Each defensive filter has a mode setting of block or simulate.
The defensive filter's mode is set when the filter is created or updated
by the ipsec command.
By default, defensive filters are in block mode, causing traffic
to be discarded. A defensive filter in simulate mode simulates a block
and lets you monitor the impact of enabling defensive filters without
discarding traffic.
When a packet matches a defensive filter and the mode is simulate,
a message is logged indicating that the packet would have been discarded,
but the packet is not discarded and IP filtering continues. The packet
can subsequently match a defensive filter that is in block mode and
be discarded, but the packet will not match another simulation filter.
The DMD configuration file also provides the mode settings Active,
Simulate, or Inactive on the DmStackConfig statement.
- Active enables defensive filtering and honors the mode setting
of the individual filters.
- Simulate enables defensive filtering and overrides the mode setting
of the individual filters; simulate mode is used for all defensive
filters installed in the stack.
- Inactive disables defensive filtering.
Table 1 summarizes the interaction
between the mode setting on the DmStackConfig statement and the mode
setting in individual filters set by the ipsec command.
Table 1. Interaction between the mode setting on the DmStackConfig statement and the mode setting in individual filters

| Individual filter mode set by the ipsec command | DmStackConfig Mode Active | DmStackConfig Mode Simulate | DmStackConfig Mode Inactive |
|---|---|---|---|
| Block | Block the packet | Simulate blocking the packet | No defensive filters |
| Simulate | Simulate blocking the packet | Simulate blocking the packet | No defensive filters |
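The mode interaction in Table 1 and the per-packet behaviour described above (a simulate match is logged and filtering continues, a later block-mode filter can still discard the packet, and the packet does not match a second simulation filter) as an added Python model. This is example code, not part of the z/OS Communications Server documentation or product: the packet representation, the filter match predicates, the sample addresses and ports, and the log text standing in for syslog message EZD1722I are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Packet representation is an assumption for this model: a dict with the
# constructed fields 'src' and 'dport'.
Packet = Dict[str, object]


@dataclass
class DefensiveFilter:
    """A defensive filter as described on the page: it has a mode of block or simulate."""
    name: str
    matches: Callable[[Packet], bool]  # match predicate (assumed; real filters use ipsec conditions)
    mode: str = "block"                # default mode when a filter is added by the ipsec command


@dataclass
class Stack:
    """A TCP/IP stack with its DmStackConfig Mode and its installed defensive filters, in order."""
    dm_mode: str                                          # "Active", "Simulate" or "Inactive"
    filters: List[DefensiveFilter] = field(default_factory=list)


def effective_mode(stack_mode: str, filter_mode: str) -> Optional[str]:
    """Table 1: Active honours the filter's own mode, Simulate overrides it with
    simulate, and Inactive means no defensive filtering at all (returned as None)."""
    if stack_mode == "Inactive":
        return None
    if stack_mode == "Simulate":
        return "simulate"
    if stack_mode == "Active":
        if filter_mode not in ("block", "simulate"):
            raise ValueError(f"unknown filter mode {filter_mode!r}")
        return filter_mode
    raise ValueError(f"unknown DmStackConfig Mode {stack_mode!r}")


def evaluate(stack: Stack, packet: Packet) -> Tuple[str, List[str]]:
    """Walk the defensive filters in order and return (verdict, log_lines).

    verdict is "discard" when a block-mode filter matched, otherwise "continue"
    (IP filtering would go on to the stack's normal filter rules).
    """
    log: List[str] = []
    simulated = False  # set once a simulate-mode filter has matched this packet
    for f in stack.filters:
        mode = effective_mode(stack.dm_mode, f.mode)
        if mode is None:
            break                      # Inactive: no defensive filters apply
        if mode == "simulate" and simulated:
            continue                   # the packet will not match another simulation filter
        if not f.matches(packet):
            continue
        if mode == "block":
            log.append(f"discarded by defensive filter {f.name}: "
                       f"src={packet['src']} dport={packet['dport']}")
            return "discard", log
        # Constructed stand-in for syslog message EZD1722I: logged, not discarded
        log.append(f"EZD1722I (stand-in): would have been discarded by defensive filter "
                   f"{f.name}: src={packet['src']} dport={packet['dport']}")
        simulated = True
    return "continue", log


# Constructed sample filters and packet (not from the page); TEST-NET addresses
SAMPLE_FILTERS = [
    DefensiveFilter("telnet_probe", lambda p: p["dport"] == 23, mode="simulate"),
    DefensiveFilter("bad_host", lambda p: p["src"] == "192.0.2.44", mode="block"),
    DefensiveFilter("ssh_probe", lambda p: p["dport"] == 22, mode="simulate"),
]
SAMPLE_PACKET: Packet = {"src": "192.0.2.44", "dport": 23}


def run_scenarios() -> Dict[str, Tuple[str, int]]:
    """Run the same packet against the same filters under each DmStackConfig Mode.

    Returns {mode: (verdict, number of defensive-filter log lines)}.
    """
    results: Dict[str, Tuple[str, int]] = {}
    for dm_mode in ("Active", "Simulate", "Inactive"):
        verdict, log = evaluate(Stack(dm_mode, SAMPLE_FILTERS), SAMPLE_PACKET)
        results[dm_mode] = (verdict, len(log))
    return results


if __name__ == "__main__":
    for mode, (verdict, n) in run_scenarios().items():
        print(f"DmStackConfig Mode {mode:8s}: verdict={verdict}, defensive log lines={n}")
```

Under Mode Active the sample packet first matches the simulate filter (logged, filtering continues) and is then discarded by the block filter, so two lines are logged; under Mode Simulate the block filter is treated as simulate, and because the packet has already matched a simulation filter it is not matched again, so only one line is logged and the packet continues; under Mode Inactive nothing is logged.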
Tips:
- You might want to specify Mode Simulate on the DmStackConfig statement
when you are first implementing defensive filtering. All defensive
filters in the TCP/IP stack will be treated as if the mode were simulate.
When a packet matches a defensive filter, syslog message EZD1722I
is generated and IP filtering continues. Defensive filters added to
this stack retain the mode setting with which they were added, block
or simulate. In most cases, you should use the default mode, block,
on the individual filter.
- After completing defensive filter testing in simulate mode, specify
Mode Active on the DmStackConfig statement. If there are defensive
filters installed in the stack when the mode is changed from simulate
to active, the mode on the individual defensive filters is used.
- If defensive filtering is active (DmStackConfig statement with
Mode Active) and you want to implement and test additional automation,
you can revert to an overall mode of simulate for the whole stack.
However, you might want only the defensive filters added by the new automation
to have a mode of simulate. The automation action can add individual
defensive filters with a mode of simulate using the mode keyword on
the ipsec -F add command. After testing, you can
update the automation action to add defensive filters with a mode
of block using the mode keyword on the ipsec -F add command.
For more information about the DmStackConfig statement, see z/OS Communications Server: IP Configuration
Reference. For more information about adding or updating
a defensive filter with the -F option of the ipsec command, see z/OS Communications Server: IP System Administrator's
Commands.