[Filter 1 Menu] adv - Filter Advanced Menu ssl - SSL Load Balancing Menu name - Set filter name tcpopt - TCP Optimization Menu security - Security Menu smac - Set source MAC address dmac - Set destination MAC address ipver - Set Filter IP version sip - Set source IP address or network class smask - Set source IP mask dip - Set destination IP address or network class dmask - Set destination IP mask proto - Set IP protocol sport - Set source TCP/UDP port or range dport - Set destination TCP/UDP port or range applic - Set the application type for this filter cntclass - Set content class ID urlfilt - Set URL Filtering policy for this filter botmng - Set the Bot Manager Protection policy for this filter comppol - Set compression policy for this filter aw - AppWall Menu secwa - Set secured web application for this filter action - Set action group - Set real server group for redirection rport - Set real server port for redirection nat - Set which addresses are network address translated report - reporting menu vlan - Set vlan id add - Add ports rem - Remove ports filtset - Multi-protocol Filter Set Menu urlfmode - Set URL filter classification mode invert - Enable/disable filter inversion ena - Enable filter dis - Disable filter del - Delete filter cur - Display current filter configuration |
Command Syntax and Usage | ||
---|---|---|
adv | ||
Displays the Filter Advanced menu. To view this menu, see /cfg/slb/filt <filter number>/adv Filter Advanced Menu. There are several options available from this menu that can be used to provide more information through syslog. The types of information include: ![]() ![]() ![]() ![]() | ||
appshape | ||
Displays the AppShape++ menu. To view this menu, see /cfg/slb/filt <filter number>/appshape AppShape++ Menu. | ||
ssl | ||
Displays the SSL Load Balancing menu. To view this menu, see /cfg/slb/filt <filter number>/ssl SSL Load Balancing Menu. | ||
name <31 character name> |none | ||
Specifies the name of the filter. | ||
tcpopt | ||
Displays the TCP Optimization menu for adding a TCP optimization policy to the client-side and server-side flows of a filter. To view this menu, see /cfg/slb/filt <filter number>/tcpopt TCP Optimization Menu. | ||
smac any| <MAC address (such as, 00:60:cf:40:56:00)> | ||
Specifies the source MAC address to be matched. Default: any | ||
dmac any| <MAC address (such as, 00:60:cf:40:56:00)> | ||
Specifies the destination MAC address to be matched. Default: any | ||
ipver <IP version (v4, v6)> | ||
Specifies the type of IP address. Default: v4 | ||
sip <IP4 address (eg, 192.4.17.101) | IP6 address (eg, 3001:0:0:0:0:0:abcd:1234 or 3001::abcd:1234)> | <network class id> | ||
Specifies the source IP address/subnet or network class to be matched. Values: ![]() ![]() ![]() ![]() A range of IP addresses is produced when used with smask (see in this table). Default: any, if the source MAC address (smask) is any. | ||
smask <IP4 subnet mask (such as, 255.255.255.0)> | <IP6 prefix length (eg, 64)> | ||
Specifies the source IP version 4 address mask. For more information on defining IP address ranges, see Defining IP Address Ranges for Filters. | ||
dip <IP4 address (eg, 192.4.17.101)> | <IP6 address (eg, 3001:0:0:0:0:0:abcd:1234 or 3001::abcd:1234)> | <network class id> | ||
Specifies the destination IP address or network class to be matched. Values: ![]() ![]() ![]() ![]() A range of IP addresses is produced when used with the dmask (see in this table). For more information, see Defining IP Address Ranges for Filters. Default: any, if the source MAC address (smask) is any | ||
dmask <IP4 subnet mask (such as, 255.255.255.0)> | <IP6 prefix length (eg, 64)> | ||
Specifies the destination IP version 4 address mask. | ||
proto any| <number> | name | ||
Specifies the protocol traffic to which the filter is applied. Values: any, the protocol name, or the protocol number (0 – 255). Supported protocols: ![]() ![]() ![]() ![]() ![]() ![]() ![]() ![]() Default: any | ||
sport any| <name> | <port> | <port> - <port> | ||
If defined, traffic with the specified TCP or UDP source port are affected by this filter. Specify the port number, range, name, or any. Default: any The following are some of the well-known ports: | ||
Number | Name | |
20 21 22 23 25 37 42 43 53 69 70 79 80 109 110 | ftp-data ftp ssh telnet smtp time name whois domain tftp gopher finger http pop2 pop3 | |
dport any| <name> | <port> | <port> - <port> | ||
If defined, traffic with the specified real server TCP or UDP destination port is affected by this filter. Specify the port number, range, name, or any. Default: any For a list of the well-known ports, see the sport command in this table. Note: When the destination port is set to RTSP (554), the filter automatically works in delayed binding (dbind) mode even if the dbind option is disabled for filter redirection at /cfg/slb/filt/adv/redir. | ||
applic <http|basic|sip|none> | ||
Specifies the application type related to a filter. Relevant only to filters where the /cfg/slb/filt/adv/redir/dbind option is set to forceproxy. Values: ![]() ![]() ![]() ![]() ![]() ![]() ![]() ![]() ![]() Default: none | ||
