Filtering Actions - Radware Alteon Application Manual

Application switch operating system

Alteon Application Switch Operating System Application Guide
Filtering and Traffic Manipulation
Document ID: RDWR-ALOS-V2900_AG1302, page 357

Table 29: Filter Options (cont.)

| Filter Option | Description |
|---|---|
| dip | Destination IP address or range (dip and dmask) |
| proto | Protocol number or name |
| sport | TCP/UDP application or source port or source port range (such as 31000 through 33000). Note: The service number specified on Alteon must match the service specified on the server. |
| dport | TCP/UDP application or destination port or destination port range (such as 31000 through 33000) |
| nat | Addresses that are network address translated |
| vlan | VLAN ID |
| invert | Reverses the filter logic at layer 4 to activate the filter whenever the specified conditions are not met. Note: Starting with version 28.1.50, it is possible to reverse the filter logic at layer 7 using an advanced filter option. For more information, see Layer 7 Invert Filter, page 363. |

In addition, Alteon supports advanced filtering options, such as TCP flags (Matching TCP Flags, page 391) ICMP message types (Matching ICMP Message Types, page 395), and Layer 7 inversion (Layer 7 Invert Filter, page 363).

Using these filter criteria, you can create a single filter that can potentially perform a very wide variety of actions. Examples of such filters are:
Block external Telnet traffic to your main server except from a trusted IP address.
Warn you if FTP access is attempted from a specific IP address.
Redirect all incoming e-mail traffic to a server where it can be analyzed for spam.

Filtering Actions

A filtering action (/cfg/slb/filt/action) instructs the filter what to do when the filtering criteria are matched.
Alteon supports the following filtering actions:
allow—Allows the frame to pass (by default). This filtering action can be used to redirect the returning traffic to the service farm if the reverse session is enabled. For more information, see Reverse Session, page 363.
deny—Discards frames that fit the filter profile. This can be used for building basic security profiles.
redir—Redirects frames that fit the filter profile, such as for Web cache redirection. In addition, Layer 4 processing must be activated using the /cfg/slb/on command.
nat—Performs generic Network Address Translation (NAT). This can be used to map the source or destination IP address and port information of a private network scheme to and from the advertised network IP address and ports. This is used in conjunction with the nat option and can also be combined with proxies.
goto—Allows the user to specify a target filter ID that the filter search should jump to when a match occurs. The "goto" action causes filter processing to jump to a designated filter, effectively skipping over a block of filter IDs. Filter searching then continues from the designated filter ID. To specify the new filter to goto, use the /cfg/slb/filt/adv/goto command.
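The interaction of the invert option with the goto action can be checked offline before a rule set is deployed. The following Python model is an added example, not Radware code or Alteon CLI; the Filter class, the evaluate function, the ascending-ID first-match search, the rejection of backward jumps, and the sample addresses and VLAN IDs are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Filter:                         # hypothetical model of one filter entry
    fid: int
    action: str                       # allow | deny | redir | nat | goto
    dip: Optional[str] = None         # destination network in CIDR form
    proto: Optional[str] = None
    dport: Optional[range] = None
    vlan: Optional[int] = None
    invert: bool = False
    goto: Optional[int] = None        # target filter ID for the goto action

    def matches(self, pkt):
        hit = (
            (self.dip is None or ipaddress.ip_address(pkt["dip"]) in ipaddress.ip_network(self.dip))
            and (self.proto is None or pkt["proto"] == self.proto)
            and (self.dport is None or pkt["dport"] in self.dport)
            and (self.vlan is None or pkt["vlan"] == self.vlan)
        )
        return hit != self.invert     # invert: fire when the criteria are NOT met

def evaluate(filters, pkt):
    """Return (action, filter_id) of the first non-goto match, else ("no-match", None)."""
    table = {f.fid: f for f in filters}
    ids = sorted(table)               # assumption: filters are searched in ascending ID order
    i = 0
    while i < len(ids):
        f = table[ids[i]]
        if not f.matches(pkt):
            i += 1
        elif f.action != "goto":
            return f.action, f.fid
        elif f.goto not in table or f.goto <= f.fid:
            raise ValueError(f"filter {f.fid}: goto target {f.goto} is not a later filter ID")
        else:
            i = ids.index(f.goto)     # search continues from the designated filter
    return "no-match", None

# Constructed rule set: VLAN 99 is a management VLAN that skips the deny block.
RULES = [
    Filter(10, "goto", vlan=99, goto=100),
    Filter(20, "deny", dip="192.0.2.10/32", proto="tcp", dport=range(23, 24)),
    Filter(30, "deny", dip="192.0.2.10/32", proto="tcp", dport=range(31000, 33001)),
    Filter(40, "deny", dip="192.0.2.0/24", invert=True),   # anything NOT sent to the served subnet
    Filter(100, "allow"),
]
```

Running candidate packets through evaluate shows which filter ID decides each one, which makes it easy to spot a goto that unintentionally bypasses a deny filter.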
