Manualshelf

R3721-F3210-F3171-HP High-End Firewalls Access Control Command Reference-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module
21222324252627282930
19
rule (IPv4 basic ACL view)
Syntax
rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { sour-addr sour-wildcard | any }
| time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ counting | fragment | logging | source | time-range | vpn-instance ] *
View
IPv4 basic ACL view
Default level
2: System level
Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an
ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the
numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is
5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
counting: Counts the number of times the IPv4 ACL rule has been matched.
fragment: Applies the rule only to non-first fragments. A rule without this keyword applies to both
fragments and non-fragments.
logging: Logs matching packets. This function is available only when the application module (such as the
firewall) that uses the ACL supports the logging function.
source { sour-addr sour-wildcard | any }: Matches a source address. The sour-addr sour-wildcard
arguments represent a source IP address and wildcard mask in dotted decimal notation. A wildcard
mask of zeros specifies a host address. The any keyword represents any source IP address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a
case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not
configured, the system creates the rule; however, the rule using the time range can take effect only after
you configure the timer range.
vpn-instance vpn-instance-name: Applies the rule to packets in a VPN instance. The vpn-instance-name
argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule
applies only to non-VPN packets.
Description
Use rule to create or edit an IPv4 basic ACL rule. You can edit ACL rules only when the match order is
config.
Use undo rule to delete an entire IPv4 basic ACL rule or some attributes in the rule. If no optional
keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you
delete the specific attributes.
By default, an IPv4 basic ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating
or editing has the same deny or permit statement as another rule in the ACL, your creation or editing
attempt will fail.