
    Understanding APE Rulebase Actions

    Actions are the responses the IDP Series device applies to sessions that match a rule's source/destination/service or source/destination/application condition.

    Table 1 describes the actions you can specify for application policy enforcement (APE) rulebase rules.

    Table 1: IDP Rulebase Actions (columns: Action, Description)

    None

    Does not perform rate limiting. Logs generated for traffic that match this rule display Accepted.

    Drop Connection

    Drops the connection without sending an RST packet to the sender, thereby preventing the traffic from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing.

    Logs generated for traffic that match this rule display Drop Connection.

    Note: In sniffer mode, this action has no effect because the IDP Series device is not in the path of network traffic.

    Close Client

    Closes the connection to the client but not to the server.

    Logs generated for traffic that match this rule display Close Client.

    Note: In sniffer mode, the IDP Series device is not in the path of network traffic. However, if you use ACM to configure a sniffer mode reset interface, the IDP Series device can send an RST packet to both the client and the server, but it does not close the connection.

    Close Server

    Closes the connection to the server but not to the client.

    Logs generated for traffic that match this rule display Close Server.

    Note: In sniffer mode, the IDP Series device is not in the path of network traffic. However, if you use ACM to configure a sniffer mode reset interface, the IDP Series device can send an RST packet to both the client and the server, but it does not close the connection.

    Close Client and Server

    Closes the connection and sends an RST packet to both the client and the server.

    Logs generated for traffic that match this rule display Close.

    Note: In sniffer mode, the IDP Series device is not in the path of network traffic. However, if you use ACM to configure a sniffer mode reset interface, the IDP Series device can send an RST packet to both the client and the server, but it does not close the connection.

    DiffServ Marking

    Assigns the DiffServ value you specify to the packet. This action is useful when your network has a class of service (CoS) design, and you want to use the IDP Series device to rewrite the CoS code point based on APE rules processing. The CoS rules you have implemented for the next devices in the network path ultimately determine the effect on the transmission rate.

    Logs generated for traffic that match this rule display DiffServ.

    Note: In sniffer mode, this action has no effect because the IDP Series device is not in the path of network traffic.

    Rate Limit

    Rate limits set an aggregate limit for all matching sessions. If a session matches an APE rule in which a rate limit has been set, the IDP engine performs a rate-limit check. If the limit is not reached, the IDP Series device forwards the packets. If the limit is reached, the IDP Series device behaves as if no bandwidth is available: it drops packets until the aggregate bandwidth falls below the limit. When the IDP Series device drops packets, the TCP or UDP endpoints identify the packet loss and slow the transmission rate.

    The rate limits that are best suited for your business case depend on the bandwidth for your links. If you have a 1-Gbps link and want no more than 10% available to peer-to-peer traffic, the sum of the rate limits you specify for all peer-to-peer rules must be less than 102.4 Mbps (in each direction).

    If you implement user-role-based rules, you can apply rate limiting to all users who belong to the specified role or to individual users who belong to the specified role. By default, rate limiting is applied to all users who belong to the specified role. In this case, you would configure a larger limit. You can change this setting with the command-line interface. If you change the default to enable rate limiting per user, configure a smaller limit.

    You configure separate rate limits for client-to-server and server-to-client directions. For peer-to-peer traffic, we recommend that you set the same rate for each direction.

    Note: For TFTP traffic, all traffic is considered client-to-server traffic. A TFTP server responds to get requests by establishing an ephemeral port from which to send the reply. In this case, both directions appear to the IDP Series device as client-to-server flows. We recommend you set the same rate for each direction.

    Logs generated for traffic that match this rule display Rate Limit and traffic direction (c2s or s2c).

    Note: In sniffer mode, this action has no effect because the IDP Series device is not in the path of network traffic.

    DiffServ Marking & Rate Limiting

    Takes both actions described above.
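    The budgeting rule and the aggregate-versus-per-user behaviour of the Rate Limit action, modeled as an added example (this is illustrative code, not Juniper's IDP implementation). It assumes a 1-second accounting window, that 1 Gbps is 1024 Mbps (which is how the page arrives at 102.4 Mbps), and a per-user key only when per-user limiting is enabled.

```python
"""Toy model of the APE Rate Limit action (added example, not Juniper code)."""
from collections import defaultdict

LINK_MBPS = 1024   # 1-Gbps link, counted as 1024 Mbps to match the page's 102.4 Mbps figure
P2P_SHARE = 0.10   # at most 10% of the link for peer-to-peer traffic


def p2p_budget_ok(rule_limits):
    """rule_limits: {rule_name: (c2s_mbps, s2c_mbps)} for every peer-to-peer rule.

    The page requires the SUM of limits in EACH direction to stay below
    10% of the link, i.e. below 102.4 Mbps here."""
    cap = LINK_MBPS * P2P_SHARE
    c2s_total = sum(limits[0] for limits in rule_limits.values())
    s2c_total = sum(limits[1] for limits in rule_limits.values())
    return c2s_total < cap and s2c_total < cap


class ApeRateLimiter:
    """Aggregate limiter for one APE rule.

    By default all matching sessions share one budget per direction (so the
    configured limit should be larger); with per_user=True each user gets its
    own budget (so the configured limit should be smaller)."""

    def __init__(self, c2s_mbps, s2c_mbps, per_user=False):
        # bytes allowed per 1-second window, per direction
        self.limit_bytes = {"c2s": c2s_mbps * 1e6 / 8, "s2c": s2c_mbps * 1e6 / 8}
        self.per_user = per_user
        self.used = defaultdict(float)   # (window, direction, user-or-None) -> bytes
        self.logs = []                   # log lines modeled on the page's "Rate Limit c2s"

    def packet(self, t, direction, nbytes, user=None, tftp=False):
        """Return 'forward' or 'drop' for one packet seen at time t (seconds)."""
        if tftp:
            direction = "c2s"   # page note: TFTP replies also count as client-to-server
        key = (int(t), direction, user if self.per_user else None)
        if self.used[key] + nbytes > self.limit_bytes[direction]:
            # Limit reached: behave as if no bandwidth is left and drop the packet;
            # the endpoints notice the loss and slow down.
            self.logs.append(f"Rate Limit {direction}")
            return "drop"
        self.used[key] += nbytes
        return "forward"
```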


    Published: 2011-02-08