/cfg/slb/filt <filter number>/adv/security
SLB Filter Advanced Security Menu
 
[Security Menu]
ratelim - Rate Limiting Menu
addgrp - Add pattern match group for layer 7 filtering
remgrp - Remove pattern match group for layer 7 filtering
pmatch - Enable/disable pattern matching
matchall - Enable/disable match-all criteria for layer 7 filtering
parsechn - Enable/disable chained pgroup match criteria for l7 filtering
parseall - Enable/disable pattern string lookup (parsing) of all packets
cur - Display current Security configuration
 
Layer 7 Advanced Filter Menu Options (/cfg/slb/filt/adv/security) 
Command Syntax and Usage
ratelim
 
Protocol-based rate limiting limits the traffic coming from specific clients based on the IP address of the client. This lets Alteon detect and block UDP or ICMP-based DoS attacks that slow down or incapacitate the servers. Rate limiting can be enabled on TCP, UDP, and ICMP protocols.
addgrp <pattern match group id>
 
Adds a pattern group to this filter.
When a virus or other attack contains multiple patterns or strings, it is useful to combine them into one group and give the group a name that is easy to remember. When a pattern group is applied to a deny filter, Alteon matches any of the strings or patterns within that group before denying and dropping the packet. Up to five (5) patterns can be combined into a single pattern group. Configure the binary or ASCII pattern strings, group them into a pattern group, name the pattern group, and then apply the group to a filter.
The filtering commands enable the administrator to define patterns and place them into groups. When the patterns and groups are applied to a deny filter, Alteon can detect the matching packet content and deny those packets access to the network.
Alteon supports up to 1024 pattern groups.
Note: The pattern group matching feature is available only if you have purchased and enabled the Advanced Denial of Service Protection software key.
remgrp <pattern match group id>
 
Removes a pattern group from this filter.
pmatch <disable|enable>
 
Specifies whether to enable binary pattern matching on this filter.
Pattern matching scans incoming packets for patterns contained in some well-known TCP or UDP attacks on back-end servers. You can configure Alteon with one or more filters that scan the first IP packet and drop it if it contains one or all of the configured patterns. If no match is found, Alteon allows the packets through.
Note: The ability to match and perform filter action on a pattern or group of patterns is available only when you enable the Security Pack software.
Default: disable
matchall <disable|enable>
 
Specifies whether to enable matching of all configured pattern strings before the filter can perform the Layer 7 deny action.
Default: disable
parsechn <enable|disable>
 
Specifies whether to enable chained pattern group match criteria for Layer 7 filtering.
Default: disable
parseall <disable|enable>
 
Specifies whether to parse all packets or transactions in a session where Layer 7 parsing is being performed.
This field is relevant for legacy Layer 7 lookup and content classes.
Values:
* disable — Alteon performs Layer 7 matching only on the first transaction. The rest of the transactions are not examined.
* enable — Alteon performs Layer 7 matching on all transactions in a session. Each transaction can be matched to a different filter.
Default: disable
Note: When working in force proxy mode, Alteon performs parsing per transaction.
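The following Python model is an added example, not Alteon code or output. It shows how the pmatch, matchall, and parseall settings described above combine to decide which transaction in a session, if any, triggers the deny action. Assumptions: the class and function names are hypothetical, matchall is modelled as requiring every pattern in the filter's attached groups, parsechn and force proxy mode are not modelled, and the sample session is constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MAX_PATTERNS = 5  # per-group limit stated on this page

@dataclass
class PatternGroup:
    name: str
    patterns: List[bytes]

    def __post_init__(self):
        if not 1 <= len(self.patterns) <= MAX_PATTERNS:
            raise ValueError("a pattern group holds 1 to 5 patterns")

@dataclass
class DenyFilter:
    groups: List[PatternGroup] = field(default_factory=list)
    pmatch: bool = False    # documented default: disable
    matchall: bool = False  # documented default: disable
    parseall: bool = False  # documented default: disable

    def hits(self, payload: bytes) -> bool:
        """True if this payload meets the filter's pattern criteria."""
        patterns = [p for g in self.groups for p in g.patterns]
        if not self.pmatch or not patterns:
            return False
        # Assumption: matchall means every pattern must be present.
        quantifier = all if self.matchall else any
        return quantifier(p in payload for p in patterns)

    def first_denied(self, session: List[bytes]) -> Optional[int]:
        """Index of the first transaction that triggers deny, else None."""
        # parseall disabled: only the first transaction is examined.
        examined = session if self.parseall else session[:1]
        for index, payload in enumerate(examined):
            if self.hits(payload):
                return index
        return None

# Constructed sample data: placeholder markers, not real attack signatures.
GROUP = PatternGroup("demo", [b"MARK-A", b"MARK-B"])
SESSION = [b"plain request", b"xx MARK-A xx", b"MARK-A then MARK-B"]

if __name__ == "__main__":
    for opts in ({}, {"pmatch": True}, {"pmatch": True, "parseall": True},
                 {"pmatch": True, "parseall": True, "matchall": True}):
        print(opts, "->", DenyFilter(groups=[GROUP], **opts).first_denied(SESSION))
```

With the documented defaults nothing is inspected; with pmatch enabled but parseall disabled, only the first transaction is checked, so later transactions in the same session pass without inspection.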
cur
 
Displays the current configuration.