Firewall-and-NAT Access Ruledef Configuration Mode Commands

The Firewall-and-NAT Access Ruledef Configuration Mode is used to configure and manage Access rule definitions used by the Stateful Firewall (FW) and Network Address Translation (NAT) in-line services.

IMPORTANT:

The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).

bearer 3gpp apn

This command configures an access ruledef to analyze user traffic based on APN bearer.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] bearer 3gpp apn [ case-sensitive ] operator value

no

Removes previously configured bearer ruledef.

case-sensitive

This keyword makes the rule case sensitive.

By default, ruledefs are not case sensitive.

Default: Disabled

operator

Specifies how to logically match the APN name.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
value

The APN name to match in bearer flow.

value must be an alphanumeric string of 1 through 63 characters that can include punctuation characters.


Usage:

Use this command to specify an access ruledef to analyze user traffic based on APN name.


Example:
The following command creates an access ruledef for analyzing user traffic for an APN named apn12:
bearer 3gpp apn = apn12

bearer 3gpp imsi

This command configures an access ruledef to analyze user traffic based on International Mobile Station Identification (IMSI) number in bearer flow.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] bearer 3gpp imsi { operator msid | { !range | range } imsi-pool imsi_pool }

no

Removes previously configured bearer ruledef.

operator

Specifies how to logically match the MSID.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
msid

Specifies the Mobile Station Identifier.

{ !range | range } imsi-pool imsi_pool

{ !range | range }: Specifies the range criteria:

  • !range: Not in the range of
  • range: In the range of

imsi-pool imsi_pool: Specifies the IMSI pool name. imsi_pool must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to specify an access ruledef to analyze user traffic based on IMSI number of mobile station.


Example:
The following command creates an access ruledef to analyze user traffic for the IMSI number 9198838330912:
bearer 3gpp imsi = 9198838330912

bearer username

This command configures an access ruledef to analyze user traffic based on user name of the bearer flow.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] bearer username [ case-sensitive ] operator value

no

Removes previously configured bearer ruledef.

case-sensitive

This keyword makes the rule case sensitive.

By default, ruledefs are not case sensitive.

Default: Disabled

operator

Specifies how to logically match the MSID.

operator must be one of the following:

  • !=: Does not equal
  • !contains: Does not contain
  • !ends-with: Does not end with
  • !starts-with: Does not start with
  • =: Equals
  • contains: Contains
  • ends-with: Ends with
  • starts-with: Starts with
value

Specifies the user name.

value must be an alphanumeric string of 1 through 127 characters.


Usage:

Use this command to specify an access ruledef to analyze user traffic based on user name of the bearer flow.


Example:
The following command creates an access ruledef for analyzing user traffic for the user name user12:
bearer username = user12

create-log-record

This command enables/disables access ruledef logging.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] create-log-record

no

Disables access ruledef logging.


Usage:

Use this command to enable/disable access ruledef logging.


Example:
The following command enables access ruledef logging:
create-log-record

The following command disables access ruledef logging:
no create-log-record

end

Exits the current configuration mode and returns to the Exec mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
end

Usage:

Use this command to return to the Exec mode.

exit

Exits the current mode and returns to the parent configuration mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
exit

Usage:

Use this command to return to the parent configuration mode.

icmp any-match

This command configures an access ruledef to match any ICMPv4 traffic for the user.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] icmp any-match operator condition

no

Removes previously configured ICMPv4 any-match ruledef.

operator

Specifies how to logically match the analyzed state.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to be matched for the user traffic.

condition must be one of the following:

  • FALSE: Specified condition is FALSE.
  • TRUE: Specified condition is TRUE.

Usage:

Use this command to specify an access ruledef to match any ICMPv4 traffic of the user.


Example:
The following command creates an access ruledef to match any non-ICMPv4 traffic of the user:
icmp any-match = FALSE

icmp code

This command configures an access ruledef to analyze user traffic based on ICMPv4 code.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] icmp code operator code

no

Removes previously configured ICMPv4 code ruledef.

operator

Specifies how to logically match the ICMPv4 code.

operator must be one of the following:

  • !=: Does not equal
  • <=: Less than or equals
  • =: Equals
  • >=: Greater than or equals
code

Specifies the ICMPv4 code.

code must be an integer from 0 through 255.


Usage:

Use this command to define an access ruledef to analyze user traffic based on the ICMPv4 code.


Example:
The following command creates an access ruledef for analyzing user traffic using the ICMPv4 code as 23:
icmp code = 23

icmp type

This command configures an access ruledef to analyze user traffic based on ICMPv4 type.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] icmp type operator type

no

Removes previously configured ICMPv4 type ruledef.

operator

Specifies how to logically match the ICMPv4 type.

operator must be one of the following:

  • !=: Does not equal
  • <=: Less than or equals
  • =: Equals
  • >=: Greater than or equals
type

Specifies the ICMPv4 type.

type must be an integer from 0 through 255.

For example, 0 for ECHO Reply, 3 for Dest. Unreachable, and 5 for Redirect.


Usage:

Use this command to define an access ruledef to analyze user traffic based on the ICMPv4 type.


Example:
The following command creates an access ruledef for analyzing user traffic using an ICMPv4 type as 123:
icmp type = 123

icmpv6 any-match

This command configures an access ruledef to match any ICMPv6 traffic for the user.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] icmpv6 any-match operator condition

no

Removes previously configured ICMPv6 any-match ruledef.

operator

Specifies how to logically match the analyzed state.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to be matched for the user traffic.

condition must be one of the following:

  • FALSE: Specified condition is FALSE.
  • TRUE: Specified condition is TRUE.

Usage:

Use this command to specify an access ruledef to match any ICMPv6 traffic of the user.


Example:
The following command creates an access ruledef to match any non-ICMPv6 traffic of the user:
icmpv6 any-match = FALSE

icmpv6 code

This command configures an access ruledef to analyze user traffic based on ICMPv6 code.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] icmpv6 code operator code

no

Removes previously configured ICMPv6 code ruledef.

operator

Specifies how to logically match the ICMPv6 code.

operator must be one of the following:

  • !=: Does not equal
  • <=: Less than or equals
  • =: Equals
  • >=: Greater than or equals
code

Specifies the ICMPv6 code.

code must be an integer from 0 through 255.


Usage:

Use this command to define an access ruledef to analyze user traffic based on the ICMPv6 code.


Example:
The following command creates an access ruledef for analyzing user traffic using the ICMPv6 code as 23:
icmpv6 code = 23

icmpv6 type

This command configures an access ruledef to analyze user traffic based on ICMPv6 type.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] icmpv6 type operator type

no

Removes previously configured ICMPv6 type ruledef.

operator

Specifies how to logically match the ICMPv6 type.

operator must be one of the following:

  • !=: Does not equal
  • <=: Less than or equals
  • =: Equals
  • >=: Greater than or equals
type

Specifies the ICMPv6 type.

type must be an integer from 0 through 255.

For example, 0 for ECHO Reply, 3 for Dest. Unreachable, and 5 for Redirect.


Usage:

Use this command to define an access ruledef to analyze user traffic based on the ICMPv6 type.


Example:
The following command creates an access ruledef for analyzing user traffic using an ICMPv6 type as 123:
icmpv6 type = 123

ip any-match

This command configures an access ruledef to match any IP traffic for the user.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip any-match operator condition

no

Removes previously configured IP any-match ruledef.

operator

Specifies how to logically match the analyzed state.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to be matched for the user traffic.

condition must be one of the following:

  • FALSE: Specified condition is FALSE.
  • TRUE: Specified condition is TRUE.

Usage:

Use this command to specify an access ruledef to match any IP traffic of the user.


Example:
The following command creates an access ruledef to match any non-IP traffic of the user:
ip any-match = FALSE

ip downlink

This command configures an access ruledef to analyze user traffic based on IP packet flow in downlink direction (to subscriber).

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip downlink operator condition

no

Removes previously configured IP ruledef.

operator

Specifies how to logically match the packet flow direction.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • TRUE: Analyzed
  • FALSE: Not analyzed

Usage:

Use this command to define an access ruledef to analyze user traffic based on the IP packet flow direction as downlink.


Example:
The following command creates an access ruledef for analyzing user traffic with the IP packet direction as downlink (to subscriber):
ip downlink = TRUE

ip dst-address

This command configures an access ruledef to analyze user traffic based on IP destination address.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip dst-address { operator { ipv4/ipv6_address | ipv4/ipv6_address/mask } | { !range | range } host-pool host_pool }

no

Removes previously configured IP destination address ruledef.

operator { ipv4/ipv6_address | ipv4/ipv6_address/mask }

operator specifies how to logically match the IP destination address.

operator must be one of the following:

  • !=: Does not equal
  • <=: Less than or equals
  • =: Equals
  • >=: Greater than or equals

ipv4/ipv6_address: Specifies the IP address of destination node for outgoing traffic. ipv4/ipv6_address must be the IP address entered using IPv4 dotted-decimal notation or IPv6 colon-separated-hexadecimal notation.

ipv4/ipv6_address/mask: Specifies the IP address of destination node for outgoing traffic. ipv4/ipv6_address/mask must be the IP address entered using IPv4 dotted-decimal notation or IPv6 colon-separated-hexadecimal notation. The mask bit is a numeric value which is the number of bits in the subnet mask.

{ !range | range } host-pool host_pool

!range | range: Specifies the range criteria:

  • !range: Not in the range of
  • range: In the range of

host-pool host_pool: Specifies the host pool name. host_pool must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to specify an access ruledef to analyze user traffic based on the IP destination address.


Example:
The following command creates an IP ruledef for analyzing user traffic using an IP destination address of 10.1.1.1:
ip dst-address = 10.1.1.1

ip protocol

This command configures an access ruledef to analyze user traffic based on the protocol being transported by IP packets.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip protocol { { operator { protocol | protocol_assignment } } | { operator protocol_assignment } }

no

Removes previously configured IP protocol address ruledef.

operator { protocol | protocol_assignment }

operator: Specifies how to logically match the IP protocol.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals

protocol: Specifies the protocol by name.

protocol must be one of the following:

  • ah
  • esp
  • gre
  • icmp
  • tcp
  • udp

protocol_assignment: Specifies the protocol by assignment number. protocol_assignment must be an integer from 0 through 255 (for example, 1 for ICMP, 6 for TCP, and 17 for UDP).

operator protocol_assignment

operator: Specifies how to logically match the IP protocol.

operator must be one of the following:

  • <=: Less than or equals
  • >=: Greater than or equals

protocol_assignment: Specifies the protocol by assignment number.

protocol_assignment must be an integer from 0 through 255 (for example, 1 for ICMP, 6 for TCP, and 17 for UDP).


Usage:

Use this command to specify an access ruledef to analyze user traffic based on the IP protocol.


Example:
The following command creates an IP ruledef for analyzing user traffic using a protocol assignment of 1:
ip protocol = 1

ip src-address

This command configures an access ruledef to analyze user traffic based on IP source address.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip src-address { operator { ipv4/ipv6_address | ipv4/ipv6_address/mask } | { !range | range } host-pool host_pool }

no

Removes previously configured IP destination address ruledef.

operator { ipv4/ipv6_address | ipv4/ipv6_address/mask }

operator: Specifies how to logically match the IP source address.

operator must be one of the following:

  • !=: Does not equal
  • <=: Less than or equals
  • =: Equals
  • >=: Greater than or equals

ipv4/ipv6_address: Specifies the IP address using IPv4 dotted-decimal notation or IPv6 colon-separated-hexadecimal notation.

ipv4/ipv6_address/mask: Specifies the IP address using IPv4 dotted-decimal notation or IPv6 colon-separated-hexadecimal notation with subnet mask bit. The mask bit is a numeric value which is the number of bits in the subnet mask.

{ !range | range } host-pool host_pool

!range | range: Specifies the range criteria:

  • !range: Not in the range of
  • range: In the range of

host-pool host_pool: Specifies the host pool name. host_pool must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to specify an access ruledef to analyze user traffic based on the IP source address.


Example:
The following command creates an IP ruledef for analyzing user traffic using an IP source address of 10.1.1.1:
ip src-address = 10.1.1.1

ip uplink

This command configures an access ruledef to analyze user traffic based on IP packet flow in the uplink direction (from subscriber).

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip uplink operator condition

no

Removes previously configured IP uplink match ruledef.

operator

Specifies how to logically match the IP packet flow direction.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to match.

condition must be one of the following:

  • TRUE: Not analyzed
  • FALSE: Analyzed

Usage:

Use this command to define an access ruledef to analyze user traffic based on the IP packet flow direction as uplink.


Example:
The following command creates an access ruledef for analyzing user traffic with the IP packet direction as uplink (from subscriber):
ip uplink = TRUE

ip version

This command defines rule expressions to match version number in IP header.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] ip version = { ipv4 | ipv6 }

no

Deletes the specified rule expression.

ipv4

Specifies the rule expression for IP version 4.

ipv6

Specifies the rule expression for IP version 6.


Usage:

Use this command to define rule expressions to match IPv4/IPv6 version number in IP header.


Example:
The following command defines a rule expression to match user traffic for the IP version ipv6:
ip version = ipv6

tcp any-match

This command configures an access ruledef to match any TCP traffic for the user.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp any-match operator condition

no

Removes previously configured TCP any-match ruledef.

operator

Specifies how to logically match the analyzed state.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to be matched for the user traffic.

condition must be one of the following:

  • FALSE: Specified condition is FALSE.
  • TRUE: Specified condition is TRUE.

Usage:

Use this command to specify an access ruledef to match any TCP traffic of the user.


Example:
The following command creates an access ruledef to match any non-TCP traffic of the user:
tcp any-match = FALSE

tcp dst-port

This command configures an access ruledef to analyze user traffic based on destination TCP port.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp dst-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }

no

Removes the previously configured destination TCP port ruledef.

operator

Specifies how to logically match the port number.

operator must be one of the following:

  • !=: Does not equal
  • <=: Less than or equals
  • =: Equals
  • >=: Greater than or equals
port_number

Specifies the port number to match.

port_number must be an integer from 1 through 65535.

range | !range

Specifies the range criteria:

  • !range: Not in the range
  • range: In the range
start_range to end_range

Specifies the starting and ending port numbers for the range of destination TCP ports.

start_range must be an integer from 1 through 65535.

end_range must be an integer from 1 through 65535 that is greater than start_range.

port-map port_map

Specifies name of the port-map for the port range.

port_map must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to specify an access ruledef to analyze user traffic based on destination TCP port.


Example:
The following command creates an access ruledef for analyzing user traffic matching destination port for TCP as 10:
tcp dst-port = 10

tcp either-port

This command configures an access ruledef to analyze user traffic based on either (destination or source) TCP ports.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp either-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }

no

Removes previously configured TCP either-port (destination or source) ruledef.

operator

Specifies how to logically match the port number.

operator must be one of the following:

  • !=: Does not equal
  • <=: Less than or equals
  • =: Equals
  • >=: Greater than or equals
port_number

Specifies the port number to match.

port_number must be an integer from 1 through 65535.

range | !range

Specifies the range criteria:

  • !range: Not in the range
  • range: In the range
start_range to end_range

Specifies the starting and ending port numbers for the port range.

start_range must be an integer from 1 through 65535.

end_range must be an integer from 1 through 65535 that is greater than start_range.

port-map port_map

Specifies name of the port-map for the port range.

port_map must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to specify an access ruledef to analyze user traffic based on either TCP port.


Example:
The following command creates an access ruledef for analyzing user traffic matching destination or source port for TCP as 10:
tcp either-port = 10

tcp src-port

This command configures an access ruledef to analyze user traffic based on source TCP port.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] tcp src-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }

no

Removes previously configured source TCP port ruledef.

operator

Specifies how to logically match the port number.

operator must be one of the following:

  • !=: Does not equal
  • <=: Less than or equals
  • =: Equals
  • >=: Greater than or equals
port_number

Specifies the port number to match.

port_number must be an integer from 1 to 65535.

range | !range

Specifies the range criteria:

  • !range: Not in the range
  • range: In the range
start_range to end_range

Specifies the starting and ending port numbers for the port range.

start_range must be an integer from 1 through 65535.

end_range must be an integer from 1 through 65535 that is greater than start_range.

port-map port_map

Specifies name of the port-map for the port range.

port_map must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to specify an access ruledef to analyze user traffic based on source TCP port.


Example:
The following command creates an access ruledef for analyzing user traffic matching source port for TCP as 10:
tcp src-port = 10

udp any-match

This command configures an access ruledef to match any UDP traffic for the user.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] udp any-match operator condition

no

Removes previously configured UDP any-match ruledef.

operator

Specifies how to logically match the analyzed state.

operator must be one of the following:

  • !=: Does not equal
  • =: Equals
condition

Specifies the condition to be matched for the user traffic.

condition must be one of the following:

  • FALSE: Specified condition is FALSE.
  • TRUE: Specified condition is TRUE.

Usage:

Use this command to specify an access ruledef to match any UDP traffic of the user.


Example:
The following command creates an access ruledef to match any UDP traffic of the user:
udp any-match = TRUE

udp dst-port

This command configures an access ruledef to analyze user traffic based on destination UDP port.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] udp dst-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }

no

Removes previously configured destination UDP ports ruledef.

operator

Specifies how to logically match the port number.

operator must be one of the following:

  • !=: Does not equal
  • <=: Less than or equals
  • =: Equals
  • >=: Greater than or equals
port_number

Specifies the port number to match.

port_number must be an integer from 1 through 65535.

!range | range

Specifies the range criteria.

  • !range: Not in the range
  • range: In the range
start_range to end_range

Specifies the starting and ending port numbers for the port range.

start_range must be an integer from 1 through 65535.

end_range must be an integer from 1 through 65535 that is greater than start_range.

port-map port_map

Specifies name of the port-map for the port range.

port_map must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to specify an access ruledef to analyze user traffic based on destination UDP port.


Example:
The following command creates an access ruledef for analyzing user traffic matching destination port for UDP as 10:
udp dst-port = 10

udp either-port

This command configures an access ruledef to analyze user traffic based on either (destination or source) UDP port.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] udp either-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }

no

Removes previously configured either-port (destination or source) UDP ruledef.

operator

Specifies how to logically match the port number.

operator must be one of the following:

  • !=: Does not equal
  • <=: Less than or equals
  • =: Equals
  • >=: Greater than or equals
port_number

Specifies the port number to match.

port_number must be an integer from 1 through 65535.

!range | range

Specifies the range criteria.

  • !range: Not in the range
  • range: In the range
start_range to end_range

Specifies the starting and ending port numbers for the port range.

start_range must be an integer from 1 through 65535.

end_range must be an integer from 1 through 65535 that is greater than start_range.

port-map port_map

Specifies name of the port-map for the port range.

port_map must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to specify an access ruledef to analyze user traffic based on either UDP port.


Example:
The following command creates an access ruledef for analyzing user traffic matching destination or source port for UDP as 10:
udp either-port = 10

udp src-port

This command configures an access ruledef to analyze user traffic based on source UDP port.

Platform:

ASR 5000

Product:

FW, NAT


Privilege:

Security Administrator, Administrator


Syntax
[ no ] udp src-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }

no

Removes previously configured source UDP port ruledef.

operator

Specifies how to logically match the port number.

operator must be one of the following:

  • !=: Does not equal
  • <=: Less than or equals
  • =: Equals
  • >=: Greater than or equals
port_number

Specifies the port number to match.

port_number must be an integer from 1 through 65535.

!range | range

Specifies the range criteria.

  • !range: Not in the range
  • range: In the range
start_range to end_range

Specifies the starting and ending port numbers for the port range.

start_range must be an integer from 1 through 65535.

end_range must be an integer from 1 through 65535 that is greater than start_range.

port-map port_map

Specifies name of the port-map for the port range.

port_map must be an alphanumeric string of 1 through 63 characters.


Usage:

Use this command to specify an access ruledef to analyze user traffic based on source UDP port.


Example:
The following command creates an access ruledef for analyzing user traffic matching source port for UDP as 10:
udp src-port = 10
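
The value ranges and operator sets documented above for the tcp/udp port commands, icmp/icmpv6 type and code, and ip protocol can be checked offline before a firewall rule set is applied. The following is an added example, not part of the original reference and not Cisco code; the function names (lint_ruledef_line, lint_config) and the sample lines are hypothetical, and other commands on this page are reported as not covered.

```python
import re

CMP_OPS = {"!=", "<=", "=", ">="}  # operators listed for ports and ICMP type/code
PROTO_NAMES = {"ah", "esp", "gre", "icmp", "tcp", "udp"}
# Assumption: "alphanumeric string of 1 through 63 characters" is read strictly
# as letters and digits only.
NAME_RE = re.compile(r"[A-Za-z0-9]{1,63}")


def _is_int_in(text, low, high):
    return text.isascii() and text.isdigit() and low <= int(text) <= high


def _lint_port(args):
    if len(args) == 2 and args[0] in CMP_OPS:
        ok = _is_int_in(args[1], 1, 65535)
        return [] if ok else ["port_number must be an integer from 1 through 65535"]
    if len(args) >= 3 and args[0] in ("range", "!range"):
        rest = args[1:]
        if len(rest) == 2 and rest[0] == "port-map":
            ok = NAME_RE.fullmatch(rest[1])
            return [] if ok else ["port_map must be 1 through 63 alphanumeric characters"]
        if len(rest) == 3 and rest[1] == "to":
            start, end = rest[0], rest[2]
            if not (_is_int_in(start, 1, 65535) and _is_int_in(end, 1, 65535)):
                return ["start_range and end_range must be integers from 1 through 65535"]
            if int(end) <= int(start):
                return ["end_range must be greater than start_range"]
            return []
    return ["does not match the documented port syntax"]


def _lint_icmp(args, field):
    if len(args) != 2 or args[0] not in CMP_OPS:
        return [f"expected: {field} operator value, operator one of !=, <=, =, >="]
    ok = _is_int_in(args[1], 0, 255)
    return [] if ok else [f"{field} must be an integer from 0 through 255"]


def _lint_protocol(args):
    if len(args) != 2:
        return ["expected: operator followed by a protocol"]
    op, value = args
    if op in ("=", "!="):
        ok = value in PROTO_NAMES or _is_int_in(value, 0, 255)
        return [] if ok else ["protocol must be a listed name or an integer from 0 through 255"]
    if op in ("<=", ">="):
        # The ordering operators are documented only with protocol_assignment numbers.
        ok = _is_int_in(value, 0, 255)
        return [] if ok else ["<= and >= take a protocol_assignment from 0 through 255, not a name"]
    return ["operator must be one of !=, =, <=, >="]


def lint_ruledef_line(line):
    """Return a list of problems; an empty list means the line passes these checks."""
    words = line.split()
    if words and words[0] == "no":  # the [ no ] form uses the same arguments
        words = words[1:]
    if len(words) >= 2:
        head, args = (words[0], words[1]), words[2:]
        if head[0] in ("tcp", "udp") and head[1] in ("dst-port", "src-port", "either-port"):
            return _lint_port(args)
        if head[0] in ("icmp", "icmpv6") and head[1] in ("type", "code"):
            return _lint_icmp(args, head[1])
        if head == ("ip", "protocol"):
            return _lint_protocol(args)
    return ["command not covered by this check"]


# Constructed sample lines, not taken from a real device configuration.
SAMPLE = """\
tcp dst-port = 10
udp src-port range 2000 to 1000
ip protocol >= tcp
icmpv6 code = 256
tcp either-port !range port-map webports
"""


def lint_config(text):
    """Map each non-empty line that has problems to its list of problems."""
    report = {}
    for line in text.splitlines():
        if line.strip():
            problems = lint_ruledef_line(line)
            if problems:
                report[line.strip()] = problems
    return report


if __name__ == "__main__":
    for bad_line, problems in lint_config(SAMPLE).items():
        print(f"{bad_line!r}: {'; '.join(problems)}")
```
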