
How do I create Traffic Management Filters from the TPS CLI?

    • Updated: 15 Nov 2019
    • Product/Version: TippingPoint TPS All; TippingPoint TX-Series All; TippingPoint Virtual TPS All

Summary

What are Traffic Management Filters?

Traffic Management Filters react to traffic based on a limited set of parameters including source and destination IP address, port, protocol, or other defined values. As an example, you might define the following Traffic Management Filters for web servers in a lab to deny access to external users:

  • Block traffic if the source is on an external subnet that arrives through port 80 and is destined for the IP address of your web server.
  • Block traffic if the source is your web server, the source port is 80, and the destination is any external subnet.

Where large numbers of Traffic Management Filters (TMFs) must be entered, it may be more efficient to copy and paste the commands into the CLI than to enter each TMF manually via the SMS/LSM Graphical User Interface (GUI). Once the process has been completed, the profile with the TMFs can be imported into the SMS. TMFs can only be entered from the SMS/LSM GUI or the TPS CLI.

The TippingPoint TPS device handles the creation of Traffic Management Filters (from either the LSM or the CLI) a bit differently than the SMS. The creation of TMFs from the TPS device requires a separate Traffic Management Profile with Virtual Segments assigned to it in order to assign ports and directionality. You can create a different Traffic Management Profile for different segments, and these TM Profiles can contain multiple Traffic Management Filters.

Note: When importing the Traffic Management Profile from the IPS, you will see both a Security Profile and a Traffic Management Profile assigned to a segment on the LSM. Importing the profile into the SMS will, in fact, merge both profiles under the name of the Security Profile. There will not be a second profile with the name you assigned to the Traffic Management Profile once the import is complete. Instead, the Traffic Management Rules will be moved to the Traffic Management section of the Security Profile.

The process to enable TMFs from the TPS CLI requires the following steps:

  1. Create Traffic Management Profile
  2. Create Traffic Management Filters
  3. Assign "Actions" to Traffic Management Filters
  4. Add Traffic Management Profile to virtual segments
Details

A. Create Traffic Management Profile

  1. SSH to the device.
  2. If required, remove the TPS device from SMS control (sms unmanage).
  3. To display the current configuration, enter: display conf running traffic-management
  4. Create the required TMFs with the following CLI commands:
    1. edit - enter edit context to make configuration changes
    2. traffic-management - enter traffic-management profile context
    3. profile '<ProfileName>' - create/enter profile

Additional commands are:

  • delete profile '<ProfileName>'
  • rename profile '<ProfileName>' '<NewProfileName>'

B. Create Traffic Management Filters

You can create ICMP, ICMPv6, IP, IPv6, TCP, or UDP filters, or use ANY for all traffic. Likewise, you can specify source and destination IP addresses and ports. Each rule also requires a unique name; most people simply describe the rule with a short phrase.

traffic-filter '<FilterName>' - create/enter traffic filter

Additional commands are:

  • ip ipv4 [src-address IPV4-SRC-CIDR] [dst-address IPV4-DST-CIDR]
  • ip ipv6 [src-address IPV6-SRC-CIDR] [dst-address IPV6-DST-CIDR]
  • protocol any [ip-fragments-only]
  • protocol tcp|udp [src-port SRCPORT] [dst-port DSTPORT]
  • protocol icmp [type ICMPTYPE] [code ICMPCODE]

C. Assign “Actions” to Traffic Management Filters

Once a Traffic Management Filter has been created, it must be modified by a corresponding subcommand (action). Subcommands (Actions) include allow, block, trust, and rate-limit. Allow permits all traffic as a permit filter would. Block drops the traffic just as a block action would. A trust action allows traffic to flow completely uninspected. Trust is the most common action used.

Valid commands are:

  • action block|allow|trust|(rate-limit RATELIMITACTION)
  • enable|disable

D. Add segments (ports) to Traffic Management Profile

Now that we've created the Traffic Management Profile and assigned ports and directionality, we can add the TMF profile to a virtual segment.

  1. edit - enter edit context to make configuration changes
  2. virtual-segments - enter virtual segments context
  3. Select the virtual segment that will be linked to the Traffic Management profile. For example: virtual-segment "segment4-5 (A > B)"
  4. Once in the virtual segment context for the particular segment, enter:

traffic-profile '<ProfileName>'
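
The bulk copy/paste workflow from the Summary, applied to sections A to D, as an added example (not Trend Micro's code): a Python generator that validates a rule list and emits paste-ready CLI lines using only the command forms listed in this article. The function names, the Lab-TM profile and the sample rules are constructed for illustration, and the exit lines assume that "exit" leaves the current CLI context, which the article does not show.

```python
import ipaddress

ACTIONS = {"block", "allow", "trust"}   # rate-limit left out: it needs a named rate-limit action
PROTOCOLS = {"any", "tcp", "udp", "icmp"}
# Constructed sample rules for the article's lab web-server example (documentation address ranges).
WEB_RULES = [
    {"name": "ext-to-web-80", "src": "203.0.113.0/24", "dst": "192.0.2.10/32",
     "protocol": "tcp", "dst-port": 80, "action": "block"},
    {"name": "web-80-to-ext", "src": "192.0.2.10/32", "dst": "203.0.113.0/24",
     "protocol": "tcp", "src-port": 80, "action": "block"},
]

def quoted(value, quote="'"):
    """Quote a name; reject characters that would end the quoting or start a new command."""
    if not value or any(c in value for c in "'\"\r\n"):
        raise ValueError(f"unsafe name: {value!r}")
    return f"{quote}{value}{quote}"

def filter_commands(rule):
    """CLI lines for one traffic filter (sections B and C)."""
    src = ipaddress.ip_network(rule["src"])   # ValueError on malformed CIDR or host bits set
    dst = ipaddress.ip_network(rule["dst"])
    if src.version != dst.version:
        raise ValueError("source and destination must use the same IP version")
    if rule["protocol"] not in PROTOCOLS or rule["action"] not in ACTIONS:
        raise ValueError(f"unsupported protocol or action in {rule['name']!r}")
    proto = f"protocol {rule['protocol']}"
    for key in ("src-port", "dst-port"):
        if key in rule:
            if rule["protocol"] not in ("tcp", "udp") or not 0 < int(rule[key]) < 65536:
                raise ValueError(f"bad {key} in {rule['name']!r}")
            proto += f" {key} {int(rule[key])}"
    return [f"traffic-filter {quoted(rule['name'])}",
            f"ip ipv{src.version} src-address {src} dst-address {dst}",
            proto, f"action {rule['action']}", "enable",
            "exit"]   # assumption: 'exit' leaves the filter context (not shown in the article)

def build_script(profile, segment, rules):
    """Paste-ready lines for sections A to D: profile, filters, virtual segment."""
    if len({r["name"] for r in rules}) != len(rules):
        raise ValueError("filter names must be unique")
    seg = quoted(segment, '"')
    lines = ["edit", "traffic-management", f"profile {quoted(profile)}"]
    for rule in rules:
        lines += filter_commands(rule)
    return lines + ["exit", "exit",   # assumption: back out to the edit context
                    "virtual-segments", f"virtual-segment {seg}",
                    f"traffic-profile {quoted(profile)}"]

if __name__ == "__main__":
    print("\n".join(build_script("Lab-TM", "segment4-5 (A > B)", WEB_RULES)))
```

Committing and saving the configuration are not covered by the article, so the generator does not emit commands for them.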

Category: Configure; Troubleshoot; Deploy
Solution Id: TP000154701