Understanding Rules With Stateful Inspection - Cisco ASR 5000 series Product Overview


Understanding Rules with Stateful Inspection
This section describes terms used in the Personal Stateful Firewall context.
Access Ruledefs: The Personal Stateful Firewall's stateful packet inspection feature allows operators to
configure rule definitions (ruledefs) that take active session information into consideration to permit or deny
incoming or outgoing packets.
An access ruledef contains the criteria for multiple actions that can be taken on packets matching the rule. These rules specify the protocol, the source and destination hosts, the source and destination ports, and the direction of traffic for a subscriber session, and whether the matching traffic flow is allowed or rejected.
An access ruledef consists of the following fields:
Ruledef name
Source IP address
Source port number — not required if the protocol is other than TCP or UDP
Destination IP address
Destination port number — not required if the protocol is other than TCP or UDP
Transport protocol (TCP/UDP/ICMP/AH/ESP)
Direction of connection (Uplink/Downlink)
Bearer (IMSI-pool and APN)
Logging action (enable/disable)
An access ruledef can be added to multiple Firewall-and-NAT policies.
A combined maximum of 4096 rules (host pools + IMSI pools + port maps + charging ruledefs + firewall/access ruledefs + routing ruledefs) can be created in a system. Access ruledefs are different from ACS ruledefs.
Firewall-and-NAT Policy: Firewall policies can be created for individual subscribers, domains, or all callers within a referenced context. Each policy contains a set of access ruledefs, with a priority defined for each rule, and the firewall configurations. Firewall-and-NAT policies are configured in the Firewall-and-NAT Policy Configuration Mode.
Service Definition: A user-defined firewall service that defines the Stateful Firewall policy for initiating an outgoing connection on a primary port and allowing auxiliary ports for that association to be opened in the reverse direction.
Maximum Association: The maximum number of Stateful Firewall associations for a subscriber.
Connection State and State Table in Personal Stateful Firewall
This section describes the state table and the different connection states for transport and network protocols.
After packet inspection, the Personal Stateful Firewall stores session state and other information in a table. This state table contains entries for all the communication sessions of which the firewall subsystem is aware. Every entry in this
Personal Stateful Firewall Overview, OL-22938-02
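The access ruledef fields, priority-ordered policy and state table described above, as an added Python model that is not Cisco's code and says nothing about how the ASR 5000 implements them: ruledefs are evaluated in policy priority order, a permit creates a state-table entry, and a downlink packet that reverses a known session's 5-tuple is admitted as a reply without a matching downlink rule. The class names, the omission of the bearer field and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:  # constructed model, not Cisco's code
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str   # TCP / UDP / ICMP ...
    direction: str  # "uplink" (from subscriber) or "downlink" (to subscriber)
@dataclass
class AccessRuledef:  # the ruledef fields listed above (bearer omitted)
    name: str
    src_net: str
    dst_net: str
    protocol: str
    dst_port: Optional[int] = None  # not required for non-TCP/UDP protocols
    direction: str = "uplink"
    action: str = "permit"          # "permit" or "deny"
    log: bool = False               # logging action (enable/disable)

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src_ip) in ip_network(self.src_net)
                and ip_address(pkt.dst_ip) in ip_network(self.dst_net)
                and pkt.protocol == self.protocol
                and pkt.direction == self.direction
                and (self.dst_port is None or pkt.dst_port == self.dst_port))

class StatefulFirewall:
    def __init__(self, policy):
        # policy: (priority, ruledef) pairs; lower number first, first match wins
        self.rules = [r for _, r in sorted(policy, key=lambda p: p[0])]
        self.state = set()  # 5-tuples of sessions a permit rule admitted
        self.log = []       # (ruledef name, action) for rules with logging on

    def process(self, pkt: Packet) -> str:
        # A downlink packet reversing a known 5-tuple is a session reply: permit it.
        reply = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.protocol)
        if pkt.direction == "downlink" and reply in self.state:
            return "permit"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.log:
                    self.log.append((rule.name, rule.action))
                if rule.action == "permit":
                    self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.protocol))
                return rule.action
        return "deny"  # implicit default when no ruledef matches
```

An unsolicited downlink packet with no state entry and no downlink ruledef falls through to the implicit deny, which is the property stateful inspection adds over a plain packet filter.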