
This command configures an existing IPv4 LAN WAN inbound firewall rule. After you issue the security firewall ipv4 edit_rule lan_wan inbound command to specify the row to be edited (for row information, see the output of the show security firewall ipv4 setup lan_wan command), you enter the security-config [firewall-ipv4-lan-wan-inbound] mode. You can then edit one keyword, together with its associated parameter or associated keyword, at a time, in the order that you prefer. However, note that the setting of the action keyword determines which other keywords and parameters you can apply to the rule (for example, the schedule keyword applies only to the two *_BY_SCHEDULE_* actions).

Step 1
Format: security firewall ipv4 edit_rule lan_wan inbound <row id>
Mode: security

Step 2
Format:
  service_name {default_services <default service name> | custom_services <custom service name>}
  action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
  send_to_lan_server {SINGLE_ADDRESS {send_to_lan_server_start_ip <ipaddress>} | ADDRESS_RANGE {send_to_lan_server_start_ip <ipaddress>} {send_to_lan_server_end_ip <ipaddress>}}
  translate_to_port_number enable {N | Y {translate_to_port_number port <number>}}
  wan_destination_ip_address {WAN1 | WAN2 | RANGE {wan_destination_ip_address_start <ipaddress>} {wan_destination_ip_address_end <ipaddress>} | OTHER {wan_destination_ip_address_start <ipaddress>}}
  lan_user {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip <ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>} {lan_user_end_ip <ipaddress>}} | group_wise <group name>}
  wan_users {address_wise {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} | ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}} | group_wise <group name>}
  qos_profile <profile name>
  bandwidth_profile <profile name>
  log {NEVER | ALWAYS}
Mode: security-config [firewall-ipv4-lan-wan-inbound]

Keyword (might consist of two separate words) / Associated Keyword to Select or Parameter to Type / Description

Service name, action, and schedule

service_name default_services
  Select: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP
  Description: Specifies the default service and protocol to which the firewall rule applies.

service_name custom_services
  Type: <custom service name>
  Description: The custom service that you configure with the security services add command and to which the firewall rule applies.

action
  Select: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK
  Description: Specifies the type of action to be enforced by the rule.

schedule
  Select: Schedule1, Schedule2, or Schedule3
  Description: Specifies the schedule, if any, that applies to the rule. The keyword is available only when the action keyword is set to BLOCK_BY_SCHEDULE_ELSE_ALLOW or ALLOW_BY_SCHEDULE_ELSE_BLOCK.

LAN server addresses, port number translation, and WAN destination addresses

send_to_lan_server
  Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
  Description: Specifies the type of LAN address.

send_to_lan_server_start_ip
  Type: <ipaddress>
  Description: The following two options are available:
  - The IP address if the send_to_lan_server keyword is set to SINGLE_ADDRESS.
  - The start IP address if the send_to_lan_server keyword is set to ADDRESS_RANGE.

send_to_lan_server_end_ip
  Type: <ipaddress>
  Description: The end IP address if the send_to_lan_server keyword is set to ADDRESS_RANGE.

translate_to_port_number enable
  Select: Y or N
  Description: Enables (Y) or disables (N) port number translation (port forwarding) for the traffic that is sent to the LAN server.

translate_to_port_number port
  Type: <number>
  Description: The port number (integer) if port forwarding is enabled. Valid numbers are 0 through 65,535.

wan_destination_ip_address
  Select: WAN1, WAN2, RANGE, or OTHER
  Description: Specifies the type of destination WAN address for an inbound rule:
  - WAN1 or WAN2. The IP address of the selected WAN interface.
  - RANGE. A range of public IP addresses, which you must configure by issuing the wan_destination_ip_address_start and wan_destination_ip_address_end keywords and specifying IPv4 addresses.
  - OTHER. A single IP address that is different from the IP address of a WAN interface, for example, a secondary WAN IP address. Issue the wan_destination_ip_address_start keyword to specify the address.

wan_destination_ip_address_start
  Type: <ipaddress>
  Description: The following two options are available:
  - The start IP address if the wan_destination_ip_address keyword is set to RANGE.
  - The IP address if the wan_destination_ip_address keyword is set to OTHER.

wan_destination_ip_address_end
  Type: <ipaddress>
  Description: The end IP address if the wan_destination_ip_address keyword is set to RANGE.

LAN user addresses or LAN group and WAN user addresses

lan_user address_wise
  Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
  Description: Specifies the type of LAN address. The address_wise and group_wise keywords are mutually exclusive. For an inbound rule, this option is available only when the WAN mode is Classical Routing.

lan_user_start_ip
  Type: <ipaddress>
  Description: The following two options are available:
  - The IP address if the lan_user address_wise keywords are set to SINGLE_ADDRESS.
  - The start IP address if the lan_user address_wise keywords are set to ADDRESS_RANGE.

lan_user_end_ip
  Type: <ipaddress>
  Description: The end IP address if the lan_user address_wise keywords are set to ADDRESS_RANGE.

lan_user group_wise
  Type: <group name>
  Description: The name of the LAN group or LAN IP group. The LAN group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that you specify with the net lan lan_groups edit <row id> <newgroupname> command. The LAN IP group name is a name that you specify with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive. For an inbound rule, this option is available only when the WAN mode is Classical Routing.

wan_users address_wise
  Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
  Description: Specifies the type of WAN address. The address_wise and group_wise keywords are mutually exclusive.

Command example: See the command example for the security firewall ipv4 add_rule lan_wan
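As an added example (editor's code, not from the vendor manual or the device): a small Python linter that takes a planned rule as a dict, enforces the constraints this reference states (the action decides whether a schedule applies, address_wise and group_wise are mutually exclusive, lan_user is available for inbound rules only in Classical Routing mode, the port range is 0 through 65,535, an ADDRESS_RANGE or RANGE needs both a start and an end) and emits the keyword lines you would type in the security-config [firewall-ipv4-lan-wan-inbound] mode. The rule dict layout, the one-keyword-per-line session and the closing save step are assumptions; the device prompt is omitted. It also warns about the common footgun of an ALWAYS_ALLOW forward that is open to wan_users ANY and is not logged.

```python
"""Lint and render a 'security firewall ipv4 edit_rule lan_wan inbound' session.
Added example (editor's code, not from the vendor manual). Keyword names and values
follow the reference above; the rule dict layout, the one-keyword-per-line session
and the closing 'save' step are assumptions."""
import ipaddress

SCHEDULE_ACTIONS = {"BLOCK_BY_SCHEDULE_ELSE_ALLOW", "ALLOW_BY_SCHEDULE_ELSE_BLOCK"}
ACTIONS = {"ALWAYS_BLOCK", "ALWAYS_ALLOW"} | SCHEDULE_ACTIONS
SCHEDULES = {"Schedule1", "Schedule2", "Schedule3"}
USER_KEYWORDS = {"lan_user", "wan_users"}  # these take address_wise / group_wise
ADDR = {"SINGLE_ADDRESS", "ADDRESS_RANGE"}
# keyword -> (allowed kinds, kinds needing a start, kinds needing an end, start kw, end kw)
SELECTORS = {
    "send_to_lan_server": (ADDR, ADDR, {"ADDRESS_RANGE"}, "send_to_lan_server_start_ip", "send_to_lan_server_end_ip"),
    "wan_destination_ip_address": ({"WAN1", "WAN2", "RANGE", "OTHER"}, {"RANGE", "OTHER"}, {"RANGE"},
                                   "wan_destination_ip_address_start", "wan_destination_ip_address_end"),
    "lan_user": ({"ANY"} | ADDR, ADDR, {"ADDRESS_RANGE"}, "lan_user_start_ip", "lan_user_end_ip"),
    "wan_users": ({"ANY"} | ADDR, ADDR, {"ADDRESS_RANGE"}, "wan_user_start_ip", "wan_user_end_ip"),
}


def render_selector(key, sel, errs):
    """Return the CLI lines for one address selector, appending any problems to errs."""
    kinds, need_start, need_end, start_kw, end_kw = SELECTORS[key]
    if "group" in sel:  # group_wise form: lan_user / wan_users only, never together with a kind
        if key not in USER_KEYWORDS or "kind" in sel:
            errs.append(f"{key}: address_wise and group_wise are mutually exclusive")
            return []
        return [f"{key} group_wise {sel['group']}"]
    kind = sel.get("kind")
    if kind not in kinds:
        errs.append(f"{key}: kind must be one of {sorted(kinds)}")
        return []
    lines = [f"{key} address_wise {kind}" if key in USER_KEYWORDS else f"{key} {kind}"]
    try:
        start = ipaddress.IPv4Address(sel["start"]) if kind in need_start else None
        end = ipaddress.IPv4Address(sel["end"]) if kind in need_end else None
    except (KeyError, ValueError) as exc:
        errs.append(f"{key}: {kind} needs valid IPv4 start/end addresses ({exc!r})")
        return lines
    if start is not None:
        lines.append(f"{start_kw} {start}")
    if end is not None:
        if end < start:
            errs.append(f"{key}: end address {end} is below start address {start}")
        lines.append(f"{end_kw} {end}")
    return lines


def build_session(rule, wan_mode="NAT"):
    """Return (cli_lines, errors, warnings); 'save' is emitted only when there are no errors."""
    errs, warns, lines = [], [], [f"security firewall ipv4 edit_rule lan_wan inbound {int(rule['row'])}"]
    if "service" in rule:  # ("default_services", "HTTPS") or ("custom_services", "<name>")
        lines.append("service_name {} {}".format(*rule["service"]))
    action, sched = rule.get("action"), rule.get("schedule")
    if action is not None:
        if action not in ACTIONS:
            errs.append(f"action: must be one of {sorted(ACTIONS)}")
        lines.append(f"action {action}")
    if action in SCHEDULE_ACTIONS:  # the action decides whether a schedule is allowed
        if sched not in SCHEDULES:
            errs.append("schedule: *_BY_SCHEDULE_* actions need Schedule1, Schedule2 or Schedule3")
        else:
            lines.append(f"schedule {sched}")
    elif sched is not None:
        errs.append("schedule: only valid with a *_BY_SCHEDULE_* action")
    for key in SELECTORS:
        if key not in rule:
            continue
        if key == "lan_user" and wan_mode != "Classical Routing":
            errs.append("lan_user: inbound rules accept it only when the WAN mode is Classical Routing")
        else:
            lines += render_selector(key, rule[key], errs)
    if "translate_to_port" in rule:  # None disables translation, an integer enables it
        port = rule["translate_to_port"]
        if port is None:
            lines.append("translate_to_port_number enable N")
        elif 0 <= int(port) <= 65535:  # the range the reference gives
            lines += ["translate_to_port_number enable Y", f"translate_to_port_number port {int(port)}"]
        else:
            errs.append("translate_to_port_number: port must be 0 through 65535")
    log = rule.get("log")
    if log is not None:
        if log not in ("NEVER", "ALWAYS"):
            errs.append("log: use NEVER or ALWAYS")
        lines.append(f"log {log}")
    # Hardening check: an unconditional allow from every WAN host that is not logged.
    if action == "ALWAYS_ALLOW" and rule.get("wan_users", {}).get("kind") == "ANY" and log != "ALWAYS":
        warns.append("ALWAYS_ALLOW from wan_users ANY without log ALWAYS: narrow the source or log it")
    if not errs:
        lines.append("save")  # assumed commit step for security-config mode
    return lines, errs, warns


# Constructed sample: forward public HTTPS on WAN1 to one LAN host on port 8443,
# only from a small range of trusted WAN addresses, and log every hit.
SAMPLE_RULE = {
    "row": 3, "service": ("default_services", "HTTPS"), "action": "ALWAYS_ALLOW",
    "send_to_lan_server": {"kind": "SINGLE_ADDRESS", "start": "192.168.1.10"},
    "translate_to_port": 8443, "wan_destination_ip_address": {"kind": "WAN1"},
    "wan_users": {"kind": "ADDRESS_RANGE", "start": "203.0.113.10", "end": "203.0.113.20"}, "log": "ALWAYS",
}
```

build_session(SAMPLE_RULE) returns the edit_rule line followed by one line per keyword and a closing save; any error drops the save, so a half-valid rule is never committed. Only the keywords present in the dict are emitted, which matches editing one keyword at a time, and a rule that forwards to a LAN server is rejected in NAT mode if it also carries lan_user.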