IBM Support

How do the IPSec defensive filter modes work?

Question & Answer

Question

What are the IPSec defensive filter modes and how can I configure them?

Answer

Each defensive filter has a mode setting of block or simulate. The defensive filter's mode is set when the filter is created or updated by the ipsec command.

By default, defensive filters are in block mode, causing matching traffic to be discarded. A defensive filter in simulate mode simulates a block and lets you monitor the impact of enabling defensive filters without discarding traffic.

When a packet matches a defensive filter and the mode is simulate, a message is logged indicating that the packet would have been discarded, but the packet is not discarded and IP filtering continues. The packet can subsequently match a defensive filter that is in block mode and be discarded, but the packet will not match another simulation filter.
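To make the matching rules above concrete, here is an added Python model of how one packet passes through an ordered list of defensive filters (illustrative code written for this page, not z/OS Communications Server code). The DefensiveFilter fields, the evaluate function and the sample filters are assumptions for the example; the behaviour modelled is the one described above: a block match discards the packet, a simulate match only logs and is counted once, and filtering continues until a block filter matches or the list is exhausted.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Illustrative model only (not z/OS code): fields mirror the srcip/destip/
# prot/mode keywords of "ipsec -F add"; dir and routing are omitted here.
@dataclass
class DefensiveFilter:
    name: str
    srcip: str   # single address or CIDR prefix
    destip: str
    prot: str    # "tcp", "udp", "icmp", ... or "all"
    mode: str    # "block" (the default) or "simulate"

    def matches(self, src: str, dst: str, prot: str) -> bool:
        return (ip_address(src) in ip_network(self.srcip, strict=False)
                and ip_address(dst) in ip_network(self.destip, strict=False)
                and self.prot in ("all", prot))

def evaluate(filters, src, dst, prot):
    """Walk the defensive filters in order for one packet and return
    (verdict, log). verdict is "discard" if a block filter matched, else
    "continue" (the packet goes on to normal IP filtering). A simulate
    match only logs; after the first one, later simulate filters are
    skipped, but a block filter can still discard the packet."""
    log = []
    simulated = False
    for f in filters:
        if f.mode not in ("block", "simulate"):
            raise ValueError(f"{f.name}: mode must be block or simulate")
        if not f.matches(src, dst, prot):
            continue
        if f.mode == "block":
            log.append(f"{f.name}: packet discarded (block)")
            return "discard", log
        if simulated:
            continue  # a packet matches at most one simulation filter
        simulated = True
        log.append(f"{f.name}: packet would have been discarded (simulate)")
    return "continue", log

def sample_filters():
    # Constructed sample data: two simulate filters followed by a block filter.
    return [
        DefensiveFilter("SIM_NET", "10.0.0.0/8", "0.0.0.0/0", "all", "simulate"),
        DefensiveFilter("SIM_TCP", "10.1.0.0/16", "0.0.0.0/0", "tcp", "simulate"),
        DefensiveFilter("BLK_HOST", "10.1.2.0/24", "192.0.2.10", "tcp", "block"),
    ]
```

Running evaluate(sample_filters(), "10.1.2.3", "192.0.2.10", "tcp") logs a simulated block for SIM_NET, skips SIM_TCP, and then discards the packet at BLK_HOST, which is exactly the ordering behaviour the answer describes.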

For a new defensive filter,

  • to specify block mode, issue: ipsec -F add srcip ipaddress destip ipaddress prot ip_protocol dir direction routing routing_value mode block -N DefensiveFilterName

  • to specify simulate mode, issue: ipsec -F add srcip ipaddress destip ipaddress prot ip_protocol dir direction routing routing_value mode simulate -N DefensiveFilterName

To update an existing defensive filter,

  • to specify block mode, issue: ipsec -F update mode block -N DefensiveFilterName

  • to specify simulate mode, issue: ipsec -F update mode simulate -N DefensiveFilterName

Document Information

Modified date:
15 June 2018

UID

dwa1377786