Configuration Guide 6. SPI Firewall
Version 7.2 25 Security Setup
6 SPI Firewall
The device provides a built-in firewall feature. The firewall allows or denies traffic using a
rule set. The firewall rules are set using ACLs. The firewall can be session-aware or
stateless. There are two modes of firewall: manual and automatic. To configure the firewall
in automatic mode, use the following commands:
Table 6-1: Firewall - Automatic Mode
Command | Description
 | Enter the data configuration menu.
(config-data)# interface gigabitethernet 0/0 | Enter the interface.
(conf-if-GE 0/0)# firewall enable | Enables the firewall.
(conf-if-GE 0/0)# no firewall enable | Disables the firewall.
An automatic firewall performs stateful packet inspection: it keeps track of the state of
each connection and drops inbound protocol data units that do not belong to a known
connection. For example, if a user initiates an HTTP request to a server on the WAN
(anything connected to the WAN interface), the device allows that server to respond to the
user.
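The following is an added illustration, not part of the configuration guide or the device firmware: a toy stateful inspection engine that models the automatic-mode behaviour just described, so that the HTTP example can be traced step by step. All addresses and ports are constructed sample values.

```python
# Added example (not part of the configuration guide): a toy stateful packet
# inspection engine modelling the automatic-mode behaviour described above.
# Addresses and ports are constructed sample values (RFC 5737 ranges).
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class SPIFirewall:
    """LAN-initiated flows are recorded; WAN traffic is accepted only when it
    is the reverse direction of a recorded flow, otherwise it is dropped."""

    def __init__(self):
        self.sessions = set()  # known connections as LAN->WAN 5-tuples

    def outbound(self, p):
        """LAN -> WAN packet: permitted, and its session becomes known."""
        self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "permit"

    def inbound(self, p):
        """WAN -> LAN packet: permitted only as a reply to a known session."""
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "permit" if reverse in self.sessions else "drop"


def demo():
    """The HTTP example from the text, plus traffic no session accounts for."""
    fw = SPIFirewall()
    user, server, other = "192.168.0.10", "203.0.113.5", "198.51.100.7"
    return {
        # the user opens an HTTP connection to a server on the WAN
        "user_to_server": fw.outbound(Packet("tcp", user, 51000, server, 80)),
        # the server's reply belongs to that connection and is let through
        "server_reply": fw.inbound(Packet("tcp", server, 80, user, 51000)),
        # same ports from a different host: no matching session, dropped
        "other_host_port80": fw.inbound(Packet("tcp", other, 80, user, 51000)),
        # a new connection attempt from the WAN: dropped
        "unsolicited": fw.inbound(Packet("tcp", other, 40000, user, 22)),
    }
```

The third case is the point of session awareness: a stateless ACL that permits inbound TCP from source port 80 would accept it, while the session table does not.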
To configure a manual firewall, define ACLs and apply them to an interface in the IN or OUT
direction. The firewall can only be configured on Layer-3 interfaces.
Table 6-2: Firewall – Manual Configuration
Command | Description
 | Enter the data configuration menu.
(config-data)# interface gigabitethernet 0/0 | Enter the interface.
(conf-if-GE 0/0)# ip access-group name {in|out} | Apply an access-list to the interface (inbound or outbound).
(conf-if-GE 0/0)# no ip access-group name {in|out} | Remove an access-list from the interface (inbound or outbound).
To view whether the firewall "caught" packets, use the following command:
Table 6-3: Firewall – Verification
Command | Description
 | Displays all access lists and the packets that have been caught.
# show data ip access-list FW_out | Displays a specific ACL and the packets caught.