What are Traffic Management Filters?
Traffic Management Filters react to traffic based on a limited set of parameters, including source and destination IP address, port, protocol, or other defined values. As an example, you might define the following Traffic Management Filters for web servers in a lab that must deny access to external users:
- Block traffic if the source is on an external subnet, the destination port is 80, and the destination is the IP address of your web server.
- Block traffic if the source is your web server, the source port is 80, and the destination is any external subnet.
When large numbers of TMFs must be entered, it can be more efficient to paste the commands into the IPS CLI than to enter each TMF manually through the SMS or LSM graphical user interface (GUI). Once the process is complete, the profile containing the TMFs can be imported into the SMS. TMFs can only be entered from the SMS/LSM GUI or the IPS CLI.
The TippingPoint IPS device handles the creation of Traffic Management Filters (from either the LSM or the CLI) a bit differently than the SMS. Creation of TMFs from the IPS device requires a separate Traffic Management Profile with Virtual Segments assigned to it in order to assign ports and directionality. You can create a different Traffic Management Profile for different segments, and these TM Profiles can contain multiple Traffic Management Filters.
Note: When importing the Traffic Management Profile from the IPS, you will see both a Security Profile and a Traffic Management Profile assigned to a segment on the LSM. Importing the profile into the SMS will in fact merge both profiles under the name of the Security Profile. There will not be a second profile with the name you assigned to the Traffic Management Profile once the import is complete. Instead, the Traffic Management Rules will be moved to the Traffic Management section of the Security Profile.
The process to enable TMFs from the IPS CLI requires the following steps:
1. Create Traffic Management Profile
2. Add segments (ports) to Traffic Management Profile
3. Create Traffic Management Filters
4. Assign "Actions" to Traffic Management Filters
A. Create Traffic Management Profile
1. Login to the IPS device CLI via SSH.
2. Remove the IPS device from SMS control (if required):
conf t no sms
3. Create a Traffic Management Profile with the following CLI command:
conf t profile <profile name> traffic-mgmt
You can also append a description with the -description option:
conf t profile <profile name> -description "<description>"
B. Add segments (ports) to Traffic Management Profile
4. Add segments (ports) with the following CLI command:
conf t profile <profile name> add-pair <IN Port> <OUT Port>
For example, add-pair 2A 2B. You can also add the reverse pair (2B 2A) to ensure bi-directionality.
Now that we've created the Traffic Management Profile and assigned ports and directionality, we can begin adding the Traffic Management Filters. Note that the profile name to which the commands below refer is the Traffic Management Profile just created.
C. Create Traffic Management Filters
5. Create the required TMFs with the following CLI command:
conf t traffic-mgmt
You can create ICMP, ICMPv6, IP, IPv6, TCP, or UDP filters, or use ANY for all traffic. Likewise, you can specify source and destination IP addresses and ports. Each rule also requires a unique name; most people simply describe the rule with a short phrase. For example:
conf t traffic-mgmt '<FilterName>' -profile '<ProfileName>' -srcaddr <Source IP> -destaddr <Dest IP> <Protocol> -srcport <Source Port> -destport <Dest Port>
conf t traffic-mgmt 'Controller2-4' -profile 'TestProfile' -srcaddr 10.10.10.1 -destaddr 10.10.10.2 tcp -srcport any -destport any
You can also use CIDR addressing for these rules, and you can add an IP fragment tag if only fragments need to be managed. This tag, -ip-frag-only, goes immediately after the IP protocol specification in the command. Note that a filter matches only one direction: to ensure traffic is trusted in both directions, two rules must be entered, swapping the source and destination addresses.
D. Assign "Actions" to Traffic Management Filters
6. Assign actions and priorities with the following CLI commands:
Once a Traffic Management Filter has been created, it must be modified by a corresponding subcommand (action).
Subcommands (Actions) include allow, block, trust, position, rate-limit and delete. Allow permits all traffic as a permit filter would. Block drops the traffic just as a block action would. A trust action allows that traffic to flow completely uninspected. Trust is the most common action used.
conf t traffic-mgmt <FilterName> -profile <ProfileName> <subcommand>
You can delete a filter using the delete subcommand.
conf t traffic-mgmt <FilterName> [-profile <profile>] delete
Change the rule priority within the profile by using the position <number> subcommand.
conf t traffic-mgmt <FilterName> [-profile <profile>] position <number>
Rate limit the filter using a previously defined rate-limit action set: rate-limit <action set name>.
conf t traffic-mgmt <FilterName> [-profile <profile>] rate-limit <action set name>
Using these guidelines, the user can develop a schema for trusts in Notepad or another editor that allows for review and editing before pasting the commands one at a time into the CLI.
7. Return the IPS device to SMS control (if required):
conf t sms
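The bulk-entry workflow described above (draft the trust rules in an editor, then paste them into the CLI) as an added example, not TippingPoint's own tooling: a POSIX shell script that emits the profile, both segment-pair orders, and the two filter-plus-trust command pairs each bidirectional trust needs. The profile name LabTrust, the segment pair 2A/2B, and the addresses in PAIRS are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the TippingPoint docs): build a paste-ready batch of
# TMF CLI lines for bidirectional trust rules. Profile name, segment pair and
# host pairs are constructed placeholders; adjust them for your own IPS.

PROFILE="LabTrust"           # hypothetical Traffic Management Profile name
SEG_IN="2A"; SEG_OUT="2B"    # hypothetical segment pair for add-pair

# Constructed sample input, one rule per line: "<name> <src> <dst> <protocol>"
PAIRS='Backup-to-NAS 10.10.10.1 10.10.20.5 tcp
Monitor-to-SW 10.10.30.0/24 10.10.10.0/24 ip'

# gen_profile: one-time profile creation plus both port orders, so the
# profile covers traffic entering on either side of the segment.
gen_profile() {
  printf "conf t profile %s traffic-mgmt\n" "$PROFILE"
  printf "conf t profile %s add-pair %s %s\n" "$PROFILE" "$SEG_IN" "$SEG_OUT"
  printf "conf t profile %s add-pair %s %s\n" "$PROFILE" "$SEG_OUT" "$SEG_IN"
}

# gen_tmf NAME SRC DST PROTO: create the filter, then apply the trust
# subcommand, for the forward direction and again with src/dst swapped
# (a TMF only matches one direction, so a trust needs two rules).
gen_tmf() {
  name=$1; src=$2; dst=$3; proto=$4
  case "$proto" in                 # port options only make sense for tcp/udp
    tcp|udp) ports=" -srcport any -destport any" ;;
    *)       ports="" ;;
  esac
  for dir in fwd rev; do
    if [ "$dir" = fwd ]; then a=$src; b=$dst; n=$name
    else a=$dst; b=$src; n="$name-rev"; fi
    printf "conf t traffic-mgmt '%s' -profile '%s' -srcaddr %s -destaddr %s %s%s\n" \
      "$n" "$PROFILE" "$a" "$b" "$proto" "$ports"
    printf "conf t traffic-mgmt '%s' -profile '%s' trust\n" "$n" "$PROFILE"
  done
}

# gen_all: the full batch in the order the CLI expects (profile, segments,
# filters, actions); review the output before pasting it into the IPS CLI.
gen_all() {
  gen_profile
  printf '%s\n' "$PAIRS" | while read -r name src dst proto; do
    if [ -n "$name" ]; then gen_tmf "$name" "$src" "$dst" "$proto"; fi
  done
}

gen_all
```

Run it once with `conf t no sms` already issued and review the output before pasting; the script does not contact the device itself.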
Security Management System (SMS) User Guide
Local Security Manager (LSM) User Guide
Command Line Interface (CLI) Reference