Question & Answer
Question
What are the IPSec defensive filter modes and how can I configure them?
Answer
Each defensive filter has a mode setting of block or simulate. The defensive filter's mode is set when the filter is created or updated by the ipsec command.
By default, defensive filters are in block mode, causing matching traffic to be discarded. A defensive filter in simulate mode simulates a block and lets you monitor the impact of enabling defensive filters without discarding traffic.
When a packet matches a defensive filter and the mode is simulate, a message is logged indicating that the packet would have been discarded, but the packet is not discarded and IP filtering continues. The packet can subsequently match a defensive filter that is in block mode and be discarded, but the packet will not match another simulation filter.
For a new defensive filter:
  To specify block mode, issue:
    ipsec -F add srcip ipaddress destip ipaddress prot ip_protocol dir direction routing routing_value mode block -N DefensiveFilterName
  To specify simulate mode, issue:
    ipsec -F add srcip ipaddress destip ipaddress prot ip_protocol dir direction routing routing_value mode simulate -N DefensiveFilterName
To update an existing defensive filter:
  To specify block mode, issue:
    ipsec -F update mode block -N DefensiveFilterName
  To specify simulate mode, issue:
    ipsec -F update mode simulate -N DefensiveFilterName
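To make the block and simulate semantics above concrete, the following is an added Python model of the evaluation order the answer describes (a packet is credited to at most one simulate filter, filtering continues, and a later block filter can still discard it), together with the impact count an operator would want before switching simulate filters to block. It is not Communications Server code; the selector is reduced to source, destination and protocol, and the filter names and addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class DefensiveFilter:
    """One defensive filter: traffic selector plus mode; mode defaults to block."""
    name: str
    srcip: str
    destip: str
    prot: str
    mode: str = "block"

    def matches(self, pkt: dict) -> bool:
        return all(want in ("any", pkt[key]) for key, want in
                   (("srcip", self.srcip), ("destip", self.destip), ("prot", self.prot)))

@dataclass
class Verdict:
    action: str                         # "discard" or "pass"
    blocked_by: Optional[str] = None    # block-mode filter that discarded the packet
    simulated_by: Optional[str] = None  # simulate-mode filter that logged "would discard"

def evaluate(filters: List[DefensiveFilter], pkt: dict) -> Verdict:
    """Walk the filters in order: a simulate match is logged and filtering continues,
    a block match discards, and a packet is credited to at most one simulate filter."""
    verdict = Verdict("pass")
    for flt in filters:
        if not flt.matches(pkt):
            continue
        if flt.mode == "simulate":
            if verdict.simulated_by is None:    # later simulate filters never match
                verdict.simulated_by = flt.name
            continue
        verdict.action, verdict.blocked_by = "discard", flt.name
        break
    return verdict

def simulate_impact(filters, packets) -> dict:
    """Packets discarded today versus packets that would additionally be
    discarded if every simulate-mode filter were updated to block mode."""
    verdicts = [evaluate(filters, p) for p in packets]
    return {"discarded_now": sum(v.action == "discard" for v in verdicts),
            "extra_if_blocked": sum(v.action == "pass" and v.simulated_by is not None
                                    for v in verdicts)}

# Constructed filter set and traffic sample; names and addresses are made up.
FILTERS = [DefensiveFilter("SIM_TELNET", "any", "10.0.0.5", "tcp", mode="simulate"),
           DefensiveFilter("SIM_ANY_TCP", "any", "any", "tcp", mode="simulate"),
           DefensiveFilter("BLK_BADHOST", "192.0.2.9", "any", "any")]  # block by default
PACKETS = [{"srcip": "192.0.2.9", "destip": "10.0.0.5", "prot": "tcp"},     # simulate, then block
           {"srcip": "198.51.100.7", "destip": "10.0.0.5", "prot": "tcp"},  # simulate only
           {"srcip": "198.51.100.7", "destip": "10.0.0.8", "prot": "udp"}]  # no match
```

Running `simulate_impact(FILTERS, PACKETS)` reports one packet discarded today and one more that would be discarded once the simulate filters are updated to block mode.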
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date:
15 June 2018
UID
dwa1377786