Enterasys Networks X-Pedition XSR CLI User Manual


Firewall Feature Set Commands

16-124 Configuring Security

Syntax

ip firewall policy policy_name src_net_name dst_net_name serv_name {allow | allow-log | allow-auth group_name | reject | log | url-b | url-w | cls name ... name} [before policy_name | after policy_name | first] [bidirectional]

Syntax of the “no” Form

The no form of this command disables a previously configured policy:

no ip firewall policy policy_name

Defaults

Deny all

Mode

Global configuration: XSR(config)#

src_net_name

Name of the source network object, not to exceed 16 characters. This value must match the network object name exactly.

dst_net_name

Name of the destination network object, not to exceed 16 characters. This value must match the network object name exactly.

serv_name

Name of service object, not to exceed 16 characters.

allow

Let packets pass through the firewall.

allow-log

Let packets through the firewall and log the activity.

allow-auth group_name

Let packets pass if the source IP address has been authenticated against the group_name (length not to exceed 16 characters). This value must match the network-group object name exactly.

reject

Drop all packets matching the policy.

log

Drop all matching packets and log the activity.

url-b | url-w

Filters HTTP traffic (TCP connections with a destination port of 80 or 8080) using the black (url-b) URL list: HTTP access to URLs matching an entry in the black list is blocked.

Filters HTTP traffic using the white (url-w) URL list: HTTP access to URLs matching an entry in the white list is allowed, and non-matching URLs are blocked.

cls name

Let packets pass through the firewall if the application message type matches one of the (up to 10) type names listed. Names must not exceed 16 characters.

before policy_name | after policy_name

Place the new policy before or after the policy named by policy_name (which must already have been configured). If neither is specified, the new policy is placed last in the list.

first

Place policy first.

bidirectional

The policy applies in both directions, that is, to sessions initiated at the source as well as sessions initiated at the destination.

Note: If the action is allow-auth the group_name must be specified. All users who are members of
this group are allowed authenticated access. Also, be sure to match the group_name and AAA
group name.
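An added example, not taken from the manual, that builds a small ordered policy set with this command. The object names are assumed for illustration: network objects inside, outside, branch and quarantine (a subset of inside), service objects http, ssh and ipsec, and a network-group admins whose name matches the AAA group.

```text
XSR(config)# ip firewall policy web_out inside outside http url-w
XSR(config)# ip firewall policy quarantine_drop quarantine outside http log first
XSR(config)# ip firewall policy admin_ssh outside inside ssh allow-auth admins
XSR(config)# ip firewall policy branch_vpn inside branch ipsec allow-log bidirectional
XSR(config)# no ip firewall policy branch_vpn
```

quarantine_drop is placed first so that it is evaluated ahead of web_out, which would otherwise admit the same hosts; any traffic matching no policy is dropped under the Deny all default, and the final no command removes branch_vpn again.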
