Firewall-and-NAT
Access Ruledef Configuration Mode Commands
The Firewall-and-NAT
Access Ruledef Configuration Mode is used to configure and manage
access rule definitions (access ruledefs) used by the Stateful Firewall (FW) and Network
Address Translation (NAT) in-line services. An access ruledef only classifies traffic;
the permit or deny action is assigned where the ruledef is referenced from a
Firewall-and-NAT policy, which is configured in a separate mode.
IMPORTANT:
The commands or keywords/variables
that are available are dependent on platform type, product version,
and installed license(s).
bearer 3gpp apn
This command configures
an access ruledef to analyze user traffic based on APN bearer.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] bearer
3gpp apn [ case-sensitive ] operator value
no
Removes previously
configured bearer ruledef.
case-sensitive
This keyword makes
the rule case sensitive.
By
default, ruledefs are not case sensitive.
Default: Disabled
operator
Specifies how to logically
match the APN name.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
value
The APN name to match
in bearer flow.
value must
be an alphanumeric string of 1 through 63 characters that can include
punctuation characters.
Usage:
Use this command to
specify an access ruledef to analyze user traffic based on APN name.
Example:
The following command
creates an access ruledef for analyzing user traffic for an APN named
apn12:
bearer 3gpp apn = apn12
bearer 3gpp imsi
This command configures
an access ruledef to analyze user traffic based on International
Mobile Station Identification (IMSI) number in bearer flow.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] bearer
3gpp imsi { operator msid | { !range | range } imsi-pool imsi_pool }
no
Removes previously
configured bearer ruledef.
operator
Specifies how to logically
match the MSID.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
msid
Specifies the Mobile
Station Identifier.
{ !range | range } imsi-pool imsi_pool
{ !range | range }:
Specifies the range criteria:
- !range: Not
in the range of
- range: In
the range of
imsi-pool imsi_pool: Specifies
the IMSI pool name. imsi_pool must
be an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
specify an access ruledef to analyze user traffic based on IMSI number
of mobile station.
Example:
The following command
creates an access ruledef to analyze user traffic for the IMSI number
9198838330912:
bearer 3gpp imsi = 9198838330912
bearer username
This command configures
an access ruledef to analyze user traffic based on user name of
the bearer flow.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] bearer
username [ case-sensitive ] operator value
no
Removes previously
configured bearer ruledef.
case-sensitive
This keyword makes
the rule case sensitive.
By default, ruledefs
are not case sensitive.
Default: Disabled
operator
Specifies how to logically
match the user name.
operator must
be one of the following:
- !=:
Does not equal
- !contains:
Does not contain
- !ends-with:
Does not end with
- !starts-with:
Does not start with
- =:
Equals
- contains:
Contains
- ends-with:
Ends with
- starts-with:
Starts with
value
Specifies the user
name.
value must
be an alphanumeric string of 1 through 127 characters.
Usage:
Use this command to
specify an access ruledef to analyze user traffic based on user name
of the bearer flow.
Example:
The following command
creates an access ruledef for analyzing user traffic for the user name
user12:
bearer username = user12
create-log-record
This command enables/disables
access ruledef logging.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] create-log-record
no
Disables access ruledef
logging.
Usage:
Use this command to
enable/disable access ruledef logging.
Example:
The following command
enables access ruledef logging:
create-log-record
The following command
disables access ruledef logging:
no create-log-record
end
Exits the current
configuration mode and returns to the Exec mode.
Privilege:
Security Administrator,
Administrator
Usage:
Use this command to
return to the Exec mode.
exit
Exits the current
mode and returns to the parent configuration mode.
Privilege:
Security Administrator,
Administrator
Usage:
Use this command to
return to the parent configuration mode.
icmp any-match
This command configures
an access ruledef to match any ICMPv4 traffic for the user.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] icmp
any-match operator
condition
no
Removes previously
configured ICMPv4 any-match ruledef.
operator
Specifies how to logically
match the analyzed state.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to be matched for the user traffic.
condition must
be one of the following:
- FALSE: Specified
condition is FALSE.
- TRUE: Specified
condition is TRUE.
Usage:
Use this command to
specify an access ruledef to match any ICMPv4 traffic of the user.
Example:
The following command
creates an access ruledef to match any non-ICMPv4 traffic of the user:
icmp any-match = FALSE
icmp code
This command configures
an access ruledef to analyze user traffic based on ICMPv4 code.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] icmp
code operator code
no
Removes previously
configured ICMPv4 code ruledef.
operator
Specifies how to logically
match the ICMPv4 code.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
code
Specifies the ICMPv4
code.
code must
be an integer from 0 through 255.
Usage:
Use this command to
define an access ruledef to analyze user traffic based on the ICMPv4 code.
Example:
The following command
creates an access ruledef for analyzing user traffic using the ICMPv4
code as
23:
icmp code = 23
icmp type
This command configures
an access ruledef to analyze user traffic based on ICMPv4 type.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] icmp
type operator type
no
Removes previously
configured ICMPv4 type ruledef.
operator
Specifies how to logically
match the ICMPv4 type.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
type
Specifies the ICMPv4
type.
type must
be an integer from 0 through 255.
For example, 0 for
Echo Reply, 3 for Destination Unreachable, 5 for Redirect, and 8 for Echo Request.
Usage:
Use this command to
define an access ruledef to analyze user traffic based on the ICMPv4 type.
Example:
The following command
creates an access ruledef for analyzing user traffic using an ICMPv4
type as
123:
icmp type = 123
icmpv6 any-match
This command configures
an access ruledef to match any ICMPv6 traffic for the user.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] icmpv6
any-match operator
condition
no
Removes previously
configured ICMPv6 any-match ruledef.
operator
Specifies how to logically
match the analyzed state.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to be matched for the user traffic.
condition must
be one of the following:
- FALSE: Specified
condition is FALSE.
- TRUE: Specified
condition is TRUE.
Usage:
Use this command to
specify an access ruledef to match any ICMPv6 traffic of the user.
Example:
The following command
creates an access ruledef to match any non-ICMPv6 traffic of the user:
icmpv6 any-match = FALSE
icmpv6 code
This command configures
an access ruledef to analyze user traffic based on ICMPv6 code.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] icmpv6
code operator
code
no
Removes previously
configured ICMPv6 code ruledef.
operator
Specifies how to logically
match the ICMPv6 code.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
code
Specifies the ICMPv6
code.
code must
be an integer from 0 through 255.
Usage:
Use this command to
define an access ruledef to analyze user traffic based on the ICMPv6 code.
Example:
The following command
creates an access ruledef for analyzing user traffic using the ICMPv6
code as
23:
icmpv6 code = 23
icmpv6 type
This command configures
an access ruledef to analyze user traffic based on ICMPv6 type.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] icmpv6
type operator
type
no
Removes previously
configured ICMPv6 type ruledef.
operator
Specifies how to logically
match the ICMPv6 type.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
type
Specifies the ICMPv6
type.
type must
be an integer from 0 through 255.
ICMPv6 type numbers differ from ICMPv4 (RFC 4443): types 0 through 127 are
error messages and 128 through 255 are informational messages. For example,
1 for Destination Unreachable, 128 for Echo Request, 129 for Echo Reply, and
137 for Redirect; type 0 is reserved.
Usage:
Use this command to
define an access ruledef to analyze user traffic based on the ICMPv6 type.
Example:
The following command
creates an access ruledef for analyzing user traffic using an ICMPv6
type as
123:
icmpv6 type = 123
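The following is an added example, not taken from the original document, showing how the ICMP lines above combine into complete access ruledefs. It assumes an Active Charging Service named acs1 and hypothetical ruledef names, and it assumes that the lines within one access ruledef are combined with logical AND, which this page does not state; the # lines are annotations, not CLI input. The point to note is that ICMPv4 and ICMPv6 number the same message differently: Echo Request is type 8 in ICMPv4 and type 128 in ICMPv6, so a ruledef written for one protocol does not classify the other.

```text
configure
  active-charging service acs1
    # Inbound (to-subscriber) ICMPv4 Echo Request: type 8, code 0.
    # All lines in a ruledef are assumed to be ANDed.
    access-ruledef icmpv4-echo-request-downlink
      ip downlink = TRUE
      icmp type = 8
      icmp code = 0
      create-log-record
      exit
    # Inbound ICMPv6 Echo Request: type 128, code 0 (RFC 4443).
    # "icmpv6 type = 8" would match nothing useful: 8 is unassigned in ICMPv6.
    access-ruledef icmpv6-echo-request-downlink
      ip downlink = TRUE
      icmpv6 type = 128
      icmpv6 code = 0
      create-log-record
      exit
    # Inbound ICMPv6 error messages only: RFC 4443 puts all error types
    # in 0-127 and all informational types in 128-255, so one "<=" line covers them.
    access-ruledef icmpv6-error-downlink
      ip downlink = TRUE
      icmpv6 type <= 127
      exit
    end
```

These ruledefs only classify; whether a match is permitted or denied is decided where each ruledef is referenced from the Firewall-and-NAT policy. create-log-record is enabled on the two Echo Request ruledefs so that matches are logged, which is usually wanted for rules that are expected to fire rarely.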
ip any-match
This command configures
an access ruledef to match any IP traffic for the user.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
any-match operator
condition
no
Removes previously
configured IP any-match ruledef.
operator
Specifies how to logically
match the analyzed state.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to be matched for the user traffic.
condition must
be one of the following:
- FALSE: Specified
condition is FALSE.
- TRUE: Specified
condition is TRUE.
Usage:
Use this command to
specify an access ruledef to match any IP traffic of the user.
Example:
The following command
creates an access ruledef to match any non-IP traffic of the user:
ip any-match = FALSE
ip downlink
This command configures
an access ruledef to analyze user traffic based on IP packet flow
in downlink direction (to subscriber).
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
downlink operator
condition
no
Removes previously
configured IP ruledef.
operator
Specifies how to logically
match the packet flow direction.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
- TRUE: The packet
is in the downlink direction (to subscriber)
- FALSE: The packet
is not in the downlink direction
Usage:
Use this command to
define an access ruledef to analyze user traffic based on the IP
packet flow direction as downlink.
Example:
The following command
creates access ruledef for analyzing user traffic using an IP packet direction
to downlink (to subscriber):
ip downlink = TRUE
ip dst-address
This command configures
an access ruledef to analyze user traffic based on IP destination
address.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
dst-address { operator { ipv4/ipv6_address | ipv4/ipv6_address/mask } | { !range | range } host-pool host_pool }
no
Removes previously
configured IP destination address ruledef.
operator { ipv4/ipv6_address | ipv4/ipv6_address/mask }
operator specifies
how to logically match the IP destination address.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
ipv4/ipv6_address:
Specifies the IP address of destination node for outgoing traffic. ipv4/ipv6_address must
be the IP address entered using IPv4 dotted-decimal notation or
IPv6 colon-separated-hexadecimal notation.
ipv4/ipv6_address/mask:
Specifies the IP address of destination node for outgoing traffic. ipv4/ipv6_address/mask must
be the IP address entered using IPv4 dotted-decimal notation or
IPv6 colon-separated-hexadecimal notation. The mask bit is a numeric
value which is the number of bits in the subnet mask.
{ !range | range } host-pool host_pool }
!range | range:
Specifies the range criteria:
- !range: Not
in the range of
- range: In
the range of
host-pool host_pool: Specifies
the host pool name. host_pool must
be an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
specify an access ruledef to analyze user traffic based on the IP destination
address.
Example:
The following command
creates IP ruledef for analyzing user traffic using an IP destination address
of
10.1.1.1:
ip dst-address = 10.1.1.1
ip protocol
This command configures
an access ruledef to analyze user traffic based on the protocol
being transported by IP packets.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
protocol { { operator { protocol | protocol_assignment } } | { operator protocol_assignment } }
no
Removes previously
configured IP protocol ruledef.
operator { protocol | protocol_assignment }
operator:
Specifies how to logically match the IP protocol.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
protocol:
Specifies the protocol by name.
protocol must
be one of the following:
protocol_assignment:
Specifies the protocol by assignment number. protocol_assignment must
be an integer from 0 through 255 (for example, 1 for ICMP, 6 for
TCP, and 17 for UDP).
operator protocol_assignment
operator:
Specifies how to logically match the IP protocol.
operator must
be one of the following:
- <=:
Less than or equals
- >=:
Greater than or equals
protocol_assignment:
Specifies the protocol by assignment number.
protocol_assignment must
be an integer from 0 through 255 (for example, 1 for ICMP, 6 for
TCP, and 17 for UDP).
Usage:
Use this command to
specify an access ruledef to analyze user traffic based on the IP protocol.
Example:
The following command
creates IP ruledef for analyzing user traffic using a protocol assignment
of
1:
ip protocol = 1
ip src-address
This command configures
an access ruledef to analyze user traffic based on IP source address.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
src-address { operator { ipv4/ipv6_address | ipv4/ipv6_address/mask } | { !range | range } host-pool host_pool }
no
Removes previously
configured IP source address ruledef.
operator { ipv4/ipv6_address | ipv4/ipv6_address/mask }
operator:
Specifies how to logically match the IP source address.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
ipv4/ipv6_address:
Specifies the IP address using IPv4 dotted-decimal notation or IPv6
colon-separated-hexadecimal notation.
ipv4/ipv6_address/mask:
Specifies the IP address using IPV4 dotted-decimal notation or IPv6
colon-separated-hexadecimal notation with subnet mask bit. The mask
bit is a numeric value which is the number of bits in the subnet mask.
{ !range | range } host-pool host_pool
!range | range:
Specifies the range criteria:
- !range: Not
in the range of
- range: In
the range of
host-pool host_pool: Specifies
the host pool name. host_pool must
be an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
specify an access ruledef to analyze user traffic based on the IP source
address.
Example:
The following command
creates IP ruledef for analyzing user traffic using an IP source address
of
10.1.1.1:
ip src-address = 10.1.1.1
ip uplink
This command configures
an access ruledef to analyze user traffic based on IP packet flow
in the uplink direction (from subscriber).
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
uplink operator condition
no
Removes previously
configured IP uplink match ruledef.
operator
Specifies how to logically
match the IP packet flow direction.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to match.
condition must
be one of the following:
- TRUE: The packet
is in the uplink direction (from subscriber)
- FALSE: The packet
is not in the uplink direction
Usage:
Use this command to
define an access ruledef to analyze user traffic based on the IP
packet flow direction as uplink.
Example:
The following command
creates access ruledef for analyzing user traffic using an IP packet direction
to uplink (from subscriber):
ip uplink = TRUE
ip version
This command defines
rule expressions to match version number in IP header.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] ip
version = { ipv4 | ipv6 }
no
Deletes the specified
rule expression.
ipv4
Specifies the rule
expression for IP version 4.
ipv6
Specifies the rule
expression for IP version 6.
Usage:
Use this command to
define rule expressions to match IPv4/IPv6 version number
in IP header.
Example:
The following command
defines a rule expression to match user traffic for the IP version
ipv6:
ip version = ipv6
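The following is an added example, not taken from the original document, combining the ip and bearer lines above into complete access ruledefs. It assumes an Active Charging Service named acs1, a hypothetical APN corp.example and hypothetical ruledef names, and it assumes that the lines within one access ruledef are combined with logical AND, which this page does not state; the # lines are annotations, not CLI input. It shows the address/mask form of ip dst-address, a protocol-number match, and a rule scoped to one APN.

```text
configure
  active-charging service acs1
    # Subscriber-originated IPv4 traffic towards the 10.0.0.0/8 private range.
    # Under the AND assumption a ruledef holds one dst-address line, so each
    # private range needs its own ruledef (or a host-pool via "range host-pool",
    # which is defined outside this mode).
    access-ruledef uplink-to-10-net
      ip uplink = TRUE
      ip version = ipv4
      ip dst-address = 10.0.0.0/8
      create-log-record
      exit
    # Same classification for 172.16.0.0/12
    access-ruledef uplink-to-172-16-net
      ip uplink = TRUE
      ip version = ipv4
      ip dst-address = 172.16.0.0/12
      create-log-record
      exit
    # Subscriber-originated GRE (IP protocol 47), restricted to one APN.
    # The APN match is case-insensitive by default, so CORP.EXAMPLE also matches.
    access-ruledef uplink-gre-corp-apn
      bearer 3gpp apn = corp.example
      ip uplink = TRUE
      ip protocol = 47
      exit
    end
```

The ip version line is redundant with a dotted-decimal dst-address but makes the intent explicit. The bearer line is evaluated per bearer, so the last ruledef never fires for subscribers on other APNs regardless of what they send.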
tcp any-match
This command configures
an access ruledef to match any TCP traffic for the user.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
any-match operator
condition
no
Removes previously
configured TCP any-match ruledef.
operator
Specifies how to logically
match the analyzed state.
operator must
be one of the following:
- !=:
Does not equal
- =:
Equals
condition
Specifies the condition
to be matched for the user traffic.
condition must
be one of the following:
- FALSE: Specified
condition is FALSE.
- TRUE: Specified
condition is TRUE.
Usage:
Use this command to
specify an access ruledef to match any TCP traffic of the user.
Example:
The following command
creates an access ruledef to match any non-TCP traffic of the user:
tcp any-match = FALSE
tcp dst-port
This command configures
an access ruledef to analyze user traffic based on destination TCP
port.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
dst-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }
no
Removes the previously
configured destination TCP port ruledef.
operator
Specifies how to logically
match the port number.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
port_number
Specifies the port
number to match.
port_number must
be an integer from 1 through 65535.
range | !range
Specifies the range
criteria:
- !range: Not
in the range
- range: In
the range
start_range to end_range
Specifies the starting
and ending port numbers for the range of destination TCP ports.
start_range must
be an integer from 1 through 65535.
end_range must
be an integer from 1 through 65535 that is greater than start_range.
port-map port_map
Specifies name of the
port-map for the port range.
port_map must
be an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
specify an access ruledef to analyze user traffic based on destination TCP
port.
Example:
The following command
creates an access ruledef for analyzing user traffic matching destination
port for TCP as
10:
tcp dst-port = 10
tcp either-port
This command configures
an access ruledef to analyze user traffic based on either (destination
or source) TCP ports.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
either-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }
no
Removes previously
configured TCP either-port (destination or source) ruledef.
operator
Specifies how to logically
match the port number.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
port_number
Specifies the port
number to match.
port_number must
be an integer from 1 through 65535.
range | !range
Specifies the range
criteria:
- !range: Not
in the range
- range: In
the range
start_range to end_range
Specifies the starting
and ending port numbers for the port range.
start_range must
be an integer from 1 through 65535.
end_range must
be an integer from 1 through 65535 that is greater than start_range.
port-map port_map
Specifies name of the
port-map for the port range.
port_map must
be an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
specify an access ruledef to analyze user traffic based on either
TCP port.
Example:
The following command
creates an access ruledef for analyzing user traffic matching destination
or source port for TCP as
10:
tcp either-port = 10
tcp src-port
This command configures
an access ruledef to analyze user traffic based on source TCP port.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] tcp
src-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }
no
Removes previously
configured source TCP port ruledef.
operator
Specifies how to logically
match the port number.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
port_number
Specifies the port
number to match.
port_number must
be an integer from 1 through 65535.
range | !range
Specifies the range
criteria:
- !range: Not
in the range
- range: In
the range
start_range to end_range
Specifies the starting
and ending port numbers for the port range.
start_range must
be an integer from 1 through 65535.
end_range must
be an integer from 1 through 65535 that is greater than start_range.
port-map port_map
Specifies name of the
port-map for the port range.
port_map must
be an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
specify an access ruledef to analyze user traffic based on source
TCP port.
Example:
The following command
creates an access ruledef for analyzing user traffic matching source port
for TCP as
10:
tcp src-port = 10
udp any-match
This command configures
an access ruledef to match any UDP traffic for the user.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] udp
any-match operator
condition
no
Removes previously
configured UDP any-match ruledef.
operator
Specifies how to logically
match the analyzed state.
operator must
be one of the following:
- !=:
does not equal
- =:
equals
condition
Specifies the condition
to be matched for the user traffic.
condition must
be one of the following:
- FALSE: Specified
condition is FALSE.
- TRUE: Specified
condition is TRUE.
Usage:
Use this command to
specify an access ruledef to match any UDP traffic of the user.
Example:
The following command
creates an access ruledef to match any UDP traffic of the user:
udp any-match = TRUE
udp dst-port
This command configures
an access ruledef to analyze user traffic based on destination UDP
port.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] udp
dst-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }
no
Removes previously
configured destination UDP port ruledef.
operator
Specifies how to logically
match the port number.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
port_number
Specifies the port
number to match.
port_number must
be an integer from 1 through 65535.
!range | range
Specifies the range
criteria.
- !range: Not
in the range
- range: In
the range
start_range to end_range
Specifies the starting
and ending port numbers for the port range.
start_range must
be an integer from 1 through 65535.
end_range must
be an integer from 1 through 65535 that is greater than start_range.
port-map port_map
Specifies name of the
port-map for the port range.
port_map must
be an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
specify an access ruledef to analyze user traffic based on destination UDP
port.
Example:
The following command
creates an access ruledef for analyzing user traffic matching destination
port for UDP as
10:
udp dst-port = 10
udp either-port
This command configures
an access ruledef to analyze user traffic based on either (destination
or source) UDP port.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] udp
either-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }
no
Removes previously
configured either-port (destination or source) UDP ruledef.
operator
Specifies how to logically
match the port number.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
port_number
Specifies the port
number to match.
port_number must
be an integer from 1 through 65535.
!range | range
Specifies the range
criteria.
- !range: Not
in the range
- range: In
the range
start_range to end_range
Specifies the starting
and ending port numbers for the port range.
start_range must
be an integer from 1 through 65535.
end_range must
be an integer from 1 through 65535 that is greater than start_range.
port-map port_map
Specifies name of the
port-map for the port range.
port_map must
be an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
specify an access ruledef to analyze user traffic based on either
UDP port.
Example:
The following command
creates an access ruledef for analyzing user traffic matching destination
or source port for UDP as
10:
udp either-port = 10
udp src-port
This command configures
an access ruledef to analyze user traffic based on source UDP port.
Privilege:
Security Administrator,
Administrator
Syntax
[ no ] udp
src-port { operator port_number | { !range | range } { start_range to end_range | port-map port_map } }
no
Removes previously
configured source UDP port ruledef.
operator
Specifies how to logically
match the port number.
operator must
be one of the following:
- !=:
Does not equal
- <=:
Less than or equals
- =:
Equals
- >=:
Greater than or equals
port_number
Specifies the port
number to match.
port_number must
be an integer from 1 through 65535.
!range | range
Specifies the range
criteria.
- !range: Not
in the range
- range: In
the range
start_range to end_range
Specifies the starting
and ending port numbers for the port range.
start_range must
be an integer from 1 through 65535.
end_range must
be an integer from 1 through 65535 that is greater than start_range.
port-map port_map
Specifies name of the
port-map for the port range.
port_map must
be an alphanumeric string of 1 through 63 characters.
Usage:
Use this command to
specify an access ruledef to analyze user traffic based on source
UDP port.
Example:
The following command
creates an access ruledef for analyzing user traffic matching source port
for UDP as
10:
udp src-port = 10
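The following is an added example, not taken from the original document, combining the tcp and udp port lines above into complete access ruledefs. It assumes an Active Charging Service named acs1 and hypothetical ruledef names, and it assumes that the lines within one access ruledef are combined with logical AND, which this page does not state; the # lines are annotations, not CLI input. It shows the range, !range and != forms next to the plain = form, which is the only one the examples above use.

```text
configure
  active-charging service acs1
    # Inbound TCP connections to privileged ports on the subscriber device
    access-ruledef downlink-tcp-privileged
      ip downlink = TRUE
      tcp dst-port range 1 to 1023
      create-log-record
      exit
    # Inbound TCP to one service port (SSH)
    access-ruledef downlink-tcp-ssh
      ip downlink = TRUE
      tcp dst-port = 22
      create-log-record
      exit
    # Subscriber UDP traffic where neither port is DNS.
    # "udp any-match = TRUE" pins the ruledef to UDP explicitly; this page does
    # not state how a negated port line alone treats non-UDP packets.
    access-ruledef uplink-udp-not-dns
      ip uplink = TRUE
      udp any-match = TRUE
      udp either-port != 53
      exit
    # Subscriber UDP with a source port outside the IANA dynamic range
    # (49152-65535). Many hosts use a lower range (Linux defaults to
    # 32768-60999), so verify the subscriber population before denying on this.
    access-ruledef uplink-udp-nonephemeral-src
      ip uplink = TRUE
      udp any-match = TRUE
      udp src-port !range 49152 to 65535
      exit
    end
```

Negated lines (!=, !range) match broadly, so they are paired here with a direction line and an any-match line to keep the classification narrow; a negated port line by itself is rarely what a policy intends.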