Product specifications
Chapter 5: System Security
Efficient Networks® Router family Technical Reference Guide, Page 5-42
The information displayed includes:
Time and Date
Protocol
Source IP address
Source Port Number / ICMP Type
Destination IP address
Destination Port Number / ICMP Code
Reason for drop
Message Logging
The message logging function configured in the creation of firewall rules can be
enabled or disabled on the Stateful Firewall Configuration Page on page 8-60 of the
WMI or by entering the following command:
firewall watch <on | off>
When enabled, a message is printed to the display for an accepted packet only if
the verbose (-v) option was specified when the rule was created. If the quiet (-q)
option was specified, no message is displayed for that rule.
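The fields listed above (time and date, protocol, source IP and port or ICMP type, destination IP and port or ICMP code, reason for drop) are what an operator has to work with when reading the firewall display. The following is an added example, not the router's own code: it parses one-record-per-line output into a structure and summarises drops by reason and by source. The guide does not give a byte-exact record layout, so the layout the regular expression accepts is an assumption made for this example, and every sample line is constructed. Accepted packets appear in the sample only because the matching rule was created with -v, as the text above describes.

```python
"""Parse and summarise stateful-firewall log records.

Added example, not the router's own code. The guide lists the fields the
router displays but not a byte-exact layout, so the one-record-per-line
layout below is an assumption made for this example, and every sample
line is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed layout (constructed for this example):
#   DATE TIME PROTO SRC_IP SRC_PORT_OR_ICMP_TYPE DST_IP DST_PORT_OR_ICMP_CODE ACTION: REASON
RECORD_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<proto>[A-Z]+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<sfield>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) (?P<dfield>\d+) "
    r"(?P<action>drop|accept): (?P<reason>.+)$"
)

# Constructed sample log. The accepted UDP packet is logged only because its
# rule was created with -v; a rule created with -q would produce no line.
SAMPLE_LOG = """\
2004-03-01 10:15:02 TCP 203.0.113.7 4421 192.0.2.10 23 drop: no matching rule
2004-03-01 10:15:02 TCP 203.0.113.7 4422 192.0.2.10 23 drop: no matching rule
2004-03-01 10:15:03 TCP 203.0.113.7 4423 192.0.2.10 23 drop: no matching rule
2004-03-01 10:15:05 ICMP 198.51.100.4 8 192.0.2.10 0 drop: icmp echo blocked
2004-03-01 10:15:06 UDP 203.0.113.9 53 192.0.2.10 1025 accept: rule 3 (-v)
2004-03-01 10:15:07 TCP 203.0.113.7 4424 192.0.2.10 22 drop: no matching rule
this line is deliberately malformed and must be skipped
"""


@dataclass(frozen=True)
class FirewallRecord:
    timestamp: str
    protocol: str
    src_ip: str
    src_port_or_type: int   # source port, or ICMP type for ICMP
    dst_ip: str
    dst_port_or_code: int   # destination port, or ICMP code for ICMP
    action: str             # "drop" or "accept"
    reason: str


def parse_record(line: str) -> Optional[FirewallRecord]:
    """Parse one line; return None for lines that do not match the layout."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    return FirewallRecord(
        timestamp=f"{m['date']} {m['time']}",
        protocol=m["proto"],
        src_ip=m["src"],
        src_port_or_type=int(m["sfield"]),
        dst_ip=m["dst"],
        dst_port_or_code=int(m["dfield"]),
        action=m["action"],
        reason=m["reason"],
    )


def parse_log(lines: Iterable[str]) -> List[FirewallRecord]:
    """Parse all lines, skipping blank and malformed ones."""
    records = []
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            records.append(rec)
    return records


def drops_by_reason(records: Iterable[FirewallRecord]) -> Counter:
    """Count dropped packets per 'reason for drop' string."""
    return Counter(r.reason for r in records if r.action == "drop")


def noisy_sources(records: Iterable[FirewallRecord], threshold: int) -> List[Tuple[str, int]]:
    """Sources whose drop count reaches the threshold, busiest first."""
    counts = Counter(r.src_ip for r in records if r.action == "drop")
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG.splitlines())
    print(f"{len(recs)} records parsed")
    for reason, n in drops_by_reason(recs).most_common():
        print(f"{n:4d}  {reason}")
    for ip, n in noisy_sources(recs, threshold=3):
        print(f"source {ip} dropped {n} times")
```

Because the source-port column doubles as the ICMP type and the destination-port column as the ICMP code, the parser keeps both as plain integers and leaves the protocol field to say how to read them; a summary that filters on `protocol == "ICMP"` before interpreting those columns avoids mistaking an echo-request type for a port number.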
Stateful Firewall and IPSec
The router can act as an IPSec gateway and encrypt outgoing packets using IPSec
tunneling. Additionally, IPSec could be implemented on the client machines behind
the router, in which case, the router would only need to allow IPSec packets through.
When IPSec is performed at the router and NAT is enabled, NAT translation can be
applied to a packet either before or after IPSec processes it; the order is chosen by a
policy setting. To perform NAT before IPSec, use the command:
ike ipsec policies set translate on
However, if IPSec encryption is to be done before NAT, disable translation with the
following command:
ike ipsec policies set translate off
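The practical difference between the two settings is which source address ends up inside the tunnel. The following is an added example, not the router's firmware: it models a packet as a small record and applies a source-NAT stage and a tunnel-mode ESP stage as pure functions in the order each setting selects, then checks whether the protected inner address would still match a peer policy whose local-side selector is the LAN subnet. All addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Model of the NAT / IPSec ordering chosen with
`ike ipsec policies set translate on|off`.

Added example, not the router's firmware: a packet is a small record and the
NAT and IPSec tunnel stages are pure functions applied in the order the
setting selects. All addresses are constructed (RFC 5737 documentation ranges).
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

LAN_HOST = "192.168.1.20"     # constructed: host behind the router
LAN_NET = "192.168.1.0/24"    # constructed: the protected LAN
ROUTER_WAN = "198.51.100.1"   # constructed: router's public address
PEER_GW = "203.0.113.5"       # constructed: remote IPSec gateway
REMOTE_HOST = "10.9.0.7"      # constructed: host behind the remote gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    esp: bool = False                 # True once wrapped in tunnel-mode ESP
    inner_src: Optional[str] = None   # original header, readable only after decryption
    inner_dst: Optional[str] = None


def nat_outbound(pkt: Packet, public_ip: str) -> Packet:
    """Source NAT on the outer header. NAT cannot see into an ESP payload, so
    an already-encapsulated packet keeps its inner addresses untouched."""
    return replace(pkt, src=public_ip)


def ipsec_tunnel(pkt: Packet, local_gw: str, peer_gw: str) -> Packet:
    """Tunnel-mode ESP: the current header becomes the protected inner header
    and a new gateway-to-gateway outer header is added."""
    return Packet(src=local_gw, dst=peer_gw, esp=True,
                  inner_src=pkt.src, inner_dst=pkt.dst)


def process_outbound(pkt: Packet, translate: bool) -> Packet:
    """translate=True  -> NAT first, then IPSec   (translate on)
       translate=False -> IPSec first, then NAT   (translate off)"""
    if translate:
        return ipsec_tunnel(nat_outbound(pkt, ROUTER_WAN), ROUTER_WAN, PEER_GW)
    return nat_outbound(ipsec_tunnel(pkt, ROUTER_WAN, PEER_GW), ROUTER_WAN)


def selector_matches(pkt: Packet, local_net: str) -> bool:
    """Would a peer policy whose local-side selector is `local_net` match the
    inner source address of this tunnelled packet?"""
    if not pkt.esp or pkt.inner_src is None:
        return False
    return ipaddress.ip_address(pkt.inner_src) in ipaddress.ip_network(local_net)


if __name__ == "__main__":
    original = Packet(src=LAN_HOST, dst=REMOTE_HOST)
    for setting in (True, False):
        out = process_outbound(original, translate=setting)
        print(f"translate {'on ' if setting else 'off'}: outer {out.src}->{out.dst}, "
              f"inner {out.inner_src}->{out.inner_dst}, "
              f"matches LAN selector: {selector_matches(out, LAN_NET)}")
```

With translate on, the remote gateway decrypts a packet whose inner source is the router's public address, so its policy selectors must be written for that address; with translate off, the inner source is the private LAN address and the peer's selectors must cover the LAN subnet. A mismatch in either direction shows up as traffic that is dropped by the peer's policy rather than as a failure to establish the tunnel, which is why the setting should be chosen together with the selectors configured on the far side.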
Denial of Service Attacks
The Stateful Firewall provides protection against Denial of Service attacks. In
general, there is little a router can do to prevent a Denial of Service (DoS) attack from
being launched against it. The router can, however, detect these unsolicited packets
and drop them at the earliest possible stage to minimize the CPU time and memory
they consume.