Firewall Enhancements Release Note
Software Version 2.9.1
C613-10486-00 REV C
Command Changes
The following table summarises the modified commands:
Limiting Firewall Sessions from a Device
This Software Version allows you to limit the number of concurrent sessions a
device can initiate by using the new limitrule firewall commands. Limit rules
apply to firewall sessions initiated by a device on either side of the firewall, and
are attached to policies.
Each time a device initiates a session through the firewall, the router or switch
checks all the limit rules for the applicable firewall policy. If a session exceeds
the limit in a matching rule, then the router or switch does not allow the new
session to start. The device can only start the new session once it has ended one
or more of the current sessions. If a session does not match any limit rules, then
no limit is applied. Each policy can have up to 100 limit rules.
When the router or switch checks the limit rules, it counts every existing
session that matches each rule, and more than one limit rule can apply to a
session. If any matching rule denies the session, the session is denied,
regardless of the other rules.
To add a limit rule to a policy, use the new add firewall policy limitrule
command:
    add firewall policy=policy-name limitrule=rule-id
        srciplimit=0..10000 [interface=interface]
        [gblremoteip=ipadd[-ipadd]] [ip=ipadd[-ipadd]]
The ip and gblremoteip parameters specify the IP address range of the private
(ip) and public (gblremoteip) devices that you are limiting the sessions for. The
limit is set with the srciplimit parameter, and is applied to each device
separately. That is, if a rule limits devices to 20 sessions, then any device can
initiate a maximum of 20 sessions regardless of the other devices’ activity.
Each limit rule applies to sessions initiated from both sides of the firewall. For
example, consider the command:
    add firewall policy=policy-name limitrule=1 srciplimit=3
        [interface=interface] gblremoteip=125.4.10.1-125.4.10.12
        ip=101.20.20.1
In the above example:
- the private device (101.20.20.1) can initiate a maximum of three sessions to
  all devices within the IP range 125.4.10.1 to 125.4.10.12
- each public device within the specified range can initiate up to three
  sessions to the private device.
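The rule-evaluation behaviour described above (per-device counting, matching on
the ip and gblremoteip ranges, no limit when no rule matches, and any denying
rule winning) is modelled in the following Python example. It is an added
illustration, not code from the release note or from the router software; the
Session and Policy classes, the initiator field, and the sample addresses and
outcomes are assumptions of this model. It reproduces the worked example from
the text (rule 1) and adds a second, looser rule to show that a denying match
overrides an allowing one.

```python
"""Model of per-device firewall limit rules (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IpRange = Tuple[int, int]  # inclusive (low, high) as integers


def parse_range(text: str) -> IpRange:
    """Parse 'a.b.c.d' or 'a.b.c.d-w.x.y.z' (the ipadd[-ipadd] form) into a range."""
    first, _, last = text.partition("-")
    low = int(ipaddress.IPv4Address(first))
    high = int(ipaddress.IPv4Address(last)) if last else low
    if high < low:
        raise ValueError(f"inverted range: {text}")
    return low, high


def in_range(addr: str, rng: Optional[IpRange]) -> bool:
    """An omitted parameter (None) matches any address."""
    if rng is None:
        return True
    return rng[0] <= int(ipaddress.IPv4Address(addr)) <= rng[1]


@dataclass(frozen=True)
class Session:
    private_ip: str   # device on the private side (matched against ip=)
    public_ip: str    # device on the public side (matched against gblremoteip=)
    initiator: str    # "private" or "public": which side opened the session

    @property
    def initiator_ip(self) -> str:
        return self.private_ip if self.initiator == "private" else self.public_ip


@dataclass(frozen=True)
class LimitRule:
    rule_id: int
    srciplimit: int                      # max concurrent sessions per initiating device
    ip: Optional[IpRange] = None
    gblremoteip: Optional[IpRange] = None

    def matches(self, s: Session) -> bool:
        return in_range(s.private_ip, self.ip) and in_range(s.public_ip, self.gblremoteip)


class Policy:
    """Holds the limit rules of one firewall policy plus the live session table."""

    def __init__(self, name: str, rules: List[LimitRule]):
        if len(rules) > 100:             # the note allows up to 100 limit rules per policy
            raise ValueError("a policy may hold at most 100 limit rules")
        self.name = name
        self.rules = list(rules)
        self.sessions: List[Session] = []

    def admit(self, new: Session) -> Tuple[bool, Optional[int]]:
        """Return (allowed, id of the denying rule). Any matching rule that denies wins."""
        for rule in self.rules:
            if not rule.matches(new):
                continue
            # Count existing sessions matched by this rule that the same device initiated.
            existing = sum(1 for s in self.sessions
                           if rule.matches(s) and s.initiator_ip == new.initiator_ip)
            if existing >= rule.srciplimit:
                return False, rule.rule_id
        self.sessions.append(new)        # no matching rule denied it (or none matched)
        return True, None

    def close(self, s: Session) -> None:
        self.sessions.remove(s)


def demo() -> dict:
    """Replays the release note's example against constructed sessions."""
    rule1 = LimitRule(1, 3, ip=parse_range("101.20.20.1"),
                      gblremoteip=parse_range("125.4.10.1-125.4.10.12"))
    rule2 = LimitRule(2, 5, ip=parse_range("101.20.20.1"))   # assumed looser second rule
    policy = Policy("policy-name", [rule1, rule2])
    r = {}
    # The private device opens four outbound sessions; the fourth exceeds srciplimit=3.
    r["private_outbound"] = [policy.admit(Session("101.20.20.1", f"125.4.10.{n}", "private"))[0]
                             for n in (1, 2, 3, 4)]
    # One public device opens four inbound sessions to the private device.
    r["public_5_inbound"] = [policy.admit(Session("101.20.20.1", "125.4.10.5", "public"))[0]
                             for _ in range(4)]
    # Limits are per device: another public device is unaffected by the first one's count.
    r["public_6_inbound"] = policy.admit(Session("101.20.20.1", "125.4.10.6", "public"))[0]
    # A device that matches no rule is not limited at all.
    r["unmatched"] = all(policy.admit(Session("101.20.20.2", "125.4.10.1", "private"))[0]
                         for _ in range(50))
    # Rule 2 would still allow this session (3 < 5) but rule 1 denies it, so it is denied.
    r["denied_by"] = policy.admit(Session("101.20.20.1", "125.4.10.9", "private"))[1]
    # Once the device ends one of its sessions, a new one may start.
    policy.close(Session("101.20.20.1", "125.4.10.1", "private"))
    r["after_close"] = policy.admit(Session("101.20.20.1", "125.4.10.9", "private"))[0]
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The release note does not say what srciplimit=0 means; this model simply
treats it literally (no session that matches such a rule is ever admitted),
which is an assumption of the example rather than documented behaviour.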
To modify a limit rule, use the new set firewall policy limitrule command:
    set firewall policy=policy-name limitrule=rule-id
        [interface=interface] [gblremoteip=ipadd[-ipadd]]
        [ip=ipadd[-ipadd]] [srciplimit=0..10000]
Command            Change
create trigger     Modified firewall parameter
set trigger        Modified firewall parameter