Configuring the WSM using Device Manager

Layer 4 Switching Filters--Filters fields

The following table describes the Filters fields.


Field Description
Index
Sets the index number--1 to 2,048.
To improve efficiency:
  • Place filters used most near the beginning of the list.
  • Number filters sequentially beginning with 1.
When multiple filters are stacked together on a port, the filter's number determines its order of precedence--the filter with the lowest number is checked first. When traffic arrives at the WSM port, the first filter that matches has its configured action applied and the remaining filters are ignored. If the filter criteria do not match, the next filter is tried.
Name
Sets a filter name of up to 31 characters.
Filter
Enables or disables the state of this filtering rule.
Action
Sets the action for the filtering rule.
  • Allow: Allows the frame to pass.
  • Deny: Discards frames that fit this filter's profile. This can be used for building basic security profiles.
  • Redirect: Redirects frames that fit this filter's profile, such as for web cache redirection. Layer 4 processing must also be activated.
  • NAT: Performs generic Network Address Translation (NAT). This can be used to map the source or destination IP address and port information of a private network scheme to/from the advertised network IP address and ports. This is used in conjunction with the Network Address Translation option below and can also be combined with proxies.
Invert
Sets the invert logic for the filter entry--invert-on or invert-off. Used to reverse the filter logic in order to activate the filter whenever the specified conditions are not met.
Logging
Enables or disables logging.
When enabled, messages are sent to the console port and system host log (syslog). Messages include packet source and destination IP addresses.
Caching
Enables or disables caching of sessions that match the filter. The default is enabled.
Exercise caution when applying cache-enabled and cache-disabled filters to the same WSM port. A cache-enabled filter creates a session entry in the WSM, so that the WSM can bypass filter checking for subsequent frames that match the same criteria.
Note: Caching should be disabled when applying a filter to a virtual server IP address while performing UDP load balancing.
Client Proxy
Enables or disables client proxy. The default is enabled.
Applies only with filter action Redirect or NAT. Enables or disables proxy IP address translation for traffic matching the filter criteria. If disabled, any proxy defined for the WSM port is not applied to traffic meeting the filter criteria. This is useful when certain traffic must retain its original IP address information, or when other forms of translation (such as Application Redirection or NAT) are preferred.
VLAN
Sets the VLAN associated with this filter.
Source Address Filter Type
Sets the source filter type to IP or MAC address.
Destination Address Filter Type
Sets the destination filter type to IP or MAC address.
Network Address Translation
Sets the address to be translated by Network Address Translation (NAT)--destination-address or source-address.
When NAT is set as the filter action (see above), this specifies whether NAT is performed on the source or the destination address.
Source IP Address
Sets the source IP address for the filter. A setting of 0.0.0.0 allows any address to filter through.
If defined, traffic with this source IP address will be affected by this filter. Specify an IP address in dotted decimal notation, or "Any". A range of IP addresses is produced when used with the Source IP Mask below. The default is Any if the source MAC address is Any.
Source IP Mask
Sets the source IP subnet mask for filtering.
Destination IP Address
Sets the destination IP address to filter. A setting of 0.0.0.0 allows any address to filter through.
If defined, traffic with this destination IP address will be affected by this filter. Specify an IP address in dotted decimal notation, or "Any". A range of IP addresses is produced when used with the Destination IP Mask below. The default is Any if the destination MAC address is Any.
Destination IP Mask
Sets the IP subnet mask.
This IP address mask is used with the Destination IP Address to select traffic which this filter will affect.
Source MAC Address
Sets the source MAC address to filter.
Destination MAC Mask
Sets the destination MAC address to filter.
Protocol
Sets the protocol to filter. Specify the protocol number, name, or "any". The default is any.
If defined, traffic from the specified protocol is affected by this filter.
Low Source Port
Sets the lower source TCP/UDP port number to filter. Applies when the filter protocol is defined as UDP or TCP; 0 (zero) indicates no filtering.
High Source Port
Sets the higher source TCP/UDP port number to filter. Applies when the filter protocol is defined as UDP or TCP; 0 (zero) indicates no filtering.
Low Destination Port
Sets the lower destination TCP/UDP port number to filter. Applies when the filter protocol is defined as UDP or TCP; 0 (zero) indicates no filtering.
High Destination Port
Sets the higher destination TCP/UDP port number to filter. Applies when the filter protocol is defined as UDP or TCP; 0 (zero) indicates no filtering.
Redirection Port
Sets the real server port used for redirection. The default is 0.
Applies only when Redirect is specified as the filter action. Defines the real server TCP/UDP port number to which redirected traffic will be sent. For valid Layer 4 health checks, this must be configured whenever TCP protocol traffic is redirected. Also, if transparent proxies are used for Network Address Translation (NAT), Redirection Port must be configured for all Application Redirection filters.
Redirection Group
Sets the real server group to which traffic is redirected. The default is 1.
Applies only when Redirect is specified as the filter action. Defines the real server group (1 to 16) to which redirected traffic will be sent.
URL Redirection
Enables or disables URL redirection.
NAT Active FTP
Enables or disables active FTP client Network Address Translation (NAT). Disabled by default.
When a client in active FTP mode sends a PORT command to a remote FTP server, the WSM looks into the data part of the frame and replaces the client's private IP address with a proxy IP address. The real server port is replaced with a proxy port.
NAT Session Timeout
Sets time-out for the NAT session--4 to 30, even values only.
TCP ACK or RST Matching
Enables or disables TCP ACK (acknowledgement) or RST (reset) flag matching.
TCP URG
Enables or disables TCP URG (urgent) flag matching. The default is disabled.
TCP ACK
Enables or disables TCP ACK (acknowledgement) flag matching. The default is disabled.
TCP PSH
Enables or disables TCP PSH (push) flag matching. The default is disabled.
TCP RST
Enables or disables TCP RST (reset) flag matching. The default is disabled.
TCP SYN
Enables or disables TCP SYN (synchronize) flag matching. The default is disabled.
TCP FIN
Enables or disables TCP FIN (finish) flag matching. The default is disabled.
ICMP Type
Sets ICMP message type to filter--0 to 255, or Any. Default is Any.
IP Option
Enables or disables the IP option.
IP TOS
Sets IP Type of Service (TOS) value to filter--0 to 255.
IP TOS Mask
Sets IP TOS mask for filtering--0 to 255.
New IP TOS
Overwrites the IP TOS value with this new value when filtering--0 to 255.
TCP Connection Rate Limiting
Enables or disables TCP connection rate limiting.
Maximum Connection for TCP Rate Limiting
Sets the maximum number of connections (0 to 255) for TCP connection rate limiting.
Firewall Redirect Hash
Enables or disables the firewall redirect hash method.
To preserve the stateful inspection behavior of firewalls, a hashing algorithm ensures that the inbound and outbound packets for a given source/destination IP address pair (IPSA/IPDA) traverse the same firewall. If the destination port is 80 or 21, enabling this option changes the hash of the filter from a WCR hash to a FWLB hash. By default, this option is disabled.
WAN Link Load Balancing
Enables or disables WAN link load balancing. Disabled by default.
Intrusion Detection Hash
Sets the hash parameter for intrusion detection server load balancing:
  • sip: source IP address or range
  • dip: destination IP address or range
  • both: both source and destination IP address
Hash
Sets the hash parameters for this filter: auto, sip (source IP), dip (destination IP) or both.
BWM Contract
Sets the Bandwidth Management Contract (0 to 1024). By default, the contract number is set at 1024. For more information, see Bandwidth management.
WAP Radius Snooping
Enables or disables Wireless Application Protocol (WAP) RADIUS snooping. Disabled by default.
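As an added illustration of the Index precedence and Invert fields described in the table (this is not vendor code; the Filter class models only a constructed subset of the fields above, and the filter lists are constructed samples), the following Python evaluates a packet against an ordered filter list with first-match semantics and flags filters that an earlier catch-all filter makes unreachable:

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Filter:
    index: int                 # Index: 1 to 2,048; lowest number is checked first
    action: str                # Allow, Deny, Redirect or NAT
    src: str = "0.0.0.0/0"     # Source IP Address + Mask; /0 means "Any"
    dst: str = "0.0.0.0/0"     # Destination IP Address + Mask
    proto: str = "any"         # Protocol: "tcp", "udp", "icmp" or "any"
    dport: tuple = (0, 0)      # Low/High Destination Port; 0 means no port filtering
    invert: bool = False       # Invert: match when the criteria are NOT met
    enabled: bool = True       # Filter: enabled/disabled

def _port_ok(rng, port):
    low, high = rng
    if low == 0 and high == 0:
        return True
    return low <= port <= (high or low)

def matches(f, pkt):
    """True when pkt meets the filter criteria, after applying Invert."""
    hit = (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(f.src, strict=False)
           and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(f.dst, strict=False)
           and (f.proto == "any" or f.proto == pkt["proto"])
           and (f.proto not in ("tcp", "udp") or _port_ok(f.dport, pkt["dport"])))
    return (not hit) if f.invert else hit

def first_match(filters, pkt):
    """Lowest index first; the first enabled match decides, the rest are ignored."""
    for f in sorted(filters, key=lambda f: f.index):
        if f.enabled and matches(f, pkt):
            return f.index, f.action
    return None, "no-match"

def shadowed(filters):
    """Filters unreachable because an earlier enabled, non-inverted catch-all matches first."""
    ordered = sorted(filters, key=lambda f: f.index)
    for pos, f in enumerate(ordered):
        if (f.enabled and not f.invert and f.src == f.dst == "0.0.0.0/0"
                and f.proto == "any" and f.dport == (0, 0)):
            return [g.index for g in ordered[pos + 1:]]
    return []

# Constructed sample: deny telnet into the server subnet, allow everything else.
FILTERS = [
    Filter(1, "deny", dst="10.1.1.0/24", proto="tcp", dport=(23, 23)),
    Filter(2, "allow"),
]
```

Swapping the two indices in FILTERS makes the Deny filter unreachable, which `shadowed` reports; that is the ordering mistake the Index guidance above is meant to prevent.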
