Adding an advanced rule set – H3C Technologies H3C Intelligent Management Center User Manual
- Click the radio button to the left of No in the Fragment option if you want to apply the rule to first fragments.
Traditional packet filtering matched only the first fragments of IPv4 packets and allowed all subsequent non-first fragments to pass through. This created a security risk, because attackers could fabricate non-first fragments to attack networks.
19. Click the radio button to the left of Yes in the Logging option if you want to enable logging for this rule.
Logging takes effect only when the module that uses the ACL (for example, a firewall) supports logging.
20. Enter the VPN instance you want to apply to this rule by entering the VPN-instance-name in the VPN Instance field.
A valid entry must be 0 – 31 characters and cannot contain question marks or blank spaces. This field is case sensitive. If no VPN instance is specified in this field, the rule applies only to non-VPN packets.
21. Enter the VPN
22. Click OK to create the rule you have just configured.
23. To add more rules, modify, copy, sort, optimize or delete existing rules, select one of the following:
- To add more rules to the ACL, repeat Steps 14-21.
- To modify rules you have already created, click the Modify icon associated with the rule sequence you want to modify. For more information about modifying a rule set, see "Modifying a basic rule in a basic ACL rule set."
- To copy rules you have already created, click the Copy icon associated with the rule sequence you want to copy. For more information about copying a rule set, see "
- Rules that belong to a rule set that is configured with a Match Order of 'Config' are executed in the order in which they appear in the rule set. The order in which rules appear in a rule set is initially defined by the order in which they are created. You can reorder the rules in a rule set using the Sort feature. For more information about using Sort to redefine the order of appearance of rules in a rule set, see "Using sort to reorder the rules in an ACL rule set."
- ACLs can have a profound effect on the performance of networks. ACL Management automatically evaluates the effectiveness of rules and their effect on overall network performance as you add rules to a rule set. You can also manually perform an analysis of a rule set and optimize its effect on network performance using the Optimize feature. For more information about using this feature, see "Optimizing the rules in a rule set."
- To delete one or more rules from a rule set, see "Deleting rules from an ACL rule set."
24. Click Finish when you have finished creating rules for this rule set.
Once you have created an ACL, you are ready to deploy it to devices using ACL Management's ACL Deployment wizard. For more information about deploying ACLs, see "Deploying ACLs using IMC ACL deployment wizard."
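As an added illustration (not IMC code or part of this manual) of how the options in steps 18-20 interact when a rule set with a Match Order of 'Config' is evaluated, the model below checks the VPN Instance field constraint and evaluates rules first-match-first. The fragment semantics are an assumption made for the model: Fragment = No matches first fragments and unfragmented packets only, Fragment = Yes matches non-first fragments only; all addresses and rule sets are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Step 20: 0-31 characters, no question marks, no blank spaces, case-sensitive.
_VPN_NAME = re.compile(r"[^?\s]{0,31}")

def valid_vpn_instance(name: str) -> bool:
    return _VPN_NAME.fullmatch(name) is not None

@dataclass
class Rule:
    action: str             # "permit" or "deny"
    src: str                # source address or "any"
    vpn: str = ""           # "" = rule applies to non-VPN packets only (step 20)
    fragment: bool = False  # Fragment option; True = non-first fragments (assumed semantics)
    logging: bool = False   # Logging option (step 19)

@dataclass
class Packet:
    src: str
    vpn: str = ""
    frag_offset: int = 0    # > 0 marks a non-first fragment

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.vpn != pkt.vpn:  # exact, case-sensitive comparison
        return False
    return rule.fragment == (pkt.frag_offset > 0)

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[Optional[str], List[str]]:
    """Match Order 'Config': first matching rule wins. Returns (action, log lines)."""
    logs: List[str] = []
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            if rule.logging:
                logs.append(f"rule {idx} {rule.action} src={pkt.src} frag_offset={pkt.frag_offset}")
            return rule.action, logs
    return None, logs  # nothing matched; the device's default action applies

# Constructed rule sets: a deny that only sees first fragments, and the same
# deny paired with a companion rule (Fragment = Yes) for non-first fragments.
FIRST_ONLY = [Rule("deny", "10.0.0.5", logging=True)]
BOTH = FIRST_ONLY + [Rule("deny", "10.0.0.5", fragment=True, logging=True)]

TAIL = Packet("10.0.0.5", frag_offset=185)  # constructed non-first fragment
# evaluate(FIRST_ONLY, TAIL) -> (None, []): the fragment slips past the deny rule
# evaluate(BOTH, TAIL) -> ('deny', ['rule 1 deny src=10.0.0.5 frag_offset=185'])
```

The second rule set is the one the note under step 18 argues for: without a rule that also covers non-first fragments, the deny never sees them.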
Adding an advanced rule set
Advanced ACLs enable you to define rules based on Layer 3 and Layer 4 information, including IP source and destination addresses, TCP and UDP port information, and protocol-specific features. The valid numeric ranges for assigning ACL identifiers to advanced ACLs are 100-199, 2000-2699, and 3000-3999.