How do I create Traffic Management Filters from the TPS CLI?

Product / Version includes:

TippingPoint Virtual TPSAll

Last updated: 2024/04/18

Solution ID: KA-0010051

Category: Configure , Troubleshoot , Deploy

Summary

What are Traffic Management Filters?

Traffic Management Filters react to traffic based on a limited set of parameters including source and destination IP address, port, protocol, or other defined values. As an example, you might define the following Traffic Management Filters for your web servers in a lab that denies access to external users:

Block traffic if the source is on an external subnet that arrives through port 80 and is destined for the IP address of your web server.
Block traffic if the source is your web server, the source port is 80, and the destination is any external subnet.

In some instances where there is a requirement to enter large numbers of TMFs, it may be more efficient to copy/paste these commands into the CLI vs. entering each TMF manually via the SMS/LSM Graphical User Interface (GUI). Once the process has been completed, the profile with the TMFs can be imported into the SMS. TMFs can only be entered from the SMS/LSM GUI or the TPS CLI

The TippingPoint TPS device handles the creation of Traffic Management Filters (from either the LSM or the CLI) a bit differently than the SMS. The creation of TMFs from the TPS device requires a separate Traffic Management Profile with Virtual Segments assigned to it in order to assign ports and directionality. You can create a different Traffic Management Profile for different segments, and these TM Profiles can contain multiple Traffic Management Filters.

Note: When importing the Traffic Management Profile from the IPS, you will see both a Security Profile and a Traffic Management Profile assigned to a segment on the LSM. Importing the profile into the SMS will, in fact, merge both profiles under the name of the Security Profile. There will not be a second profile with the name you assigned to the Traffic Management Profile once the import is complete. Instead, the Traffic Management Rules will be moved to the Traffic Management section of the Security Profile.

The process to enable TMFs from the TPS CLI requires the following steps;

Create Traffic Management Profile
Create Traffic Management Filters
Assign "Actions" to Traffic Management Filters
Add Traffic Management Profile to virtual segments

A. Create Traffic Management Profile

SSH to the device
If required, remove the TPS device from SMS control (sms unmanage)
To display the current configuration enter display conf running traffic-management
Create the required TMFs with the following CLI command;
1. edit - enter edit context to make configuration changes
2. traffic-management - enter traffic-management profile context
3. profile ‘<ProfileName>’ - create/enter profile

Additional commands are:

delete profile ‘<ProfileName>’
rename profile ‘<ProfileName>’ ‘<NewProfileName>’

B. Create Traffic Management Filters

You can create ICMP, ICMPv6, IP, IPV6, TCP, UDP filters, or use ANY for all traffic. Likewise, you can specify a source and destination IP addresses and ports. Each rule also requires a unique name, where most people simply describe the rule with a short phrase.

traffic-filter '<FilterName>' - create/enter traffic filter

Additional commands are:

ip ipv4 [src-address IPV4-SRC-CIDR] [dst-address IPV4-DST-CIDR]
ip ipv6 [src-address IPV6-SRC-CIDR] [dst-address IPV6-DST-CIDR]
protocol any [ip-fragments-only]
protocol tcp|udp [src-port SRCPORT] [dst-port DSTPORT]
protocol icmp [type ICMPTYPE] [code ICMPCODE]

C. Assign “Actions” to Traffic Management Filters

Once a Traffic Management Filter has been created, it must be modified by a corresponding subcommand (action). Subcommands (Actions) include allow, block, trust, and rate-limit. Allow permits all traffic as a permit filter would. Block drops the traffic just as a block action would. A trust action allows traffic to flow completely uninspected. Trust is the most common action used.

Valid commands are:

action block|allow|trust|(rate-limit RATELIMITACTION)
enable|disable

D. Add segments (ports) to Traffic Management Profile

Now that we've created the Traffic Management Profile and assigned ports and directionality, we can add the TFM profile to a virtual segment.

edit - enter edit context to make configuration changes
virtual-segments - enter virtual segments context
Select the virtual segment that will be linked to the Traffic Management profile. For example virtual-segment "segment4-5 (A > B)"
Once in the virtual segment context for the particular segment enter;

traffic-profile ‘<ProfileName>’

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

How do I create Traffic Management Filters from the TPS CLI?

How do I create Traffic Management Filters from the TPS CLI?

Product / Version includes:

Summary