6.2.2.16.7. packet-filtering

6.2.2.16.7.1. Introduction

The packet-filtering command of the set advanced-configuration subgroup enables specifying static rules for filtering the flows captured by the capture interfaces.

This makes it possible to exclude flows that:

  • are not analysable

  • could saturate the device's resources (CPUs, etc.)

Below are the configuration options:

  • Creating a filter rule
    To create a filter rule, the following steps must be taken:

    • Set the native vlan

      The set advanced-configuration packet-filtering interface mon1 change-native-vlan command enables assigning a VLAN number (802.1q, or 802.1ad for nested VLANs) to untagged frames, i.e. frames that do not carry a VLAN tag.

    • Define the capture interface (interface keyword)

    • Set the VLAN (vlan keyword)

      The syntax for 802.1AD (Q-in-Q) support is X:Y, where:

      • X is the outer TAG, which can be tagged as 0x88A8 (802.1AD)

      • Y is the inner TAG, which can be tagged as 0x9100, 0x9200 or 0x8100 (Cisco)

    • Specify the flow (prefix, port-range, protocol, ciphered-protocols)

    • The confirm keyword confirms the command directly, without the Do you want to continue? [y/N] prompt shown in 6.2.2.16.7.5

  • Deleting a filter rule
    To delete a filter rule, follow these steps:

    • Identify the rule ID using the command: show advanced-configuration packet-filtering.

    • Delete a single rule with the rule ID: set advanced-configuration packet-filtering delete ID.

    • Delete a group of rules with the syntax: set advanced-configuration packet-filtering delete ID_BEGIN-ID_END.

      Note that the remaining rules are renumbered after a deletion (in the example in 6.2.2.16.7.6, deleting rule 4 shifts the former rules 7-10 to 6-9), so run show advanced-configuration packet-filtering again before deleting further rules by ID.

Note

Packet-filtering functionality is not supported if the MTU > 3000.


6.2.2.16.7.2. Prerequisites

  • User: setup

  • Dependencies: the detection engine must be switched off


6.2.2.16.7.3. Command

To set the native vlan: set advanced-configuration packet-filtering interface {mon0|mon1|mon2|mon3} change-native-vlan VLAN_ID confirm

To add a rule to the monX capture interface dropping the flows of vlan VLAN_ID that match a network prefix and a port range: set advanced-configuration packet-filtering interface {mon0|mon1|mon2|mon3} drop vlan VLAN_ID prefix PREFIX_NETWORK port-range {BEGIN:END} confirm

To add a rule to the monX capture interface filtering the encrypted flows of vlan VLAN_ID: set advanced-configuration packet-filtering interface {mon0|mon1|mon2|mon3} drop ciphered-protocols vlan VLAN_ID confirm

To delete a single rule with the rule ID: set advanced-configuration packet-filtering delete ID

To delete a group of rules by ID range: set advanced-configuration packet-filtering delete {BEGIN-END}


6.2.2.16.7.4. Example of adding a rule filtering the encrypted flows of vlan 110 on the mon1 capture interface

  • Enter the following command.

    (gcap-cli) set advanced-configuration packet-filtering interface mon1 drop ciphered-protocols vlan 110 confirm
    
  • Validate.
    The system displays the result.

    Adding rules:
    - iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto ESP
    - iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto AH
    - iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto L2TP
    - iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto GRE
    - iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 22:22
    - iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 443:443
    - iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 465:465
    - iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto UDP range 500:500
    - iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 993:993
    - iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 995:995
    - iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto UDP range 4500:4500
    

6.2.2.16.7.5. Example of defining the native vlan

  • Enter the following command.

    (gcap-cli) set advanced-configuration packet-filtering interface mon1 change-native-vlan 10
    
  • Validate.
    The system displays the result.

    The following rules will be created:
       - iface mon1 native vlan 10
    
    Do you want to continue? [y/N]
    
  • Enter y


6.2.2.16.7.6. Example of deleting a filter rule

  • Enter the following command.

    (gcap-cli) show advanced-configuration packet-filtering
    
  • Validate.
    The system displays the result.

    Current XDP filters:
        - 0: iface mon1 native vlan 10
        - 1: iface mon2 native vlan 1
        - 2: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 22:22
        - 3: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 443:443
        - 4: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 465:465
        - 5: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 993:993
        - 6: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 995:995
        - 7: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto UDP range 500:500
        - 8: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto UDP range 4500:4500
        - 9: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto GRE
        - 10: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto ESP
        - 11: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto AH
        - 12: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto L2TP
    
  • Enter the following command.

    (gcap-cli) set advanced-configuration packet-filtering delete 4 confirm
    
  • Validate.

    Deleting the following rules:
      - iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 465:465
    
  • Enter the following command.

    (gcap-cli) set advanced-configuration packet-filtering delete 6-9 confirm
    
  • Validate.

    Deleting the following rules:
      - iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto UDP range 500:500
      - iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto UDP range 4500:4500
      - iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto GRE
      - iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto ESP
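As an added example (not part of the GCap documentation or product code), the following Python parses the rule listing printed by show advanced-configuration packet-filtering and reports which rules exclude a given flow from capture, so an analyst can check which traffic the probe no longer sees once filters are in place. The rule-line format is assumed from the listing shown above, and the sample listing is constructed from it.

```python
import ipaddress
import re

# Constructed sample taken from the "Current XDP filters:" listing above.
SHOW_OUTPUT = """Current XDP filters:
    - 0: iface mon1 native vlan 10
    - 2: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 22:22
    - 3: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto TCP range 443:443
    - 7: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto UDP range 500:500
    - 9: iface mon1 drop vlan 110 prefix 0.0.0.0/0 proto GRE
"""

# Rule format assumed from the listing; "range" is absent for GRE/ESP/AH/L2TP.
DROP_RULE = re.compile(
    r"-\s*(?P<id>\d+):\s*iface\s+(?P<iface>\S+)\s+drop\s+vlan\s+(?P<vlan>\S+)"
    r"\s+prefix\s+(?P<prefix>\S+)\s+proto\s+(?P<proto>\S+)"
    r"(?:\s+range\s+(?P<lo>\d+):(?P<hi>\d+))?\s*$"
)

def parse_drop_rules(text):
    """Return the drop rules of the listing as dicts, in display order."""
    rules = []
    for line in text.splitlines():
        m = DROP_RULE.search(line)  # "native vlan" lines do not match
        if m is None:
            continue
        lo, hi = m.group("lo"), m.group("hi")
        rules.append({
            "id": int(m.group("id")),
            "iface": m.group("iface"),
            "vlan": m.group("vlan"),  # "110", or "X:Y" for Q-in-Q
            "prefix": ipaddress.ip_network(m.group("prefix")),
            "proto": m.group("proto").upper(),
            "ports": (int(lo), int(hi)) if lo is not None else None,
        })
    return rules

def dropped_by(rules, iface, vlan, ip, proto, port=None):
    """IDs of the rules that exclude this flow from capture (empty: still seen)."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for r in rules:
        if (r["iface"], r["vlan"], r["proto"]) != (iface, str(vlan), proto.upper()):
            continue
        if addr not in r["prefix"]:
            continue
        if r["ports"] and (port is None or not r["ports"][0] <= port <= r["ports"][1]):
            continue
        hits.append(r["id"])
    return hits
```

A flow that matches no rule is still captured and passed to analysis; the rule IDs returned are those of the listing that was parsed, so re-parse after every deletion.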