Stateful Inspection - Digi TransPort WR31 User Manual

Configure security settings

Stateful inspection

The Digi routing code stack contains a sophisticated scripted stateful firewall and route inspection
engine. Stateful inspection is a powerful tool allowing the router to keep track of a TCP/UDP or ICMP
session and match packets based on the state of the connection on which they are being carried. In
addition to providing sophisticated firewall functionality, the SF/RI engine also provides a number
of facilities for tracking the health of routes, marking dead routes as being Out Of Service (OOS) and
creating rules for the automatic status checking of routes previously marked as OOS (for use in
multilevel backup/restore scenarios).
You can use the firewall to put interfaces into an OOS state, and control how the interfaces return to
service. When an interface goes OOS, all routes configured to use that interface will have their route
metric set to 16 (the maximum value), meaning that some other route with a lower metric will be
selected.
When a firewall stateful inspection rule expires, the router decides whether the traffic that this rule
allowed to pass completed successfully or not. For example, if the stateful rule monitors a TCP socket
and sees SYN and FIN packets in both directions, the rule expires successfully. However, if SYNs are
seen to pass in one direction but no SYNs pass in the other direction, the stateful rule expires and
the router tags this as a failure.
Conditions tagging a stateful rule as a failure
The following conditions tag a stateful rule as a failure:
Packets have only passed in one direction.
10 packets have passed in one direction with no return packets (for TCP the packets must also
be re-transmits).

All of these features depend upon the stateful inspection capabilities of the Firewall engine,
which are explained below.
The [inspect] field
The [inspect] field takes the following format:
inspect = ["inspect-state" {"oos" {interface-name¦logical-name} secs
{t=secs} {c=count} {d=count}} {r="ping"¦"tcp"{,secs{secs}}} {rd=x}
{dt=secs}{stat}]
You can use the [inspect] field on its own or with an optional oos (Out Of Service) parameter.
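The expiry decision and the OOS behaviour described above, modelled as an added example (constructed for this page, not Digi's firewall code). It assumes that the "10 packets in one direction" condition fails the rule as soon as it is met, that for TCP only packets repeating an already-seen sequence number count as re-transmits, and that a TCP session counts as successful only when SYN and FIN have been seen in both directions, as in the example in the text.

```python
from collections import Counter

ONE_WAY_LIMIT = 10   # packets one way with no reply => rule tagged as failure (page)
OOS_METRIC = 16      # metric given to routes on an OOS interface (page)


class StatefulRule:
    """Tracks one TCP/UDP/ICMP session and classifies it when the rule expires."""

    def __init__(self, proto):
        self.proto = proto
        self.counts = Counter()                  # packets per direction
        self.flags = {"out": set(), "in": set()}  # TCP flags seen per direction
        self.seen_seq = {"out": set(), "in": set()}
        self.retransmits = Counter()             # TCP packets repeating a seq
        self.failed = False

    def packet(self, direction, flags=(), seq=None):
        """Record one packet ('out' or 'in'); apply the early one-way failure check."""
        if self.failed:
            return
        self.counts[direction] += 1
        self.flags[direction].update(flags)
        if self.proto == "tcp" and seq is not None:
            if seq in self.seen_seq[direction]:
                self.retransmits[direction] += 1
            self.seen_seq[direction].add(seq)
        other = "in" if direction == "out" else "out"
        if self.counts[other] == 0:
            # assumption: for TCP only re-transmits count toward the limit
            one_way = self.retransmits[direction] if self.proto == "tcp" else self.counts[direction]
            if one_way >= ONE_WAY_LIMIT:
                self.failed = True

    def expire(self):
        """Return 'success' or 'failure' when the rule's timer runs out."""
        if self.failed or not (self.counts["out"] and self.counts["in"]):
            return "failure"          # packets only passed in one direction
        if self.proto == "tcp":
            ok = all({"SYN", "FIN"} <= self.flags[d] for d in ("out", "in"))
            return "success" if ok else "failure"
        return "success"


def mark_oos(routes, iface):
    """Put iface OOS: every route using it gets metric 16 so a lower-metric route wins."""
    return [dict(r, metric=OOS_METRIC) if r["iface"] == iface else dict(r) for r in routes]


def best_route(routes):
    """Route selection: the lowest metric is chosen."""
    return min(routes, key=lambda r: r["metric"])
```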
Digi TransPort WR Routers User Guide
Firewall
702
