
This command configures a new IPv4 DMZ WAN inbound firewall rule. After you have issued the security firewall ipv4 add_rule dmz_wan inbound command, you enter the security-config [firewall-ipv4-dmz-wan-inbound] mode, and then you can configure one keyword and its associated parameter or associated keyword at a time, in the order that you prefer. However, note that the setting of the action keyword determines which other keywords and parameters you can apply to a rule.

Step 1
  Format: security firewall ipv4 add_rule dmz_wan inbound
  Mode: security

Step 2
  Format:
    service_name {default_services <default service name> | custom_services <custom service name>}
    action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
    send_to_dmz_server_ip <ipaddress>
    translate_to_port_number enable {N | Y {translate_to_port_number port <number>}}
    wan_destination_ip_address {WAN | OTHERS {wan_destination_ip_address_start <ipaddress>}}
    dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>} | ADDRESS_RANGE {dmz_user_start_ip <ipaddress>} {dmz_user_end_ip <ipaddress>}}
    wan_users {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} | ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}}
    log {NEVER | ALWAYS}
  Mode: security-config [firewall-ipv4-dmz-wan-inbound]

Keywords (a keyword might consist of two separate words), the associated keyword to select or parameter to type, and the description of each:

Service name, action, and schedule

service_name default_services <default service name>
  Values: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, or SIP-UDP
  The default service and protocol to which the firewall rule applies.

service_name custom_services <custom service name>
  The custom service that you have configured with the security services add command.

action
  Values: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK
  The type of action to be enforced by the rule.

schedule
  Values: Schedule1, Schedule2, or Schedule3
  The schedule, if any, that is applicable to the rule.

DMZ server address, port number translation, and WAN destination address

send_to_dmz_server_ip <ipaddress>
  The IP address of the DMZ server.

translate_to_port_number port <number>
  The port number (integer) if port forwarding is enabled. Valid numbers are 0 through 65535.

wan_destination_ip_address
  Values: WAN or OTHERS
  The type of destination WAN address for an inbound rule:
  • WAN. The default IP address of the WAN (broadband) interface.
  • OTHERS. Another public IP address, which you need to configure by issuing the wan_destination_ip_address_start keyword and specifying an IPv4 address.

wan_destination_ip_address_start <ipaddress>
  The IP address if the wan_destination_ip_address keyword is set to OTHERS.

DMZ user addresses and WAN user addresses

dmz_users
  Values: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
  The type of DMZ address. For an inbound rule, this option is available only when the WAN mode is Classical Routing.

dmz_user_start_ip <ipaddress>
  There are two options:
  • The IP address if the dmz_users keyword is set to SINGLE_ADDRESS.
  • The start IP address if the dmz_users keyword is set to ADDRESS_RANGE.

dmz_user_end_ip <ipaddress>
  The end IP address if the dmz_users keyword is set to ADDRESS_RANGE.

wan_users
  Values: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
  The type of WAN address.

wan_user_start_ip <ipaddress>
  There are two options:
  • The IP address if the wan_users keyword is set to SINGLE_ADDRESS.
  • The start IP address if the wan_users keyword is set to ADDRESS_RANGE.

wan_user_end_ip <ipaddress>
  The end IP address if the wan_users keyword is set to ADDRESS_RANGE.

Logging

log
  Values: NEVER or ALWAYS
  Enables or disables logging.

Command example (the mode prompt is security-config[firewall-ipv4-dmz-wan-inbound] for every keyword after the add_rule command):

FVS318N> security firewall ipv4 add_rule dmz_wan inbound
security-config[firewall-ipv4-dmz-wan-inbound]> service_name custom_services Traceroute
security-config[firewall-ipv4-dmz-wan-inbound]> action ALWAYS_ALLOW
security-config[firewall-ipv4-dmz-wan-inbound]> send_to_dmz_server_ip 176.21.214.2
security-config[firewall-ipv4-dmz-wan-inbound]> translate_to_port_number enable Y
security-config[firewall-ipv4-dmz-wan-inbound]> translate_to_port_number port 4500
security-config[firewall-ipv4-dmz-wan-inbound]> wan_destination_ip_address OTHERS
security-config[firewall-ipv4-dmz-wan-inbound]> wan_destination_ip_address_start 10.115.97.174
security-config[firewall-ipv4-dmz-wan-inbound]> wan_users ANY
security-config[firewall-ipv4-dmz-wan-inbound]> log ALWAYS
security-config[firewall-ipv4-dmz-wan-inbound]> save

Related show command: show security firewall ipv4 setup dmz_wan
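As an added example (not from the NETGEAR manual), the following Python script builds and checks the keyword sequence for one rule of this command from a plain dict, enforcing the dependencies the keyword table describes (schedule only for the *_BY_SCHEDULE_* actions, start and end addresses per address scope, the port only when translation is enabled, dmz_users only in Classical Routing mode) and flagging the widest-exposure combination before it is saved. The dict field names and the open_to_every_wan_source check are this example's own conventions, not part of the device CLI.

```python
"""Added example (not from the manual): builds the keyword lines for one
'security firewall ipv4 add_rule dmz_wan inbound' rule from a plain dict,
enforcing the keyword dependencies described in the keyword table."""
import ipaddress

ACTIONS = {"ALWAYS_BLOCK", "ALWAYS_ALLOW", "BLOCK_BY_SCHEDULE_ELSE_ALLOW", "ALLOW_BY_SCHEDULE_ELSE_BLOCK"}
SCHEDULES = {"Schedule1", "Schedule2", "Schedule3"}
SCOPES = {"ANY", "SINGLE_ADDRESS", "ADDRESS_RANGE"}

def _choice(keyword, value, allowed):
    """Render 'keyword value' after checking that value is one the CLI accepts."""
    if value not in allowed:
        raise ValueError(f"{keyword}: {value!r} is not one of {sorted(allowed)}")
    return f"{keyword} {value}"

def _ip(value):
    return str(ipaddress.IPv4Address(value))  # ValueError on a malformed address

def _users(lines, keyword, scope, start=None, end=None):
    """dmz_users / wan_users plus the start and end addresses the scope requires."""
    lines.append(_choice(keyword, scope, SCOPES))
    prefix = keyword[:-1]  # dmz_users -> dmz_user, wan_users -> wan_user
    if scope != "ANY":
        lines.append(f"{prefix}_start_ip {_ip(start)}")
    if scope == "ADDRESS_RANGE":
        lines.append(f"{prefix}_end_ip {_ip(end)}")

def build_rule(rule):
    """Return the ordered CLI lines (without the prompt) or raise ValueError."""
    kind, name = rule["service"]  # e.g. ("default_services", "HTTPS") or ("custom_services", "Traceroute")
    lines = [f"service_name {kind} {name}", _choice("action", rule["action"], ACTIONS)]
    if "SCHEDULE" in rule["action"]:  # schedule matters only for the *_BY_SCHEDULE_* actions
        lines.append(_choice("schedule", rule.get("schedule"), SCHEDULES))
    lines.append(f"send_to_dmz_server_ip {_ip(rule['dmz_server'])}")
    port = rule.get("port")  # None: no port translation
    lines.append(f"translate_to_port_number enable {'N' if port is None else 'Y'}")
    if port is not None:
        if not 0 <= int(port) <= 65535:
            raise ValueError(f"translate_to_port_number port {port}: valid numbers are 0 through 65535")
        lines.append(f"translate_to_port_number port {int(port)}")
    dest = rule.get("wan_destination", "WAN")
    lines.append(_choice("wan_destination_ip_address", dest, {"WAN", "OTHERS"}))
    if dest == "OTHERS":  # OTHERS requires the public address to be spelled out
        lines.append(f"wan_destination_ip_address_start {_ip(rule['wan_destination_ip'])}")
    if rule.get("classical_routing", False):  # dmz_users exists only in Classical Routing WAN mode
        _users(lines, "dmz_users", *rule.get("dmz_users", ("ANY",)))
    _users(lines, "wan_users", *rule.get("wan_users", ("ANY",)))
    lines.append(_choice("log", rule["log"], {"NEVER", "ALWAYS"}))
    return lines

def open_to_every_wan_source(lines):  # ALWAYS_ALLOW from any WAN host: the widest exposure this command creates
    return "action ALWAYS_ALLOW" in lines and "wan_users ANY" in lines
```

Feeding the manual's own example rule through build_rule reproduces the keyword lines of the command example above, and open_to_every_wan_source is True for it because it combines ALWAYS_ALLOW with wan_users ANY.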