cntclass | ||
Specifies the content class for the filter. The content class can be of type HTTP (URL, HTTP Headers, HTTP Payload), HTTP/2 (URL, HTTP Headers, HTTP Payload), or SSL (SNI, relevant only for SSL inspection filters). Note: On front-end SSL inspection filters, the type of content class that can be used depends on the Alteon installation mode: ![]() ![]() | ||
urlfilt | ||
Specifies Layer 7 classification based on Web category by selecting the appropriate URL filtering policy. URL filtering can ensure privacy in outbound SSL Inspection solutions by bypassing inspection of traffic to certain categories of websites. It can also provide a layer of security for outbound Internet access by enabling or disabling access to types of websites according to the organization’s policy. For URL filtering policy configuration, use /cfg/slb/layer7/urlfiltr. | ||
botmng | ||
Specifies the Bot Manager Protection policy for the filter. Bot Manager provides comprehensive protection of web applications, mobile apps, and APIs from automated threats like bots. Bot Manager provides precise bot management across all channels by combining behavioral modeling for granular intent analysis, collective bot intelligence, and fingerprinting of browsers, devices and machines. It protects against all forms of account takeover (such as credential stuffing and brute force), denial of inventory, DDoS, ad and payment fraud, and web scraping to help organizations safeguard and grow their online operations. You use /cfg/security/botmng/ to configure a Bot Manager policy. For details, see /cfg/security/botmng Bot Manager Menu. | ||
comppol | ||
Specifies the compression policy for the filter. | ||
aw | ||
Displays the AppWall menu. To view this menu, see /cfg/slb/filt <filter number>/aw AppWall Menu. | ||
secwa | ||
Specifies the Secure Web Application object to associate with the filter. For more information on configuring a Web Application Firewall on filters, see Configuring WAF on Filters. | ||
action allow|deny|redir|nat|monitor|goto|outbound-llb | ||
Specifies the action this filter takes: ![]() ![]() ![]() ![]() ![]() The goto filter does not support Layer 7 classification. To set the new filter as “goto”, use the /cfg/slb/filt/adv/goto command. ![]() ![]() Default: allow Note: IPv6 filters support the allow, deny, and redirection actions. Note: The bandwidth management downstream rate limit is not supported for outbound traffic. | ||
group <real server group ID (alphanumeric)> | ||
The real server group to which traffic matching the redir filter is sent. Default: 1 | ||
rport <real server port (0, 1, 5-65534)> | ||
Defines the real server TCP or UDP port to which redirected traffic is sent. Note: This option applies only when redir is specified as the filter action (see in this table). For valid Layer 4 health checks, rport must be configured whenever TCP protocol traffic is redirected. Also, if transparent proxies are used for NAT on Alteon (see the pip option in /cfg/slb/port <port number> Port SLB Menu), rport must be configured for all application redirection filters. Default: 0 | ||
nat [source|dest|mcast] | ||
Species which IP address should be translated using static NAT. Values: ![]() ![]() ![]() Default: dest | ||
report | ||
Displays the Filter Report menu. To view this menu, see /cfg/slb/filt <filter number>/report/inspect Filter Inspect Report Menu. | ||
vlan any| <VLAN ID (1 - 4090)> | ||
Specifies the VLAN associated with the filter. The filter is applied only on the specified VLAN to traffic arriving via the specified physical ports. Default: any — Alteon matches any VLAN ID of the incoming packet. | ||
add | ||
Specifies the physical port or ports on which the filter will be applied to incoming traffic. | ||
rem | ||
Removes a physical port or ports from the filter. | ||
filtset <1..15> | ||
Specifies the multi-protocol filter set ID. A multi-protocol filter set must be defined required to discover the TCP ports on which HTTPS traffic is transported - for example for outbound SSL inspection. All filters that handle the intercepted traffic - filter/s that handle SSL traffic, filters/s that handle HTTP traffic and filter/s that handle all other traffic, must be attached to the same filter set. A filter set must include at least one SSL filter (that performs SSL offload or SSL Inspection). Values: 1 - 15, none | ||
urlfmode [http|ssl] | ||
Specifies the URL filtering mode. Use http when trying to match HTTP traffic with an HTTP host. Use ssl when trying to match HTTPS or SSL traffic with an SNI host. SNI is relevant when trying to match SSL traffic without decryption. Default: http | ||
invert disable|enable | ||
Specifies the filter logic. Note: When using filter inversion for IPv6, the Neighbor Solicitations (NSol) are filtered out if no appropriate NSol filter was set up before inversion. Values: ![]() ![]() Default: disable | ||
ena | ||
Enables this filter. | ||
dis | ||
Disables this filter. | ||
del | ||
Deletes this filter. | ||
cur | ||
Displays the current configuration of the filter. |