Is there a way to use VCS API to change "Firewall rules"?
Good day Dear colleagues,
I'm trying to set up a highly automated VCS environment where one component will analyze VCS logs and another component will find matches in the VCS logs and then, based on those matches, add and enable new firewall rules in the built-in VCS firewall. The purpose of this kind of automation is to automatically detect and stop pesky SIP spam and toll fraud calls. I have very good stop and deny call policy rules in place, but I don't want these calls to even get to my VCS, or if they do, I don't want my VCS to process them at all. I have had these rules set up and working for more than two years now and they've proved to be very efficient, but the next and natural step, I think, is to stop these calls at the networking layer. Let's say VCS sees suspicious calls coming from some IP address and my script automatically adds a corresponding firewall rule to block this IP address for some predefined period of time.
There are three assumptions which I know I have to take into consideration:
1. Bad boys can spoof an IP address and cause me to block some valid IP but at this moment I can live with this assumption,
2. I want to use the built-in VCS firewall; I don't want to touch my corporate firewall,
3. I'll have to "review & clean" my VCS firewall rules from time to time.
P.S. Of course, if Cisco R&D implements some better control over the VCS built-in firewall functionality, then this discussion can or will take another route, but right now I'm looking for some API commands that will allow me to manipulate VCS firewall rules from the CLI or any other scripting environment.
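The detection and time-limited blocking logic described above, as an added example that is not part of the original post and not a VCS or Cisco tool: the log line format, thresholds and IP addresses are all constructed assumptions (the page gives no VCS log format or firewall API), and the step that actually pushes a rule to the VCS is left to whatever interface is available, so the code only decides which addresses to block and when the entries should be reviewed and removed (assumption 3 in the post).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like shape; not the real VCS log format.
SAMPLE_LOG = """\
2014-03-01T10:00:01 Event="Call Rejected" Src-ip="203.0.113.5" Reason="Policy deny"
2014-03-01T10:00:03 Event="Call Rejected" Src-ip="203.0.113.5" Reason="Policy deny"
2014-03-01T10:00:04 Event="Call Attempted" Src-ip="198.51.100.7"
2014-03-01T10:00:06 Event="Call Rejected" Src-ip="203.0.113.5" Reason="Policy deny"
2014-03-01T10:05:00 Event="Call Rejected" Src-ip="198.51.100.7" Reason="Policy deny"
"""

LINE_RE = re.compile(r'^(\S+) Event="([^"]+)" Src-ip="([^"]+)"')

THRESHOLD = 3                     # assumed: rejections inside WINDOW that trigger a block
WINDOW = timedelta(minutes=1)     # assumed sliding window
BLOCK_FOR = timedelta(hours=24)   # assumed "predefined period" for a block

def parse(log_text):
    """Yield (timestamp, event, src_ip) for lines matching the constructed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def find_offenders(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: time the threshold was hit} for sources with >= threshold
    policy rejections inside one sliding window; a single rejection is not enough."""
    recent = defaultdict(list)
    hits = {}
    for ts, event, ip in parse(log_text):
        if event != "Call Rejected" or ip in hits:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= threshold:
            hits[ip] = ts
    return hits

class BlockList:
    """Time-bounded block list: entries expire instead of accumulating forever."""
    def __init__(self, block_for=BLOCK_FOR):
        self.block_for = block_for
        self.entries = {}  # ip -> expiry time

    def add(self, ip, when):
        self.entries[ip] = when + self.block_for

    def active(self, now):
        return sorted(ip for ip, exp in self.entries.items() if exp > now)

    def expire(self, now):
        """Drop stale entries and return the IPs whose rules should now be removed."""
        stale = [ip for ip, exp in self.entries.items() if exp <= now]
        for ip in stale:
            del self.entries[ip]
        return stale
```

Running `expire()` on a schedule is the automated form of the periodic "review and clean" step, so rules added for spoofed or transient sources do not stay in place indefinitely.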
Re: Is there a way to use VCS API to change "Firewall rules"?
Thank you Alok! Nice to speak with you again, you rule as always :-)
I had a discussion with a Cisco SE not so long ago, and my very preliminary impression of the relevant features was that v. 8.x will not address many of my concerns. Anyway, thank you for this prompt reply, and let's see what security measures will be implemented in the 8.x SW.
I personally think that if there is a chance that Cisco tries to listen to their customers who write on this forum (hey, I do not challenge Cisco's ability to listen to their customers :-), I can compile some very comprehensive document or list that will contain my suggestions to address these security issues. You know that I'm supporting a very big number of customers, and security issues, including SIP spam and toll fraud calls, are at the top of their minds.