Setting up an access rule – Amer Networks E5Web GUI User Manual

Network: The IP span that the sender address should belong to.

Access Rule Actions

The Access Rule actions that can be specified are:

Drop: Discard the packets that match the defined fields.

Accept: Accept the packets that match the defined fields for further inspection in the rule set.

Expect: If the sender address of the packet matches the Network specified by this rule, the
receiving interface is compared to the specified interface. If the interface matches, the packet
is accepted in the same way as an Accept action. If the interfaces do not match, the packet is
dropped in the same way as a Drop action.

Note: Enabling logging

Logging can be enabled as required for these actions.
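
The three actions described above can be modelled in a few lines. This is an added illustration, not code from the manual or from cOS Core. It assumes that rules are checked in order and the first applicable rule decides, and it uses constructed addresses, a hypothetical second interface named wan and a hypothetical rule named quiet_src.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class AccessRule:
    name: str
    interface: str   # receiving interface named by the rule
    network: str     # the rule's Network, as CIDR
    action: str      # "Drop", "Accept" or "Expect"

def evaluate(rules, recv_if, src_ip):
    """Return (verdict, rule_name) for one packet.

    Assumption: rules are checked top to bottom and the first one that
    applies decides. Packets that no rule covers return "no-match";
    what happens to them next is not modelled here.
    """
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if src not in ipaddress.ip_network(rule.network):
            continue  # sender is outside this rule's Network
        if rule.action == "Expect":
            # Sender matched Network: the receiving interface decides.
            verdict = "accept" if recv_if == rule.interface else "drop"
            return (verdict, rule.name)
        if recv_if == rule.interface:
            # Drop / Accept apply only when every defined field matches.
            return (rule.action.lower(), rule.name)
    return ("no-match", None)

# Constructed rule set: lan_net is taken to be 192.168.1.0/24.
RULES = [
    AccessRule("lan_Access", "lan", "192.168.1.0/24", "Expect"),
    # Hypothetical Drop rule for one noisy source on wan.
    AccessRule("quiet_src", "wan", "203.0.113.7/32", "Drop"),
]

if __name__ == "__main__":
    for recv_if, src in [("lan", "192.168.1.10"),   # expected interface
                         ("wan", "192.168.1.10"),   # lan_net address on wan
                         ("wan", "203.0.113.7"),    # explicit Drop
                         ("lan", "10.0.0.5")]:      # outside every Network
        print(recv_if, src, evaluate(RULES, recv_if, src))
```

The last sample packet is outside every rule's Network, so none of the listed rules decides it.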

Turning Off Default Access Rule Messages

If the Default Access Rule log message is continuously being generated by some source and
needs to be turned off, specify an Access Rule for that source with an action of Drop.

Troubleshooting Access Rule Related Problems

Access Rules are a first filter of traffic, applied before any other cOS Core module can see it.
Because of this, they can sometimes cause problems elsewhere, for example when setting up VPN
tunnels. When troubleshooting puzzling problems, it is always advisable to check the Access Rules
in case a rule is preventing some other function, such as VPN tunnel establishment, from working
properly.

Example 6.1. Setting up an Access Rule

A rule is to be defined that ensures no traffic with a source address not within the lan_net
network is received on the lan interface.

Command-Line Interface

Device:/> add Access Name=lan_Access Interface=lan Network=lan_net Action=Expect

InControl

Follow the same steps used for the Web Interface below.

Web Interface

Chapter 6: Security Mechanisms