set access-rule type outgoing

In the R81.10.X releases, this command is available starting from the R81.10.00 version.

Description

Configures an existing firewall access rule in the outgoing (clear) traffic Rule Base, selected by position or name.

Syntax

set access-rule type outgoing

      { name <Name of Rule> | position <Rule Number> }

            [ action {accept | ask | block | block-inform | inform} ]

            [ add ]

                  [ destination <Name of Object> ]

                  [ service <Name of Object> ]

                  [ source <Name of Object> ]

            [ app-and-service-negate {true | false} ]

            [ { application-name <Application-Name> | application-id <Application-ID> } ]

            [ application-negate {true | false} ]

            [ { category-name <Category-Name> | category-id <Category-ID> } ]

            [ comment "<Comment Text>" ]

            [ destination <Destination Object> ]

            [ destination-negate {true | false} ]

            [ disabled {true | false} ]

            [ hours-range-enabled ]

                  true hours-range-from <HH:mm> hours-range-to <HH:mm>

                  false

            [ log {account | alert | log | none} ]

            [ new-name <New Name of Rule> ]

            [ { position <Rule Number> | position-above <Rule Number> | position-below <Rule Number>} ]

            [ remove ]

                  [ destination <Name of Object> ]

                  [ source <Name of Object> ]

            [ set ]

                  [ application-or-service any ]

                  [ destination any ]

                  [ source any ]

            [ service <Service Object> ]

            [ service-negate {true | false} ]

            [ source <Source Object> ]

            [ source-negate {true | false} ]

            [ vpn {true | false} ]

Parameters

Parameter

Description

action

Specifies the action for this manual rule:

  • ask - Ask the user who initiated this traffic whether to accept or block the traffic that matched this rule

  • accept - Accept the traffic that matched this rule

  • block - Block the traffic that matched this rule

  • block-inform - Block the traffic that matched this rule and inform the user who initiated this traffic

  • inform - Accept the traffic that matched this rule and inform the user who initiated this traffic

add

Notes:

  • In the R81.10.X releases, this parameter is available starting from the R81.10.15 version.

  • You can add only one object at a time in the supported columns.

  • You can add a maximum of 100 objects in the supported columns.

Adds the specified object on one of these columns in this manual rule:

  • application-id <ID of Object>

    Adds an object in the "Applications and Services" column

  • application-name <Name of Object>

    Adds an object in the "Applications and Services" column

  • category-name <Name of Object>

    Adds an object in the "Applications and Services" column

  • destination <Name of Object>

    Adds an object in the "Destination" column

  • service <Name of Object>

    Adds an object in the "Applications and Services" column

  • source <Name of Object>

    Adds an object in the "Source" column

application-id

Specifies the application by its ID.

Press the TAB key to see the available options.

application-name

Specifies the application by its name.

Press the TAB key to see the available options.

application-negate

Note - Starting from R81.10.15, this parameter is deprecated.

Use the parameter "app-and-service-negate".

Specifies whether to negate (true) or not (false) the objects in the "Applications and Services" column of this manual rule.

When set to "true", the traffic matches all service objects except those you explicitly added in this rule.

app-and-service-negate

Note - In the R81.10.X releases, this parameter is available starting from the R81.10.15 version.

This parameter deprecates the parameters "application-negate" and "service-negate".

Specifies whether to negate (true) or not (false) the objects in the "Applications and Services" column of this manual rule.

When set to "true", the traffic matches all service objects except those you explicitly added in this rule.

category-id

Specifies the application category by its ID.

Press the TAB key to see the available options.

category-name

Specifies the application category by its name.

Press the TAB key to see the available options.

comment

Description of this manual rule.

A string of less than 257 characters, made up only of these characters:

  • a-z (lower-case letters)

  • A-Z (upper-case letters)

  • 0-9 (digits)

  • ',' (comma)

  • '.' (period)

  • '-' (minus)

  • '(' (opening round bracket)

  • ')' (closing round bracket)

  • ':' (colon)

  • '@' (at)

destination

Specifies the destination Network object of the connection.

destination-negate

Specifies whether to negate (true) or not (false) the objects in the "Destination" column of this manual rule.

When set to "true", the traffic matches all destination objects except those you explicitly added in this rule.

disabled

Specifies whether to disable (true) or not (false) this manual rule.

When set to "true", the traffic never matches this rule.

hours-range-enabled

Specifies whether to enable (true) or not (false) this manual rule only during specific hours.

hours-range-from

Specifies the start time (in the format HH:mm) when to enable this manual rule.

Requires "hours-range-enabled true".

hours-range-to

Specifies the end time (in the format HH:mm) when to enable this manual rule.

Requires "hours-range-enabled true".

log

Specifies the logging for this manual rule:

  • account

    Creates an accounting log (shows the number of packets and bytes)

  • alert

    Creates an alert

  • log

    Creates a regular log (without the number of packets and bytes)

  • none

    Does not create a log or an alert

name

Specifies the current name for this manual rule.

A string of alphanumeric characters, without spaces:

  • a-z (lower-case letters)

  • A-Z (upper-case letters)

  • 0-9 (digits)

new-name

Note - In the R81.10.X releases, this parameter is available starting from the R81.10.15 version.

Specifies the new name for this manual rule.

A string of alphanumeric characters, without spaces:

  • a-z (lower-case letters)

  • A-Z (upper-case letters)

  • 0-9 (digits)

position

Specifies the number of this manual rule.

position-above

Specifies the number of an existing rule, above which to add this manual rule.

position-below

Specifies the number of an existing rule, below which to add this manual rule.

remove

Note - In the R81.10.X releases, this parameter is available starting from the R81.10.15 version.

Removes the specified object from one of these columns in this manual rule:

  • application-name <Name of Object>

    Removes an object from the "Applications and Services" column

  • category-name <Name of Object>

    Removes an object from the "Applications and Services" column

  • destination <Name of Object>

    Removes an object from the "Destination" column

  • source <Name of Object>

    Removes an object from the "Source" column

set

Note - In the R81.10.X releases, this parameter is available starting from the R81.10.15 version.

Specifies the value "any" for one of these columns in this manual rule:

  • application-or-service any

    Configures the value "any" in the "Applications and Services" column

  • destination any

    Configures the value "any" in the "Destination" column

  • source any

    Configures the value "any" in the "Source" column

service

Specifies the service object.

service-negate

Note - Starting from R81.10.15, this parameter is deprecated.

Use the parameter "app-and-service-negate".

Specifies whether to negate (true) or not (false) the objects in the "Applications and Services" column of this manual rule.

When set to "true", the traffic matches all service objects except those you explicitly added in this rule.

source

Specifies the source Network object or User Group object that initiates the connection.

source-negate

Specifies whether to negate (true) or not (false) the objects in the "Source" column of this manual rule.

When set to "true", the traffic matches all source objects except those you explicitly added in this rule.

vpn

Specifies whether this manual rule matches only encrypted traffic (true) or all traffic (false).

Example Command

set access-rule type outgoing action block log none source MyHost source-negate true destination MyServer destination-negate true service HTTP service-negate true comment "Block non-HTTP traffic from Host to Server" hours-range-enabled true hours-range-from 23:00 hours-range-to 08:00 position 2 name MyRule application-name Zoom application-negate true limit-application-download true limit 200 limit-application-upload true limit 5

set access-rule type outgoing name MyRule add service HTTPS
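As an added example that is not part of the Check Point reference, the following Python linter checks a `set access-rule type outgoing` command line against the constraints this page states (the name/position selector, the columns allowed under add/remove/set, the one-object-per-add limit, the deprecated negate parameters, the name and comment character sets, and the HH:mm hour range) before the command is pasted into an appliance or committed to a change script. It assumes a space is allowed inside a comment, since the page's own example comment contains spaces; the sample command is constructed from that example.

```python
import re
import shlex

# add / remove / set take "<column> <value>"; these are the columns the page lists for each of them.
SUBCOLUMNS = {
    "add": {"application-id", "application-name", "category-name", "destination", "service", "source"},
    "remove": {"application-name", "category-name", "destination", "source"},
    "set": {"application-or-service", "destination", "source"},  # the value must be "any"
}
DEPRECATED = {"application-negate": "app-and-service-negate", "service-negate": "app-and-service-negate"}
ALNUM = re.compile(r"^[A-Za-z0-9]+$")              # name / new-name: alphanumeric, no spaces
COMMENT = re.compile(r"^[A-Za-z0-9,.\-():@ ]*$")   # the page's comment set plus space (assumption: the page's example uses spaces)
HHMM = re.compile(r"^(?:[01]\d|2[0-3]):[0-5]\d$")  # hours-range-from / hours-range-to

def lint(command: str) -> list:
    tokens = shlex.split(command)[4:]  # drop the fixed 'set access-rule type outgoing'; a quoted comment stays one token
    issues, params, adds, i = [], {}, 0, 0
    while i < len(tokens):
        key, args = tokens[i], tokens[i + 1:i + 3]
        if key in SUBCOLUMNS:
            if len(args) < 2:
                issues.append(f"'{key}' needs a column and a value"); break
            if args[0] not in SUBCOLUMNS[key]:
                issues.append(f"'{key} {args[0]}' is not a column the page lists for '{key}'")
            if key == "set" and args[1] != "any":
                issues.append("'set' only accepts the value 'any'")
            adds, i = adds + (key == "add"), i + 3
            continue
        if not args:
            issues.append(f"'{key}' is missing its value"); break
        params[key], i = args[0], i + 2  # a repeated parameter keeps its last value
    if adds > 1:
        issues.append("only one object can be added per command")
    if "name" not in params and "position" not in params:
        issues.append("select the rule with 'name' or 'position'")
    issues += [f"'{old}' is deprecated from R81.10.15; use '{new}'" for old, new in DEPRECATED.items() if old in params]
    issues += [f"'{k}' must be alphanumeric without spaces" for k in ("name", "new-name") if k in params and not ALNUM.match(params[k])]
    if len(params.get("comment", "")) > 256 or not COMMENT.match(params.get("comment", "")):
        issues.append("'comment' must be under 257 characters from the allowed character set")
    for key in ("hours-range-from", "hours-range-to"):
        if key in params and (not HHMM.match(params[key]) or params.get("hours-range-enabled") != "true"):
            issues.append(f"'{key}' must be HH:mm and requires 'hours-range-enabled true'")
    return issues

SAMPLE = ('set access-rule type outgoing name MyRule action block source MyHost source-negate true service HTTP '  # constructed
          'service-negate true comment "Block non-HTTP traffic from Host to Server" hours-range-enabled true '
          'hours-range-from 23:00 hours-range-to 08:00 application-name Zoom application-negate true')

if __name__ == "__main__":
    print(lint(SAMPLE))  # reports the two deprecated negate parameters
```

Run against the page's example command, the linter reports only the two deprecated negate parameters; a clean command returns an empty list.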