ESR service routers. ESR-Series. Functionality description. Version 1.12.0
The router always has a security zone named 'self'. When the recipient of the traffic is the router itself, i.e. the traffic is not transit, specify the 'self' zone as the parameter. Create a zone pair for traffic coming from the 'WAN' zone into the 'self' zone. To let the router respond to ICMP requests from the 'WAN' zone, add a rule permitting ICMP traffic from R2 to the ESR router:
esr(config)# security zone-pair WAN self
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol icmp
esr(config-zone-pair-rule)# match destination-address WAN
esr(config-zone-pair-rule)# match source-address WAN_GATEWAY
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
Create a zone pair for traffic coming from the 'LAN' zone into the 'self' zone. To let the router respond to ICMP requests from the 'LAN' zone, add a rule permitting ICMP traffic from R1 to the ESR router:
esr(config)# security zone-pair LAN self
esr(config-zone-pair)# rule 1
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol icmp
esr(config-zone-pair-rule)# match destination-address LAN
esr(config-zone-pair-rule)# match source-address LAN_GATEWAY
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
esr(config)# exit
To view port membership in zones, use the following command:
esr# show security zone
To view zone pairs and their configuration, use the following commands:
esr# show security zone-pair
esr# show security zone-pair configuration
To view active sessions, use the following commands:
esr# show ip firewall sessions
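As an added example (not part of the Eltex manual or the ESR firmware), the following Python script parses a zone-pair configuration written in the CLI syntax shown above and audits the rules that permit traffic into the 'self' zone: it reports any permit rule that has no 'match protocol' restriction and any rule that was never enabled with 'enable' (such a rule has no effect). The configuration text is constructed for the example and assumes the indentation-free command form of the manual.

```python
import re

# Constructed excerpt in the ESR CLI syntax shown above (not a device dump); the LAN->self rule lacks 'match protocol' and 'enable' on purpose.
SAMPLE_CONFIG = """
security zone-pair WAN self
 rule 1
  action permit
  match protocol icmp
  match destination-address WAN
  match source-address WAN_GATEWAY
  enable
 exit
exit
security zone-pair LAN self
 rule 1
  action permit
  match destination-address LAN
  match source-address LAN_GATEWAY
 exit
exit
"""

def parse_zone_pairs(text):
    """Parse 'security zone-pair' blocks into {(src, dst): [rule dict, ...]}."""
    pairs, rules, rule = {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.fullmatch(r"security zone-pair (\S+) (\S+)", line):
            rules = pairs.setdefault((m[1], m[2]), [])
        elif m := re.fullmatch(r"rule (\d+)", line):
            rule = {"number": int(m[1]), "action": "deny", "match": {}, "enabled": False}
            rules.append(rule)
        elif m := re.fullmatch(r"action (permit|deny)", line):
            rule["action"] = m[1]
        elif m := re.fullmatch(r"match (\S+) (\S+)", line):
            rule["match"][m[1]] = m[2]          # e.g. protocol -> icmp
        elif line == "enable":
            rule["enabled"] = True              # 'exit' lines need no state change here
    return pairs

def audit_self_zone(pairs):
    """Flag permit rules into 'self' that are disabled or not restricted to a protocol."""
    findings = []
    for (src, dst), rules in pairs.items():
        for r in (r for r in rules if dst == "self" and r["action"] == "permit"):
            tag = f"{src}->self rule {r['number']}"
            if not r["enabled"]:
                findings.append(f"{tag}: permit rule is not enabled, so it has no effect")
            if "protocol" not in r["match"]:
                findings.append(f"{tag}: permits traffic to the router without a protocol match")
    return findings
```

Running `audit_self_zone(parse_zone_pairs(SAMPLE_CONFIG))` returns two findings, both for the LAN->self rule; the WAN->self rule passes.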
7.5.3 Configuration example of application filtering (DPI)
Using the application filtering mechanism reduces router performance several-fold, because every packet has to be inspected. Performance decreases further as the number of applications selected for filtering grows.