data CPU 8 : 0%
Data CPU 9 : 0%
Data CPU 10 : 0%
Data CPU 11 : 0%
Data CPU 12 : 0%
Data CPU 13 : 0%
Data CPU 14 : 0%
Data CPU 15 : 0%
Data CPU avg : 0%

Memory Status:
--------------
Total Memory(KB): 24674588
Used Memory(KB) : 16727080
Free Memory(KB) : 7947508
Memory Usage : 67.7%

Sessions Status:
----------------
Data Sessions Used: 0
Data Sessions Free: 67010545
SMP Sessions Used : 0
SMP Sessions Free : 66519040

RADIUS Table Usage:
-------------------
RADIUS Entries Used: 0
RADIUS Entries Free: 6000000

show rule-set
Description View DC Firewall information for a rule-set.

Syntax show rule-set name [rules-by-zone [from zone-name] [to zone-name]]

Parameter Description
rules-by-zone View rule statistics for the rule-set grouped by zone, optionally limited to traffic from a given source zone and/or to a given destination zone.
from zone-name Name of the zone from which traffic is coming.
to zone-name Name of the zone to which traffic is going.

Mode All

Example The following example shows sample output for the show rule-set com-
mand:

ACOS# show rule-set c1
Rule-Set-Name: c1
Rule-Set-Status:
Unmatched-Drops: 0 Action-Permit: 1114 Action-Deny: 0 Action-Reset: 0
--------------------------------------------------------------------------------------
Rule-Name Hit-Count Action Rule-Status
--------------------------------------------------------------------------------------
110 1 permit enable
120 0 permit enable
131 0 permit enable
132 0 deny enable
133 0 permit enable
134 0 deny enable
142 0 permit enable
20 1113 permit enable
25 0 permit enable
111 0 permit enable
151 0 permit enable
150 0 permit enable

The following table describes the fields in this output:

Field Description
Rule-Set- Name of the rule-set for which statistics are shown.
Name
Rule-Set-Sta- Status (active or inactive) for the rule-set.
tus
Unmatched- Unmatched-drops is the number of times a request did not
Drops match any of the criteria and was implicitly denied.
Action-Permit Number of requests that the firewall rule permitted.
Action-Deny Number of requests that the firewall rule denied.
Action-Reset Number of TCP requests that were reset by the firewall rule.
Rule-Name Name of the rule within the rule-set.
Hit-Count Number of requests that hit this rule.
Action Action associated with this rule.
Rule-Status Status of the rule (enabled or disabled).

clear fw full-cone-sessions
Description Clears Firewall full-cone session information.

Syntax clear fw full-cone-sessions [ipv4-address ipv4-addr | ipv6-address ipv6-addr]

Mode All

clear fw radius server statistics


Description Clears Firewall RADIUS server statistics.

Syntax clear fw radius server statistics

Mode All


clear fw radius table


Description Clears Firewall RADIUS table information.

Syntax clear fw radius table [imei | imsi | inside-ip | msisdn | attr-name]

Parameter Description
imei string Clears information associated with the IMEI.
imsi string Clears information associated with the IMSI.
inside-ip {inside-ip-addr | Clears information associated with the inside IP address.
inside-ipv6-addr}
msisdn Clears information associated with the MSISDN.
attr-name Clears information associated with the customized attribute.

Mode All

clear sessions fw helper-sessions

NOTE: This is an internal command. It should only be used by A10 Networks Technical Support for debugging purposes.

Description Clears firewall information for SMP helper sessions.

Syntax clear sessions fw helper-sessions


[ipv4 | ipv6]

Parameter Description
ipv4 This is an optional parameter that allows you to clear only the
IPv4 SMP helper sessions.
ipv6 This is an optional parameter that allows you to clear only the
IPv6 SMP helper sessions.

Mode All

Usage If neither the ipv4 or ipv6 options are specified, then both IPv4 and IPv6 will
be cleared.

Example The following example clears the IPv4 SMP helper sessions:

ACOS(config)# clear sessions fw helper-sessions ipv4


ACOS(config)#

Troubleshooting Your Firewall Deployment

This section covers the following troubleshooting scenarios:

• My IPv4 packets are getting dropped

• TCP window check issues

• My IPv6 packets are getting dropped

• My rule-set changes were not applied

• VRRP-A does not work with firewall enabled

• ALG does not work

• Other miscellaneous issues

My IPv4 packets are getting dropped

If this issue occurs, use the following approaches to diagnose and correct it:

• Enable “debug fw” and search the output for DENY or UNMATCHED DENY, as in the samples below. The first line is a drop by a named rule (the rule-set, rule name and rule ID are in the message); the second is the implicit deny for traffic that matched no rule in the rule-set:

@134537 [DCFW] TCP 2.2.2.1:56275->3.3.3.1:80 fw_policy_action_fast_path policy match my-rule-set rule-port80-drop rule ID=1 action=DENY

TCP 3.3.3.8:60803->3.3.3.1:80 fw_policy_action_fast_path UNMATCHED DENY

• For traffic on non-default ALG ports, check whether the ALG flag has been configured for that rule. For example:

service tcp src eq 2121 dst eq 2121 alg FTP

• For TCP, check whether the session still exists, using the “show sessions” command. TCP sessions may be deleted because of the “force-delete-timeout” setting in the firewall session aging-template.

TCP window check issues

• A packet that a rule permitted can still be dropped if it falls outside the tracked TCP window. Use the “show counters” command shown below to check whether packets are being dropped by the TCP window check. For example:

firewall-Active(config)# show counters fw tcp-window-check
packet dropped for outside of tcp window 327719254

• Enable “debug fw” and check for log lines indicating that the drops were due to the firewall TCP window check. For example:

“DROP REV nseq=453D86F, wsize=7D78, plen=1B, seq=434A97D”
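The three “debug fw” line formats shown in this section and the previous one (a DENY by a named rule, an UNMATCHED DENY, and a TCP-window DROP) are easy to triage with a short script when the debug output runs to thousands of lines. The following is an added example and is not part of this guide or of ACOS: it classifies each line by drop reason and counts denies per rule and per unmatched flow, so you can see at once whether a named rule, the implicit deny, or the window check is responsible. The sample lines are constructed from the formats on this page; the regular expressions assume only those formats and ignore extra fields, and the FWD direction token is an assumption (only REV appears in the guide).

```python
"""Triage ACOS 'debug fw' output: count drops by reason, rule and flow.

Added example, not A10 code.  Line formats follow the samples in this
guide; anything that does not match them is ignored.
"""
import re
from collections import Counter

# Constructed sample of debug fw output (formats taken from this guide; the
# PERMIT line and the UDP line are added here for contrast).
SAMPLE_DEBUG = """\
@134537 [DCFW] TCP 2.2.2.1:56275->3.3.3.1:80 fw_policy_action_fast_path policy match my-rule-set rule-port80-drop rule ID=1 action=DENY
@134538 [DCFW] TCP 2.2.2.1:56276->3.3.3.1:80 fw_policy_action_fast_path policy match my-rule-set rule-port80-drop rule ID=1 action=DENY
TCP 3.3.3.8:60803->3.3.3.1:80 fw_policy_action_fast_path UNMATCHED DENY
UDP 10.0.0.5:5353->10.0.0.9:5353 fw_policy_action_fast_path UNMATCHED DENY
@134540 [DCFW] TCP 2.2.2.1:56277->3.3.3.1:443 fw_policy_action_fast_path policy match my-rule-set rule-web-allow rule ID=2 action=PERMIT
DROP REV nseq=453D86F, wsize=7D78, plen=1B, seq=434A97D
"""

# "<proto> <src>-><dst> fw_policy_action_fast_path <verdict text>"
FLOW_RE = re.compile(
    r"\b(?P<proto>[A-Z][A-Z0-9]*)\s+(?P<src>\S+)->(?P<dst>\S+)\s+"
    r"fw_policy_action_fast_path\s+(?P<rest>.*)")
# "policy match <rule-set> <rule> rule ID=<n> action=<ACTION>"
RULE_RE = re.compile(
    r"policy match (?P<ruleset>\S+)\s+(?P<rule>\S+)\s+rule ID=(?P<id>\d+)\s+"
    r"action=(?P<action>[A-Z]+)")
# "DROP REV nseq=<hex>, wsize=<hex>, plen=<hex>, seq=<hex>"  (FWD is assumed)
WINDOW_RE = re.compile(
    r"DROP\s+(?P<dir>FWD|REV)\s+nseq=(?P<nseq>[0-9A-Fa-f]+),\s*wsize=(?P<wsize>[0-9A-Fa-f]+),"
    r"\s*plen=(?P<plen>[0-9A-Fa-f]+),\s*seq=(?P<seq>[0-9A-Fa-f]+)")


def classify(line):
    """Describe one debug fw line, or return None if it is not a rule-match,
    UNMATCHED DENY or TCP-window line."""
    m = WINDOW_RE.search(line)
    if m:
        rec = {"reason": "tcp-window", "direction": m["dir"]}
        rec.update({k: int(m[k], 16) for k in ("nseq", "wsize", "plen", "seq")})
        return rec
    m = FLOW_RE.search(line)
    if not m:
        return None
    rec = {"proto": m["proto"], "src": m["src"], "dst": m["dst"]}
    if "UNMATCHED DENY" in m["rest"]:
        rec["reason"] = "unmatched-deny"  # implicit deny: no rule matched
        return rec
    r = RULE_RE.search(m["rest"])
    if not r:
        return None
    rec.update(ruleset=r["ruleset"], rule=r["rule"], rule_id=int(r["id"]),
               action=r["action"])
    rec["reason"] = "rule-deny" if r["action"] == "DENY" else "permit"
    return rec


def summarize(text):
    """Count parsed lines by reason; denies also by rule and by unmatched flow."""
    by_reason, by_rule, unmatched = Counter(), Counter(), Counter()
    for line in text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        by_reason[rec["reason"]] += 1
        if rec["reason"] == "rule-deny":
            by_rule[(rec["ruleset"], rec["rule"], rec["rule_id"])] += 1
        elif rec["reason"] == "unmatched-deny":
            unmatched[(rec["proto"], rec["src"], rec["dst"])] += 1
    return {"by_reason": dict(by_reason), "by_rule": dict(by_rule),
            "unmatched_flows": dict(unmatched)}


# What each drop reason points at, following the troubleshooting steps above.
NEXT_STEP = {
    "rule-deny": "a named rule denied it: review that rule (and its ALG flag on non-default ports)",
    "unmatched-deny": "no rule matched: add an explicit rule or confirm the implicit deny is intended",
    "tcp-window": "permitted but outside the tracked TCP window: see 'show counters fw tcp-window-check'",
}

if __name__ == "__main__":
    result = summarize(SAMPLE_DEBUG)
    for reason, n in sorted(result["by_reason"].items()):
        print(f"{reason:15} {n:4}  {NEXT_STEP.get(reason, '')}")
    for (rs, rule, rid), n in result["by_rule"].items():
        print(f"  rule-set {rs} rule {rule} (ID {rid}): {n} denies")
    for (proto, src, dst), n in result["unmatched_flows"].items():
        print(f"  unmatched {proto} {src} -> {dst}: {n}")
```

Feed it the captured debug output in place of SAMPLE_DEBUG; a high UNMATCHED DENY count for a flow you expected to pass usually means the rule intended to match it is missing, disabled, or of the wrong ip-version, which the rule-set section below covers.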

My IPv6 packets are getting dropped

• If IPv6 packets are being dropped, check that “ip-version v6” is configured under the rule that is intended to match them.

• IPv6 neighbor discovery packets are dropped by the firewall unless a rule permits them. Because neighbor discovery then never completes, end-to-end traffic never flows. One way to permit it is to add a rule that explicitly permits the ICMPv6 types used for router solicitation and advertisement, neighbor solicitation and advertisement, and redirect (types 133 through 137). For example:

rule permit-v6-neigh-disc
  action permit
  ip-version v6
  source ipv6-address any
  source zone any
  dest ipv6-address any
  dest zone any
  service object-group ipv6-neigh-disc
object-group service ipv6-neigh-disc
  icmpv6 type 133
  icmpv6 type 134
  icmpv6 type 135
  icmpv6 type 136
  icmpv6 type 137

My rule-set changes were not applied

• It takes up to 10 seconds for rule-set changes to take effect. Use the fw apply-changes command to make rule-set changes take effect immediately.

• New rule-set changes do not apply to already existing sessions. Use the clear sessions command to clear out existing sessions.

• Firewall rule-set compilation might have failed. Use the show fw status command to check the rule-set compilation status.

• A rule might be disabled, or the rule-set might not be active. Check the rule-set configuration to see whether the rule is disabled, and make sure the rule-set is active.

VRRP-A does not work with firewall enabled

• A rule in the active rule-set might be denying VRRP-A packets. Enable debug fw and look for DENY in the logs.

• Firewall internal rule-set compilation may have failed. Use the show fw status internal command to check the internal rule-set compilation status.

• Check that the firewall is part of the correct vrid.

• Check whether the internal rules are installed, using “devcall dump_fw_rules(0, 1)”. The expected output lists one permit rule per address family for the VRRP-A hello multicast group (UDP, source and destination port 65244). For example:

Total rules 2
Rule vrrpa_ipv4_hello_mcast idx 0 id 1 permit udp (proto-id 17) dst 224.0.0.210/32 src_port 65244 - 65244 dst_port 65244 - 65244 hits 0
Rule vrrpa_ipv6_hello_mcast idx 0 id 2 permit udp (proto-id 17) dst ff02::d2/128 src_port 65244 - 65244 dst_port 65244 - 65244 hits 0
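The neighbor-discovery and VRRP-A problems above have the same shape: a packet either hits a rule you did not expect, or hits nothing and takes the implicit deny that debug fw reports as UNMATCHED DENY. The following first-match simulator is an added example, not A10 code and not the ACOS rule compiler. It parses a constructed rule-set written in the subset of the rule syntax shown in this guide and reports which rule a VRRP-A hello or an ICMPv6 neighbor solicitation would hit. Assumptions, also marked in the code: the ipv4-address and plain “service udp” forms mirror the ipv6-address and “service tcp ...” forms on this page; a rule with no ip-version line is treated as v4; source zone and dest zone lines are accepted and ignored; rules are tried in the order written. Use it to reason about your own rule-set text before you change it on the device, not as a substitute for debug fw.

```python
"""First-match simulator for a subset of the ACOS firewall rule-set syntax.

Added example, not A10 code.  Assumptions: 'ipv4-address' and bare
'service udp' mirror the ipv6/tcp forms in this guide; a rule without
'ip-version' is v4; 'source zone'/'dest zone' are ignored; rules are
evaluated in the order written; no match means the implicit deny that
'debug fw' reports as UNMATCHED DENY.
"""
import ipaddress

# Constructed rule-set: a multicast deny placed ahead of the
# neighbor-discovery permit rule from this guide.
RULESET = """\
rule deny-mcast
  action deny
  ip-version v4
  source ipv4-address any
  dest ipv4-address 224.0.0.0/4
  service udp
rule permit-v6-neigh-disc
  action permit
  ip-version v6
  source ipv6-address any
  source zone any
  dest ipv6-address any
  dest zone any
  service object-group ipv6-neigh-disc
object-group service ipv6-neigh-disc
  icmpv6 type 133
  icmpv6 type 134
  icmpv6 type 135
  icmpv6 type 136
  icmpv6 type 137
"""

# Constructed packets: the VRRP-A hellos from the internal rule dump above
# and an ICMPv6 neighbor solicitation (type 135).
VRRPA_HELLO_V4 = {"version": "v4", "proto": "udp", "src": "10.0.0.1",
                  "dst": "224.0.0.210", "sport": 65244, "dport": 65244}
VRRPA_HELLO_V6 = {"version": "v6", "proto": "udp", "src": "fe80::1",
                  "dst": "ff02::d2", "sport": 65244, "dport": 65244}
NEIGH_SOLICIT = {"version": "v6", "proto": "icmpv6", "src": "fe80::1",
                 "dst": "ff02::1:ff00:1", "icmp_type": 135}


def parse_service(tokens):
    """'udp' | 'tcp src eq 2121 dst eq 2121 alg FTP' | 'icmpv6 type 135' -> dict."""
    svc = {"proto": tokens[0]}
    i = 1
    while i < len(tokens):
        if tokens[i] == "type":
            svc["type"] = int(tokens[i + 1])
            i += 2
        elif tokens[i] in ("src", "dst") and tokens[i + 1] == "eq":
            svc[tokens[i] + "_port"] = int(tokens[i + 2])
            i += 3
        else:
            i += 1  # trailers such as 'alg FTP' do not affect matching here
    return svc


def parse_ruleset(text):
    """Parse 'rule' and 'object-group service' blocks into an ordered rule list."""
    rules, groups, cur = [], {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "rule":
            cur = {"name": t[1], "action": None, "version": "v4",  # v4 default assumed
                   "src": "any", "dst": "any", "services": []}
            rules.append(cur)
        elif t[:2] == ["object-group", "service"]:
            cur = groups.setdefault(t[2], [])
        elif isinstance(cur, list):  # member line of an object-group
            cur.append(parse_service(t))
        elif t[0] == "action":
            cur["action"] = t[1]
        elif t[0] == "ip-version":
            cur["version"] = t[1]
        elif t[0] in ("source", "dest") and t[1].endswith("-address"):
            cur["src" if t[0] == "source" else "dst"] = t[2]
        elif t[0] == "service":
            if t[1] == "object-group":
                cur["services"].append(("group", t[2]))
            else:
                cur["services"].append(("svc", parse_service(t[1:])))
        # 'source zone' / 'dest zone' lines fall through and are ignored
    for r in rules:  # resolve object-group references once everything is read
        r["services"] = [s for kind, v in r["services"]
                         for s in (groups[v] if kind == "group" else [v])]
    return rules


def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def service_match(svc, pkt):
    if svc["proto"] != pkt["proto"]:
        return False
    for key, pkt_key in (("type", "icmp_type"), ("src_port", "sport"), ("dst_port", "dport")):
        if key in svc and svc[key] != pkt.get(pkt_key):
            return False
    return True


def evaluate(rules, pkt):
    """Return (rule name, action) of the first matching rule, or the implicit deny."""
    for r in rules:
        if r["version"] != pkt["version"]:
            continue
        if not (addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])):
            continue
        if r["services"] and not any(service_match(s, pkt) for s in r["services"]):
            continue
        return r["name"], r["action"]
    return "<unmatched>", "deny"


if __name__ == "__main__":
    rules = parse_ruleset(RULESET)
    for label, pkt in (("VRRP-A hello v4", VRRPA_HELLO_V4),
                       ("VRRP-A hello v6", VRRPA_HELLO_V6),
                       ("ICMPv6 neighbor solicitation", NEIGH_SOLICIT)):
        print(f"{label:30} -> {evaluate(rules, pkt)}")
    # The IPv6 check from this guide: without 'ip-version v6' the ND rule never matches.
    print("ND without ip-version v6       ->",
          evaluate(parse_ruleset(RULESET.replace("  ip-version v6\n", "")), NEIGH_SOLICIT))
```

In the constructed rule-set the IPv4 VRRP-A hello is caught by the broad multicast deny, the IPv6 hello matches nothing and takes the implicit deny, and the neighbor solicitation is permitted only while the rule carries ip-version v6; removing that one line turns it into an UNMATCHED DENY, which is exactly the symptom described under “My IPv6 packets are getting dropped”.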

ALG does not work

• ALG data sessions are not being created. Check whether any rule in the rule-set is being applied to them: enable debug fw and look for DENY in the logs. You can bypass the rule-set lookup for data sessions by configuring fw alg-processing override-rule-set; note that this exempts ALG data sessions from rule-set policy, so treat it as a diagnostic step unless that exemption is intended.

• ALGs are not supported in Layer 2 setups. If clients and servers are in the same subnet and the firewall is switching packets (as opposed to routing them), ALG data sessions will not be created.

Other miscellaneous issues

• Firewall CLI commands are absent or have disappeared. DCFW is part of the CFW product; check the output of the show license-info command for a valid CFW license.

• The syslog server is not displaying any logs. Ensure that the action under the rule includes the “log” keyword, and that the syslog server is reachable through the data ports.

• Firewall CLI commands are rejected with the error “Periodic compilation in progress, please try after some time.” While rule-set compilation is in progress in a given partition, any further firewall CLI commands that change rules are blocked. Wait for the compilation to finish, then check the output of show log for the following message:

[Firewall]:Rule-set "my-rule-set" in partition "shared" successfully compiled at 2016-05-17 20:59:17.

CONTACT US: a10networks.com/contact

ACOS 4.1.1-P11 DATA CENTER AND GI/SGI FIREWALL CONFIGURATION GUIDE 29 MAY 2019