6.2.2.16.7. packet-filtering
6.2.2.16.7.1. Introduction
The packet-filtering command of the set advanced-configuration subgroup enables specifying static rules for filtering the flows captured by the capture interfaces.
This enables excluding the flows:
- that are not analysable 
- that could saturate the device's resources (CPUs, etc.) 
Below are the configuration options:
- creating a filter rule
  To create a filter rule, the following steps must be taken:
  - set the native vlan: the set advanced-configuration packet-filtering interface mon1 change-native-vlan command assigns an 802.1q or 802.1ad (nested VLANs) VLAN number to untagged frames, i.e. frames that do not carry a VLAN tag.
  - define the capture interface: interface
  - set the vlan: vlan. The syntax for 802.1AD (Q-in-Q) support is X:Y, where:
    - X is the "outer TAG". The outer TAG can be tagged as 0x88A8 (802.1AD).
    - Y is the "inner TAG". The inner TAG can be tagged as 0x9100, 0x9200 or 0x8100 (Cisco).
  - specify the flow: prefix, port-range, protocol or ciphered-protocols
  - the confirm keyword confirms the command; without it the system asks for confirmation before creating the rules (see 6.2.2.16.7.5)

- deleting a filter rule
  To delete a filter rule, follow these steps:
  - find the rule ID with the command: show advanced-configuration packet-filtering
  - delete a single rule by its ID: set advanced-configuration packet-filtering delete ID
  - delete a group of rules by ID range: set advanced-configuration packet-filtering delete ID_BEGIN-ID_END
  Rule IDs shift after a deletion (in 6.2.2.16.7.6, deleting 6-9 after deleting 4 removes the rules that were listed as 7 to 10), so check the IDs again with show before the next deletion.

Note
Packet-filtering functionality is not supported if the MTU > 3000.
6.2.2.16.7.2. Prerequisites
- User: setup 
- Dependencies: the detection engine must be switched off 
6.2.2.16.7.3. Command
To set the native vlan:
set advanced-configuration packet-filtering interface {mon0|mon1|mon2|mon3} change-native-vlan VLAN_ID confirm
To add a rule to the monx capture interface dropping the flows of vlan ID that match the prefix and port range:
set advanced-configuration packet-filtering interface {mon0|mon1|mon2|mon3} drop vlan VLAN_ID prefix PREFIX_NETWORK port-range {BEGIN:END} confirm
To add a rule to the monx capture interface for filtering encrypted flows in vlan ID:
set advanced-configuration packet-filtering interface {mon0|mon1|mon2|mon3} drop ciphered-protocols vlan VLAN_ID confirm
To delete a single rule with the rule ID:
set advanced-configuration packet-filtering delete ID
To delete a group of rules by ID range:
set advanced-configuration packet-filtering delete {BEGIN-END}
6.2.2.16.7.4. Example of adding an encrypted flow filtering rule of vlan 110 to the mon1 capture interface
- Enter the following command:
  (gcap-cli) set advanced-configuration packet-filtering interface mon1 drop ciphered-protocols vlan 110 confirm
- Validate. The system displays the result:
  Adding rules:
  iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto ESP
  iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto AH
  iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto L2TP
  iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto GRE
  iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 22:22
  iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 443:443
  iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 465:465
  iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto UDP range 500:500
  iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 993:993
  iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 995:995
  iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto UDP range 4500:4500
6.2.2.16.7.5. Example of defining the native vlan
- Enter the following command:
  (gcap-cli) set advanced-configuration packet-filtering interface mon1 change-native-vlan 10
- Validate. The system displays the result:
  The following rules will be created:
  iface mon1 native vlan 10
  Do you want to continue? [y/N]
- Enter y.
6.2.2.16.7.6. Example of deleting a filter rule
- Enter the following command:
  (gcap-cli) show advanced-configuration packet-filtering
- Validate. The system displays the result:
  Current XDP filters:
  0: iface mon1 native vlan 10
  1: iface mon2 native vlan 1
  2: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 22:22
  3: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 443:443
  4: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 465:465
  5: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 993:993
  6: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 995:995
  7: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto UDP range 500:500
  8: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto UDP range 4500:4500
  9: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto GRE
  10: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto ESP
  11: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto AH
  12: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto L2TP
- Enter the following command:
  (gcap-cli) set advanced-configuration packet-filtering delete 4 confirm
- Validate. The system displays the result:
  Deleting the following rules:
  iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 465:465
- Enter the following command:
  (gcap-cli) set advanced-configuration packet-filtering delete 6-9 confirm
- Validate. The system displays the result:
  Deleting the following rules:
  iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto UDP range 500:500
  iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto UDP range 4500:4500
  iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto GRE
  iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto ESP
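The rule listing and the two deletions above, modelled in Python as an added example (not GCap code): it parses the IDs as the CLI shows them, replays delete with the renumbering the example implies, and reports which captured flows a rule set would drop, so that a filter meant to shed encrypted traffic can be checked against flows the probe must still analyse before it is applied. All function names are this example's own, and the match direction for prefix and port range is an assumption that the page does not state.

```python
import ipaddress
import re
from dataclasses import dataclass
# One entry of the 'Current XDP filters' listing, as the CLI prints drop rules.
RULE_RE = re.compile(r"iface (\S+) drop vlan (\d+) prefix (\S+) proto (\S+)"
                     r"(?: range (\d+):(\d+))?")

@dataclass(frozen=True)
class DropRule:
    iface: str
    vlan: int
    prefix: ipaddress.IPv4Network
    proto: str
    ports: "tuple | None"  # inclusive (begin, end) for TCP/UDP rules, None otherwise

    def matches(self, iface, vlan, src, dst, proto, sport=None, dport=None):
        # Assumption (not stated on the page): prefix may match either endpoint, range either port.
        if (iface, vlan, proto) != (self.iface, self.vlan, self.proto):
            return False
        if not any(ipaddress.ip_address(a) in self.prefix for a in (src, dst)):
            return False
        return self.ports is None or any(
            p is not None and self.ports[0] <= p <= self.ports[1] for p in (sport, dport))

def parse_entry(text):
    """'iface ... drop ...' -> DropRule; anything else (native vlan) is kept as text."""
    r = RULE_RE.fullmatch(text)
    if not r:
        return text
    iface, vlan, prefix, proto, lo, hi = r.groups()
    return DropRule(iface, int(vlan), ipaddress.ip_network(prefix), proto,
                    (int(lo), int(hi)) if lo else None)

def parse_filters(listing):
    """Parse 'show advanced-configuration packet-filtering' output into {id: entry},
    native vlan entries included so that IDs stay aligned with what the CLI shows."""
    entries = (re.match(r"\s*(\d+): (.*)", line) for line in listing.splitlines())
    return {int(m.group(1)): parse_entry(m.group(2).strip()) for m in entries if m}

def delete_rules(rules, begin, end=None):
    """Apply 'delete BEGIN' or 'delete BEGIN-END', renumbering the survivors from 0,
    which is what the two deletions in 6.2.2.16.7.6 imply (6-9 removed the former 7-10)."""
    end = begin if end is None else end
    kept = [r for i, r in sorted(rules.items()) if not begin <= i <= end]
    return dict(enumerate(kept))

def first_drop(rules, **flow):
    """Lowest rule ID that drops the flow, or None if the probe still captures it."""
    return next((i for i, r in sorted(rules.items())
                 if isinstance(r, DropRule) and r.matches(**flow)), None)
```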