HP VPN Firewall Appliances Access Control Command Reference
Table Of Contents
- Title Page
- Contents
- ACL commands
- acl
- acl accelerate
- acl copy
- acl ipv6
- acl ipv6 copy
- acl ipv6 name
- acl name
- description
- display acl
- display acl accelerate
- display acl ipv6
- reset acl counter
- reset acl ipv6 counter
- rule (Ethernet frame header ACL view)
- rule (IPv4 advanced ACL view)
- rule (IPv4 basic ACL view)
- rule (IPv6 advanced ACL view)
- rule (IPv6 basic ACL view)
- rule comment
- rule remark
- step
- Security zone commands
- Address resource commands
- Service resource commands
- Time range resource commands
- Interzone policy commands
- Session management commands
- application aging-time
- display application aging-time
- display session aging-time
- display session relation-table
- display session statistics
- display session statistics history
- display session table
- reset session
- reset session statistics
- session aging-time
- session checksum
- session log bytes-active
- session log enable
- session log packets-active
- session log time-active
- session mode hybrid
- session persist acl
- session synchronization enable
- IP virtual fragment reassembly commands
- Connection limit commands
- Portal commands
- access-user detect
- display portal acl
- display portal connection statistics
- display portal free-rule
- display portal interface
- display portal local-server
- display portal server
- display portal server statistics
- display portal tcp-cheat statistics
- display portal user
- portal auth-network
- portal delete-user
- portal domain
- portal free-rule
- portal local-server
- portal max-user
- portal nas-id-profile
- portal nas-ip
- portal nas-port-id
- portal nas-port-type
- portal redirect-url
- portal server
- portal server banner
- portal server method
- portal server server-detect
- portal server user-sync
- reset portal connection statistics
- reset portal server statistics
- reset portal tcp-cheat statistics
- AAA commands
- General AAA commands
- aaa nas-id profile
- access-limit enable
- accounting command
- accounting default
- accounting dvpn
- accounting login
- accounting optional
- accounting portal
- accounting ppp
- accounting ssl-vpn
- authentication default
- authentication dvpn
- authentication login
- authentication portal
- authentication ppp
- authentication ssl-vpn
- authentication super
- authorization command
- authorization default
- authorization dvpn
- authorization login
- authorization portal
- authorization ppp
- authorization ssl-vpn
- cut connection
- display connection
- display domain
- domain
- domain default enable
- domain if-unknown
- idle-cut enable
- ip pool
- nas-id bind vlan
- self-service-url enable
- session-time include-idle-time
- state (ISP domain view)
- Local user commands
- RADIUS commands
- accounting-on enable
- attribute 25 car
- data-flow-format (RADIUS scheme view)
- display radius scheme
- display radius statistics
- display stop-accounting-buffer (for RADIUS)
- key (RADIUS scheme view)
- nas-ip (RADIUS scheme view)
- primary accounting (RADIUS scheme view)
- primary authentication (RADIUS scheme view)
- radius client
- radius nas-ip
- radius scheme
- radius trap
- reset radius statistics
- reset stop-accounting-buffer (for RADIUS)
- retry
- retry realtime-accounting
- retry stop-accounting (RADIUS scheme view)
- secondary accounting (RADIUS scheme view)
- secondary authentication (RADIUS scheme view)
- security-policy-server
- server-type (RADIUS scheme view)
- state primary
- state secondary
- stop-accounting-buffer enable (RADIUS scheme view)
- timer quiet (RADIUS scheme view)
- timer realtime-accounting (RADIUS scheme view)
- timer response-timeout (RADIUS scheme view)
- user-name-format (RADIUS scheme view)
- vpn-instance (RADIUS scheme view)
- HWTACACS commands
- data-flow-format (HWTACACS scheme view)
- display hwtacacs
- display stop-accounting-buffer (for HWTACACS)
- hwtacacs nas-ip
- hwtacacs scheme
- key (HWTACACS scheme view)
- nas-ip (HWTACACS scheme view)
- primary accounting (HWTACACS scheme view)
- primary authentication (HWTACACS scheme view)
- primary authorization
- reset hwtacacs statistics
- reset stop-accounting-buffer (for HWTACACS)
- retry stop-accounting (HWTACACS scheme view)
- secondary accounting (HWTACACS scheme view)
- secondary authentication (HWTACACS scheme view)
- secondary authorization
- stop-accounting-buffer enable (HWTACACS scheme view)
- timer quiet (HWTACACS scheme view)
- timer realtime-accounting (HWTACACS scheme view)
- timer response-timeout (HWTACACS scheme view)
- user-name-format (HWTACACS scheme view)
- vpn-instance (HWTACACS scheme view)
- General AAA commands
- Password control commands
- display password-control
- display password-control blacklist
- password
- password-control { aging | composition | history | length } enable
- password-control aging
- password-control alert-before-expire
- password-control authentication-timeout
- password-control complexity
- password-control composition
- password-control enable
- password-control expired-user-login
- password-control history
- password-control length
- password-control login idle-time
- password-control login-attempt
- password-control password update interval
- password-control super aging
- password-control super composition
- password-control super length
- reset password-control blacklist
- reset password-control history-record
- FIPS configuration commands
- Support and other resources
- Index
25
Default command level
2: System level
Parameters
rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL
rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the
numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is
5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
counting: Counts the number of times the ACL rule has been matched. In the software version, the device
counts the number of times the ACL rule has been matched no matter whether this keyword is specified.
fragment: Applies the rule only to non-first fragments. A rule without this keyword applies to both
fragments and non-fragments.
logging: Logs matching packets. This function requires that the module that uses the ACL supports
logging.
routing [ type routing-type ]: Matches a specific type of routing header or any type of routing header. The
routing-type argument is a value in the range of 0 to 255. If no routing header type is specified, the rule
matches any type of routing header.
source { source-address source-prefix | source-address/source-prefix | any }: Matches a source IP
address. The source-address and source-prefix arguments represent a source IPv6 address and address
prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a
case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not
configured, the system creates the rule. However, the rule using the time range can take effect only after
you configure the timer range.
vpn-instance vpn-instance-name: Applies the rule to packets in a VPN. The vpn-instance-name argument
is a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies to non-VPN
packets.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating
or editing has the same deny or permit statement as another rule in the ACL, your creation or editing
attempt fails.
To view rules in an ACL and their rule IDs, use the display acl ipv6 all command.
Examples
# Create an IPv6 basic ACL rule to deny the packets from any source IP segment but 1001::/16,
312 4 :1123::/32, or FE80:5060:1001::/48.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule permit source 1001:: 16
[Sysname-acl6-basic-2000] rule permit source 3124:1123:: 32
[Sysname-acl6-basic-2000] rule permit source fe80:5060:1001:: 48
[Sysname-acl6-basic-2000] rule deny source any