-- Copyright (C) 2006-2012 Aricent Group . All Rights Reserved

-- $Id: fsfwl.mib,v 1.19 2016/02/27 10:05:05 siva Exp $

-- This document explains the proprietary MIB implemented
-- for FutureFirewall product.

-- The FS proprietary MIB definitions, which mostly contains extra
-- statistic objects and objects that can enable or disable certain features
-- of a protocol or the protocol itself. The various groups that are present
-- in the proprietary MIB are :

-- FutureFirewall MIB.

-- The MIB contains scalars and tables used to configure
-- FutureFirewall .

-- The different groups in FutureFirewall MIB are as follows:

-- 1) fwlGlobal group :
--    It contains scalar objects used to configure FutureFirewall.
--    The objects in this group are used to control Firewall
--    services and prevent against potential attacks. The objects in this
--    group are fwlGlobalMasterControlSwitch, fwlGlobalIcmpControlSwitch,
--    fwlGlobalTrace, fwlGlobalDebug,
--    fwlGlobalIpSpoofFiltering, fwlGlobalSrcRouteFiltering, fwlGlobalTrap,
--    fwlGlobalTinyFragmentFiltering, fwlGlobalTcpIntercept,
--    fwlGlobalUrlFiltering, fwlGlobalIpv6SpoofFiltering,
--    fwlGlobalICMPv6ControlSwitch, fwlGlobalLogFileSize,
--    fwlGlobalLogSizeThreshold, fwlGlobalIdsLogSize, fwlGlobalIdsLogThreshold.

-- 2) fwlDefinition group :
--    This contains tables used to configure Filters and Rules and to apply
--    them on a particular interface. It contains a table to configure
--    interface specific Filters and a table to view dynamically created
--    filters. It also provides an authentication table for configuring
--    authorized users and services.
--    a) fwlDefnTcpInterceptThreshold : This is a scalar object used to define
--       the rate of TCP connection requests allowed.
--    b) fwlDefnInterceptTimeout : This is a scalar object used to define
--       the time interval for allowing the connections within threshold.
--    c) fwlDefnFiltertable : This table is used to configure filters.
--       The objects in this table are fwlFilterFilterName,
--       fwlFilterSrcAddress, fwlFilterDestAddress, fwlFilterSrcPort,
--       fwlFilterDestPort, fwlFilterProtocol, fwlFilterTos,
--       fwlFilterAddrType, fwlFilterFlowId and fwlFilterDscp.
--    d) fwlDefnRuleTable : This table is used to configure rules (combination
--       of Filters). The objects in this table are fwlRuleRuleName and
--       fwlRuleFilterSet.
--    e) fwlDefnAclTable : This table is used to apply a filter or a rule on
--       a particular interface. The objects include fwlAclAclName,
--       fwlAclIfIndex, fwlAclDirection, fwlAclAction and
--       fwlAclSequenceNumber.
--    f) fwlDefnIfTable : This table is used to configure interface specific
--       filters. The objects in the table include fwlIfIpOptions,
--       fwlIfFragments, fwlIfIcmpType, fwlIfIcmpCode, fwlIfIfType and
--       fwlIfICMPv6MsgType.
--    g) fwlDefnDmzTable : This table is used to configure the DMZ hosts on an
--       interface. The objects in the table include fwlDmzIpSubnet and
--       fwlDmzSubnetMask.
--    h) fwlDefnIPv6DmzTable : This table is used to configure the IPv6 DMZ
--       hosts on an interface. The objects in the table include
--       fwlDmzIpv6Index.

-- 3) fwlStatistics group :
--    This contains scalar objects used to specify the global statistics.
--    It also contains an interface table used to specify interface specific
--    statistics. The objects that specify the global statistics are
--    fwlStatTotalPacketsInspectedCount, fwlStatTotalPacketsDenied,
--    fwlStatTotalPacketsAccepted, fwlStatTotalIcmpPacketsDenied,
--    fwlStatTotalIpOptionPacketsDenied, fwlStatTotalFragmentedPacketsDenied,
--    fwlStatMemoryAllocationFailCount, fwlStatTotalSynPacketsReceived,
--    fwlStatTotalIpSpoofedPacketsDenied, fwlStatIPv6InspectedPacketsCount,
--    fwlStatIPv6TotalPacketsDenied, fwlStatIPv6TotalPacketsAccepted,
--    fwlStatIPv6TotalIcmpPacketsDenied, fwlStatIPv6TotalSpoofedPacketsDenied.
--    The following table is used to specify interface specific statistics.
--    fwlStatIfTable : The objects in this table are fwlStatIfFilterCount,
--    fwlStatIfPacketsDenied, fwlStatIfPacketsAccepted,
--    fwlStatIfIcmpPacketsDenied, fwlStatIfFragmentPacketsDenied,
--    fwlStatIfIpOptionPacketsDenied, fwlStatIfIPv6PacketsDenied,
--    fwlStatIfIPv6PacketsAccepted and fwlStatIfIcmpv6PacketsDenied.

-- 4) fwlTraps Group :
--    This group contains the different types of Traps used by the Firewall.
--    The trap control is fwlTrapMessage.
--    The trap types are fwlTrapMemoryFailure and fwlTrapAttackSummary.
--    fwlTrapThresholdExceeded would be triggered when the Discard limit
--    exceeds the threshold set. fwlTrapIfIndex object specifies the
--    Interface Index in which the limit is exceeded. It could be a Global
--    or a particular Interface Index. fwlTrapMessage would be called for
--    traps related to Firewall logs such as sizeexceeded and sizethresholdhit.
--    fwlIdsTrapLogging would be called for traps related to IDS logs such as
--    sizeexceeded and sizethresholdhit. fwlIdsTrapAttackPktFromIds would be
--    called when an attack-packet is identified by IDS.

FIREWALL-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Integer32, Unsigned32,
    Counter32, enterprises, IpAddress,
    NOTIFICATION-TYPE, TimeTicks
        FROM SNMPv2-SMI
    RowStatus, TruthValue, DisplayString, RowPointer,
    TimeStamp, TEXTUAL-CONVENTION
        FROM SNMPv2-TC
    InetAddress, InetAddressType, InetAddressPrefixLength
        FROM INET-ADDRESS-MIB;

-- enterprises OBJECT IDENTIFIER ::= { private 1 }
-- futuresoftware OBJECT IDENTIFIER ::= { enterprises 2076 }

firewall MODULE-IDENTITY
    LAST-UPDATED "201209050000Z"
    ORGANIZATION "ARICENT COMMUNICATIONS SOFTWARE"
    CONTACT-INFO "support@aricent.com"
    DESCRIPTION
        "The MIB module to describe the Firewall."
    REVISION "201209050000Z"
    DESCRIPTION
        "The MIB module to describe the Firewall."
    ::= { enterprises futuresoftware(2076) 16 }

-- Textual Conventions
-- These Textual Conventions enhance the readability of the specification.
-- The Status is an integer value which specifies whether the Firewall
-- AccessList control switches are enabled or disabled.

Status ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The status of the Firewall AccessList control switches."
    SYNTAX      INTEGER { enabled(1), disabled(2) }

-- The ProtocolType is an integer value that specifies the type of
-- protocol.

ProtocolType ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "Enumeration of protocols that are commonly used on
         Firewall AccessList."
    SYNTAX      INTEGER {
                    icmp(1), igmp(2), ggp(3), ip(4), tcp(6), egp(8),
                    igp(9), nvp(11), udp(17), irtp(28), idpr(35),
                    rsvp(46), mhrp(48), igrp(88), ospfigp(89), any(255)
                }

-- Groups in Firewall AccessList

fwlGlobal       OBJECT IDENTIFIER ::= { firewall 1 }
fwlDefinition   OBJECT IDENTIFIER ::= { firewall 2 }
fwlStatistics   OBJECT IDENTIFIER ::= { firewall 3 }
fwlTraps        OBJECT IDENTIFIER ::= { firewall 4 }
fwlState        OBJECT IDENTIFIER ::= { firewall 5 }
fwlRateLimit    OBJECT IDENTIFIER ::= { firewall 6 }
fwlSnork        OBJECT IDENTIFIER ::= { firewall 7 }
fwlRpf          OBJECT IDENTIFIER ::= { firewall 8 }

-- SCALAR_TABLE_BEGIN fwlGlobal 13

-- Firewall Global Group
-- This group defines variables, which applies globally to the Firewall.

fwlGlobalMasterControlSwitch OBJECT-TYPE
    SYNTAX      Status
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This switch is used to enable or disable the entire firewall
         service. The default value for this switch is 'enabled' (1)."
    DEFVAL { enabled }
    ::= { fwlGlobal 1 }

fwlGlobalICMPControlSwitch OBJECT-TYPE
    SYNTAX      INTEGER { generate(1), suppress(2) }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This switch is used to generate or suppress ICMP messages
         when a packet is rejected by the firewall.
         The default value for this switch is 'suppress'(2)."
    DEFVAL { suppress }
    ::= { fwlGlobal 2 }

fwlGlobalIpSpoofFiltering OBJECT-TYPE
    SYNTAX      Status
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This switch is used to determine whether the inbound packets
         (packets arriving on the external interface or the interface
         connected to the Internet) are to be examined for a potential
         source IP Spoofing attack.
         The default value for this switch is 'enabled'(1)."
    DEFVAL { enabled }
    ::= { fwlGlobal 3 }

fwlGlobalSrcRouteFiltering OBJECT-TYPE
    SYNTAX      Status
    MAX-ACCESS  read-write
    STATUS      deprecated
    DESCRIPTION
        "**************** THIS OBJECT IS DEPRECATED ****************
         This switch is used to determine whether the inbound packets
         (packets arriving on the external interface or the interface
         connected to the Internet) containing the IP source route option
         are filtered or not through the Firewall.
         The default value for this switch is 'enabled'(1)."
    DEFVAL { enabled }
    ::= { fwlGlobal 4 }

fwlGlobalTinyFragmentFiltering OBJECT-TYPE
    SYNTAX      Status
    MAX-ACCESS  read-write
    STATUS      deprecated
    DESCRIPTION
        "**************** THIS OBJECT IS DEPRECATED ****************
         This switch is used to determine whether the inbound packets
         (packets arriving on the external interface or the interface
         connected to the Internet) containing Tiny IP Fragments are
         allowed or discarded through the Firewall.
         The default value for this switch is 'enabled'(1)."
    DEFVAL { enabled }
    ::= { fwlGlobal 5 }

fwlGlobalTcpIntercept OBJECT-TYPE
    SYNTAX      Status
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This switch is used to determine whether packets are to be
         examined for a potential Denial of service attack
         (TCP SYN Flooding attack).
         The default value for this switch is 'enabled'(1)."
    DEFVAL { enabled }
    ::= { fwlGlobal 6 }

fwlGlobalTrap OBJECT-TYPE
    SYNTAX      Status
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This switch is used to control the different types of Trap sent
         to the administrator in case a memory failure or any attack
         has occurred.
         If this switch is enabled then Trap will be sent for the above
         mentioned reasons.
         The default value for this switch is 'disabled'(2)."
    DEFVAL { disabled }
    ::= { fwlGlobal 7 }

fwlGlobalTrace OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This is used to enable trace statements in Firewall Module.
         A four byte integer value is specified for enabling the level
         of tracing. Each bit in the four byte integer variable
         represents a level of Trace. The bits represent the levels as
         follows:
             0  - Init and Shutdown,
             1  - Management,
             2  - Data Path,
             3  - Control Plane,
             4  - packet Dump,
             5  - All resources except buffer,
             6  - All Failures,
             7  - Buffer,
             16 - Action taken by firewall,
             17 - Inspection of Packet,
             18 - error and
             19 - Trap.
         The remaining bits are unused. Combinations of levels are
         also allowed. For example if the bits 1 and 2 are set, then the
         Trace statements related to management and Data Path will be
         printed. The user has to enter the corresponding integer value
         for the bits set. For example if bits 1 and 2 are set then he
         has to give the value 6."
    DEFVAL { 0 }
    ::= { fwlGlobal 8 }

fwlGlobalDebug OBJECT-TYPE
    SYNTAX      Status
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This is used to enable/disable Debug Statements in Firewall
         Module."
    DEFVAL { disabled }
    ::= { fwlGlobal 9 }

fwlGlobalMaxFilters OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This specifies the maximum number of memory blocks that can
         be allocated for filters."
    DEFVAL { 100 }
    ::= { fwlGlobal 10 }

fwlGlobalMaxRules OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This specifies the maximum number of memory blocks that can
         be allocated for rules."
    DEFVAL { 100 }
    ::= { fwlGlobal 11 }

fwlGlobalUrlFiltering OBJECT-TYPE
    SYNTAX      Status
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This enables or disables URL filtering.
         The default value for this switch is 'disabled'(2)."
    DEFVAL { disabled }
    ::= { fwlGlobal 12 }

fwlGlobalNetBiosFiltering OBJECT-TYPE
    SYNTAX      Status
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This enables or disables NETBIOS filtering.
         The default value for this switch is 'disabled'(2)."
    DEFVAL { disabled }
    ::= { fwlGlobal 13 }

fwlGlobalNetBiosLan2Wan OBJECT-TYPE
    SYNTAX      Status
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This enables or disables NETBIOS LAN to WAN control switch.
         The default value for this switch is 'disabled'(2)."
    DEFVAL { disabled }
    ::= { fwlGlobal 14 }

fwlGlobalICMPv6ControlSwitch OBJECT-TYPE
    SYNTAX      INTEGER { generate(1), suppress(2) }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This switch is used to generate or suppress the ICMPv6 generation
         when a packet is rejected by the firewall.
         When this is enabled, ICMPv6 error message is generated whenever
         a ICMPv6 packet is denied.
         The default value for this switch is 'suppress'(2)."
    DEFVAL { suppress }
    ::= { fwlGlobal 15 }

fwlGlobalIpv6SpoofFiltering OBJECT-TYPE
    SYNTAX      Status
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This switch is used to determine whether the inbound packets
         (packets arriving on the external interface or the interface
         connected to the Internet) are to be examined for a potential
         source IPv6 Spoofing attack.
         The default value for this switch is 'enabled'(1)."
    DEFVAL { enabled }
    ::= { fwlGlobal 16 }

fwlGlobalLogFileSize OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This is the maximum file size in bytes of the firewall log file."
    DEFVAL { 1048576 }
    ::= { fwlGlobal 17 }

fwlGlobalLogSizeThreshold OBJECT-TYPE
    SYNTAX      Unsigned32 (1..99)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This is the threshold value of the Log storage space with
         respect to the maximum Log Storage Space.
         It is entered as a percentage value."
    DEFVAL { 70 }
    ::= { fwlGlobal 18 }

fwlGlobalIdsLogSize OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This is the maximum file size in bytes of the IDS log file."
    DEFVAL { 1048576 }
    ::= { fwlGlobal 19 }

fwlGlobalIdsLogThreshold OBJECT-TYPE
    SYNTAX      Unsigned32 (1..99)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This is the threshold value of the Log storage space with
         respect to the maximum Log Storage Space.
         It is entered as a percentage value."
    DEFVAL { 70 }
    ::= { fwlGlobal 20 }

fwlGlobalIdsVersionInfo OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (1..64))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object shows the current version of IDS
         (Intrusion Detection System)."
    DEFVAL { "" }
    ::= { fwlGlobal 21 }

fwlGlobalReloadIds OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object reloads the IDS process (Intrusion Detection System)
         with the new set of rules/configurations."
    ::= { fwlGlobal 22 }

fwlGlobalIdsStatus OBJECT-TYPE
    SYNTAX      Status
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object is used to enable or disable IDS
         (Intrusion Detection System) service in the system.
         By default IDS is enabled."
    DEFVAL { enabled }
    ::= { fwlGlobal 23 }

fwlGlobalLoadIdsRules OBJECT-TYPE
    SYNTAX      INTEGER { load (1), unload (2) }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object loads the existing regular expressions of rules
         to Pattern Matching Engine (PME) if exists. Also reloads IDS
         process (Intrusion Detection System). While rules load in
         progress IDS status would be disabled."
    ::= { fwlGlobal 24 }

fwlDosAttackAcceptRedirect OBJECT-TYPE
    SYNTAX      INTEGER { enable (1), disable (0) }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object stores the status of the Accept Redirect DoS attack."
    ::= { fwlGlobal 25 }

fwlDosAttackAcceptSmurfAttack OBJECT-TYPE
    SYNTAX      INTEGER { enable (1), disable (0) }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object stores the status of the Smurf DoS attack."
    ::= { fwlGlobal 26 }

fwlDosLandAttack OBJECT-TYPE
    SYNTAX      INTEGER { enable (1), disable (0) }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object stores the status of the Land DoS attack."
    ::= { fwlGlobal 27 }

fwlDosShortHeaderAttack OBJECT-TYPE
    SYNTAX      Integer32 (1..1000)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object stores the status of the ShortHeader DoS attack."
    DEFVAL { 10 }
    ::= { fwlGlobal 28 }

-- SCALAR_TABLE_END

-- Firewall Definition Group
-- The Definition group defines the variables used to configure the
-- filters and rules for the Firewall . It also defines the
-- variables used to prevent all types of attacks.

-- SCALAR_TABLE_BEGIN fwlDefinition 7

-- The following two scalar variables are used to prevent the Denial
-- of Service attack.

fwlDefnTcpInterceptThreshold OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The number of TCP Connection requests (TCP SYN packets)
         entering into the firewall module within a timeout period.
         The default value is 50 connections."
    DEFVAL { 50 }
    ::= { fwlDefinition 1 }

fwlDefnInterceptTimeout OBJECT-TYPE
    SYNTAX      TimeTicks
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The interval after which the Connection requests exceeding the
         threshold will be discarded. The default value is 1 second.
         This timeout value applies for TCP, UDP and ICMP."
    DEFVAL { 1 }
    ::= { fwlDefinition 2 }

-- SCALAR_TABLE_END

-- Filter Table
-- This is the first level of configuration where the Filters are defined.
-- These Filters specify the parameters that have to be checked against the
-- packet. The parameters include source address, destination address,
-- source port, destination port, protocol type, etc.

fwlDefnFilterTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF FwlDefnFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table is used to configure the Filters in the Firewall.
         The Filters can be configured as
         'Filter1 10.0.0.0/24 108.0.4.1/32 6'.
         It means that in Filter1, the source address can range from
         10.0.0.0 to 10.0.0.255 and destination address is 108.0.4.1 and
         protocol is TCP. The mask used is not wild-card mask.
         Before a configured Filter is deleted, the Rules using this
         particular filter, and any application of this Filter on a
         particular interface, must be deleted first."
    ::= { fwlDefinition 3 }

fwlDefnFilterEntry OBJECT-TYPE
    SYNTAX      FwlDefnFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The individual entry in the above table."
    INDEX { fwlFilterFilterName }
    ::= { fwlDefnFilterTable 1 }

FwlDefnFilterEntry ::= SEQUENCE {
    fwlFilterFilterName     OCTET STRING,
    fwlFilterSrcAddress     DisplayString,
    fwlFilterDestAddress    DisplayString,
    fwlFilterProtocol       INTEGER,
    fwlFilterSrcPort        DisplayString,
    fwlFilterDestPort       DisplayString,
    fwlFilterAckBit         INTEGER,
    fwlFilterRstBit         INTEGER,
    fwlFilterTos            Integer32,
    fwlFilterAccounting     Status,
    fwlFilterHitClear       TruthValue,
    fwlFilterHitsCount      Counter32,
    fwlFilterAddrType       InetAddressType,
    fwlFilterFlowId         Unsigned32,
    fwlFilterDscp           Integer32,
    fwlFilterRowStatus      RowStatus
}

fwlFilterFilterName OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..35))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This Filter name uniquely identifies the particular Filter
         configured."
    ::= { fwlDefnFilterEntry 1 }

fwlFilterSrcAddress OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The source IP address and the source mask to be checked against
         the packet. The default value is 0.0.0.0/0.
         The address value should not be specified without the mask
         value. ('10.0.14.23')"
    DEFVAL { ''h }
    ::= { fwlDefnFilterEntry 2 }

fwlFilterDestAddress OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The destination IP address and the destination mask to be checked
         against the packet. The default value is 0.0.0.0/0.
         The address value should not be specified without the mask
         value. ('10.0.14.23')"
    DEFVAL { ''h }
    ::= { fwlDefnFilterEntry 3 }

fwlFilterProtocol OBJECT-TYPE
    SYNTAX      ProtocolType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The type of protocol to be checked against the packet. The
         default value is 'any' (255). If the value is 'any' (255), it
         means that the protocol type can be anything and it will not be
         checked to decide the action."
    DEFVAL { any }
    ::= { fwlDefnFilterEntry 4 }

fwlFilterSrcPort OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The source port to be checked against the packet.
         The range of port can be specified by using the symbols like
         '>', '<', '!=', '=', '<=', '>='. For example the port value
         will be specified as '>1023', '=23', etc.
         This value is parsed into MIN and MAX port value. The string
         '>1023' will be parsed as MIN port value = 1024 and
         MAX port value = 65536.
         The default value for the MIN and MAX port value is 0.
         If the value is 0, it means that the port number can be
         anything and it will not be checked to decide the action."
    DEFVAL { ''h }
    ::= { fwlDefnFilterEntry 5 }

fwlFilterDestPort OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The destination port to be checked against the packet.
         The range of port can be specified by using the symbols like
         '>', '<', '!=', '=', '<=', '>='. For example the port value
         will be specified as '>1023', '=23', etc.
         This value is parsed into MIN and MAX port value. The string
         '>1023' will be parsed as MIN port value = 1024 and
         MAX port value = 65536.
         The default value for the MIN and MAX port value is 0.
         If the value is 0, it means that the port number can be
         anything and it will not be checked to decide the action."
    DEFVAL { ''h }
    ::= { fwlDefnFilterEntry 6 }

fwlFilterAckBit OBJECT-TYPE
    SYNTAX      INTEGER { establish(1), notEstablish(2), any(3) }
    MAX-ACCESS  read-create
    STATUS      deprecated
    DESCRIPTION
        "**************** THIS OBJECT IS DEPRECATED ****************
         The TCP ACK bit to be checked against the packet. The default
         value is 'any'(3). It means that ACK bit will not be checked
         to decide the action."
    DEFVAL { any }
    ::= { fwlDefnFilterEntry 7 }

fwlFilterRstBit OBJECT-TYPE
    SYNTAX      INTEGER { set(1), notSet(2), any(3) }
    MAX-ACCESS  read-create
    STATUS      deprecated
    DESCRIPTION
        "**************** THIS OBJECT IS DEPRECATED ****************
         The TCP RST bit to be checked against the packet. The default
         value is 'any'(3). It means that RST bit will not be checked
         to decide the action."
    DEFVAL { any }
    ::= { fwlDefnFilterEntry 8 }

fwlFilterTos OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The IP TOS bit to be checked against the packet. This is a
         single byte integer of which the last three bits (least
         significant bits) indicate Delay, Throughput and Reliability
         i.e. 'uuuuudtr', u-unused, d-delay, t-throughput,
         r-reliability. For example '6' indicates low delay and
         high throughput."
    DEFVAL { 0 }
    ::= { fwlDefnFilterEntry 9 }

fwlFilterAccounting OBJECT-TYPE
    SYNTAX      Status
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object is used to enable or disable the filter accounting
         of this filter.
         If this object is enabled then the Hit count of this filter
         will be incremented when the traffic matches this filter.
         If this object is disabled then the Hit counter of the filter
         will not be incremented when the traffic matches this filter.
         The default value of this object is 'disabled'(2)."
    DEFVAL { disabled }
    ::= { fwlDefnFilterEntry 10 }

fwlFilterHitClear OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object is used to clear the hit count of this filter.
         The default value is 'false'.
         When this object is true, the Hit count for the respective
         filter will be cleared and the object value will be reset to
         false. The get routine for this object always returns 'false'."
    DEFVAL { false }
    ::= { fwlDefnFilterEntry 11 }

fwlFilterHitsCount OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times this Filter is matched while processing
         the packet."
    ::= { fwlDefnFilterEntry 12 }

fwlFilterAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The address type of the source and destination address.
         This object is limited to IPv4 and IPv6 addresses."
    ::= { fwlDefnFilterEntry 13 }

fwlFilterFlowId OBJECT-TYPE
    SYNTAX      Unsigned32 (0..1048575)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The flow label identifier is specific to the IPv6 header; it is
         used to classify packets of the same flow between a source and
         destination in IPv6."
    DEFVAL { 0 }
    ::= { fwlDefnFilterEntry 14 }

fwlFilterDscp OBJECT-TYPE
    SYNTAX      Integer32 (0..63)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The IP DSCP value is applicable for both IPv4 and IPv6, but when
         DSCP is specified, the TOS value (fwlFilterTos) should not be
         configured. Also, the TOS value (fwlFilterTos) is not applicable
         for IPv6 traffic and its filters."
    DEFVAL { 0 }
    ::= { fwlDefnFilterEntry 15 }

fwlFilterRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object allows entries to be created or deleted in this
         table."
    ::= { fwlDefnFilterEntry 16 }

-- Rule Table
-- This is the second and optional level of configuration. Here the
-- Filters are grouped to form Rules. They are grouped
-- using the '&' or ','(or) operation.
-- A set of Filters combined using '&' or ','(or) operation can form a Rule.

fwlDefnRuleTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF FwlDefnRuleEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The table used to configure the Rules by assigning a set of
         Filters. (Rule1 = Filter1 & Filter2; Rule2 = Filter1 , Filter2;
         etc.)."
    ::= { fwlDefinition 4 }

fwlDefnRuleEntry OBJECT-TYPE
    SYNTAX      FwlDefnRuleEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The individual entry in the above table."
    INDEX { fwlRuleRuleName }
    ::= { fwlDefnRuleTable 1 }

FwlDefnRuleEntry ::= SEQUENCE {
    fwlRuleRuleName     OCTET STRING,
    fwlRuleFilterSet    DisplayString,
    fwlRuleRowStatus    RowStatus
}

fwlRuleRuleName OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..35))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The name that identifies the particular Rule configured in the
         Firewall ."
    ::= { fwlDefnRuleEntry 1 }

fwlRuleFilterSet OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "A set of Filters combined to form a Rule and this Rule is
         configured globally or on a particular interface."
    ::= { fwlDefnRuleEntry 2 }

fwlRuleRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object allows entries to be created or deleted in this
         table."
    ::= { fwlDefnRuleEntry 3 }

-- Acl table
-- This is the final level of configuration. The configured Filter or rule
-- to be applied on an interface is specified. The action to be taken
-- against the packet is specified. The direction in which filters
-- are to be applied, either to inbound packets or outbound
-- packets is also specified.

fwlDefnAclTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF FwlDefnAclEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The ACL table will associate the filter or a combination
         of filters to a specific Action.
         The ACL name should map with the rule name"
    ::= { fwlDefinition 5 }

fwlDefnAclEntry OBJECT-TYPE
    SYNTAX      FwlDefnAclEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The individual entry in the above table."
    INDEX { fwlAclIfIndex, fwlAclAclName, fwlAclDirection }
    ::= { fwlDefnAclTable 1 }

FwlDefnAclEntry ::= SEQUENCE {
    fwlAclIfIndex           Integer32,
    fwlAclAclName           OCTET STRING,
    fwlAclDirection         INTEGER,
    fwlAclAction            INTEGER,
    fwlAclSequenceNumber    Integer32,
    fwlAclAclType           INTEGER,
    fwlAclLogTrigger        INTEGER,
    fwlAclFragAction        INTEGER,
    fwlAclRowStatus         RowStatus
}

fwlAclIfIndex OBJECT-TYPE
    SYNTAX      Integer32 (0..1000)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The interface number in which the filters are to be configured.
         The value ranges from 0 to 1000. If the value specified is 0,
         it means that the filters will be configured globally (i.e.
         filters or rules specified with Global interface number are
         applicable to all interfaces)."
    ::= { fwlDefnAclEntry 1 }

fwlAclAclName OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..35))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The name that uniquely identifies the particular Filter or Rule
         configured in the Firewall ."
    ::= { fwlDefnAclEntry 2 }

fwlAclDirection OBJECT-TYPE
    SYNTAX      INTEGER { in (1), out (2) }
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This specifies in which direction the Filters or Rules are to
         be applied on the packets, either to incoming or outgoing
         packets."
    ::= { fwlDefnAclEntry 3 }

fwlAclAction OBJECT-TYPE
    SYNTAX      INTEGER { permit(1), reject(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This specifies the action to be taken against the packet. If
         the action value is 'permit', then the packet will be permitted
         if the filter or rule matches. If it is 'reject', then the
         packet will be rejected and an ICMP message will be sent as
         response, if the global Switch for generation of ICMP message
         is enabled."
    ::= { fwlDefnAclEntry 4 }

fwlAclSequenceNumber OBJECT-TYPE
    SYNTAX      Integer32 (1..65535)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This specifies the order in which the Filters are to be matched
         against the packets from a particular interface. The sequence
         number should not be zero. The sequence numbers are unique."
    ::= { fwlDefnAclEntry 5 }

fwlAclAclType OBJECT-TYPE
    SYNTAX      INTEGER { filter(1), rule(2) }
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "**************** THIS OBJECT IS DEPRECATED ****************
         This specifies whether the access list configured on a
         particular interface is a Filter or a Rule (Combination of
         Filters). The default value is 'rule'(2)."
    DEFVAL { rule }
    ::= { fwlDefnAclEntry 6 }

fwlAclLogTrigger OBJECT-TYPE
    SYNTAX      INTEGER { none(0), brief(1), detail(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This specifies whether the log details should be in brief or
         detail or none. The default value is 'brief(1)'."
    DEFVAL { brief }
    ::= { fwlDefnAclEntry 7 }

fwlAclFragAction OBJECT-TYPE
    SYNTAX      INTEGER { permit(1), deny(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This specifies whether the fragmentation has to be permitted
         or denied."
    ::= { fwlDefnAclEntry 8 }

fwlAclRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object allows entries to be created or deleted in this
         table."
    ::= { fwlDefnAclEntry 9 }

-- Interface Table
-- This table is used to control packet filtering on interface basis.

fwlDefnIfTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF FwlDefnIfEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table is used for interface specific filtering like
         filtering based on IP options, Fragments, ICMP Type and Code,
         etc."
    ::= { fwlDefinition 6 }

fwlDefnIfEntry OBJECT-TYPE
    SYNTAX      FwlDefnIfEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The individual entry in the above table."
    INDEX { fwlIfIfIndex }
    ::= { fwlDefnIfTable 1 }

FwlDefnIfEntry ::= SEQUENCE {
    fwlIfIfIndex        Integer32,
    fwlIfIfType         INTEGER,
    fwlIfIpOptions      INTEGER,
    fwlIfFragments      INTEGER,
    fwlIfFragmentSize   Unsigned32,
    fwlIfICMPType       INTEGER,
    fwlIfICMPCode       INTEGER,
    fwlIfICMPv6MsgType  Integer32,
    fwlIfRowStatus      RowStatus
}

fwlIfIfIndex OBJECT-TYPE
    SYNTAX      Integer32 (0..1000)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The interface number in which the filters or rules are to be
         configured."
    ::= { fwlDefnIfEntry 1 }

fwlIfIfType OBJECT-TYPE
    SYNTAX      INTEGER { internal(1), external(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This specifies whether the interface is an external interface
         (interface connected to the internet) or internal interface.
         The default value is 'external'(2)."
    DEFVAL { external }
    ::= { fwlDefnIfEntry 2 }

fwlIfIpOptions OBJECT-TYPE
    SYNTAX      INTEGER {
                    sourceRoute (1),
                    recordRoute (2),
                    timestamp (3),
                    anyOptions (4),
                    noOptions (5),
                    traceRoute(6)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The IP options to be checked against the packet. If the packet
         matches with the IP option specified, then the packet will be
         dropped. The default value is 'anyOptions' (4). To disable
         checking for IP options set the value to noOptions (5)."
    DEFVAL { anyOptions }
    ::= { fwlDefnIfEntry 3 }

fwlIfFragments OBJECT-TYPE
    SYNTAX      INTEGER {
                    tinyFragment(1),
                    largeFragment(2),
                    anyFragment(3),
                    noFragment(4)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The Fragment type to be checked against the packet. If the
         packet matches with the fragment type, then the packet will be
         dropped. The default value, anyFragment(3), ensures that all
         fragments are dropped. The value 'noFragment' (4) ensures that
         fragmentation checks are disabled."
    DEFVAL { anyFragment }
    ::= { fwlDefnIfEntry 4 }

fwlIfFragmentSize OBJECT-TYPE
    SYNTAX      Unsigned32 (1..65500)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The maximum size of each fragment when the fragment type
         'fwlIfFragments' is large."
    DEFVAL { 30000 }
    ::= { fwlDefnIfEntry 5 }

fwlIfICMPType OBJECT-TYPE
    SYNTAX      INTEGER {
                    echoReply(0),
                    destinationUnreachable(3),
                    sourceQuench(4),
                    redirect(5),
                    echoRequest(8),
                    timeExceeded(11),
                    prameterProblem(12),
                    timestampRequest(13),
                    timestampReply(14),
                    informationRequest(15),
                    informationReply(16),
                    addressMaskRequest(17),
                    addressMaskReply (18),
                    noICMPType(255)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The ICMP type to be checked against the packet. If the ICMP
         Type matches with the packet, then the packet will be dropped.
         The default value is 'noICMPType' (255). It means that ICMP
         Type is not configured and need not be checked. Generally the
         value zero is given as default. But here zero is an ICMP Type
         value. Hence 255 is given as the default value."
    DEFVAL { noICMPType }
    ::= { fwlDefnIfEntry 6 }

fwlIfICMPCode OBJECT-TYPE
    SYNTAX      INTEGER {
                    networkUnreachable(0),
                    hostUnreachable(1),
                    protocolUnreachable(2),
                    portUnreachable(3),
                    fragmentNeed(4),
                    sourceRouteFail(5),
                    destNetworkUnknown(6),
                    destHostUnknown(7),
                    srcHostIsolated(8),
                    destNetworkAdminProhibited(9),
                    destHostAdminProhibited(10),
                    networkUnreachableTOS(11),
                    hostUnreachableTOS(12),
                    noICMPCode(255)
                }
    MAX-ACCESS  read-create
    STATUS      deprecated
    DESCRIPTION
        "**************** THIS OBJECT IS DEPRECATED ****************
         The ICMP Code to be checked against the packet. If the packet
         matches with the ICMP Code, then the packet will be dropped.
         The default value is 'noICMPCode'(255). It means that ICMP code
         is not configured and need not be checked. Generally the value
         zero will be given as default. But here, zero is an ICMP Code
         value. Hence 255 is given as the default value."
    DEFVAL { noICMPCode }
    ::= { fwlDefnIfEntry 7 }

fwlIfICMPv6MsgType OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The ICMPv6 type to be checked against the packet. If the ICMP
         Type matches with the packet, then the packet will be dropped.
         The default value is 'noICMPv6Type' (0x0). It means that ICMP
         Type is not configured and need not be checked.
         This object is used to store the ICMPv6 message types that are
         enabled by the user. The bit positions to enable specific
         message types are as shown below :
             Bit 0 - destinationUnreachable
             Bit 1 - timeExceeded
             Bit 2 - prameterProblem
             Bit 3 - echoRequest
             Bit 4 - echoReply
             Bit 5 - redirect
             Bit 6 - informationRequest
             Bit 7 - informationReply
         A value of zero (0x0) indicates that no ICMPv6 type is
         configured and all bits set indicates that all the ICMPv6
         message types are set."
    DEFVAL { 0 }
    ::= { fwlDefnIfEntry 8 }

fwlIfRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object allows entries to be created or deleted in this
         table."
    ::= { fwlDefnIfEntry 9 }

-- DMZ Table
-- This table is used to define the De-Militarized Zone, where no restrictions
-- apply.

fwlDefnDmzTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF FwlDefnDmzEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table is used for defining the De-Militarized Zone (DMZ).
         The host/hosts in this zone will have unrestricted access from
         the public/external network (Internet)."
    ::= { fwlDefinition 7 }

fwlDefnDmzEntry OBJECT-TYPE
    SYNTAX      FwlDefnDmzEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The individual entry in the above table."
    INDEX { fwlDmzIpIndex }
    ::= { fwlDefnDmzTable 1 }

FwlDefnDmzEntry ::= SEQUENCE {
    fwlDmzIpIndex       IpAddress,
    fwlDmzRowStatus     RowStatus
}

fwlDmzIpIndex OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IP address for which the DMZ is to be configured."
    ::= { fwlDefnDmzEntry 1 }

fwlDmzRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object allows entries to be created or deleted in this
         table."
    ::= { fwlDefnDmzEntry 2 }

-- URL Filtering Table
-- This table is used to define URL filters

fwlUrlFilterTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF FwlUrlFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table is used for defining URL filters.
         Any http request that matches the URL string will be filtered"
    ::= { fwlDefinition 8 }

fwlUrlFilterEntry OBJECT-TYPE
    SYNTAX      FwlUrlFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The individual entry in the above table."
    INDEX       { fwlUrlString }
    ::= { fwlUrlFilterTable 1 }

FwlUrlFilterEntry ::= SEQUENCE {
    fwlUrlString            DisplayString,
    fwlUrlHitCount          Counter32,
    fwlUrlFilterRowStatus   RowStatus
}

fwlUrlString OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(1..99))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The object specifies the URL string to be filtered"
    ::= { fwlUrlFilterEntry 1 }

fwlUrlHitCount OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times this URL Filter is matched while processing
         the packet"
    ::= { fwlUrlFilterEntry 2 }

fwlUrlFilterRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object allows entries to be created or deleted in this
         table"
    ::= { fwlUrlFilterEntry 3 }

-- Firewall Statistics Group
-- Statistics group details about the general statistics of the packets
-- processed by the Firewall ( like packet rejected, inspected etc).
-- It also details the statistics about the packets
-- filtered per interface.

-- SCALAR_TABLE_BEGIN fwlStatistics 23

fwlStatInspectedPacketsCount OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets inspected by the Firewall module. It
         includes the number of packets rejected and accepted."
    ::= { fwlStatistics 1 }

fwlStatTotalPacketsDenied OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets dropped by the Firewall module. This
         includes all fragmented packets, non-fragmented packets, packets
         with IP Options, without IP options, etc."
    ::= { fwlStatistics 2 }

fwlStatTotalPacketsAccepted OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets accepted by the Firewall module. This
         includes all fragmented packets, non-fragmented packets, packets
         with IP Options and packets without IP options, etc."
    ::= { fwlStatistics 3 }

fwlStatTotalIcmpPacketsDenied OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of ICMP packets rejected by the Firewall module."
    ::= { fwlStatistics 4 }

fwlStatTotalSynPacketsDenied OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of SYN packets denied over the external interfaces."
    ::= { fwlStatistics 5 }

fwlStatTotalIpSpoofedPacketsDenied OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets rejected by the Firewall due to IP Spoofing
         attack on the external interfaces."
    ::= { fwlStatistics 6 }

fwlStatTotalSrcRoutePacketsDenied OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets rejected by the Firewall due to Source
         Routing attack on the external interfaces."
    ::= { fwlStatistics 7 }

fwlStatTotalTinyFragmentPacketsDenied OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets rejected by the Firewall due to Tiny
         Fragment attack on the external interfaces."
    ::= { fwlStatistics 8 }

fwlStatTotalFragmentedPacketsDenied OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of fragmented packets rejected by Firewall."
    ::= { fwlStatistics 9 }

fwlStatTotalLargeFragmentPacketsDenied OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets rejected by Firewall due to large fragment
         attack on the external interface."
    ::= { fwlStatistics 10 }

fwlStatTotalIpOptionPacketsDenied OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets with IP options (source routing, record
         routing, timestamp) rejected by the Firewall."
    ::= { fwlStatistics 11 }

fwlStatTotalAttacksPacketsDenied OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of packets rejected by firewall due to suspicious
         attacks."
    ::= { fwlStatistics 12 }

fwlStatMemoryAllocationFailCount OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times dynamic memory allocation failure (malloc)
         has occurred."
    ::= { fwlStatistics 13 }

fwlStatIPv6InspectedPacketsCount OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of IPv6 packets inspected by the Firewall module. It
         includes the number of packets rejected and accepted."
    ::= { fwlStatistics 14 }

fwlStatIPv6TotalPacketsDenied OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of IPv6 packets dropped by the Firewall module."
    ::= { fwlStatistics 15 }

fwlStatIPv6TotalPacketsAccepted OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of IPv6 packets accepted by the Firewall module."
    ::= { fwlStatistics 16 }

fwlStatIPv6TotalIcmpPacketsDenied OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of ICMPv6 packets rejected by the Firewall module."
    ::= { fwlStatistics 17 }

fwlStatIPv6TotalSpoofedPacketsDenied OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of IPv6 packets rejected by the Firewall due to IP
         Spoofing attack on the external interfaces."
    ::= { fwlStatistics 18 }

fwlStatIPv6TotalAttacksPacketsDenied OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of IPv6 packets rejected by firewall due to suspicious
         attacks."
    ::= { fwlStatistics 19 }

-- SCALAR_TABLE_END

-- Firewall State Table
-- This table gives information about the number of state entries
-- corresponding to the stateful table, partial Entry table and Init Flow
-- table.

fwlStateTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF FwlStateEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains the entries maintained by Firewall during
         stateful inspection of the connections passing through the DUT
         from LAN to WAN or WAN to LAN."
    ::= { fwlState 1 }

fwlStateEntry OBJECT-TYPE
    SYNTAX      FwlStateEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The individual entry in the above table."
    INDEX       { fwlStateType,
                  fwlStateLocalIpAddrType,
                  fwlStateLocalIpAddress,
                  fwlStateRemoteIpAddrType,
                  fwlStateRemoteIpAddress,
                  fwlStateLocalPort,
                  fwlStateRemotePort,
                  fwlStateProtocol,
                  fwlStateDirection }
    ::= { fwlStateTable 1 }

FwlStateEntry ::= SEQUENCE {
    fwlStateType                INTEGER,
    fwlStateLocalIpAddrType     InetAddressType,
    fwlStateLocalIpAddress      OCTET STRING,
    fwlStateRemoteIpAddrType    InetAddressType,
    fwlStateRemoteIpAddress     OCTET STRING,
    fwlStateLocalPort           Integer32,
    fwlStateRemotePort          Integer32,
    fwlStateProtocol            Integer32,
    fwlStateDirection           INTEGER,
    fwlStateEstablishedTime     TimeStamp,
    fwlStateLocalState          INTEGER,
    fwlStateRemoteState         INTEGER,
    fwlStateLogLevel            INTEGER,
    fwlStateCallStatus          INTEGER
}

fwlStateType OBJECT-TYPE
    SYNTAX      INTEGER { stateful (1), partialentry (2), initflow (3) }
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This indicates the type of the entry present in this table.
         There can be stateful entries or init flow entries maintained
         for TCP connections or partial entries created to create pin
         holes in firewall"
    ::= { fwlStateEntry 1 }

fwlStateLocalIpAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Address Family Identifier of the Local address"
    ::= { fwlStateEntry 2 }

fwlStateLocalIpAddress OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (1..40))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The Local Ip Address of the session."
    ::= { fwlStateEntry 3 }

fwlStateRemoteIpAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Address Family Identifier of the remote address"
    ::= { fwlStateEntry 4 }

fwlStateRemoteIpAddress OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (1..40))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The Remote Ip Address of the session."
::= { fwlStateEntry 5 } fwlStateLocalPort OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object identifies the Local Port information of the session" ::= { fwlStateEntry 6 } fwlStateRemotePort OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object identifies the remote Port information of the session" ::= { fwlStateEntry 7 } fwlStateProtocol OBJECT-TYPE SYNTAX Integer32 (1..255) MAX-ACCESS not-accessible STATUS current DESCRIPTION " The type of the protocol of the session." ::= { fwlStateEntry 8 } fwlStateDirection OBJECT-TYPE SYNTAX INTEGER { in (1), out (2) } MAX-ACCESS not-accessible STATUS current DESCRIPTION "The direction of the firewall state session." ::= { fwlStateEntry 9 } fwlStateEstablishedTime OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The time at which the firewall session has been established." ::= { fwlStateEntry 10 } fwlStateLocalState OBJECT-TYPE SYNTAX INTEGER { new (1), established (2), related (3), invalid (4), listen (10), synsent (11), synrcvd (12), synest (13), finwait1 (14), finwait2 (15), closing (16), timewait (17), closewait (18), lastack (19), closed (20) } MAX-ACCESS read-only STATUS current DESCRIPTION "The state information of the local host. The states new, established and related are used in stateful table. The other states are used in TCP init flow table. The partial entry table will not maintain the state of the entry so it carries zero for partial entry table. The default value for stateful table is new (1). The default value for init flow table is listen (10)." 
    ::= { fwlStateEntry 11 }

fwlStateRemoteState OBJECT-TYPE
    SYNTAX      INTEGER {
                    new (1),
                    established (2),
                    related (3),
                    invalid (4),
                    listen (10),
                    synsent (11),
                    synrcvd (12),
                    synest (13),
                    finwait1 (14),
                    finwait2 (15),
                    closing (16),
                    timewait (17),
                    closewait (18),
                    lastack (19),
                    closed (20)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The state information of the remote host. The states new,
         established and related are used in stateful table. The other
         states are used in TCP init flow table. The partial entry table
         will not maintain the state of the entry so it carries zero for
         partial entry table. The default value for stateful table is
         new (1). The default value for init flow table is listen (10)."
    ::= { fwlStateEntry 12 }

fwlStateLogLevel OBJECT-TYPE
    SYNTAX      INTEGER { none (0), brief (1), detail (2), must (3) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The logging details of the session. Definition of Log level (0-3)
         with 3 being the highest level"
    DEFVAL      { brief }
    ::= { fwlStateEntry 13 }

fwlStateCallStatus OBJECT-TYPE
    SYNTAX      INTEGER { nonsip (0), hold (1), unhold (2) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object is effective when SIP is enabled. This indicates the
         status of the firewall session. The values hold and unhold are
         effective only for SIP calls."
    DEFVAL      { nonsip }
    ::= { fwlStateEntry 14 }

-- FIREWALL STATE TABLE END

-- Firewall Interface Statistics Table
-- This table gives information about the number of rules configured on
-- an interface, number of packets rejected, accepted on that
-- interface, etc.

fwlStatIfTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF FwlStatIfEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table is used to maintain the statistics of packets per
         interface."
    ::= { fwlStatistics 20 }

fwlStatIfEntry OBJECT-TYPE
    SYNTAX      FwlStatIfEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The individual entry in the above table.
" INDEX { fwlStatIfIfIndex } ::= { fwlStatIfTable 1 } FwlStatIfEntry ::= SEQUENCE { fwlStatIfIfIndex Integer32, fwlStatIfFilterCount Integer32, fwlStatIfPacketsDenied Counter32, fwlStatIfPacketsAccepted Counter32, fwlStatIfSynPacketsDenied Counter32, fwlStatIfIcmpPacketsDenied Counter32, fwlStatIfIpSpoofedPacketsDenied Counter32, fwlStatIfSrcRoutePacketsDenied Counter32, fwlStatIfTinyFragmentPacketsDenied Counter32, fwlStatIfFragmentPacketsDenied Counter32, fwlStatIfIpOptionPacketsDenied Counter32, fwlStatIfClear TruthValue, fwlIfTrapThreshold Integer32, fwlStatIfIPv6PacketsDenied Counter32, fwlStatIfIPv6PacketsAccepted Counter32, fwlStatIfIPv6IcmpPacketsDenied Counter32, fwlStatIfIPv6SpoofedPacketsDenied Counter32, fwlStatIfClearIPv6 TruthValue } fwlStatIfIfIndex OBJECT-TYPE SYNTAX Integer32 (1..1000) MAX-ACCESS not-accessible STATUS current DESCRIPTION " The interface number that uniquely identifies an entry in this table. The value ranges from 1 to 1000." ::= { fwlStatIfEntry 1 } fwlStatIfFilterCount OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION " The number of filters configured on an interface. " ::= { fwlStatIfEntry 2 } fwlStatIfPacketsDenied OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION " The number of packets dropped by the Firewall on a particular interface. This includes all fragmented packets, non-fragmented packets, packets with IP Options and packets without IP options, etc. " ::= { fwlStatIfEntry 3 } fwlStatIfPacketsAccepted OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION " The number of packets accepted by the Firewall on a particular interface. This includes all fragmented packets, non-fragmented packets, packets with IP Options and packets without IP options, etc. " ::= { fwlStatIfEntry 4 } fwlStatIfSynPacketsDenied OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION " The number of SYN packets denied on a particular interface. 
" ::= { fwlStatIfEntry 5 } fwlStatIfIcmpPacketsDenied OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION " The number of ICMP packets rejected by the Firewall on a particular interface. " ::= { fwlStatIfEntry 6 } fwlStatIfIpSpoofedPacketsDenied OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION " The number of packets rejected by the Firewall on a particular interface due to IP spoofing attack. " ::= { fwlStatIfEntry 7 } fwlStatIfSrcRoutePacketsDenied OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION " The number of packets rejected by the Firewall on a particular interface due to Source Routing attack. " ::= { fwlStatIfEntry 8 } fwlStatIfTinyFragmentPacketsDenied OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION " The number of packets rejected by the Firewall on a particular interface due to Tiny Fragment attack. " ::= { fwlStatIfEntry 9 } fwlStatIfFragmentPacketsDenied OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION " The number of fragmented packets rejected by the Firewall on a particular interface. " ::= { fwlStatIfEntry 10 } fwlStatIfIpOptionPacketsDenied OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION " The number of packets with IP options (source routing, record routing, timestamp) rejected or dropped by the Firewall on a particular interface. " ::= { fwlStatIfEntry 11 } fwlStatIfClear OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION " This field is used to clear the statistics of packets per interface. The default value is 'false'. When this object is set to true , the statistics of packets per interface is cleared and the value is reset to false. The get routine for this object always returns 'false'." 
    DEFVAL      { false }
    ::= { fwlStatIfEntry 12 }

fwlIfTrapThreshold OBJECT-TYPE
    SYNTAX      Integer32 (50..50000)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This Object sets the Interface threshold value such that traps
         will be generated when the number of packets denied exceed the
         given threshold"
    DEFVAL      { 50 }
    ::= { fwlStatIfEntry 13 }

fwlStatIfIPv6PacketsDenied OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of IPv6 packets dropped by the Firewall on a
         particular interface."
    ::= { fwlStatIfEntry 14 }

fwlStatIfIPv6PacketsAccepted OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of IPv6 packets accepted by the Firewall on a
         particular interface."
    ::= { fwlStatIfEntry 15 }

fwlStatIfIPv6IcmpPacketsDenied OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of ICMPv6 packets rejected by the Firewall on a
         particular interface."
    ::= { fwlStatIfEntry 16 }

fwlStatIfIPv6SpoofedPacketsDenied OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of IPv6 spoofed packets rejected by the Firewall on a
         particular interface due to spoofing attack."
    ::= { fwlStatIfEntry 17 }

fwlStatIfClearIPv6 OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This field is used to clear the statistics of IPv6 packets per
         interface. The default value is 'false'. When this object is set
         to true, the statistics for IPv6 packets per interface is cleared
         and the value is reset to false. The get routine for this object
         always returns 'false'."
    DEFVAL      { false }
    ::= { fwlStatIfEntry 18 }

-- fwlStatIfTable ends here

fwlStatClear OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This Object clears the global statistics. The default value is
         'false'. When this object is set to true, the global statistics
         is cleared and the value is reset to false.
         The get routine for this object always returns 'false'."
    DEFVAL      { false }
    ::= { fwlStatistics 21 }

fwlStatClearIPv6 OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object clears the global ipv6 statistics. The default value
         is 'false'. When this object is set to true, the global ipv6
         statistics is cleared and the value is reset to false. The get
         routine for this object always returns 'false'."
    DEFVAL      { false }
    ::= { fwlStatistics 22 }

fwlTrapThreshold OBJECT-TYPE
    SYNTAX      Integer32 (50..50000)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This Object sets the global threshold value such that traps will
         be generated when the number of packets denied exceed the given
         threshold"
    DEFVAL      { 50 }
    ::= { fwlStatistics 23 }

-- Firewall Traps Group.
-- This group defines the different types of Traps used by the Firewall Module.

fwlTrapControl OBJECT IDENTIFIER ::= { fwlTraps 1 }
fwlTrapTypes   OBJECT IDENTIFIER ::= { fwlTraps 0 }

-- Trap Controls

fwlTrapMemFailMessage OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The string to display where the memory failure has occurred. It
         may happen during allocation of Memory pool or when dynamic
         allocation fails. This string is also used to display message
         about the number of attacks occurred."
    ::= { fwlTrapControl 1 }

fwlTrapAttackMessage OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This string is also used to display message about the number of
         attacks occurred."
    ::= { fwlTrapControl 2 }

fwlIfIndex OBJECT-TYPE
    SYNTAX      RowPointer
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "fwlIfIfIndex is of type not-accessible and it cannot be used as
         object for notifications. So this object is defined to use for
         notifications. The value of this object is same as that of OID of
         fwlIfIfIndex appended with the interface index in which the
         Threshold has exceeded."
    ::= { fwlTrapControl 3 }

fwlTrapEvent OBJECT-TYPE
    SYNTAX      INTEGER { sizeexceeded(1), sizethresholdhit(2) }
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "sizeexceeded - Firewall Log Size Exceeded.
         sizethresholdhit - Firewall Log Size hit the threshold value."
    ::= { fwlTrapControl 4 }

fwlTrapEventTime OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (24))
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "This object specifies the date and time at which fwlTrapEvent
         was performed."
    ::= { fwlTrapControl 5 }

fwlTrapFileName OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Firewall Log filename in the trap message."
    ::= { fwlTrapControl 6 }

fwlIdsTrapEvent OBJECT-TYPE
    SYNTAX      INTEGER { sizeexceeded(1), sizethresholdhit(2) }
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "sizeexceeded - Firewall Log Size Exceeded.
         sizethresholdhit - Firewall Log Size hit the threshold value."
    ::= { fwlTrapControl 7 }

fwlIdsTrapEventTime OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (24))
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "This object specifies the date and time at which fwlTrapEvent
         was performed."
    ::= { fwlTrapControl 8 }

fwlIdsTrapFileName OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Firewall Log filename in the trap message."
    ::= { fwlTrapControl 9 }

fwlIdsAttackPktIp OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "This object specifies the IP address of the attack-packet
         identified by IDS."
    ::= { fwlTrapControl 10 }

-- Trap Types

fwlTrapMemoryFailure NOTIFICATION-TYPE
    OBJECTS     { fwlTrapMemFailMessage }
    STATUS      current
    DESCRIPTION
        "Trap which is sent for memory initialization failure or when
         Dynamic Allocation fails."
    ::= { fwlTrapTypes 1 }

fwlTrapAttackSummary NOTIFICATION-TYPE
    OBJECTS     { fwlTrapAttackMessage }
    STATUS      current
    DESCRIPTION
        "Trap which is sent when the number of attacks exceeds the limit
         value.
         The limit value is configurable."
    ::= { fwlTrapTypes 2 }

fwlTrapThresholdExceeded NOTIFICATION-TYPE
    OBJECTS     { fwlIfIndex, fwlStatIfPacketsDenied }
    STATUS      current
    DESCRIPTION
        "This Object specifies the Interface index in which the number of
         packets denied exceeds the threshold configured."
    ::= { fwlTrapTypes 3 }

fwlTrapMessage NOTIFICATION-TYPE
    OBJECTS     { fwlTrapEvent, fwlTrapEventTime, fwlTrapFileName }
    STATUS      current
    DESCRIPTION
        "This trap notifies the errors in Firewall Log file."
    ::= { fwlTrapTypes 4 }

fwlIdsTrapLogging NOTIFICATION-TYPE
    OBJECTS     { fwlIdsTrapEvent, fwlIdsTrapEventTime, fwlIdsTrapFileName }
    STATUS      current
    DESCRIPTION
        "This trap notifies the errors in IDS logging."
    ::= { fwlTrapTypes 5 }

fwlIdsTrapAttackPktFromIds NOTIFICATION-TYPE
    OBJECTS     { fwlIdsAttackPktIp }
    STATUS      current
    DESCRIPTION
        "This trap notifies the attack packet identified in IDS."
    ::= { fwlTrapTypes 6 }

-- BLACKLIST IP ADDRESS Table
-- This table is used to list the IP Addresses which have been blacklisted. It
-- supports both IPv4 and IPv6 addresses.

fwlDefnBlkListTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF FwlDefnBlkListEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table is a user configurable table. It is used for listing
         the IP Addresses that are black listed. The traffic from or to a
         blacklisted IP Address shall be dropped."
    ::= { fwlDefinition 9 }

fwlDefnBlkListEntry OBJECT-TYPE
    SYNTAX      FwlDefnBlkListEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The individual entry in the above table."
    INDEX       { fwlBlkListIpAddressType,
                  fwlBlkListIpAddress,
                  fwlBlkListIpMask }
    ::= { fwlDefnBlkListTable 1 }

FwlDefnBlkListEntry ::= SEQUENCE {
    fwlBlkListIpAddressType     InetAddressType,
    fwlBlkListIpAddress         InetAddress,
    fwlBlkListIpMask            InetAddressPrefixLength,
    fwlBlkListHitsCount         Counter32,
    fwlBlkListEntryType         INTEGER,
    fwlBlkListRowStatus         RowStatus
}

fwlBlkListIpAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The address type of fwlBlkListIpAddress (IPv4/Ipv6)"
    ::= { fwlDefnBlkListEntry 1 }

fwlBlkListIpAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IP Address is to be listed as Blacklist."
    ::= { fwlDefnBlkListEntry 2 }

fwlBlkListIpMask OBJECT-TYPE
    SYNTAX      InetAddressPrefixLength
    UNITS       "bits"
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IP Subnet mask for the IP address to be blacklisted."
    ::= { fwlDefnBlkListEntry 3 }

fwlBlkListHitsCount OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times BlackList is matched while processing the
         packet."
    ::= { fwlDefnBlkListEntry 4 }

fwlBlkListEntryType OBJECT-TYPE
    SYNTAX      INTEGER { static(0), dynamic(1) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object is used to display whether the entry is created by
         administrator or the entry is created dynamically through snort
         module.
         static(0)  - BlkListEntry is added by administrator.
         dynamic(1) - BlkListEntry is added dynamically through snort
                      module."
    ::= { fwlDefnBlkListEntry 5 }

fwlBlkListRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object allows entries to be created or deleted in this
         Table. The row status values are CREATE_AND_GO and DESTROY"
    ::= { fwlDefnBlkListEntry 6 }

-- WHITELIST IP ADDRESS Table
-- This table is used to list the IP Addresses which have been listed as White
-- list. It supports both IPv4 and IPv6 address.
fwlDefnWhiteListTable OBJECT-TYPE SYNTAX SEQUENCE OF FwlDefnWhiteListEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This is a user configurable table. This table is used for listing the IP Addresses that are to be listed as White list. The traffic from or to the IP Address in this White list shall be forwarded bypassing the firewall." ::= { fwlDefinition 10 } fwlDefnWhiteListEntry OBJECT-TYPE SYNTAX FwlDefnWhiteListEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The individual entry in the above table." INDEX { fwlWhiteListIpAddressType, fwlWhiteListIpAddress, fwlWhiteListIpMask } ::= { fwlDefnWhiteListTable 1 } FwlDefnWhiteListEntry ::= SEQUENCE { fwlWhiteListIpAddressType InetAddressType, fwlWhiteListIpAddress InetAddress, fwlWhiteListIpMask InetAddressPrefixLength, fwlWhiteListHitsCount Counter32, fwlWhiteListRowStatus RowStatus } fwlWhiteListIpAddressType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS not-accessible STATUS current DESCRIPTION "The address type of fwlDefnWhiteListEntry (IPv4/Ipv6)" ::= { fwlDefnWhiteListEntry 1 } fwlWhiteListIpAddress OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS not-accessible STATUS current DESCRIPTION "The IP Address is to be listed as White List." ::= { fwlDefnWhiteListEntry 2 } fwlWhiteListIpMask OBJECT-TYPE SYNTAX InetAddressPrefixLength UNITS "bits" MAX-ACCESS not-accessible STATUS current DESCRIPTION "The IP Subnet mask for the IP address to be added in White List." ::= { fwlDefnWhiteListEntry 3 } fwlWhiteListHitsCount OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of times WhiteList is matched while processing the packet." ::= { fwlDefnWhiteListEntry 4 } fwlWhiteListRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-write STATUS current DESCRIPTION "This object allows entries to be created or deleted in this Table. The row status values are CREATE_AND_GO and DESTROY." 
    ::= { fwlDefnWhiteListEntry 5 }

-- IPv6 DMZ Table
-- This table is used to define the De-Militarized Zone for IPv6, where no restrictions
-- apply.

fwlDefnIPv6DmzTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF FwlDefnIPv6DmzEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table is used for defining the De-Militarized Zone (DMZ)
         for IPv6. The host/hosts in this zone will have unrestricted
         access from the public/external network (Internet)."
    ::= { fwlDefinition 11 }

fwlDefnIPv6DmzEntry OBJECT-TYPE
    SYNTAX      FwlDefnIPv6DmzEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The individual entry in the above table."
    INDEX       { fwlDmzIpv6Index }
    ::= { fwlDefnIPv6DmzTable 1 }

FwlDefnIPv6DmzEntry ::= SEQUENCE {
    fwlDmzAddressType       InetAddressType,
    fwlDmzIpv6Index         InetAddress,
    fwlDmzIpv6RowStatus     RowStatus
}

fwlDmzAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The Address type of the ipv6 DMZ Host. This object is limited to
         IPv6 addresses."
    ::= { fwlDefnIPv6DmzEntry 1 }

fwlDmzIpv6Index OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The IPv6 Address which the DMZ is to be configured."
    ::= { fwlDefnIPv6DmzEntry 2 }

fwlDmzIpv6RowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object allows entries to be created or deleted in this
         table."
    ::= { fwlDefnIPv6DmzEntry 3 }

-- Firewall Rate Table
-- This table gives information about the rate limiting entries
-- corresponding to Protocol Type TCP/UDP/ICMP and then rate values
-- table.

fwlRateLimitTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF FwlRateLimitEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table gives information about the rate limiting entries
         corresponding to Protocol Type TCP/UDP/ICMP and then rate values
         applied on a particular interface, must be deleted first.
" ::= { fwlRateLimit 1 } fwlRateLimitEntry OBJECT-TYPE SYNTAX FwlRateLimitEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " The individual entry in the above table. " INDEX { fwlRateLimitPortIndex } ::= { fwlRateLimitTable 1 } FwlRateLimitEntry ::= SEQUENCE { fwlRateLimitPortIndex Integer32 , fwlRateLimitPortNumber Integer32 , fwlRateLimitPortType INTEGER, fwlRateLimitValue Integer32, fwlRateLimitBurstSize Integer32, fwlRateLimitTrafficMode INTEGER, fwlRateLimitRowStatus RowStatus } fwlRateLimitPortIndex OBJECT-TYPE SYNTAX Integer32 (0..100) MAX-ACCESS not-accessible STATUS current DESCRIPTION "Configures interface Rate Limit (Packet that can be transferred on a port at a particular second). This object's value will take effect on the interface speed. Based on the operating speed of the port, the rate limit will be applied. This value can also be affected by the metering. A value of zero(0) disable rate limiting i.e. sets the port to full speed." ::= {fwlRateLimitEntry 1} fwlRateLimitPortNumber OBJECT-TYPE SYNTAX Integer32 (0..1000) MAX-ACCESS read-write STATUS current DESCRIPTION "Configures the Port number for the protocol specified" ::= {fwlRateLimitEntry 2} fwlRateLimitPortType OBJECT-TYPE SYNTAX INTEGER { tcp (1), udp (2), icmp (3) } MAX-ACCESS read-write STATUS current DESCRIPTION "Configures the Protocol Type TCP , UDP ,ICMP" ::= { fwlRateLimitEntry 3} fwlRateLimitValue OBJECT-TYPE SYNTAX Integer32 (0..80000000) MAX-ACCESS read-write STATUS current DESCRIPTION "Configures interface Rate Limit (Packet that can be transferred on a port at a particular second). This object's value will take effect on the interface speed. Based on the operating speed of the port, the rate limit will be applied. This value can also be affected by the metering. A value of zero(0) disable rate limiting i.e. sets the port to full speed." 
::= {fwlRateLimitEntry 4} fwlRateLimitBurstSize OBJECT-TYPE SYNTAX Integer32 (0..80000000) MAX-ACCESS read-write STATUS current DESCRIPTION "Configures interface Burst Pkt Rate. (Packet Burst that can be transferred on a port at a particular second) This object's value will take effect on the interface speed. Based on the operating speed of the port, the burst size of the port will be applied. This value can also be affected by the metering. A value of zero(0) disable burst rate limiting i.e. sets the port burst rate limit to full speed." ::= {fwlRateLimitEntry 5 } fwlRateLimitTrafficMode OBJECT-TYPE SYNTAX INTEGER { pps (1), kbps (2), bps (3) } MAX-ACCESS read-write STATUS current DESCRIPTION "Configures the Traffic mode PPS , KBPS ,BPS" ::= { fwlRateLimitEntry 6} fwlRateLimitRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION " This object allows entries to be created or deleted in this table. " ::= { fwlRateLimitEntry 7 } -- Snork attack Table -- This table gives information about the configured ports -- for snork attack. fwlSnorkTable OBJECT-TYPE SYNTAX SEQUENCE OF FwlSnorkEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table gives information about the configured ports for snork attack" ::= { fwlSnork 1 } fwlSnorkEntry OBJECT-TYPE SYNTAX FwlSnorkEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " The individual entry in the above table. " INDEX { fwlSnorkPortNo } ::= { fwlSnorkTable 1 } FwlSnorkEntry ::= SEQUENCE { fwlSnorkPortNo Integer32 , fwlSnorkRowStatus RowStatus } fwlSnorkPortNo OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS not-accessible STATUS current DESCRIPTION " This mib holds the value of the port for which Snork is configured" ::= {fwlSnorkEntry 1} fwlSnorkRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION " This object allows entries to be created or deleted in this table. 
" ::= { fwlSnorkEntry 2 } -- uRPF Table -- This table gives information about the configured ports -- for uRPF . fwlRpfTable OBJECT-TYPE SYNTAX SEQUENCE OF FwlRpfEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table gives information about the configured ports for uRPF attack" ::= { fwlRpf 1 } fwlRpfEntry OBJECT-TYPE SYNTAX FwlRpfEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " The individual entry in the above table. " INDEX { fwlRpfInIndex } ::= { fwlRpfTable 1 } FwlRpfEntry ::= SEQUENCE { fwlRpfInIndex Integer32 , fwlRpfMode INTEGER , fwlRpfRowStatus RowStatus } fwlRpfInIndex OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS not-accessible STATUS current DESCRIPTION " This mib holds the value of the port interface index for which RPF is configured" ::= {fwlRpfEntry 1} fwlRpfMode OBJECT-TYPE SYNTAX INTEGER { disable(0), loose(1), strict(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "This mib holds the value of the uRPF mode either strict or loose The default value is 'disable'(0). " DEFVAL { disable } ::= { fwlRpfEntry 2 } fwlRpfRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION " This object allows entries to be created or deleted in this table. " ::= { fwlRpfEntry 3 } END
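-- Added example, not part of the Aricent MIB or its agent code: the three index
-- columns of fwlDefnWhiteListTable are not-accessible, so an audit of what bypasses
-- the firewall has to recover each network from the OID instance suffix returned
-- with fwlWhiteListHitsCount. It assumes standard SMIv2 index encoding with the
-- RFC 4001 address types; the prefix thresholds and the sample rows are constructed.

```python
import ipaddress

# InetAddressType values (RFC 4001) this table is described as carrying.
ADDR_LEN = {1: 4, 2: 16}  # ipv4(1) -> 4 octets, ipv6(2) -> 16 octets

def decode_whitelist_index(suffix):
    """Decode the sub-identifiers that follow a fwlDefnWhiteListEntry column OID.

    Layout from the INDEX clause: address type, length-prefixed address
    octets (InetAddress is a variable-length string), prefix length.
    """
    subids = [int(s) for s in suffix.strip(".").split(".")]
    if len(subids) < 3:
        raise ValueError("index too short")
    addr_type, length = subids[0], subids[1]
    if ADDR_LEN.get(addr_type) != length:
        raise ValueError(f"type {addr_type} does not match length {length}")
    if len(subids) != length + 3:
        raise ValueError("wrong number of sub-identifiers")
    octets = subids[2:2 + length]
    if any(o > 255 for o in octets):
        raise ValueError("address sub-identifier is not an octet")
    addr = ipaddress.ip_address(bytes(octets))
    # strict=False: tolerate host bits set below the stored prefix length.
    return ipaddress.ip_network(f"{addr}/{subids[-1]}", strict=False)

def audit_whitelist(rows, min_v4_prefix=24, min_v6_prefix=64):
    """Return (network, hits) for entries broader than the assumed policy."""
    findings = []
    for suffix, hits in rows:
        net = decode_whitelist_index(suffix)
        limit = min_v4_prefix if net.version == 4 else min_v6_prefix
        if net.prefixlen < limit:
            findings.append((str(net), hits))
    return findings

def sample_suffix(cidr):
    """Build a constructed index suffix for a CIDR string (sample data only)."""
    net = ipaddress.ip_network(cidr)
    packed = net.network_address.packed
    parts = [1 if net.version == 4 else 2, len(packed), *packed, net.prefixlen]
    return ".".join(str(p) for p in parts)

# Constructed sample: (index suffix, fwlWhiteListHitsCount) as a walk would yield.
SAMPLE_ROWS = [(sample_suffix("192.0.2.10/32"), 17), (sample_suffix("10.0.0.0/8"), 90412),
               (sample_suffix("0.0.0.0/0"), 3), (sample_suffix("2001:db8::/32"), 5)]

if __name__ == "__main__":
    for net, hits in audit_whitelist(SAMPLE_ROWS):
        print(f"broad whitelist entry {net}: matched {hits} times")
```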