Enterasys Security Router X-PeditionTM User Manual page 406

Enterasys security router user's guide
Firewall CLI Commands

• Naming conventions - Any firewall object name must use these alphanumeric characters only: A - Z (upper or lower case), 0 - 9, - (dash), or _ (underscore). Also, all firewall object names are case-sensitive.

• TCP/UDP/ICMP Filter - Filters TCP, UDP, or ICMP packets and assigns an idle session timeout for their inspection with ip firewall tcp, ip firewall udp, and ip firewall icmp.

• Non-TCP/UDP Filter - Defines packet filtering of non-TCP and UDP protocols with ip firewall filter. Because these packets are dropped by default, to allow any other IP protocol packet to pass through the firewall you must specify a filter object with the correct source/destination IP address and IP protocol ID.

• Java and ActiveX - Allows HTML pages with Java and ActiveX content through the firewall with the ip firewall java and ip firewall activex commands. Options include allowing from all or selected IP addresses, or denying from any IP address.

• System Filter - Specifies Interface mode filtering with the ip firewall ip-options (for loose or strict routing through the Internet, trace routes or record time stamps), ip firewall ip-broadcast (for DHCP, e.g.), and ip firewall ip-multicast (for routing) commands.

• Enable/Disable - Turns the firewall on or off with ip firewall {enable | disable}. The firewall is set per interface or globally and is disabled on all interfaces by default. If the firewall is globally disabled, a local enable is ignored; if it is globally enabled, all interfaces are "on" unless you explicitly disable each port.

• Load - Installs the completed firewall configuration in the XSR's inspection engine with ip firewall load. This command avoids conflicts with existing sessions by clearing them. But before doing so you can perform a trial load to verify settings, or configure incrementally and check for errors between loads. You can view modified settings before loading with show ip firewall config. Also, the delay load option schedules a load, and show ip firewall general displays an outstanding delay and when it will run. Be aware that you must copy the running-config to the startup-config file to save any changes. Commands entered at the CLI are not in the configuration until the load command is invoked, so if you omit a load and save running-config to startup-config, the commands you entered will not display. Several other show commands are available to display firewall running-config, but not loaded (refer to the following bullet).

Caution: Performing a load requires that you re-establish all TCP connections including Telnet sessions and PKI links to the Certificate Authority. Also, firewall configuration changes are blocked during a load delay.

• Display Commands - A host of firewall show commands display various objects that are in effect, that is, those that have been loaded. show ip firewall displays attributes for each firewall configuration command. Also, show ip firewall config displays the as yet un-committed configuration, show ip firewall sessions displays dynamic TCP, UDP and ICMP session data, and show ip firewall general displays summary system firewall statistics such as the status of the firewall, protected and unprotected interfaces, session counters, and number of DoS attacks.

• Non-Unicast packet handling - Packets with broadcast or multicast destination addresses are not allowed to pass in either direction; they must be allowed explicitly. This rule makes it easy to deny access to IP broadcast/multicast packets through the firewall, but to allow access you must issue the ip firewall ip-broadcast and ip firewall ip-multicast commands as well as set policy.

• IP Packets with options - Packets with options are dropped either way by default. You must permit options explicitly either way.

16-20 Configuring Security on the XSR
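Because ip firewall load clears every existing session, it pays to catch configuration mistakes before loading. The following is an added example, not code from the Enterasys manual or the XSR: a small lint pass over a draft list of firewall objects that applies the naming rules stated above (allowed characters; names are case-sensitive) and flags the traffic classes the manual says are dropped unless explicitly permitted. The (name, kind) tuple list is a constructed input format, not an XSR file format.

```python
"""Lint a draft XSR firewall object list before 'ip firewall load'.

Added example, not from the Enterasys manual. The object list format
is a constructed assumption for illustration only.
"""
import re
from collections import defaultdict

# Allowed characters per the manual: A-Z (either case), 0-9, dash, underscore.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Traffic classes the manual says are dropped by default unless explicitly
# allowed, mapped to the command family that permits them.
DEFAULT_DENY = {
    "ip-broadcast": "ip firewall ip-broadcast",
    "ip-multicast": "ip firewall ip-multicast",
    "ip-options": "ip firewall ip-options",
    "non-tcp-udp": "ip firewall filter (needs src/dst IP and protocol ID)",
}

def lint_objects(objects):
    """objects: list of (name, kind) tuples (constructed input format).
    Returns a list of warning strings; an empty list means nothing to fix."""
    warnings = []
    by_folded = defaultdict(list)
    for name, kind in objects:
        if not NAME_RE.match(name):
            warnings.append(f"{name!r}: invalid characters (use A-Z, 0-9, '-', '_')")
        by_folded[name.lower()].append(name)
        if kind in DEFAULT_DENY:
            warnings.append(f"{name!r}: {kind} traffic is dropped by default; "
                            f"permit it with {DEFAULT_DENY[kind]}")
    # Names are case-sensitive, so 'Web' and 'web' are two distinct objects;
    # that is almost always a typo rather than intent, so flag it.
    for names in by_folded.values():
        if len(names) > 1:
            warnings.append(f"names differ only by case: {names} (objects are case-sensitive)")
    return warnings

SAMPLE = [  # constructed sample objects
    ("web_server", "tcp"),
    ("Web_Server", "tcp"),
    ("dns.cache", "udp"),
    ("gre-tunnel", "non-tcp-udp"),
    ("dhcp-relay", "ip-broadcast"),
]

if __name__ == "__main__":
    for w in lint_objects(SAMPLE):
        print("WARNING:", w)
```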