add access-rule type incoming-internal-and-vpn

In the R82.00.X releases, this command is available starting from the R82.00.00 version.

Description

Adds a new Firewall Access rule to the incoming / internal / VPN traffic policy.

Note - When you add a new Access rule, you can add only one Source, one Destination, and one Service (application / website) object.

Starting from R81.10.15, you can add more objects in these columns in an existing rule. See set access-rule type incoming-internal-and-vpn.

In WebUI, this corresponds to:

  1. Click the Access Policy view > Firewall section > Policy page.

  2. In the section Incoming, Internal and VPN Traffic, configure the required rule.

Syntax

add access-rule type incoming-internal-and-vpn
      [ action {accept | ask | block | block-inform | inform} ]
      [ comment "<Comment Text>" ]
      [ destination <Destination Object> ]
      [ destination-negate {true | false} ]
      [ disabled {true | false} ]
      [ hours-range-enabled {true hours-range-from <HH:mm> hours-range-to <HH:mm> | false} ]
      [ log {account | alert | log | none} ]
      [ name <Name of Rule> ]
      [ { position <Rule Number> | position-above <Rule Number> | position-below <Rule Number> } ]
      [ service <Service Object> ]
      [ service-negate {true | false} ]
      [ source <Source Object> ]
      [ source-negate {true | false} ]
      [ vpn {true | false} ]

Parameters

Parameter

Description

action

Specifies the action for this manual rule:

  • ask

    Asks the user who initiated this traffic whether to accept or block the traffic that matched this rule

  • accept

    Accepts the traffic that matched this rule

  • block

    Blocks the traffic that matched this rule

  • block-inform

    Blocks the traffic that matched this rule and informs the user who initiated this traffic

  • inform

    Accepts the traffic that matched this rule and informs the user who initiated this traffic

comment

Description of this manual rule.

A string of fewer than 257 characters, drawn from this set:

  • a-z (lower-case letters)

  • A-Z (upper-case letters)

  • 0-9 (digits)

  • ',' (comma)

  • '.' (period)

  • '-' (minus)

  • '(' (opening round bracket)

  • ')' (closing round bracket)

  • ':' (colon)

  • '@' (at)

destination

Specifies the destination Network object of the connection.

destination-negate

Specifies whether to negate (true) or not (false) the objects in the "Destination" column of this manual rule.

When set to "true", the traffic matches all destination objects except those you explicitly added in this rule.

disabled

Specifies whether to disable (true) or not (false) this manual rule.

When set to "true", the traffic never matches this rule.

hours-range-enabled

Specifies whether this manual rule is enforced only during specific hours (true) or at all times (false).

hours-range-from

Specifies the time of day (in the format HH:mm) at which this manual rule starts to be enforced.

Requires "hours-range-enabled true".

hours-range-to

Specifies the time of day (in the format HH:mm) at which this manual rule stops being enforced.

Requires "hours-range-enabled true".

log

Specifies the logging for this manual rule:

  • account

    Creates an accounting log (shows the number of packets and bytes)

  • alert

    Creates an alert

  • log

    Creates a regular log (without the number of packets and bytes)

  • none

    Does not create a log or an alert

name

Specifies the name for this manual rule.

A string of alphanumeric characters with no spaces:

  • a-z (lower-case letters)

  • A-Z (upper-case letters)

  • 0-9 (digits)

position

Specifies the number of this manual rule.

position-above

Specifies the number of an existing rule, above which to add this manual rule.

position-below

Specifies the number of an existing rule, below which to add this manual rule.

service

Specifies the service object.

service-negate

Specifies whether to negate (true) or not (false) the objects in the "Services" column of this manual rule.

When set to "true", the traffic matches all service objects except those you explicitly added in this rule.

source

Specifies the source Network object or User Group object that initiates the connection.

source-negate

Specifies whether to negate (true) or not (false) the objects in the "Source" column of this manual rule.

When set to "true", the traffic matches all source objects except those you explicitly added in this rule.

vpn

Specifies whether this manual rule matches only encrypted (VPN) traffic (true) or all traffic (false).

Example Command

add access-rule type incoming-internal-and-vpn name MyRuleForWebDuringNight comment "Traffic to my Web Server during night" position 2 source any destination MyWebServer service HTTP action block log none hours-range-enabled true hours-range-from 22:00 hours-range-to 08:00
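As an added example (not part of the Check Point documentation), a small Python helper that encodes the constraints documented above (one object per column when adding a rule, the mutually exclusive position forms, the value sets for action and log, the HH:mm format, and the from/to pair that hours-range-enabled true requires) and renders the command line; given the values of the example command above, it reproduces that line verbatim. It assumes that a space is permitted in a comment, since the example above uses one, and it only builds the string; it does not run anything on the appliance.

```python
import re

# Value sets and formats as documented for "add access-rule type incoming-internal-and-vpn".
CHOICES = {"action": {"accept", "ask", "block", "block-inform", "inform"},
           "log": {"account", "alert", "log", "none"}}
NAME_RE = re.compile(r"^[A-Za-z0-9]+$")                    # alphanumeric, no spaces
COMMENT_RE = re.compile(r"^[A-Za-z0-9,.\-():@ ]{1,256}$")  # documented set plus space (assumed; the page's example uses one)
TIME_RE = re.compile(r"^([01]\d|2[0-3]):[0-5]\d$")         # HH:mm on a 24-hour clock
FLAGS = ("source-negate", "destination-negate", "service-negate", "disabled", "vpn")

def build_access_rule(name=None, comment=None, position=None, position_above=None,
                      position_below=None, source=None, destination=None, service=None,
                      action=None, log=None, hours_from=None, hours_to=None, **flags):
    """Check the parameters against the documented constraints and render the command line."""
    parts = ["add access-rule type incoming-internal-and-vpn"]
    if name is not None:
        if not NAME_RE.match(name):
            raise ValueError("name must be alphanumeric with no spaces")
        parts.append(f"name {name}")
    if comment is not None:
        if not COMMENT_RE.match(comment):
            raise ValueError("comment has a disallowed character or exceeds 256 characters")
        parts.append(f'comment "{comment}"')
    positions = [(k, v) for k, v in (("position", position), ("position-above", position_above),
                                     ("position-below", position_below)) if v is not None]
    if len(positions) > 1:  # the three position forms are alternatives
        raise ValueError("give only one of position, position-above, position-below")
    parts += [f"{k} {int(v)}" for k, v in positions]
    for key, value in (("source", source), ("destination", destination), ("service", service)):
        if isinstance(value, (list, tuple)):  # a new rule takes one object per column; add more with set access-rule
            raise ValueError(f"{key}: only one object may be given when adding a rule")
        if value is not None:
            parts.append(f"{key} {value}")
    for key, value in (("action", action), ("log", log)):
        if value is not None:
            if value not in CHOICES[key]:
                raise ValueError(f"{key} must be one of {sorted(CHOICES[key])}")
            parts.append(f"{key} {value}")
    if (hours_from is None) != (hours_to is None):  # the hours pair is only valid together
        raise ValueError("hours-range-from and hours-range-to must be given together")
    if hours_from is not None:
        if not (TIME_RE.match(hours_from) and TIME_RE.match(hours_to)):
            raise ValueError("hours must be in HH:mm format")
        parts.append(f"hours-range-enabled true hours-range-from {hours_from} hours-range-to {hours_to}")
    for key, value in flags.items():  # boolean columns, e.g. vpn=True renders as "vpn true"
        key = key.replace("_", "-")
        if key not in FLAGS:
            raise ValueError(f"unknown parameter {key}")
        parts.append(f"{key} {'true' if value else 'false'}")
    return " ".join(parts)
```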