Enterasys Networks X-Pedition XSR CLI User Manual
Page 668
Firewall Feature Set Commands
16-124 Configuring Security
Syntax
ip firewall policy policy_name src_net_name dst_net_name serv_name {allow | allow-log | allow-auth group_name | reject | log | url-b | url-w | cls name ... name} [before policy_name | after policy_name | first] [bidirectional]
Syntax of the “no” Form
The no form of this command disables an earlier configured policy:
no ip firewall policy policy_name
Defaults
Deny all
Mode
Global configuration:
XSR(config)#
src_net_name
Name of the source network object, not to exceed 16 characters. This value must match the network object name exactly.
dst_net_name
Name of the destination network object, not to exceed 16 characters. This value must match the network object name exactly.
serv_name
Name of the service object, not to exceed 16 characters.
allow
Let packets pass through the firewall.
allow-log
Let packets pass through the firewall and log the activity.
allow-auth group_name
Let packets pass if the source IP address has been authenticated against group_name (not to exceed 16 characters). This value must match the network-group name exactly.
reject
Drop all packets matching the policy.
log
Drop all matching packets and log the activity.
url-b | url-w
Filter HTTP traffic (TCP connections with a destination port of 80 or 8080) using the black (url-b) URL list, or filter HTTP traffic using the white (url-w) URL list. With url-w, HTTP access to URLs matching an entry in the white URL list is allowed and non-matching URLs are blocked.
cls name
Let packets pass through the firewall if the application message type matches one of the listed type names (up to 10). Names must not exceed 16 characters.
before policy_name | after policy_name
Place the policy before or after the policy cited by policy_name (which must already have been set). If neither is specified, the policy is placed last in the list.
first
Place the policy first.
bidirectional
The policy applies in both directions, that is, to sessions initiated at the source as well as at the destination.
Note: If the action is allow-auth, the group_name must be specified. All users who are members of this group are allowed authenticated access. Also, be sure that the group_name matches the AAA group name.
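As an added example (not from the manual or the XSR firmware), the following Python parser checks ip firewall policy commands against the grammar above and works out the resulting policy order, including the before/after/first placement and the no form. It assumes policy_name is held to the same 16-character limit as the other names, reads the cls count of 10 as a maximum, and uses constructed object, service and group names in SAMPLE.

```python
# Added example, not part of the XSR manual: parse 'ip firewall policy' commands by the
# grammar above and compute the resulting rule order. SAMPLE uses constructed names.
MAX_NAME = 16  # assumed to apply to policy_name as well as object, group and type names
ACTIONS = ("allow", "allow-log", "allow-auth", "reject", "log", "url-b", "url-w", "cls")
MODIFIERS = ("before", "after", "first", "bidirectional")
SAMPLE = [
    "ip firewall policy p_web inside outside http allow-log",
    "ip firewall policy p_deny inside outside any reject first",
    "ip firewall policy p_auth inside outside ssh allow-auth admins after p_deny bidirectional",
    "ip firewall policy p_ftp inside outside ftp cls ftp_cmd ftp_data before p_web",
    "no ip firewall policy p_deny",
]

def parse_policy(line):  # one command -> dict, enforcing the limits stated in the manual
    toks = line.split()
    if toks[:3] != ["ip", "firewall", "policy"] or len(toks) < 8 or toks[7] not in ACTIONS:
        raise ValueError("not a valid ip firewall policy command: " + line)
    if any(len(t) > MAX_NAME for t in toks[3:] if t not in MODIFIERS):
        raise ValueError("an object, group, policy or type name exceeds 16 characters: " + line)
    (name, src, dst, serv, action), rest = toks[3:8], toks[8:]
    args = []  # group_name for allow-auth, 1 to 10 type names for cls, nothing otherwise
    while rest and rest[0] not in MODIFIERS:
        args.append(rest.pop(0))
    lo, hi = {"allow-auth": (1, 1), "cls": (1, 10)}.get(action, (0, 0))
    if not lo <= len(args) <= hi:
        raise ValueError(f"{action} takes {lo} to {hi} name(s), got {len(args)}: " + line)
    pol = {"name": name, "src": src, "dst": dst, "serv": serv, "action": action,
           "args": args, "place": ("last", None), "bidirectional": False}
    while rest:  # optional placement and direction keywords
        tok = rest.pop(0)
        if tok in ("before", "after") and rest:
            pol["place"] = (tok, rest.pop(0))
        elif tok == "first":
            pol["place"] = ("first", None)
        elif tok == "bidirectional":
            pol["bidirectional"] = True
        else:
            raise ValueError("unexpected or incomplete keyword: " + tok)
    return pol

def policy_order(lines):  # apply commands in sequence; return names in evaluation order
    order = []
    for line in lines:
        if line.startswith("no ip firewall policy "):  # the no form disables a policy
            order.remove(line.split()[4])
        else:
            pol = parse_policy(line)
            how, ref = pol["place"]  # before/after: the reference must already be set
            at = {"first": 0, "last": len(order)}.get(how)
            order.insert(order.index(ref) + (how == "after") if at is None else at, pol["name"])
    return order
```

Running policy_order(SAMPLE) yields p_auth, p_ftp, p_web: p_deny was placed first, then removed by the no form, so the firewall falls back to its default of denying everything the remaining policies do not allow.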