```
[Security Menu]
     ratelim  - Rate Limiting Menu
     addgrp   - Add pattern match group for layer 7 filtering
     remgrp   - Remove pattern match group for layer 7 filtering
     pmatch   - Enable/disable pattern matching
     matchall - Enable/disable match-all criteria for layer 7 filtering
     parsechn - Enable/disable chained pgroup match criteria for l7 filtering
     parseall - Enable/disable pattern string lookup (parsing) of all packets
     cur      - Display current Security configuration
```

Command Syntax and Usage | |
---|---|
ratelim | |
Displays the Rate Limiting menu. To view this menu, see /cfg/slb/filt <filter number>/adv/security/ratelim Advanced Security Rate Limiting Configuration Menu. Protocol-based rate limiting limits the traffic coming from specific clients based on the IP address of the client. This lets Alteon detect and block UDP-based or ICMP-based DoS attacks that slow down or incapacitate the servers. Rate limiting can be enabled for the TCP, UDP, and ICMP protocols. | |
addgrp <pattern match group id> | |
Adds a pattern group to this filter. When a virus or other attack contains multiple patterns or strings, it is useful to combine them into one group and give the group a name that is easy to remember. When a pattern group is applied to a deny filter, Alteon matches any of the strings or patterns within that group before denying and dropping the packet. Up to five (5) patterns can be combined into a single pattern group. Configure the binary or ASCII pattern strings, group them into a pattern group, name the pattern group, and then apply the group to a filter. The filtering commands enable the administrator to define patterns and place them into groups. When the patterns and groups are applied to a deny filter, matching packet content is detected and the packet is denied access to the network. Alteon supports up to 1024 pattern groups. Note: The pattern group matching feature is available only if you have purchased and enabled the Advanced Denial of Service Protection software key. | |
remgrp <pattern match group id> | |
Removes a pattern group from this filter. | |
pmatch <disable|enable> | |
Specifies whether to enable binary pattern matching on this filter. Pattern matching scans ingress packets for patterns contained in some well-known TCP or UDP attacks on back-end servers. You can configure Alteon with one or more filters that scan the first IP packet and drop it if it contains one or all of the configured patterns. If no match is found, Alteon allows the packets through. Note: The ability to match and perform filter action on a pattern or group of patterns is available only when you enable the Security Pack software. Default: disable | |
matchall <disable|enable> | |
Specifies whether to enable matching of all configured pattern strings before the filter can perform the Layer 7 deny action. Default: disable | |
parsechn <enable|disable> | |
Specifies whether to enable chained pattern group match criteria for Layer 7 filtering. Default: disable | |
parseall <disable|enable> | |
Specifies whether to parse all packets or transactions in a session where Layer 7 parsing is being performed. This field is relevant for legacy Layer 7 lookup and content classes. Default: disable Note: When working in force proxy mode, Alteon performs parsing per transaction. | |
cur | |
Displays the current configuration. |
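
The interaction of pmatch, matchall and the five-pattern group limit described in the table above, as an added Python model that is not Alteon code and not part of the original documentation. The class names, sample patterns and payloads are constructed for illustration, and treating matchall as "every string in every attached group must be present" is an assumption.

```python
from dataclasses import dataclass, field

MAX_PATTERNS_PER_GROUP = 5   # "Up to five (5) patterns" per group, per the page

@dataclass
class PatternGroup:
    """Named set of binary or ASCII strings (hypothetical model class)."""
    name: str
    patterns: list

    def __post_init__(self):
        if not 1 <= len(self.patterns) <= MAX_PATTERNS_PER_GROUP:
            raise ValueError(f"group {self.name!r}: 1..{MAX_PATTERNS_PER_GROUP} patterns allowed")
        # Store everything as bytes so ASCII and binary patterns compare alike.
        self.patterns = [p.encode("ascii") if isinstance(p, str) else bytes(p)
                         for p in self.patterns]

@dataclass
class DenyFilter:
    """Deny filter with the pmatch / matchall switches from the menu."""
    groups: list = field(default_factory=list)   # attached with addgrp
    pmatch: bool = False                         # default: disable
    matchall: bool = False                       # default: disable

    def denies(self, first_packet_payload: bytes) -> bool:
        """True if the Layer 7 deny action would fire for this payload."""
        if not self.pmatch or not self.groups:
            return False
        hits = [p in first_packet_payload for g in self.groups for p in g.patterns]
        # Assumption: matchall requires every configured string to be present;
        # with matchall disabled a single matching string is enough.
        return all(hits) if self.matchall else any(hits)

def evaluate(payloads, flt):
    """Return the deny decision for each constructed payload."""
    return [flt.denies(p) for p in payloads]

# Constructed sample data: not real attack signatures or captured traffic.
GROUP = PatternGroup("sample-worm", ["SAMPLE-MARKER-A", b"\x00\x01\xfe\xff"])
PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\n",                    # neither pattern
    b"xxSAMPLE-MARKER-Axx",                             # one pattern
    b"SAMPLE-MARKER-A....\x00\x01\xfe\xff",             # both patterns
]

if __name__ == "__main__":
    for matchall in (False, True):
        flt = DenyFilter(groups=[GROUP], pmatch=True, matchall=matchall)
        print(f"matchall={'enable' if matchall else 'disable'}:", evaluate(PAYLOADS, flt))
```

In this model, enabling matchall narrows the deny action: the payload carrying only one of the two strings is dropped with matchall disabled and passed with it enabled, which is worth checking against the signatures in a group before changing the setting.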