/cfg/slb/filt <filter number>
SLB Filter Menu
Alteon supports up to 2048 traffic filters. Each filter can be configured to allow, deny, redirect or perform Network Address Translation (NAT) on traffic according to a variety of address and protocol specifications, and each physical port can be configured to use any combination of filters. This command is disabled by default.
 
[Filter 1 Menu]
adv - Filter Advanced Menu
ssl - SSL Load Balancing Menu
name - Set filter name
tcpopt - TCP Optimization Menu
security - Security Menu
smac - Set source MAC address
dmac - Set destination MAC address
ipver - Set Filter IP version
sip - Set source IP address or network class
smask - Set source IP mask
dip - Set destination IP address or network class
dmask - Set destination IP mask
proto - Set IP protocol
sport - Set source TCP/UDP port or range
dport - Set destination TCP/UDP port or range
applic - Set the application type for this filter
cntclass - Set content class ID
urlfilt - Set URL Filtering policy for this filter
botmng - Set the Bot Manager Protection policy for this filter
comppol - Set compression policy for this filter
aw - AppWall Menu
secwa - Set secured web application for this filter
action - Set action
group - Set real server group for redirection
rport - Set real server port for redirection
nat - Set which addresses are network address translated
report - reporting menu
vlan - Set vlan id
add - Add ports
rem - Remove ports
filtset - Multi-protocol Filter Set Menu
urlfmode - Set URL filter classification mode
invert - Enable/disable filter inversion
ena - Enable filter
dis - Disable filter
del - Delete filter
cur - Display current filter configuration
The following actions are required for filtering:
*Defining the address, masks, and/or protocol that will be affected by the filter.
*Defining the filter action (allow, deny, redirect, nat).
*Enabling the filter.
*Adding the filter to a port.
*Enabling filtering on the port.
 
Filter Configuration Menu Options (/cfg/slb/filt) 
Command Syntax and Usage
adv
 
Displays the Filter Advanced menu. To view this menu, see /cfg/slb/filt <filter number>/adv Filter Advanced Menu.
There are several options available from this menu that can be used to provide more information through syslog. The types of information include:
*IP protocol
*TCP/UDP ports
*TCP flags
*ICMP message type
appshape
 
Displays the AppShape++ menu. To view this menu, see /cfg/slb/filt <filter number>/appshape AppShape++ Menu.
ssl
 
Displays the SSL Load Balancing menu. To view this menu, see /cfg/slb/filt <filter number>/ssl SSL Load Balancing Menu.
name <31 character name> |none
 
Specifies the name of the filter.
tcpopt
 
Displays the TCP Optimization menu for adding a TCP optimization policy to the client-side and server-side flows of a filter. To view this menu, see /cfg/slb/filt <filter number>/tcpopt TCP Optimization Menu.
smac any| <MAC address (such as, 00:60:cf:40:56:00)>
 
Specifies the source MAC address to be matched.
Default: any
dmac any| <MAC address (such as, 00:60:cf:40:56:00)>
 
Specifies the destination MAC address to be matched.
Default: any
ipver <IP version (v4, v6)>
 
Specifies the type of IP address.
Default: v4
sip <IP4 address (eg, 192.4.17.101)> | <IP6 address (eg, 3001:0:0:0:0:0:abcd:1234 or 3001::abcd:1234)> | <network class id>
 
Specifies the source IP address/subnet or network class to be matched.
Values:
*IPv4 address — IP address in dotted decimal notation.
*IPv6 address — IP address in colon notation.
*Network class ID — Network class ID as defined using /cfg/slb/nwclss <network class ID> Network Class Configuration Menu.
*any — Any IP address version.
A range of IP addresses is produced when used with smask (see smask in this table).
Default: any, if the source MAC address (smask) is any.
smask <IP4 subnet mask (such as, 255.255.255.0)> | <IP6 prefix length (eg, 64)>
 
Specifies the source IP version 4 address mask.
For more information on defining IP address ranges, see Defining IP Address Ranges for Filters.
dip <IP4 address (eg, 192.4.17.101)> | <IP6 address (eg, 3001:0:0:0:0:0:abcd:1234 or 3001::abcd:1234)> | <network class id>
 
Specifies the destination IP address or network class to be matched.
Values:
*IPv4 address — IP address in dotted decimal notation.
*IPv6 address — IP address in colon notation.
*Network class ID — Network class ID as defined using /cfg/slb/nwclss <network class ID> Network Class Configuration Menu.
*any — Any IP address version.
A range of IP addresses is produced when used with dmask (see dmask in this table). For more information, see Defining IP Address Ranges for Filters.
Default: any, if the source MAC address (smask) is any.
dmask <IP4 subnet mask (such as, 255.255.255.0)> | <IP6 prefix length (eg, 64)>
 
Specifies the destination IP version 4 address mask.
proto any| <number> | name
 
Specifies the protocol traffic to which the filter is applied.
Values: any, the protocol name, or the protocol number (0 – 255).
Supported protocols:
*icmp (1)
*icmp6 (58)
*igmp (2)
*ospf (89)
*sctp (132)
*tcp (6)
*udp (17)
*vrrp (112)
Default: any
sport any| <name> | <port> | <port> - <port>
 
If defined, traffic with the specified TCP or UDP source port is affected by this filter. Specify the port number, range, name, or any.
Default: any
The following are some of the well-known ports:
Number  Name
20      ftp-data
21      ftp
22      ssh
23      telnet
25      smtp
37      time
42      name
43      whois
53      domain
69      tftp
70      gopher
79      finger
80      http
109     pop2
110     pop3
dport any| <name> | <port> | <port> - <port>
 
If defined, traffic with the specified real server TCP or UDP destination port is affected by this filter. Specify the port number, range, name, or any.
Default: any
For a list of the well-known ports, see the sport command in this table.
Note: When the destination port is set to RTSP (554), the filter automatically works in delayed binding (dbind) mode even if the dbind option is disabled for filter redirection at /cfg/slb/filt/adv/redir.
applic <http|basic|sip|none>
Specifies the application type related to a filter. Relevant only to filters where the /cfg/slb/filt/adv/redir/dbind option is set to forceproxy.
Values:
*http — Supports application layer capabilities for HTTP and HTTPS traffic, such as SSL encryption/decryption, compression, and content-switching, as well as content modification and session persistency (with AppShape++ scripts).
*basic — Supports application layer capabilities for generic TCP applications, such as SSL encryption/decryption, as well as content-switching, content modification and session persistency (with AppShape++ scripts).
*sip — Supports application layer capabilities for SIP, such as SSL encryption/decryption, as well as content-switching, content modification and session persistency (with AppShape++ scripts).
*dns — Supports application layer capabilities for DNS, such as content-switching and content modification (with AppShape++ scripts).
*smtp — Supports outbound SSL inspection capabilities for SMTP traffic.
*pop3 — Supports outbound SSL inspection capabilities for POP3 traffic.
*imap — Supports outbound SSL inspection capabilities for IMAP traffic.
*ftp — Supports outbound SSL inspection capabilities for FTP traffic.
*none — No application level functionality is supported.
Default: none
cntclass
 
Specifies the content class for the filter.
The content class can be of type HTTP (URL, HTTP Headers, HTTP Payload), HTTP/2 (URL, HTTP Headers, HTTP Payload), or SSL (SNI, relevant only for SSL inspection filters).
Note: On front-end SSL inspection filters, the type of content class that can be used depends on the Alteon installation mode:
*When Alteon is installed as Explicit Proxy (SSL Policy Frontend SSL set to Enable on Connect), only HTTP Content Class can be selected.
*When Alteon is installed as Transparent Proxy (SSL Policy Frontend SSL set to Enable) only SSL Content Class can be selected.
urlfilt
 
Specifies Layer 7 classification based on Web category by selecting the appropriate URL filtering policy.
URL filtering can ensure privacy in outbound SSL Inspection solutions by bypassing inspection of traffic to certain categories of websites. It can also provide a layer of security for outbound Internet access by enabling or disabling access to types of websites according to the organization’s policy.
For URL filtering policy configuration, use /cfg/slb/layer7/urlfiltr.
botmng
 
Specifies the Bot Manager Protection policy for the filter.
Bot Manager provides comprehensive protection of web applications, mobile apps, and APIs from automated threats like bots. Bot Manager provides precise bot management across all channels by combining behavioral modeling for granular intent analysis, collective bot intelligence, and fingerprinting of browsers, devices and machines. It protects against all forms of account takeover (such as credential stuffing and brute force), denial of inventory, DDoS, ad and payment fraud, and web scraping to help organizations safeguard and grow their online operations.
You use /cfg/security/botmng/ to configure a Bot Manager policy. For details, see /cfg/security/botmng Bot Manager Menu.
comppol
 
Specifies the compression policy for the filter.
aw
 
Displays the AppWall menu. To view this menu, see /cfg/slb/filt <filter number>/aw AppWall Menu.
secwa
 
Specifies the Secure Web Application object to associate with the filter.
For more information on configuring a Web Application Firewall on filters, see Configuring WAF on Filters.
action allow|deny|redir|nat|monitor|goto|outbound-llb
 
Specifies the action this filter takes:
*allow — Allows the frame to pass. This filtering action can be used to redirect the returning traffic to the service farm if the reverse session is enabled.
*deny — Discards frames that fit this filter’s profile. This can be used for building basic security profiles.
*nat — Performs generic Network Address Translation (NAT). This can be used to map the source or destination IP address and port information of a private network scheme to and from the advertised network IP address and ports. This is used in conjunction with the nat option (see nat in this table), and can also be combined with proxies.
*redir — Redirects frames that fit this filter’s profile, such as for Web cache redirection.
*goto — Specifies a target filter ID that the filter search should jump to when a match occurs. This causes filter processing to jump to a designated filter, effectively skipping over a block of filter IDs. Filter searching action continues from the designated filter ID.
The goto filter does not support Layer 7 classification.
To set the new filter as “goto”, use the /cfg/slb/filt/adv/goto command.
*outbound-llb — Transparently forwards traffic from the local network to the wide area network via a WAN link selected from the group of WAN links specified. The public addresses used to NAT this outgoing traffic should be configured per each WAN link (in WAN Link server configuration).
*monitor — Configures integrated AppWall WAF as monitor mode. AppWall receives a copy of the traffic (mirroring) and performs detection and reporting only. This mode is used in an out-of-path environment.
Default: allow
Note: IPv6 filters support the allow, deny, and redirection actions.
Note: The bandwidth management downstream rate limit is not supported for outbound traffic.
group <real server group ID (alphanumeric)>
 
The real server group to which traffic matching the redir filter is sent.
Default: 1
rport <real server port (0, 1, 5-65534)>
 
Defines the real server TCP or UDP port to which redirected traffic is sent.
Note: This option applies only when redir is specified as the filter action (see action in this table).
For valid Layer 4 health checks, rport must be configured whenever TCP protocol traffic is redirected. Also, if transparent proxies are used for NAT on Alteon (see the pip option in /cfg/slb/port <port number> Port SLB Menu), rport must be configured for all application redirection filters.
Default: 0
nat [source|dest|mcast]
 
Specifies which IP address should be translated using static NAT.
Values:
*source — The packet source IP address is translated.
*dest — The packet destination IP address is translated.
*mcast — The packet destination MAC address is translated to a multicast MAC, using the last 23 bits of the configured NAT address. The destination IP address and NAT address must be discrete.
Default: dest
report
 
Displays the Filter Report menu. To view this menu, see /cfg/slb/filt <filter number>/report/inspect Filter Inspect Report Menu.
vlan any| <VLAN ID (1 - 4090)>
 
Specifies the VLAN associated with the filter.
The filter is applied only on the specified VLAN to traffic arriving via the specified physical ports.
Default: any — Alteon matches any VLAN ID of the incoming packet.
add
 
Specifies the physical port or ports on which the filter will be applied to incoming traffic.
rem
 
Removes a physical port or ports from the filter.
filtset <1..15>
 
Specifies the multi-protocol filter set ID. A multi-protocol filter set is required to discover the TCP ports on which HTTPS traffic is transported, for example for outbound SSL inspection. All filters that handle the intercepted traffic (filters that handle SSL traffic, filters that handle HTTP traffic, and filters that handle all other traffic) must be attached to the same filter set. A filter set must include at least one SSL filter (that performs SSL offload or SSL Inspection).
Values: 1 - 15, none
urlfmode [http|ssl]
 
Specifies the URL filtering mode.
Use http when trying to match HTTP traffic with an HTTP host.
Use ssl when trying to match HTTPS or SSL traffic with an SNI host. SNI is relevant when trying to match SSL traffic without decryption.
Default: http
invert disable|enable
 
Specifies the filter logic.
Note: When using filter inversion for IPv6, the Neighbor Solicitations (NSol) are filtered out if no appropriate NSol filter was set up before inversion.
Values:
*enable — Inverts the filter logic: if the conditions of the filter are met, do not act; and if the conditions for the filter are not met, perform the assigned action.
*disable — Uses standard filter logic: if the conditions of the filter are met, act; and if the conditions for the filter are not met, do not perform the assigned action.
Default: disable
ena
 
Enables this filter.
dis
 
Disables this filter.
del
 
Deletes this filter.
cur
 
Displays the current configuration of the filter.
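The sip/smask range matching and the invert logic described in the entries above, modelled in Python as an added example (not Radware code and not part of the original guide). The Filter and Packet classes, the function names, the ascending-ID first-match search, contiguous masks, and the sample filters are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

PROTO = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17,   # names/numbers from the proto entry
         "icmp6": 58, "ospf": 89, "vrrp": 112, "sctp": 132}

@dataclass
class Filter:                # hypothetical model; defaults follow the page
    action: str = "allow"
    sip: str = "any"
    smask: str = ""          # IPv4 dotted mask or IPv6 prefix length
    proto: str = "any"
    dport: str = "any"       # "any", "22", or "8000-8080"
    invert: bool = False

@dataclass
class Packet:                # hypothetical minimal packet view
    src: str
    proto: int
    dport: int = 0

def ip_in_range(addr, base, mask):
    if base == "any":
        return True
    # An IPv4 address tested against an IPv6 range (or the reverse) is simply False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{base}/{mask}", strict=False)

def port_in_spec(port, spec):
    lo, _, hi = spec.partition("-")
    return spec == "any" or int(lo) <= port <= int(hi or lo)

def conditions_met(f, p):
    want = int(f.proto) if f.proto.isdigit() else PROTO.get(f.proto)
    proto_ok = f.proto == "any" or want == p.proto
    return proto_ok and ip_in_range(p.src, f.sip, f.smask) and port_in_spec(p.dport, f.dport)

def filter_acts(f, p):
    # invert disable: act when the conditions are met; invert enable: act when they are not
    return conditions_met(f, p) != f.invert

def first_action(filters, p):
    # Assumption: filters are searched in ascending ID order; the first one that acts wins
    for fid in sorted(filters):
        if filter_acts(filters[fid], p):
            return fid, filters[fid].action
    return None, None

# Constructed samples: an inverted deny that spares only SSH from 192.4.17.0/255.255.255.0,
# then the same filter preceded by an icmp6 allow (the NSol caveat on the invert entry)
MGMT_ONLY = {20: Filter("deny", "192.4.17.0", "255.255.255.0", "tcp", "22", invert=True)}
WITH_ICMP6 = {10: Filter("allow", proto="icmp6"), **MGMT_ONLY}
```

With MGMT_ONLY alone, an ICMPv6 packet fails the filter's conditions and is therefore denied by the inverted filter; in WITH_ICMP6 the lower-numbered allow filter acts on it first.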