firewall cp

ipv4|ipv6 deny|permit <ip-addr><ip-mask>|any|{host <ip-addr>} proto{<ip-protocol-number> ports <start port number><end port number>}|ftp|http|https|icmp|snmp|ssh|telnet|tftp [bandwidth-contract <name>|<pbwm>]

no...

Description

This command creates whitelist/allowlist session ACLs. Whitelist/allowlist ACLs consist of rules that explicitly permit or deny session traffic from being forwarded to the managed device. This prevents traffic from being automatically forwarded to the managed device if it was not specifically denied in a blacklist/denylist. The maximum number of entries allowed in the whitelist/allowlist is 64.

Parameter

Description

ipv4|ipv6

Specifies ipv4 or ipv6.

deny|permit

Specifies the entry to reject (deny) on the session ACL whitelist/allowlist.

Specifies an entry that is allowed (permit) on the session ACL whitelist/allowlist.

<ip-addr><ip-mask>

IPv4/IPv6 source address and source mask.

any

Specifies any IPv4 or IPv6 source address.

host <ip-addr>

Indicates a specific IPv4 or IPv6 source address.

proto

Specify one of the following protocols used by the session traffic:

  • ftp
  • http
  • https
  • icmp
  • snmp
  • ssh
  • telnet
  • tftp

bandwidth-contract <name>

Specifies the name of a bandwidth contract. A bandwidth contract configures a traffic rate, which can then be associated with a whitelist/allowlist session ACL.

position <prio>

Specifies the filter position. The default is the last position; 1 is the first position.

<ip-protocol-number>

Specifies the IP protocol number that is permitted or denied.

Range: 1-255

<start port number>

Specifies the starting port, in the port range, on which session traffic is running.

Range: 1-65535

<end port number>

Specifies the last port, in the port range, on which session traffic is running.

Range: 1-65535

<pbwm>

Bandwidth rate in packets/seconds.

Range: 1–64000

Example

The following command creates a whitelist/allowlist ACL entry that permits traffic with the source address 10.10.10.10 and the source mask 2.2.2.2. The protocol is FTP and the bandwidth contract name is mycontract.

(host) [/md] (config-fw-cp) #ipv4 permit 10.10.10.10 2.2.2.2 proto ftp bandwidth-contract name mycontract

The following command creates a whitelist/allowlist ACL entry that denies traffic using protocol 2 on port 5000 from being forwarded to the managed device:

(host) [/md] (config-fw-cp) #deny proto 6 ports 5000 6000

The following example configures a bandwidth contract named “cp-rate” with a rate of 100 pps.

(host) [/md] (config) #cp-bandwidth-contract cp-rate pps 100

The following example displays a configuration in which ports deactivated by default are enabled:

(DR-Mode) *[mm] (config) #firewall cp

(DR-Mode) ^*[mm] (config-submode)#ipv4 permit any proto 6 ports 389 389

(DR-Mode) ^*[mm] (config-submode)#write memory

Saving Configuration...

Configuration Saved.

(DR-Mode) *[mm] (config-submode)#show firewall-cp

CP firewall policies

--------------------

IP Version Source IP Source Mask Protocol Start Port End Port Action hits contract wancp

---------- --------- ----------- -------- ---------- -------- -------------- ---- -------- -----

ipv4 any 6 6633 6633 Permit 0 0

ipv4 any 6 389 389 Permit 0 0

(DR-Mode) *[mm] (config-submode)#no ipv4 permit any proto 6 ports 389 389

(DR-Mode) ^*[mm] (config-submode)#write memory

Saving Configuration...

Configuration Saved.

(DR-Mode) *[mm] (config-submode)#show firewall-cp

CP firewall policies

--------------------

IP Version Source IP Source Mask Protocol Start Port End Port Action hits contract wancp

---------- --------- ----------- -------- ---------- -------- -------------- ---- -------- -----

ipv4 any 6 6633 6633 Permit 0 0

(DR-Mode) *[mm] (config-submode)#
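The session above shows how the allowlist looks in show firewall-cp output. As an added example (not part of this reference or Aruba's own tooling), the following script parses that output and flags permit-any entries that expose a cleartext management service to the control processor, and warns when the list is close to the documented 64-entry limit. The sample output is constructed, the assumption that rows for source "any" omit the Source Mask column is taken from the session above, and the port-to-protocol mapping is the well-known ports, not something the page states.

```python
# Constructed sample of "show firewall-cp" output, modelled on the session above.
SAMPLE_OUTPUT = """\
CP firewall policies
--------------------
IP Version Source IP Source Mask Protocol Start Port End Port Action hits contract wancp
---------- --------- ----------- -------- ---------- -------- -------------- ---- -------- -----
ipv4 any 6 6633 6633 Permit 0 0
ipv4 any 6 389 389 Permit 0 0
ipv4 any 6 23 23 Permit 12 0
ipv4 10.10.10.10 255.255.255.255 6 22 22 Permit 4 0
"""

# Well-known ports of the cleartext protocols the command can name (assumed mapping).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http"}
MAX_ENTRIES = 64  # documented allowlist limit


def parse_show_firewall_cp(text):
    """Parse rule rows into dicts. Assumes rows with source 'any' omit Source Mask."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("ipv4", "ipv6"):
            continue  # skip headings and separator lines
        if tok[1] == "any":
            src, mask, rest = "any", None, tok[2:]
        else:
            src, mask, rest = tok[1], tok[2], tok[3:]
        proto, start, end, action = rest[0], int(rest[1]), int(rest[2]), rest[3]
        hits = int(rest[4]) if len(rest) > 4 else 0
        entries.append({"version": tok[0], "source": src, "mask": mask, "proto": proto,
                        "start": start, "end": end, "action": action, "hits": hits})
    return entries


def audit(entries):
    """Return findings: permit-any rules covering a cleartext service port, and a
    capacity warning when the allowlist is within four entries of the 64 limit."""
    findings = []
    for e in entries:
        if e["action"].lower() != "permit" or e["source"] != "any":
            continue
        for port, name in CLEARTEXT_PORTS.items():
            if e["start"] <= port <= e["end"]:
                findings.append(f"permit any {e['version']} proto {e['proto']} ports "
                                f"{e['start']}-{e['end']} exposes {name} ({e['hits']} hits)")
    if len(entries) >= MAX_ENTRIES - 4:
        findings.append(f"{len(entries)} of {MAX_ENTRIES} allowlist entries in use")
    return findings
```

Run it against a captured show firewall-cp session rather than the sample to review a live allowlist; a host-scoped permit (like the last sample row) is not reported.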

Related Commands

Command

Description

show firewall-cp

Show Control Processor (CP) whitelist/allowlist ACL info.

Command History

Release

Modification

AOS 8.9.0.0

All instances of blacklist have been replaced with denylist.

All instances of whitelist have been replaced with allowlist.

AOS 8.0.0.0

Command introduced.

Command Information

Platforms

License

Command Mode

All platforms

Base operating system, except for noted parameters.

Config mode on Mobility Conductor.