Session filters can be configured to support stateful firewall use cases.
Use the following CLI syntax to configure an AA session filter:
*A:Dut-A>config>app-assure>group# session-filter <session-filter-name> [create]
default-action {permit | deny} [event-log <event-log-name>]
description <description-string>
entry <entry-id> [create]
action {permit | deny} [event-log <event-log-name>]
match
dst-ip <ip-address>
dst-ip ip-prefix-list <ip-prefix-list-name>
no dst-ip
dst-port {eq | gt | lt} <port-num>
dst-port range <start-port-num> <end-port-num>
dst-port port-list <port-list-name>
no dst-port
ip-protocol-num <ip-protocol-number>
no ip-protocol-num
src-ip <ip-address>
no src-ip
src-ip ip-prefix-list <ip-prefix-list>
src-port {eq | gt | lt} <port-num>
src-port range <start-port-num> <end-port-num>
src-port port-list <port-list-name>
no src-port
*A:Dut-A>config>app-assure>group# session-filter "denyUnsolictedwMgntCntrl" create
description "S-FW opted-in sub - allow ISP access"
default-action deny event-log "FW_log"
entry 10 create
description "allow ICMP access from ISP LAN#1"
match
ip-protocol-num icmp
src-ip 10.10.8.0/24
exit
action permit
exit
entry 30 create
description "allow all TCP (e.g. FTP/telnet)access from ISP LAN#2"
match
ip-protocol-num tcp
src-ip 192.168.0.0/24
exit
action permit
exit
entry 40 create
description "allow TCP on port 80 /HTTP access from a IP List on ISP LAN#1"
match
ip-protocol-num tcp
src-ip ip-prefix-list AllowedLAN1Hosts
dst-port eq 80
exit
action permit
exit
*A:Dut-A>config>app-assure>group>sess-fltr$ info
----------------------------------------------
description "S-FW opted-in sub - allow ISP access"
default-action deny event-log "FW_log"
entry 10 create
description "allow ICMP access from ISP LAN#1"
match
ip-protocol-num icmp
src-ip 10.10.8.0/24
exit
action permit
exit
entry 20 create
description "allow ICMP access from ISP LAN#2"
action deny
exit
entry 30 create
description "allow all TCP (e.g. FTP/telnet)access from ISP LAN#2"
match
ip-protocol-num tcp
src-ip 192.168.0.0/24
exit
action permit
exit
entry 40 create
description "allow TCP on port 80 /HTTP access from a IP List on ISP LAN#1"
match
ip-protocol-num tcp
src-ip ip-prefix-list "AllowedLAN1Hosts"
dst-port eq 80
exit
action permit
exit
----------------------------------------------
*A:Dut-A>config>app-assure>group>sess-fltr$
*A:Dut-A>config>app-assure>group>policy>aqp>
entry 110 create
description "FW for managed opted-in subs"
match
traffic-direction network-to-subscriber
exit
action
session-filter "denyUnsolictedwMgntCntrl"
fragment-drop all event-log "FW_log"
error-drop event-log "FW_log"
overload-drop
exit
exit
*A:Dut-A>config>app-assure>group>policy>aqp>entry# info
----------------------------------------------
description "FW for managed opted-in subs."
match
traffic-direction network-to-subscriber
exit
action
session-filter "denyUnsolictedwMgntCntrl"
fragment-drop all event-log "FW_log"
error-drop event-log "FW_log"
overload-drop
exit
no shutdown
----------------------------------------------
*A:Dut-A>config>app-assure>group>policy>aqp>entry#