13.4.1 Configuration algorithm
Step Description Command Keys
1 Create security zones. esr(config)# security zone <zone-
name1>
esr(config)# security zone <zone-
name2>
<zone-name> – up to 12
characters.
2 Specify a security zone description. esr(config-zone)# description
<description>
<description> – up to 255
characters..
3 Specify VRF instance, in which the
given security zone will operate
(optional).
esr(config- zone)# ip vrf
forwarding <VRF>
<VRF> – VRF name, set by the
string of up to 31 characters.
4 Enable session counters for NAT and
Firewall (optional, may reduce the
performance).
esr(config)# ip firewall sessions
counters
5 Disable filtration of packets for which it
was not possible to determine
belonging to any known connection and
which are not the beginning of a new
connection (optional, may reduce the
performance).
esr(config)# ip firewall sessions
allow-unknown
6 Select firewall operation mode
(optional)
The firewall by application list is
possible only in stateless mode
esr(config)# ip firewall mode
<MODE>
<MODE> – firewall operation
mode, may take the following
values: stateful, stateless.
Default value: stateful
7 Determine the session lifetime for
unsupported protocols (optional).
esr(config)# ip firewall sessions
generic-timeout <TIME>
<TIME> – session lifetime for
unsupported protocols, takes
values in seconds [1..8553600].
Default value: 60 seconds.
8 Determine ICMP session lifetime after
which it is considered to be outdated
(optional).
esr(config)# ip firewall sessions
icmp-timeout <TIME>
<TIME> – ICMP session
lifetime, takes values in
seconds [1..8553600].
Default value: 30 seconds.
9 Determine ICMPv6 session lifetime
after which it is considered to be
outdated (optional).
esr(config)# ip firewall sessions
icmpv6-timeout <TIME>
<TIME> – ICMP session
lifetime, takes values in
seconds [1..8553600].
Default value: 30 seconds.
To Next Page
Loading...
