Stateful Firewall Thresholds

Thresholds generate alerts or alarms based on either the total number of Stateful Firewall calls set up by the system during the specified polling interval, or on the number of currently active calls only.

Alerts or alarms are triggered for call setups based on the following rules:
  • Enter condition: Actual number of call setups ≥ High Threshold
  • Clear condition: Actual number of call setups < Low Threshold

If a trigger condition occurs within the polling interval, the alert or alarm will not be generated until the end of the polling interval.

The default value is 0, which means there will be no monitoring.

The polling interval is in seconds and it is an integer between 30 and 60000. Entries will be rounded up to the nearest 30 seconds.
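
The rules above (enter at or above the high threshold, clear below the low threshold, evaluation only at the end of each polling interval, intervals rounded up to 30 seconds) can be modeled as follows. This is an added illustration, not code from the product documentation; the function names and sample timestamps are hypothetical, and treating an omitted clear value as equal to the high threshold is an assumption.

```python
# Added illustration: a model of the page's threshold rules, not vendor code.

def round_poll_interval(seconds):
    """Round an entered interval up to a multiple of 30 s (valid: 30-60000)."""
    if not 30 <= seconds <= 60000:
        raise ValueError("polling interval must be between 30 and 60000 seconds")
    return -(-seconds // 30) * 30  # integer ceiling division

def alarm_timeline(event_times, entered_interval, duration, high, low=None):
    """Return (time, action, count) tuples for one monitored counter.

    event_times: seconds at which a counted event occurred.
    duration: length of the observation window in seconds.
    """
    if high == 0:
        return []  # default value 0 means no monitoring
    if low is None:
        low = high  # assumption: without "clear", the high value also clears
    interval = round_poll_interval(entered_interval)
    polls = duration // interval  # only completed intervals are evaluated
    counts = [0] * polls
    for t in event_times:
        if 0 <= t < polls * interval:
            counts[t // interval] += 1
    timeline, active = [], False
    for i, count in enumerate(counts):
        end_of_interval = (i + 1) * interval  # nothing is reported earlier
        if not active and count >= high:      # enter condition
            active = True
            timeline.append((end_of_interval, "raise", count))
        elif active and count < low:          # clear condition
            active = False
            timeline.append((end_of_interval, "clear", count))
    return timeline

# Constructed sample: timestamps (s) of dropped packets, not real data.
SAMPLE_DROPS = [5, 20, 50, 61, 62, 70, 88, 90, 119, 130, 150, 170, 200]

if __name__ == "__main__":
    # Models: threshold poll fw-drop-packet interval 45
    #         threshold fw-drop-packet 5 clear 2
    for when, action, count in alarm_timeline(SAMPLE_DROPS, 45, 300, 5, 2):
        print(f"t={when}s {action} (count in interval: {count})")
```

With a low threshold of 2, the third interval (count 3) keeps the alarm active because the count sits between the two thresholds; the gap between them is what prevents the alarm from flapping.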

Configuring Stateful Firewall Thresholds

This section describes how to enable and configure Stateful Firewall thresholds.

Enabling Thresholds

To enable thresholds, use the following configuration:

configure 
 threshold monitoring firewall 
 end 

Configuring Threshold Polling Intervals

To configure threshold polling intervals, use the following configuration:

configure 
 threshold poll fw-deny-rule interval <interval> 
 threshold poll fw-dos-attack interval <interval> 
 threshold poll fw-drop-packet interval <interval> 
 threshold poll fw-no-rule interval <interval> 
 end 

Configuring Threshold Limits

To configure threshold limits, use the following configuration:

configure 
 threshold fw-deny-rule <high_thresh> [ clear <low_thresh> ]  
 threshold fw-dos-attack <high_thresh> [ clear <low_thresh> ]  
 threshold fw-drop-packet <high_thresh> [ clear <low_thresh> ]  
 threshold fw-no-rule <high_thresh> [ clear <low_thresh> ]  
 end 

Saving Your Configuration

When you configure thresholds, they are not permanent unless you save the changes. When you have completed configuring thresholds, save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.