Support User Manuals

Enterasys Networks XSR CLI Router User Manual

Open as PDF

of 684

Firewall Feature Set Commands

16-124 Configuring Security

Syntax

ip firewall policy policy_name src_net_name dst_net_name serv_name {allow | allow-

log | allow-auth group_name | reject | log | url-b | url-w | cls name ...

name}[before policy_name | after policy_name | first] [bidirectional]

Syntax of the “no” Form

Thenoformofthiscommanddisablesanearlierconfiguredpolicy:

no ip firewall policy policy_name

Defaults

Denyall

Mode

Globalconfiguration:XSR(config)#

src_net_name

Nameofsourcenetworkobject,nottoexceed16characters.Thisvaluemust

match

networknameexactly.

dst_net_name

Nameofdestinationnetworkobject,nottoexceed16characters.Thisvalue

mustmatch

networknameexactly.

serv_name

Nameofserviceobject,nottoexceed16characters.

allow

Letpacketspassthroughthefirewall.

allow-log

Letpacketsthroughthefirewallandlogtheactivity.

allow-auth

group_name

LetpacketspassifthesourceIPaddresshasbeenauthenticatedagainstthe

group_name(lengthnottoexceed16characters).Thisvaluemustmatch

network-groupnameexactly.

reject

Dropallpacketsmatchingthepolicy.

log

Dropallmatchingpacketsandlogtheactivity.

url-b | url-w

FiltersHTTPtraffic(TCPconnectionwithadestinationportof80or8080)

usingtheblack(url‐b)URLlist.

Filtershttptrafficusingthewhite(url‐w)URLlist.HTTPaccesstoURLs

matchinganentryinthewhiteURLlistareallowed,non‐matchingURLs

areblocked.

cls name

Letpacketspassthroughthefirewalliftheapplicationmessagetype

matchesoneofthe10typenames.Namesmustnotexceed16characters.

before or after

policy_name

Placepolicybeforeorafterthepolicycitedbypolicy_name(whichmust

alreadyhavebeenset).Ifnotspecified,theobjectwillbethelastlisted.

first

Placepolicyfirst.

bidirectional

Policyappliesinbothdirections.Thatis,forasessioninitiatedatthesource

aswellasthedestination.

Note: If the action is allow-auth the group_name must be specified. All users who are members of

this group are allowed authenticated access. Also, be sure to match the group_name and AAA

group name.

previous next