

This command configures a new IPv4 DMZ WAN outbound firewall rule. After you issue the security firewall ipv4 add_rule dmz_wan outbound command, you enter the security-config [firewall-ipv4-dmz-wan-outbound] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer. However, note that the setting of the action keyword determines which other keywords and parameters you can apply to a rule.

Step 1 Format

Mode: security

security firewall ipv4 add_rule dmz_wan outbound

Step 2 Format

Mode: security-config [firewall-ipv4-dmz-wan-outbound]

service_name {default_services <default service name> | custom_services <custom service name>}

action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}

dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>} | ADDRESS_RANGE {dmz_user_start_ip <ipaddress>} {dmz_user_end_ip <ipaddress>}}

wan_users {address_wise {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} | ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}} | group_wise <group name>}

qos_profile <profile name>

log {NEVER | ALWAYS}

nat_ip {type {Auto | WAN1 | WAN2} | address <ipaddress>}

Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description

Service name, action, and schedule

service_name default_services | ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP | Specifies the default service and protocol to which the firewall rule applies.

service_name custom_services | custom service name | The custom service that you configure with the security services add command and to which the firewall rule applies.

action | ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK | Specifies the type of action to be enforced by the rule.

schedule | Schedule1, Schedule2, or Schedule3 | Specifies the schedule, if any, that applies to the rule.

DMZ user addresses and WAN user addresses

dmz_users | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | Specifies the type of DMZ address.

dmz_user_start_ip | ipaddress | The IP address if the dmz_users keyword is set to SINGLE_ADDRESS, or the start IP address if the dmz_users keyword is set to ADDRESS_RANGE.

dmz_user_end_ip | ipaddress | The end IP address if the dmz_users keyword is set to ADDRESS_RANGE.

wan_users address_wise | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | Specifies the type of WAN address. The address_wise and group_wise keywords are mutually exclusive.

wan_user_start_ip | ipaddress | The IP address if the wan_users keyword is set to SINGLE_ADDRESS, or the start IP address if the wan_users keyword is set to ADDRESS_RANGE.

wan_user_end_ip | ipaddress | The end IP address if the wan_users keyword is set to ADDRESS_RANGE.

wan_users group_wise | group name | The name of the WAN IP group, which you specify with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive.

QoS profile, logging, and bandwidth profile

qos_profile | profile name | The name of the QoS profile that you specify with the security services qos_profile add command.

log | NEVER or ALWAYS | Specifies whether logging is disabled or enabled.

bandwidth_profile | profile name | The name of the bandwidth profile that you specify with the security bandwidth profile add command.

Command example:

FVS336Gv2> security firewall ipv4 add_rule dmz_wan outbound
security-config[firewall-ipv4-dmz-wan-outbound]> service_name default_services CU-SEEME:TCP
security-config[firewall-ipv4-dmz-wan-outbound]> action BLOCK_BY_SCHEDULE_ELSE_ALLOW
security-config[firewall-ipv4-dmz-wan-outbound]> schedule Schedule2
security-config[firewall-ipv4-dmz-wan-outbound]> dmz_users ANY
security-config[firewall-ipv4-dmz-wan-outbound]> wan_users ANY
security-config[firewall-ipv4-dmz-wan-outbound]> qos_profile Video
security-config[firewall-ipv4-dmz-wan-outbound]> log NEVER
security-config[firewall-ipv4-dmz-wan-outbound]> nat_ip type WAN1
security-config[firewall-ipv4-dmz-wan-outbound]> save

Related show command: show security firewall ipv4 setup dmz_wan
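The keyword dependencies the table spells out (the action value decides whether a schedule applies, address_wise and group_wise are mutually exclusive, the start and end IP parameters depend on the address type) are the points most often got wrong when these rules are generated by a script rather than typed by hand. The following Python is an added example, not NETGEAR's code and not part of the manual: it models the Step 2 grammar, validates a rule against those constraints, and emits the lines one would type in security-config [firewall-ipv4-dmz-wan-outbound] mode. The class and function names (AddressSpec, DmzWanOutboundRule, violation, example_rule), the sample addresses and the partner_hosts group name are assumptions; bandwidth_profile is left out because it does not appear in the Step 2 format.

```python
# Validator/emitter for the DMZ-to-WAN outbound rule grammar above. Added example,
# not NETGEAR code: keyword values come from the manual page; the names are ours.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

SCHEDULED_ACTIONS = {"BLOCK_BY_SCHEDULE_ELSE_ALLOW", "ALLOW_BY_SCHEDULE_ELSE_BLOCK"}
ACTIONS = SCHEDULED_ACTIONS | {"ALWAYS_BLOCK", "ALWAYS_ALLOW"}
SCHEDULES = {"Schedule1", "Schedule2", "Schedule3"}
IP_PARAMS = {"ANY": 0, "SINGLE_ADDRESS": 1, "ADDRESS_RANGE": 2}  # IPs each type takes
LOG_VALUES = {"NEVER", "ALWAYS"}
NAT_TYPES = {"Auto", "WAN1", "WAN2"}

@dataclass
class AddressSpec:
    """dmz_users or wan_users address_wise selection with its IP parameters."""
    kind: str                       # ANY | SINGLE_ADDRESS | ADDRESS_RANGE
    start_ip: Optional[str] = None
    end_ip: Optional[str] = None

    def validate(self, label: str) -> None:
        if self.kind not in IP_PARAMS:
            raise ValueError(f"{label}: unknown address type {self.kind!r}")
        needed = IP_PARAMS[self.kind]
        given = [ip for ip in (self.start_ip, self.end_ip) if ip is not None]
        if len(given) != needed or (self.end_ip is not None and self.start_ip is None):
            raise ValueError(f"{label}: {self.kind} takes {needed} IP parameter(s)")
        ips = [ipaddress.IPv4Address(ip) for ip in given]  # rejects malformed input
        if needed == 2 and ips[1] < ips[0]:
            raise ValueError(f"{label}: range end precedes range start")

    def cli_lines(self, users_kw: str, ip_kw: str, selector: str = "") -> List[str]:
        # selector is "address_wise " for wan_users and empty for dmz_users
        lines = [f"{users_kw} {selector}{self.kind}"]
        if self.start_ip is not None:
            lines.append(f"{ip_kw}_start_ip {self.start_ip}")
        if self.end_ip is not None:
            lines.append(f"{ip_kw}_end_ip {self.end_ip}")
        return lines

@dataclass
class DmzWanOutboundRule:
    service: str                    # "default_services <name>" or "custom_services <name>"
    action: str
    schedule: Optional[str] = None
    dmz_users: AddressSpec = field(default_factory=lambda: AddressSpec("ANY"))
    wan_users: Optional[AddressSpec] = None   # address_wise selection
    wan_group: Optional[str] = None           # group_wise selection
    qos_profile: Optional[str] = None
    log: str = "NEVER"
    nat_ip_type: Optional[str] = None

    def validate(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        # The action value decides whether a schedule may, and must, be given.
        allowed = SCHEDULES if self.action in SCHEDULED_ACTIONS else {None}
        if self.schedule not in allowed:
            raise ValueError(f"schedule {self.schedule!r} does not fit action {self.action}")
        self.dmz_users.validate("dmz_users")
        # address_wise and group_wise are mutually exclusive; one of them is required.
        if (self.wan_users is None) == (self.wan_group is None):
            raise ValueError("wan_users needs exactly one of address_wise or group_wise")
        if self.wan_users is not None:
            self.wan_users.validate("wan_users address_wise")
        if self.log not in LOG_VALUES:
            raise ValueError(f"log must be NEVER or ALWAYS, not {self.log!r}")
        if self.nat_ip_type is not None and self.nat_ip_type not in NAT_TYPES:
            raise ValueError(f"unknown nat_ip type {self.nat_ip_type!r}")

    def to_cli_lines(self) -> List[str]:
        """Lines to type in security-config [firewall-ipv4-dmz-wan-outbound] mode."""
        self.validate()
        wan = (self.wan_users.cli_lines("wan_users", "wan_user", "address_wise ")
               if self.wan_users is not None else [f"wan_users group_wise {self.wan_group}"])
        return ([f"service_name {self.service}", f"action {self.action}"]
                + ([f"schedule {self.schedule}"] if self.schedule else [])
                + self.dmz_users.cli_lines("dmz_users", "dmz_user") + wan
                + ([f"qos_profile {self.qos_profile}"] if self.qos_profile else [])
                + [f"log {self.log}"]
                + ([f"nat_ip type {self.nat_ip_type}"] if self.nat_ip_type else [])
                + ["save"])

def violation(rule: DmzWanOutboundRule) -> Optional[str]:
    """Return the constraint a rule breaks, or None when it is valid."""
    try:
        rule.validate()
    except ValueError as exc:       # constraint violation or malformed IP address
        return str(exc)
    return None

def example_rule() -> DmzWanOutboundRule:
    """Scheduled block of CU-SEEME:TCP from a DMZ range to a WAN IP group (constructed values)."""
    return DmzWanOutboundRule(
        service="default_services CU-SEEME:TCP",
        action="BLOCK_BY_SCHEDULE_ELSE_ALLOW", schedule="Schedule2",
        dmz_users=AddressSpec("ADDRESS_RANGE", "192.168.10.10", "192.168.10.20"),
        wan_group="partner_hosts",  # constructed IP group name
        qos_profile="Video", log="ALWAYS", nat_ip_type="WAN1")
```

Printing each element of example_rule().to_cli_lines() behind the security-config[firewall-ipv4-dmz-wan-outbound]> prompt reproduces the shape of the command example above; violation() is the pre-flight check to run over a batch of generated rules before any of them is pasted into the CLI, since the router rejects a mismatched keyword only after the preceding lines have already been entered.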