General Tests

The following scenario shows how to place an OSDx router between two machines to allow them to communicate with each other and to provide protection when accessing one another and the external WAN.

[Figure: topology diagram (topology26.svg)]

Test Simple Ruleset With Queues

Description

Configures the three DUTs that will be used and checks that they are capable of pinging each other but not of connecting via SSH, since these connections are being dropped by the firewall.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset file 'running://base.rules'
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy FW_PLAN rule 1 action enqueue FW_Q
set traffic queue FW_Q elements 1

Step 2: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.530 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.530/0.530/0.530/0.000 ms

Step 3: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.439 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.439/0.439/0.439/0.000 ms

Step 4: Expect a failure in the following command: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:

admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1

Step 5: Expect a failure in the following command: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:

admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1

Step 6: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+[Drop].+(SSH not allowed in this network).+$
10/10/2025-21:16:46.966200  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:43706 -> 40.0.0.2:22
10/10/2025-21:16:47.113981  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:43706 -> 40.0.0.2:22
10/10/2025-21:16:47.640093  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:43706 -> 40.0.0.2:22
10/10/2025-21:16:47.798164  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:43706 -> 40.0.0.2:22
10/10/2025-21:16:49.206037  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:50810 -> 20.0.0.2:22
10/10/2025-21:16:49.368055  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:43706 -> 40.0.0.2:22
10/10/2025-21:16:49.462264  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:43706 -> 40.0.0.2:22
10/10/2025-21:16:49.848393  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:50810 -> 20.0.0.2:22
10/10/2025-21:16:52.790192  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:43706 -> 40.0.0.2:22
10/10/2025-21:16:52.920041  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:43706 -> 40.0.0.2:22
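A parser for the fast-log lines checked in Step 6, as an added Python example rather than OSDx code (function names are mine; IPv4 addresses assumed). It splits each event into action, sid, message and 5-tuple so a check can insist on a literal [Drop] tag, which the step's regular expression cannot: in that pattern [Drop] is a character class and also matches the [wDrop] lines seen in monitor mode.

```python
import re
from collections import Counter

# One "fast" log event as printed by "service firewall FW show logging fast".
# The action tag is optional: "[Drop]" (inline drop), "[wDrop]" (monitor mode: would
# have dropped) or absent (alert/pass rule, packet forwarded). IPv4 addresses assumed.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>w?Drop)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s*$"
)

def parse_fast_line(line):
    """Return the event fields as a dict, or None for a line that is not a fast-log event."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["action"] = ev["action"] or "alert"      # no tag: the packet was not dropped
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        ev[key] = int(ev[key])
    return ev

def parse_fast_log(text):
    return [ev for ev in map(parse_fast_line, text.splitlines()) if ev]

def count_by_action(events, msg):
    """Events carrying this message, counted as really dropped, would-be dropped or alert-only."""
    return Counter(ev["action"] for ev in events if ev["msg"] == msg)

def confirm_dropped(events, msg):
    """True only if the message was logged with a real [Drop] and never as [wDrop] or plain alert."""
    c = count_by_action(events, msg)
    return c["Drop"] > 0 and c["wDrop"] == 0 and c["alert"] == 0

def distinct_flows(events, msg):
    """Collapse the repeated lines per (src, sport, dst, dport): they are the client retrying."""
    return {(ev["src"], ev["sport"], ev["dst"], ev["dport"]) for ev in events if ev["msg"] == msg}

def page_regex_hits(text, pattern=r"(?m)^.+[Drop].+(SSH not allowed in this network).+$"):
    """The page's own check. [Drop] here is a character class (one of D, r, o, p), so the
    pattern also matches [wDrop] lines; it cannot prove that a packet was dropped."""
    return len(re.findall(pattern, text))

# Sample lines copied from the page: three [Drop] lines (Step 6 above), one [wDrop] line
# (IDS-mode test), one ICMP drop (action-order test) and one alert-only line (patch test).
SAMPLE_LOG = """\
10/10/2025-21:16:46.966200  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:43706 -> 40.0.0.2:22
10/10/2025-21:16:47.113981  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:43706 -> 40.0.0.2:22
10/10/2025-21:16:49.206037  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:50810 -> 20.0.0.2:22
10/10/2025-21:18:20.203898  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:46548 -> 40.0.0.2:22
10/10/2025-21:17:23.977433  [Drop] [**] [1:30:0] ICMP traffic dropped [**] [Classification: (null)] [Priority: 3] {ICMP} 40.0.0.2:8 -> 20.0.0.2:0
10/10/2025-21:19:28.013917  [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:50010 -> 20.0.0.2:22
"""

if __name__ == "__main__":
    events = parse_fast_log(SAMPLE_LOG)
    msg = "SSH not allowed in this network"
    print(count_by_action(events, msg), confirm_dropped(events, msg))
    print(distinct_flows(events, msg))
    print("page regex hits:", page_regex_hits(SAMPLE_LOG))
```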

Test Simple Ruleset With Custom Action-order

Description

Configures the three DUTs that will be used and checks that they are initially capable of pinging each other, but that after the priority of rule actions is changed, ICMP traffic is no longer passed but dropped by the firewall.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset file 'running://base.rules'
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy FW_PLAN rule 1 action enqueue FW_Q
set traffic queue FW_Q elements 1

Step 2: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.469 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.469/0.469/0.469/0.000 ms

Step 3: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.401 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.401/0.401/0.401/0.000 ms

Step 4: Modify the following configuration lines in DUT0 :

set service firewall FW action-order 'drop, reject, alert, pass'

Step 5: Expect a failure in the following command: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 6: Expect a failure in the following command: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 7: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+[Drop].+(ICMP traffic dropped).+$
10/10/2025-21:17:23.977433  [Drop] [**] [1:30:0] ICMP traffic dropped [**] [Classification: (null)] [Priority: 3] {ICMP} 40.0.0.2:8 -> 20.0.0.2:0
10/10/2025-21:17:25.064575  [Drop] [**] [1:30:0] ICMP traffic dropped [**] [Classification: (null)] [Priority: 3] {ICMP} 20.0.0.2:8 -> 40.0.0.2:0
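Why the ping succeeds in Steps 2 and 3 but fails after Step 4, as an added Python example (not OSDx code; parse_action_order and effective_action are names chosen here): with Suricata's default action order a matching pass rule wins over a matching drop rule, and the configured 'drop, reject, alert, pass' order reverses that. The sid 2 and sid 3 rules are the page's; the sid 30 drop rule is an assumption reconstructed from the [1:30:0] log events, since its text is not printed on the page.

```python
import re

# Suricata's default order; OSDx exposes the same setting as
# "set service firewall FW action-order '<a>, <b>, <c>, <d>'".
DEFAULT_ORDER = ("pass", "drop", "reject", "alert")

def parse_action_order(value):
    """Parse the page's 'drop, reject, alert, pass' form; each action must appear exactly once."""
    order = tuple(a.strip().lower() for a in value.split(","))
    if sorted(order) != sorted(DEFAULT_ORDER):
        raise ValueError(f"action-order must list each of {DEFAULT_ORDER} exactly once: {value!r}")
    return order

def is_valid_action_order(value):
    try:
        parse_action_order(value)
        return True
    except ValueError:
        return False

def rule_action_sid(rule):
    """Minimal read of a rule line: its leading action keyword and its sid option."""
    action = rule.split(None, 1)[0].lower()
    m = re.search(r"\bsid\s*:\s*(\d+)", rule)
    return action, (int(m.group(1)) if m else None)

def effective_action(matching_rules, order=DEFAULT_ORDER):
    """Of all rules matching one packet, the rule whose action comes first in *order* decides.
    Returns (action, sid); ties keep file order; with no matching rule the packet is forwarded."""
    if not matching_rules:
        return ("pass", None)
    rank = {a: i for i, a in enumerate(order)}
    candidates = [rule_action_sid(r) for r in matching_rules]
    for action, _ in candidates:
        if action not in rank:
            raise ValueError(f"unknown action {action!r}")
    return min(candidates, key=lambda c: rank[c[0]])

# sid 2 and sid 3 are the page's base.rules lines. The sid 30 rule is not printed on the
# page; this line is constructed to match the "[1:30:0] ICMP traffic dropped" events it logs.
RULES = {
    2: 'drop ssh any any -> any any (msg: "SSH not allowed in this network"; sid: 2;)',
    3: 'pass icmp any any -> any any (msg: "ICMP traffic ignored"; sid: 3;)',
    30: 'drop icmp any any -> any any (msg: "ICMP traffic dropped"; sid: 30;)',
}
ICMP_MATCHES = [RULES[3], RULES[30]]   # an echo request matches both sid 3 and sid 30
SSH_MATCHES = [RULES[2]]

def outcomes():
    """The three situations the test exercises: ping before and after Step 4, and SSH."""
    reordered = parse_action_order("drop, reject, alert, pass")
    return {
        "icmp_default": effective_action(ICMP_MATCHES),
        "icmp_reordered": effective_action(ICMP_MATCHES, reordered),
        "ssh_default": effective_action(SSH_MATCHES),
    }

if __name__ == "__main__":
    for name, (action, sid) in outcomes().items():
        print(f"{name}: {action} (sid {sid})")
```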

Test Simple Ruleset Using Routing With Marks

Description

Configures the three DUTs that will be used. In this test the traffic is routed using marks in DUT0 (as in SD-WAN scenarios). It then checks that ping initially works from DUT1 to DUT2, but that after the priority of rule actions is changed, ICMP traffic is no longer passed but dropped by the firewall.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 101 traffic policy in LAN_IN
set interfaces ethernet eth1 vif 101 vrf LAN
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set interfaces ethernet eth1 vif 201 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 201 traffic policy in WAN_IN
set interfaces ethernet eth1 vif 201 vrf WAN
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set protocols vrf AP static route 0.0.0.0/0 next-hop-vrf WAN
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset file 'running://base.rules'
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system traffic policy in FW_POLICY priority very-low
set system vrf AP
set system vrf LAN
set system vrf WAN
set traffic policy FW_POLICY rule 1 action enqueue FW_Q
set traffic policy FW_POLICY rule 1 selector AP_CONNMARK
set traffic policy LAN_IN rule 1 selector ICMP
set traffic policy LAN_IN rule 1 set vrf AP connmark-cache
set traffic policy WAN_IN rule 1 selector AP_CONNMARK
set traffic policy WAN_IN rule 1 set vrf LAN
set traffic queue FW_Q elements 1
set traffic selector AP_CONNMARK rule 1 vrf-connmark AP
set traffic selector ICMP rule 1 protocol icmp

Step 2: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.743 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.743/0.743/0.743/0.000 ms

Step 3: Modify the following configuration lines in DUT0 :

set service firewall FW action-order 'drop, reject, alert, pass'

Step 4: Expect a failure in the following command: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 5: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+[Drop].+(ICMP traffic dropped).+$
10/10/2025-21:17:54.731563  [Drop] [**] [1:30:0] ICMP traffic dropped [**] [Classification: (null)] [Priority: 3] {ICMP} 40.0.0.2:8 -> 20.0.0.2:0

Test Simple Ruleset With Queues IDS Mode

Description

Configures the three DUTs that will be used and checks that they are capable of pinging each other and of connecting via SSH. Since the firewall is set to IDS mode, these connections are not being dropped.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging outputs fast
set service firewall FW mode monitor interfaces eth0,eth1
set service firewall FW ruleset file 'running://base.rules'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.399 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.399/0.399/0.399/0.000 ms

Step 3: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.351 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.351/0.351/0.351/0.000 ms

Step 4: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:

admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Warning: Permanently added '20.0.0.2' (ECDSA) to the list of known hosts.
admin@20.0.0.2's password:
Welcome to Teldat OSDx v4.2.7.0

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Fri Oct 10 19:28:38 2025 from 10.215.168.64
admin@osdx$

Step 5: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:

admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Warning: Permanently added '40.0.0.2' (ECDSA) to the list of known hosts.
admin@40.0.0.2's password:
Welcome to Teldat OSDx v4.2.7.0

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Fri Oct 10 19:26:46 2025
admin@osdx$

Step 6: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+[wDrop].+(SSH not allowed in this network).+$
10/10/2025-21:18:20.203898  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:46548 -> 40.0.0.2:22
10/10/2025-21:18:20.203964  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:46548 -> 40.0.0.2:22
10/10/2025-21:18:20.203765  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:46548 -> 40.0.0.2:22
10/10/2025-21:18:20.203770  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:46548 -> 40.0.0.2:22
10/10/2025-21:18:20.203896  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:46548 -> 40.0.0.2:22
10/10/2025-21:18:20.203963  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:46548 -> 40.0.0.2:22
10/10/2025-21:18:20.204003  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:46548 -> 40.0.0.2:22
10/10/2025-21:18:20.204027  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:46548 -> 40.0.0.2:22
10/10/2025-21:18:20.206766  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:46548 -> 40.0.0.2:22
10/10/2025-21:18:20.206780  [wDrop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:46548 -> 40.0.0.2:22

Test Encrypted Ruleset

Description

Configures the three DUTs, encrypts an arbitrary ruleset file and checks that the firewall is handling said file as expected. The firewall behaves the same way as for Test Simple Ruleset With Queues but with an encrypted ruleset.

Scenario

Step 1: Run command file copy http://10.215.168.1/~robot/base-enc.rules running:// force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   272  100   272    0     0   2044      0 --:--:-- --:--:-- --:--:--  2045

Step 2: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset file 'running://base-enc.rules' digest sha512
set service firewall FW ruleset file 'running://base-enc.rules' encrypted-password U2FsdGVkX1/nTFHvGnpX+mfRbaVGNCR/6xtYqj3req4htRZA+hpIi6gY0Y9criG9
set service firewall FW ruleset file 'running://base-enc.rules' iterations 100000
set service firewall FW ruleset file 'running://base-enc.rules' key-length 256
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy FW_PLAN rule 1 action enqueue FW_Q
set traffic queue FW_Q elements 1

Step 3: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.482 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.482/0.482/0.482/0.000 ms

Step 4: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.417 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.417/0.417/0.417/0.000 ms

Step 5: Expect a failure in the following command: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:

admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1

Step 6: Expect a failure in the following command: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:

admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1

Step 7: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+[Drop].+(SSH not allowed in this network).+$
10/10/2025-21:18:55.184420  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:34424 -> 40.0.0.2:22
10/10/2025-21:18:55.328509  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:34424 -> 40.0.0.2:22
10/10/2025-21:18:55.858293  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:34424 -> 40.0.0.2:22
10/10/2025-21:18:56.048436  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:34424 -> 40.0.0.2:22
10/10/2025-21:18:57.554281  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:34424 -> 40.0.0.2:22
10/10/2025-21:18:57.744475  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:34424 -> 40.0.0.2:22
10/10/2025-21:18:57.840260  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:37868 -> 20.0.0.2:22
10/10/2025-21:18:57.970522  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:37868 -> 20.0.0.2:22
10/10/2025-21:19:01.042347  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:34424 -> 40.0.0.2:22
10/10/2025-21:19:01.168488  [Drop] [**] [1:2:0] SSH not allowed in this network [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:34424 -> 40.0.0.2:22

Test Encrypted Patch

Description

Configures three DUTs, encrypts a patch that allows SSH communication between the DUTs and enables bypass. The original input file was:

drop ssh any any -> any any (msg: "SSH not allowed in this network"; sid: 2;)
pass icmp any any -> any any (msg: "ICMP traffic ignored"; sid: 3;)

After applying the following patch:

1c1
< drop ssh any any -> any any (msg: "SSH not allowed in this network"; sid: 2;)
---
> alert ssh any any -> any any (msg: "SSH traffic detected - bypassing"; bypass; sid: 2;)

The resulting file must be:

alert ssh any any -> any any (msg: "SSH traffic detected - bypassing"; bypass; sid: 2;)
pass icmp any any -> any any (msg: "ICMP traffic ignored"; sid: 3;)

This not only allows SSH traffic but also enables the bypass feature (not tested here yet).
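The patch application described above, as an added Python example (not OSDx code; function names are mine): it applies diff(1) normal-format hunks with the same removed-line check that patch(1) performs, then compares the rulesets by sid to flag what a reviewer should notice, namely the drop-to-alert downgrade and the added bypass. The sample ruleset, patch and expected result are the page's own.

```python
import re

HUNK_RE = re.compile(r"^(\d+)(?:,(\d+))?([acd])(\d+)(?:,(\d+))?$")   # e.g. 1c1, 3,4d2, 0a1,2

def parse_normal_diff(patch):
    """Parse diff(1) 'normal' output (the page's 1c1 / < / --- / > form) into hunks."""
    lines, hunks, i = patch.splitlines(), [], 0
    while i < len(lines):
        m = HUNK_RE.match(lines[i])
        if not m:
            raise ValueError(f"expected hunk header at patch line {i + 1}: {lines[i]!r}")
        start, end, cmd = int(m.group(1)), int(m.group(2) or m.group(1)), m.group(3)
        i += 1
        old, new = [], []
        if cmd in "cd":                     # lines removed from the original
            while i < len(lines) and lines[i].startswith("< "):
                old.append(lines[i][2:]); i += 1
        if cmd == "c":
            if i >= len(lines) or lines[i] != "---":
                raise ValueError(f"missing '---' separator in hunk {start},{end}c")
            i += 1
        if cmd in "ac":                     # lines added by the patch
            while i < len(lines) and lines[i].startswith("> "):
                new.append(lines[i][2:]); i += 1
        hunks.append((start, end, cmd, old, new))
    return hunks

def apply_normal_diff(original, patch):
    """Apply hunks in order; every removed line must match the target, as patch(1) requires."""
    src, out, cursor = original.splitlines(), [], 0
    for start, end, cmd, old, new in parse_normal_diff(patch):
        keep_until = start if cmd == "a" else start - 1   # 'a' inserts after line <start>
        if keep_until < cursor:
            raise ValueError("hunks are not in ascending order")
        out.extend(src[cursor:keep_until]); cursor = keep_until
        if cmd != "a":
            if src[cursor:end] != old:
                raise ValueError(f"hunk {start},{end}{cmd} does not match the target file")
            cursor = end
        out.extend(new)
    out.extend(src[cursor:])
    return "\n".join(out) + "\n"

def patch_applies(original, patch):
    try:
        apply_normal_diff(original, patch)
        return True
    except ValueError:
        return False

RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+.*?\((?P<opts>.*)\)\s*$")
STRENGTH = {"drop": 2, "reject": 2, "alert": 1, "pass": 0}   # blocks > logs only > lets through

def parse_rules(text):
    """Map sid -> {action, proto, bypass} for each non-comment rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        sid = m and re.search(r"\bsid\s*:\s*(\d+)", m["opts"])
        if not sid:
            raise ValueError(f"unparsable rule: {line!r}")
        rules[int(sid.group(1))] = {"action": m["action"].lower(), "proto": m["proto"].lower(),
                                    "bypass": bool(re.search(r"(?:^|;)\s*bypass\s*;", m["opts"]))}
    return rules

def review_patch(before, after):
    """Findings a reviewer wants to see: weakened actions, added bypass, removed or new sids."""
    old, new = parse_rules(before), parse_rules(after)
    findings = []
    for sid in sorted(old.keys() | new.keys()):
        if sid not in new:
            findings.append(f"sid {sid}: rule removed")
        elif sid not in old:
            findings.append(f"sid {sid}: new {new[sid]['action']} rule")
        else:
            a, b = old[sid], new[sid]
            if STRENGTH.get(b["action"], 1) < STRENGTH.get(a["action"], 1):
                findings.append(f"sid {sid}: action weakened {a['action']} -> {b['action']}")
            if b["bypass"] and not a["bypass"]:
                findings.append(f"sid {sid}: bypass added (rest of the flow skips inspection)")
    return findings

# Original ruleset, patch and expected result, all copied from the page.
ORIG_SSH = 'drop ssh any any -> any any (msg: "SSH not allowed in this network"; sid: 2;)'
NEW_SSH = 'alert ssh any any -> any any (msg: "SSH traffic detected - bypassing"; bypass; sid: 2;)'
ICMP_RULE = 'pass icmp any any -> any any (msg: "ICMP traffic ignored"; sid: 3;)'
ORIGINAL = f"{ORIG_SSH}\n{ICMP_RULE}\n"
PATCH = f"1c1\n< {ORIG_SSH}\n---\n> {NEW_SSH}\n"
EXPECTED = f"{NEW_SSH}\n{ICMP_RULE}\n"

if __name__ == "__main__":
    print(apply_normal_diff(ORIGINAL, PATCH) == EXPECTED)   # True
    for finding in review_patch(ORIGINAL, EXPECTED):
        print(finding)
```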

Scenario

Step 1: Run command file copy http://10.215.168.1/~robot/base-enc.rules running:// force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   272  100   272    0     0  38450      0 --:--:-- --:--:-- --:--:-- 38857

Step 2: Run command file copy http://10.215.168.1/~robot/base-enc.diff1 running:// force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   256  100   256    0     0   8656      0 --:--:-- --:--:-- --:--:--  8827

Step 3: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset file 'running://base-enc.rules' digest sha512
set service firewall FW ruleset file 'running://base-enc.rules' encrypted-password U2FsdGVkX18rWlGmGQxIYUBqdeyZA/eZkhoZuDKO+s5ATxOVQPJDk3vU+JfkDZk2
set service firewall FW ruleset file 'running://base-enc.rules' iterations 100000
set service firewall FW ruleset file 'running://base-enc.rules' key-length 256
set service firewall FW ruleset patch 'running://base-enc.diff1' digest sha512
set service firewall FW ruleset patch 'running://base-enc.diff1' encrypted-password U2FsdGVkX19DYXDCvGo6Z9W1eGOQslHCEpix630R81FdB30glVdKaQB4brxgoZ2O
set service firewall FW ruleset patch 'running://base-enc.diff1' iterations 100000
set service firewall FW ruleset patch 'running://base-enc.diff1' key-length 256
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy FW_PLAN rule 1 action enqueue FW_Q
set traffic queue FW_Q elements 1

Step 4: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.549 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.549/0.549/0.549/0.000 ms

Step 5: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.464 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.464/0.464/0.464/0.000 ms

Step 6: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:

admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Warning: Permanently added '20.0.0.2' (ECDSA) to the list of known hosts.
admin@20.0.0.2's password:
Welcome to Teldat OSDx v4.2.7.0

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Fri Oct 10 21:18:19 2025 from 40.0.0.2
admin@osdx$

Step 7: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:

admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Warning: Permanently added '40.0.0.2' (ECDSA) to the list of known hosts.
admin@40.0.0.2's password:
Welcome to Teldat OSDx v4.2.7.0

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Fri Oct 10 21:18:19 2025 from 20.0.0.2
admin@osdx$

Step 8: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+(SSH traffic detected - bypassing).+$
10/10/2025-21:19:28.013917  [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:50010 -> 20.0.0.2:22
10/10/2025-21:19:28.442963  [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:50790 -> 40.0.0.2:22

Test Compressed Ruleset With Patch

Description

Configures three DUTs, applies a patch that allows SSH communication between the DUTs and enables bypass. In addition, there are two source rule files compressed into a tar.gz file whose content is used by the firewall to define the rules. One of the files is named base.rules and is the file that the patch is meant for. The second one is test-performance.rules, whose contents are:

alert tcp any any -> any 5001 (msg: "Skipping test network performance traffic"; bypass; flow: established, to_server; sid: 4;)

This rule simply bypasses traffic that is deemed “performance traffic”, which is directly associated with the monitor test performance command.

Scenario

Step 1: Run command file copy http://10.215.168.1/~robot/ruleset.tar.gz running:// force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   331  100   331    0     0   100k      0 --:--:-- --:--:-- --:--:--  107k

Step 2: Run command file copy http://10.215.168.1/~robot/base.diff1 running:// force at DUT0 and expect this output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   238  100   238    0     0  40517      0 --:--:-- --:--:-- --:--:-- 47600

Step 3: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset compressed 'running://ruleset.tar.gz'
set service firewall FW ruleset patch 'running://base.diff1'
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy FW_PLAN rule 1 action enqueue FW_Q
set traffic queue FW_Q elements 1

Step 4: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.798 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.798/0.798/0.798/0.000 ms

Step 5: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.438 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.438/0.438/0.438/0.000 ms

Step 6: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:

admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Warning: Permanently added '20.0.0.2' (ECDSA) to the list of known hosts.
admin@20.0.0.2's password:
Welcome to Teldat OSDx v4.2.7.0

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Fri Oct 10 21:19:27 2025 from 40.0.0.2
admin@osdx$

Step 7: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:

admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Warning: Permanently added '40.0.0.2' (ECDSA) to the list of known hosts.
admin@40.0.0.2's password:
Welcome to Teldat OSDx v4.2.7.0

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Fri Oct 10 21:19:28 2025 from 20.0.0.2
admin@osdx$

Step 8: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+(SSH traffic detected - bypassing).+$
10/10/2025-21:19:56.367923  [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:54128 -> 20.0.0.2:22
10/10/2025-21:19:56.777487  [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:45482 -> 40.0.0.2:22

Step 9: Initiate a bandwidth test from DUT2 to DUT1:

admin@DUT1$ monitor test performance server port 5001
admin@DUT2$ monitor test performance client 40.0.0.2 duration 1 port 5001 parallel 1
Expect this output in DUT2:
Connecting to host 40.0.0.2, port 5001
[  5] local 20.0.0.2 port 57688 connected to 40.0.0.2 port 5001
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   155 MBytes  1.30 Gbits/sec  106   1.79 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-1.00   sec   155 MBytes  1.30 Gbits/sec  106             sender
[  5]   0.00-1.01   sec   154 MBytes  1.29 Gbits/sec                  receiver

iperf Done.

Step 10: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+(Skipping test network performance traffic).+$
Show output
10/10/2025-21:19:56.367923  [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:54128 -> 20.0.0.2:22
10/10/2025-21:19:56.777487  [**] [1:2:0] SSH traffic detected - bypassing [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:45482 -> 40.0.0.2:22
10/10/2025-21:19:57.298523  [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:57682 -> 40.0.0.2:5001
10/10/2025-21:19:57.299550  [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:57688 -> 40.0.0.2:5001

Test Single File In Compressed Ruleset

Description

Uses a compressed archive that holds two ruleset files but loads only test-performance.rules from it. Then checks that performance-test traffic is detected while no message is generated for SSH traffic, which shows that only the selected file is in use.

Scenario

Step 1: Run command file copy http://10.215.168.1/~robot/ruleset.tar.gz running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   331  100   331    0     0  47977      0 --:--:-- --:--:-- --:--:-- 55166

Step 2: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset compressed 'running://ruleset.tar.gz' file test-performance.rules
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy FW_PLAN rule 1 action enqueue FW_Q
set traffic queue FW_Q elements 1

Step 3: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.474 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.474/0.474/0.474/0.000 ms

Step 4: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.494 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.494/0.494/0.494/0.000 ms

Step 5: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:

admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Show output
Warning: Permanently added '20.0.0.2' (ECDSA) to the list of known hosts.
admin@20.0.0.2's password:
Welcome to Teldat OSDx v4.2.7.0

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Fri Oct 10 21:19:56 2025 from 40.0.0.2
admin@osdx$

Step 6: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:

admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Show output
Warning: Permanently added '40.0.0.2' (ECDSA) to the list of known hosts.
admin@40.0.0.2's password:
Welcome to Teldat OSDx v4.2.7.0

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Fri Oct 10 21:19:56 2025 from 20.0.0.2
admin@osdx$

Step 7: Run command service firewall FW show logging fast | tail at DUT0 and check if output does not match the following regular expressions:

(?m)^.+(SSH traffic detected - bypassing).+$
Show output
No fast logs yet for client "FW"

Step 8: Initiate a bandwidth test from DUT2 to DUT1

admin@DUT1$ monitor test performance server port 5001
admin@DUT2$ monitor test performance client 40.0.0.2 duration 1 port 5001 parallel 1
Expect this output in DUT2:
Connecting to host 40.0.0.2, port 5001
[  5] local 20.0.0.2 port 37832 connected to 40.0.0.2 port 5001
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   142 MBytes  1.19 Gbits/sec   51   1.81 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-1.00   sec   142 MBytes  1.19 Gbits/sec   51             sender
[  5]   0.00-1.01   sec   141 MBytes  1.18 Gbits/sec                  receiver

iperf Done.

Step 9: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+(Skipping test network performance traffic).+$
Show output
10/10/2025-21:20:22.375280  [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:37830 -> 40.0.0.2:5001
10/10/2025-21:20:22.376183  [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:37832 -> 40.0.0.2:5001

Test Selectors

Description

Builds a scenario with three DUTs in which traffic labels are set by selectors, according to the network the traffic belongs to. This allows label-specific rules to be applied while running a single firewall instance.

To demonstrate this behavior, two labels will be set:

  1. WAN label, applied by policy FW_PWAN to every packet entering or leaving through the WAN interface (eth0).

  2. LOCAL label, applied by policy FW_PLAN to every packet whose source and destination both belong to the LAN address group (20.0.0.0/24 and 40.0.0.0/24), as matched by selector LAN.

For this purpose, a complete scenario is used so that all the features work together:

  • A compressed, encrypted ruleset that contains base.rules as well as test-performance.rules.

  • A patch that upgrades base.rules so that it contains label-based rules; the selector keyword in a rule names the label (or labels) the rule applies to. The expected final result will be:

    alert ssh any any -> any any (msg: "Local SSH traffic - bypassing..."; selector: LOCAL; bypass; sid: 1; flow: established, to_server;)
    drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23; selector: WAN;)
    pass icmp any any -> any any (msg: "ICMP traffic ignored"; sid: 3;)
    drop tcp any any -> any 5000 (msg: "Dropping TCP performance test traffic"; selector: WAN, LOCAL; sid: 4; flow: established, to_server;)
    

Hence, the following will be tested:

  1. SSH connections work between the LAN nodes, DUT1 and DUT2, and are bypassed by rule sid 1 (LOCAL label).

  2. SSH connections from the LAN nodes to the WAN host 10.215.168.1 are dropped. The step 11 log attributes these drops to sid 5, a rule the excerpt above does not include; the WAN-only content rule sid 2100498 is loaded but not exercised by any step of this scenario.

  3. ICMP messages are allowed from any node within the network (rule sid 3).

  4. Performance-test traffic on port 5001 is allowed (sid 40, from test-performance.rules), whereas traffic to port 5000 is dropped by rule sid 4 for both the WAN and LOCAL selectors.

Scenario

Step 1: Run command file copy http://10.215.168.1/~robot/ruleset.tar.gz.aes256 running://ruleset.tar.gz force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   352  100   352    0     0   9846      0 --:--:-- --:--:-- --:--:-- 10057

Step 2: Run command file copy http://10.215.168.1/~robot/base.diff2-aes256 running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   528  100   528    0     0  84983      0 --:--:-- --:--:-- --:--:-- 88000

Step 3: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth0 traffic policy in FW_PWAN
set interfaces ethernet eth0 traffic policy out FW_PWAN
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset compressed 'running://ruleset.tar.gz' digest sha512
set service firewall FW ruleset compressed 'running://ruleset.tar.gz' encrypted-password U2FsdGVkX1/8TAKl+tv+0rAUUtWh36linosBLuyYZqevZXwKmAm5eZbRCRNzxZ30
set service firewall FW ruleset compressed 'running://ruleset.tar.gz' iterations 100000
set service firewall FW ruleset compressed 'running://ruleset.tar.gz' key-length 256
set service firewall FW ruleset patch 'running://base.diff2-aes256' digest sha512
set service firewall FW ruleset patch 'running://base.diff2-aes256' encrypted-password U2FsdGVkX18qqOCr3EUfk9QCyAlocjMDiTIpU774rMflecSU95fhhZEwV9DZJerw
set service firewall FW ruleset patch 'running://base.diff2-aes256' iterations 100000
set service firewall FW ruleset patch 'running://base.diff2-aes256' key-length 256
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic group address LAN element 20.0.0.0/24
set traffic group address LAN element 40.0.0.0/24
set traffic label LOCAL
set traffic label WAN
set traffic policy FW_PLAN rule 1 action enqueue FW_Q
set traffic policy FW_PLAN rule 1 selector LAN
set traffic policy FW_PLAN rule 1 set label LOCAL
set traffic policy FW_PWAN rule 1 action enqueue FW_Q
set traffic policy FW_PWAN rule 1 set label WAN
set traffic queue FW_Q elements 1
set traffic selector LAN rule 1 destination address-group LAN
set traffic selector LAN rule 1 source address-group LAN

Step 4: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.503 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.503/0.503/0.503/0.000 ms

Step 5: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.586 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.586/0.586/0.586/0.000 ms

Step 6: Init an SSH connection from DUT1 to IP address 20.0.0.2 with the user admin:

admin@DUT1$ ssh admin@20.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Show output
Warning: Permanently added '20.0.0.2' (ECDSA) to the list of known hosts.
admin@20.0.0.2's password:
Welcome to Teldat OSDx v4.2.7.0

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Fri Oct 10 21:20:22 2025 from 40.0.0.2
admin@osdx$

Step 7: Init an SSH connection from DUT2 to IP address 40.0.0.2 with the user admin:

admin@DUT2$ ssh admin@40.0.0.2 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1
Show output
Warning: Permanently added '40.0.0.2' (ECDSA) to the list of known hosts.
admin@40.0.0.2's password:
Welcome to Teldat OSDx v4.2.7.0

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Fri Oct 10 21:20:22 2025 from 20.0.0.2
admin@osdx$

Step 8: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+(Local SSH traffic - bypassing...).+$
Show output
10/10/2025-21:20:48.393781  [**] [1:1:0] Local SSH traffic - bypassing... [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:42892 -> 20.0.0.2:22
10/10/2025-21:20:48.793154  [**] [1:1:0] Local SSH traffic - bypassing... [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:56880 -> 40.0.0.2:22

Step 9: Expect a failure in the following command: Init an SSH connection from DUT1 to IP address 10.215.168.1 with the user admin:

admin@DUT1$ ssh admin@10.215.168.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1

Step 10: Expect a failure in the following command: Init an SSH connection from DUT2 to IP address 10.215.168.1 with the user admin:

admin@DUT2$ ssh admin@10.215.168.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null option ConnectTimeout=1 option ServerAliveInterval=1 option ServerAliveCountMax=1

Step 11: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+(Outgoing TCP traffic to port 22 from LAN to WAN).+$
Show output
10/10/2025-21:20:48.393781  [**] [1:1:0] Local SSH traffic - bypassing... [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:42892 -> 20.0.0.2:22
10/10/2025-21:20:48.793154  [**] [1:1:0] Local SSH traffic - bypassing... [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:56880 -> 40.0.0.2:22
10/10/2025-21:20:49.261860  [Drop] [**] [1:5:0] Outgoing TCP traffic to port 22 from LAN to WAN [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:47334 -> 10.215.168.1:22
10/10/2025-21:20:59.384181  [Drop] [**] [1:5:0] Outgoing TCP traffic to port 22 from LAN to WAN [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:36728 -> 10.215.168.1:22

Step 12: Initiate a bandwidth test from DUT2 to DUT1

admin@DUT1$ monitor test performance server port 5001
admin@DUT2$ monitor test performance client 40.0.0.2 duration 10 port 5001 parallel 1
Expect this output in DUT2:
Connecting to host 40.0.0.2, port 5001
[  5] local 20.0.0.2 port 39886 connected to 40.0.0.2 port 5001
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   108 MBytes   905 Mbits/sec  106   1.82 MBytes
[  5]   1.00-2.00   sec  98.8 MBytes   831 Mbits/sec  109   1.37 MBytes
[  5]   2.00-3.00   sec   122 MBytes  1.03 Gbits/sec    0   1.45 MBytes
[  5]   3.00-4.00   sec   142 MBytes  1.20 Gbits/sec    0   1.51 MBytes
[  5]   4.00-5.00   sec   145 MBytes  1.22 Gbits/sec    0   1.54 MBytes
[  5]   5.00-6.00   sec   141 MBytes  1.18 Gbits/sec  125   1.14 MBytes
[  5]   6.00-7.00   sec   141 MBytes  1.18 Gbits/sec    0   1.23 MBytes
[  5]   7.00-8.00   sec   139 MBytes  1.16 Gbits/sec    0   1.31 MBytes
[  5]   8.00-9.00   sec   138 MBytes  1.15 Gbits/sec    0   1.39 MBytes
[  5]   9.00-10.00  sec   138 MBytes  1.15 Gbits/sec    0   1.46 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  1.28 GBytes  1.10 Gbits/sec  340             sender
[  5]   0.00-10.01  sec  1.28 GBytes  1.10 Gbits/sec                  receiver

iperf Done.

Step 13: Initiate a bandwidth test from DUT2 to DUT1

admin@DUT1$ monitor test performance server port 5000
admin@DUT2$ monitor test performance client 40.0.0.2 duration 10 port 5000 parallel 1
Expect this output in DUT2:
^C- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
iperf3: interrupt - the client has terminated
admin@osdx$

Step 14: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:

(?m)^.+(Dropping TCP performance test traffic).+$
Show output
10/10/2025-21:21:09.619151  [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39882 -> 40.0.0.2:5001
10/10/2025-21:21:09.620154  [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39886 -> 40.0.0.2:5001
10/10/2025-21:21:19.893162  [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:54728 -> 40.0.0.2:5000
10/10/2025-21:21:20.098649  [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:54728 -> 40.0.0.2:5000
10/10/2025-21:21:20.306486  [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:54728 -> 40.0.0.2:5000
10/10/2025-21:21:20.746552  [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:54728 -> 40.0.0.2:5000
10/10/2025-21:21:21.578552  [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:54728 -> 40.0.0.2:5000
10/10/2025-21:21:23.006557  [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:54728 -> 40.0.0.2:5000
10/10/2025-21:21:23.028435  [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:54728 -> 40.0.0.2:5000
10/10/2025-21:21:23.032562  [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:54728 -> 40.0.0.2:5000
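The regular-expression checks in steps 8, 11 and 14 only confirm that a message appeared; they do not tie the verdict to the label the traffic should have received. The following script is an added example, not OSDx code: it re-implements the selector logic of the step 3 configuration (source and destination both inside address group LAN gives label LOCAL, anything else ends up on eth0 and gets WAN), parses fast-log lines, and reports every alert whose [Drop] marker disagrees with the verdict expected for that label and destination port. The expected-verdict table is derived from the patched ruleset and the logs above (sid 5 for SSH towards the WAN is taken from the step 11 output); the sample lines are copied from steps 11 and 14.

```python
"""Checking label-based verdicts against the firewall fast log (added example)."""
import ipaddress
import re
from typing import Dict, List, Optional

# traffic group address LAN, as configured in step 3.
LAN_GROUP = [ipaddress.ip_network("20.0.0.0/24"), ipaddress.ip_network("40.0.0.0/24")]

# One fast-log record; the [Drop] tag is present only for dropped packets.
FAST_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>\w+)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification: (?P<cls>[^\]]*)\]\s+\[Priority: (?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def in_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_GROUP)


def label_for(src: str, dst: str) -> str:
    """Label the traffic policies assign: LOCAL only when both endpoints are in LAN."""
    return "LOCAL" if in_lan(src) and in_lan(dst) else "WAN"


def parse_fast(line: str) -> Optional[Dict[str, object]]:
    """Parse one fast-log line into a dict, or None if it is not a fast-log record."""
    m = FAST_LINE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return {
        "sid": int(d["sid"]),
        "action": d["action"] or "alert",   # no [Drop] tag: packet was let through
        "msg": d["msg"],
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "label": label_for(d["src"], d["dst"]),
    }


# Verdict expected per (label, destination port): sid 1 bypasses local SSH,
# sid 5 (step 11 log) drops SSH towards the WAN, sid 40 skips performance
# traffic on 5001, sid 4 drops it on 5000 for both labels.
EXPECTED = {
    ("LOCAL", 22): "alert",
    ("WAN", 22): "Drop",
    ("LOCAL", 5001): "alert",
    ("LOCAL", 5000): "Drop",
    ("WAN", 5000): "Drop",
}


def check_log(lines: List[str]) -> List[str]:
    """One finding per parsed alert whose action differs from the expected verdict."""
    findings = []
    for line in lines:
        ev = parse_fast(line)
        if ev is None:
            continue
        want = EXPECTED.get((ev["label"], ev["dport"]))
        if want is not None and want != ev["action"]:
            findings.append(
                f"sid {ev['sid']} {ev['src']}->{ev['dst']}:{ev['dport']} "
                f"label={ev['label']} got {ev['action']}, expected {want}")
    return findings


# Fast-log lines copied from the step 11 and step 14 output.
SAMPLE_LOG = [
    "10/10/2025-21:20:48.393781  [**] [1:1:0] Local SSH traffic - bypassing... [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:42892 -> 20.0.0.2:22",
    "10/10/2025-21:20:49.261860  [Drop] [**] [1:5:0] Outgoing TCP traffic to port 22 from LAN to WAN [**] [Classification: (null)] [Priority: 3] {TCP} 40.0.0.2:47334 -> 10.215.168.1:22",
    "10/10/2025-21:21:09.619151  [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:39882 -> 40.0.0.2:5001",
    "10/10/2025-21:21:19.893162  [Drop] [**] [1:4:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:54728 -> 40.0.0.2:5000",
]

if __name__ == "__main__":
    for finding in check_log(SAMPLE_LOG) or ["all sampled alerts match the expected verdicts"]:
        print(finding)
```

Feed it the output of `service firewall FW show logging fast` and any line it reports is either a selector that matched the wrong traffic (label assigned to the wrong flow) or a rule whose action does not match its selector. Note that the address group uses /24 prefixes while the VLAN interfaces are configured as /8, so a LAN host outside 20.0.0.0/24 or 40.0.0.0/24 would be labelled WAN and subjected to the WAN rules.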

Test Hashset

Description

Configures the three DUTs, although only DUT0 takes part in the test. First, DUT0 downloads a probe file; the service firewall running in DUT0 detects the transfer and logs its md5, sha1 and sha256 hashes. Then the service firewall is configured to block the download of the probe file when it is recognized through the configured md5, sha1 or sha256 hashset file: a list with one hex digest per line, referenced from a drop rule by the filemd5, filesha1 or filesha256 keyword.
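The following script is an added example, not OSDx or Suricata code. It derives the three hashset list files and their drop rules from a payload, validates a list file before it is loaded, and checks an EVE "files" entry against loaded hashsets in the way the filemd5/filesha1/filesha256 keywords do. The list-file layout (one lowercase hex digest per line) and the rule text follow the files shown in steps 11-12, 18-19 and 25-26 below; the sample event is an abbreviated copy of the step 6 alert.

```python
"""Hashset construction and matching for the Test Hashset scenario (added example)."""
import hashlib
import json
from typing import Dict, List, Set

# Suricata file-hash keyword for each digest algorithm.
HASH_KEYWORDS = {"md5": "filemd5", "sha1": "filesha1", "sha256": "filesha256"}


def digests(data: bytes) -> Dict[str, str]:
    """Hex digest of `data` for every supported hashset algorithm."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_KEYWORDS}


def hashset_file(hashes: List[str]) -> str:
    """Serialize a hashset list: one lowercase hex digest per line."""
    return "".join(h.strip().lower() + "\n" for h in hashes)


def load_hashset(text: str, algo: str) -> Set[str]:
    """Parse a hashset list, rejecting entries that are not `algo` hex digests."""
    want_len = hashlib.new(algo).digest_size * 2
    entries = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        h = line.strip().lower()
        if not h or h.startswith("#"):
            continue
        if len(h) != want_len or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"line {lineno}: not a {algo} hex digest: {h!r}")
        entries.add(h)
    return entries


def drop_rule(algo: str, list_name: str, sid: int, msg: str) -> str:
    """Render a drop rule that fires when a transferred file's digest is listed."""
    return (f'drop http any any -> any any (msg:"{msg}"; '
            f"{HASH_KEYWORDS[algo]}:{list_name}; sid:{sid}; rev:1;)")


def scenario_files(data: bytes, first_sid: int = 10002) -> Dict[str, str]:
    """The list/rule file pairs the scenario downloads, generated from `data`."""
    files = {}
    for offset, (algo, hexdigest) in enumerate(digests(data).items()):
        list_name = f"hashset-{algo}.list"
        files[list_name] = hashset_file([hexdigest])
        files[f"filehash-{algo}-drop.rules"] = drop_rule(
            algo, list_name, first_sid + offset,
            f"HTTP {algo.upper()} DROP Test by Teldat") + "\n"
    return files


def eve_file_hits(event: dict, hashsets: Dict[str, Set[str]]) -> List[str]:
    """Algorithms whose hashset lists a digest of a file carried in `event`."""
    hits = set()
    for entry in event.get("files", []):
        for algo, listed in hashsets.items():
            if entry.get(algo, "").lower() in listed:
                hits.add(algo)
    return sorted(hits)


# Abbreviated copy of the EVE alert recorded in step 6 of this scenario.
SAMPLE_EVENT = json.loads("""{
  "event_type": "alert", "src_ip": "10.215.168.1", "src_port": 80,
  "dest_ip": "10.215.168.64", "dest_port": 49890, "proto": "TCP",
  "alert": {"action": "allowed", "gid": 1, "signature_id": 10001, "rev": 1,
            "signature": "HTTP ALERT Test by Teldat"},
  "files": [{"filename": "/~robot/nids.html", "state": "CLOSED",
             "md5": "c533c963702d7e99b2aa52713d3cf63c",
             "sha1": "edbfd7fc5eba4b93b8299e4b31352578a74f5773",
             "sha256": "11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d",
             "stored": false, "size": 220}]
}""")

if __name__ == "__main__":
    loaded = {"md5": load_hashset("c533c963702d7e99b2aa52713d3cf63c\n", "md5")}
    print("hashset hits for the step 6 event:", eve_file_hits(SAMPLE_EVENT, loaded))
    for name, body in scenario_files(b"constructed sample payload\n").items():
        print(f"--- {name}\n{body}", end="")
```

Two points worth keeping in mind when using hashsets this way. A hash blocklist only matches byte-identical files, so any change to the served content (a single added byte) evades all three rules; the digests are an exact-match indicator, not a content signature. And the verdict is taken once the whole file has been seen ("state":"CLOSED" in the event), which in the inline mode configured here is why the step 14 download stalls at 0 bytes received rather than failing immediately.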

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth0 traffic policy in FW_PWAN
set interfaces ethernet eth0 traffic policy out FW_PWAN
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs eve types files force-hash md5
set service firewall FW logging outputs eve types files force-hash sha1
set service firewall FW logging outputs eve types files force-hash sha256
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset file 'running://http-alert.rules'
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy FW_PWAN rule 1 action enqueue FW_Q
set traffic queue FW_Q elements 1

Step 2: Ping IP address 20.0.0.2 from DUT1:

admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
Show output
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.437 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.437/0.437/0.437/0.000 ms

Step 3: Ping IP address 40.0.0.2 from DUT2:

admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
Show output
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.385 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.385/0.385/0.385/0.000 ms

Step 4: Run command file show running://http-alert.rules at DUT0 and expect this output:

Show output
alert http any any -> any any (msg:"HTTP ALERT Test by Teldat"; sid:10001 ; rev: 1;)

Step 5: Run command file copy http://10.215.168.1/~robot/nids.html running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   220  100   220    0     0  31842      0 --:--:-- --:--:-- --:--:-- 36666

Step 6: Run command service firewall FW show logging eve | grep -E "HTTP ALERT Test by Teldat.*md5.*:.*c533c963702d7e99b2aa52713d3cf63c" at DUT0 and check if output matches the following regular expressions:

(?m)^.+("signature_id":10001).+$
Show output
{"timestamp":"2025-10-10T21:21:49.630376+0000","flow_id":1578415709964027,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":49890,"proto":"TCP","pkt_src":"wire/pcap","alert":{"action":"allowed","gid":1,"signature_id":10001,"rev":1,"signature":"HTTP ALERT Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":"/~robot/nids.
html","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 OpenSSL/3.0.17 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5":"c533c963702d
7e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":427,"bytes_toclient":621,"start":"2025-10-10T21:21:49.629647+0000","src_ip":"10.215.168.64","dest_ip":"10.215.
168.1","src_port":49890,"dest_port":80}}

Step 7: Run command service firewall FW show logging eve | grep -E "HTTP ALERT Test by Teldat.*sha1.*:.*edbfd7fc5eba4b93b8299e4b31352578a74f5773" at DUT0 and check if output matches the following regular expressions:

(?m)^.+("signature_id":10001).+$
Show output
{"timestamp":"2025-10-10T21:21:49.630376+0000","flow_id":1578415709964027,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":49890,"proto":"TCP","pkt_src":"wire/pcap","alert":{"action":"allowed","gid":1,"signature_id":10001,"rev":1,"signature":"HTTP ALERT Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":"/~robot/nids.
html","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 OpenSSL/3.0.17 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5":"c533c963702d
7e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":427,"bytes_toclient":621,"start":"2025-10-10T21:21:49.629647+0000","src_ip":"10.215.168.64","dest_ip":"10.215.
168.1","src_port":49890,"dest_port":80}}

Step 8: Run command service firewall FW show logging eve | grep -E "HTTP ALERT Test by Teldat.*sha256.*:.*11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d" at DUT0 and check if output matches the following regular expressions:

(?m)^.+("signature_id":10001).+$
Show output
{"timestamp":"2025-10-10T21:21:49.630376+0000","flow_id":1578415709964027,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":49890,"proto":"TCP","pkt_src":"wire/pcap","alert":{"action":"allowed","gid":1,"signature_id":10001,"rev":1,"signature":"HTTP ALERT Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":"/~robot/nids.
html","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 OpenSSL/3.0.17 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5":"c533c963702d
7e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":427,"bytes_toclient":621,"start":"2025-10-10T21:21:49.629647+0000","src_ip":"10.215.168.64","dest_ip":"10.215.
168.1","src_port":49890,"dest_port":80}}

Step 9: Run command file copy http://10.215.168.1/~robot/hashset-md5.list running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    33  100    33    0     0    123      0 --:--:-- --:--:-- --:--:--   123

Step 10: Run command file copy http://10.215.168.1/~robot/filehash-md5-drop.rules running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   113  100   113    0     0   3541      0 --:--:-- --:--:-- --:--:--  3645

Step 11: Run command file show running://hashset-md5.list at DUT0 and expect this output:

Show output
c533c963702d7e99b2aa52713d3cf63c

Step 12: Run command file show running://filehash-md5-drop.rules at DUT0 and expect this output:

Show output
drop http any any -> any any (msg:"HTTP MD5 DROP Test by Teldat"; filemd5:hashset-md5.list; sid:10002 ; rev: 1;)

Step 13: Modify the following configuration lines in DUT0 :

set service firewall FW hashset file 'running://hashset-md5.list'
set service firewall FW ruleset file 'running://filehash-md5-drop.rules'

Step 14: Run command file copy http://10.215.168.1/~robot/nids.html running:// force at DUT0, press Ctrl+C after 10 seconds and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:09 --:--:--     0^C


Operation aborted by user.

admin@osdx$

Step 15: Run command service firewall FW show logging eve | grep -E "HTTP MD5 DROP Test by Teldat.*md5.*:.*c533c963702d7e99b2aa52713d3cf63c" at DUT0 and check if output matches the following regular expressions:

(?m)^.+("signature_id":10002).+$
Show output
{"timestamp":"2025-10-10T21:21:54.395110+0000","flow_id":568879738356325,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":40970,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":10002,"rev":1,"signature":"HTTP MD5 DROP Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":"/
~robot/nids.html","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 OpenSSL/3.0.17 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5":"
c533c963702d7e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":427,"bytes_toclient":621,"start":"2025-10-10T21:21:54.394596+0000","src_ip":"10.215.168.64","dest_
ip":"10.215.168.1","src_port":40970,"dest_port":80}}

Step 16: Run command file copy http://10.215.168.1/~robot/hashset-sha1.list running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    40  100    40    0     0     58      0 --:--:-- --:--:-- --:--:--    58

Step 17: Run command file copy http://10.215.168.1/~robot/filehash-sha1-drop.rules running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   116  100   116    0     0   1262      0 --:--:-- --:--:-- --:--:--  1274

Step 18: Run command file show running://hashset-sha1.list at DUT0 and expect this output:

Show output
edbfd7fc5eba4b93b8299e4b31352578a74f5773

Step 19: Run command file show running://filehash-sha1-drop.rules at DUT0 and expect this output:

Show output
drop http any any -> any any (msg:"HTTP SHA1 DROP Test by Teldat"; filesha1:hashset-sha1.list; sid:10003 ; rev: 1;)

Step 20: Modify the following configuration lines in DUT0 :

delete service firewall FW hashset file 'running://hashset-md5.list'
delete service firewall FW ruleset file 'running://filehash-md5-drop.rules'
set service firewall FW hashset file 'running://hashset-sha1.list'
set service firewall FW ruleset file 'running://filehash-sha1-drop.rules'

Step 21: Run command file copy http://10.215.168.1/~robot/nids.html running:// force at DUT0, press Ctrl+C after 10 seconds and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:09 --:--:--     0^C


Operation aborted by user.

admin@osdx$

Step 22: Run command service firewall FW show logging eve | grep -E "HTTP SHA1 DROP Test by Teldat.*md5.*:.*edbfd7fc5eba4b93b8299e4b31352578a74f5773" at DUT0 and check if output matches the following regular expressions:

(?m)^.+("signature_id":10003).+$
Show output
{"timestamp":"2025-10-10T21:22:08.633288+0000","flow_id":184106751195179,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":33594,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":10003,"rev":1,"signature":"HTTP SHA1 DROP Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":"/~robot/nids.html","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 OpenSSL/3.0.17 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5":"c533c963702d7e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":427,"bytes_toclient":621,"start":"2025-10-10T21:22:08.632689+0000","src_ip":"10.215.168.64","dest_ip":"10.215.168.1","src_port":33594,"dest_port":80}}

Step 23: Run command file copy http://10.215.168.1/~robot/hashset-sha256.list running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    65  100    65    0     0    279      0 --:--:-- --:--:-- --:--:--   278

Step 24: Run command file copy http://10.215.168.1/~robot/filehash-sha256-drop.rules running:// force at DUT0 and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   122  100   122    0     0   5713      0 --:--:-- --:--:-- --:--:--  5809

Step 25: Run command file show running://hashset-sha256.list at DUT0 and expect this output:

Show output
11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d

Step 26: Run command file show running://filehash-sha256-drop.rules at DUT0 and expect this output:

Show output
drop http any any -> any any (msg:"HTTP SHA256 DROP Test by Teldat"; filesha256:hashset-sha256.list; sid:10004 ; rev: 1;)

Step 27: Modify the following configuration lines in DUT0 :

delete service firewall FW hashset file 'running://hashset-sha1.list'
delete service firewall FW ruleset file 'running://filehash-sha1-drop.rules'
set service firewall FW hashset file 'running://hashset-sha256.list'
set service firewall FW ruleset file 'running://filehash-sha256-drop.rules'

Step 28: Run command file copy http://10.215.168.1/~robot/nids.html running:// force at DUT0, press Ctrl+C after 10 seconds and expect this output:

Show output
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:09 --:--:--     0^C


Operation aborted by user.

admin@osdx$

Step 29: Run command service firewall FW show logging eve | grep -E "HTTP SHA256 DROP Test by Teldat.*md5.*:.*11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d" at DUT0 and check if output matches the following regular expressions:

(?m)^.+("signature_id":10004).+$
Show output
{"timestamp":"2025-10-10T21:22:22.950018+0000","flow_id":1826296565706277,"event_type":"alert","src_ip":"10.215.168.1","src_port":80,"dest_ip":"10.215.168.64","dest_port":36746,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":10004,"rev":1,"signature":"HTTP SHA256 DROP Test by Teldat","category":"","severity":3},"http":{"hostname":"10.215.168.1","url":"/~robot/nids.html","http_user_agent":"PycURL/7.45.2 libcurl/7.88.1 OpenSSL/3.0.17 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.10.0 nghttp2/1.52.0 librtmp/2.3 OpenLDAP/2.5.13","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":220},"files":[{"filename":"/~robot/nids.html","gaps":false,"state":"CLOSED","md5":"c533c963702d7e99b2aa52713d3cf63c","sha1":"edbfd7fc5eba4b93b8299e4b31352578a74f5773","sha256":"11b4ce07fad40ff666d4c67fe9f9aa7eacecbb3876c0c8c5ee0298202bd9cd6d","stored":false,"size":220,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":427,"bytes_toclient":621,"start":"2025-10-10T21:22:22.949505+0000","src_ip":"10.215.168.64","dest_ip":"10.215.168.1","src_port":36746,"dest_port":80}}