The following rows are the tail of the preceding command's keyword table (WAN user addresses, QoS profile, and logging); they are not part of the lan_dmz outbound rule described below.

| Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description |
| --- | --- | --- |
| wan_user_start_ip | ipaddress | The following two options are available: the IP address if the wan_user keyword is set to SINGLE_ADDRESS; the start IP address if the wan_user keyword is set to ADDRESS_RANGE. |
| wan_user_end_ip | ipaddress | The end IP address if the wan_user keyword is set to ADDRESS_RANGE. |
| wan_users group_wise | group name | The name of the WAN IP group. The WAN IP group name is a name that you specify with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive. |
| QoS profile and logging | | |
| qos_profile | profile name | The name of the QoS profile that you specify with the security services qos_profile add command. |
| log | NEVER or ALWAYS | Specifies whether logging is disabled or enabled. |

security firewall ipv4 add_rule lan_dmz outbound

This command configures a new IPv4 LAN DMZ outbound firewall rule. After you issue the security firewall ipv4 add_rule lan_dmz outbound command, you enter the security-config [firewall-ipv4-lan-dmz-outbound] mode, in which you can configure one keyword and its associated parameter or associated keyword at a time, in any order you prefer. Note, however, that the setting of the action keyword determines which other keywords and parameters you can apply to the rule.

Step 1
Format: security firewall ipv4 add_rule lan_dmz outbound
Mode: security

Step 2
Format:
service_name {default_services <default service name> | custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
lan_users {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip <ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>} {lan_user_end_ip <ipaddress>}} | group_wise <group name>}
dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>} | ADDRESS_RANGE {dmz_user_start_ip <ipaddress>} {dmz_user_end_ip <ipaddress>}}
log {NEVER | ALWAYS}
Mode: security-config [firewall-ipv4-lan-dmz-outbound]
| Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description |
| --- | --- | --- |
| Service name, action, and schedule | | |
| service_name default_services | ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP | Specifies the default service and protocol to which the firewall rule applies. |
| service_name custom_services | custom service name | The custom service that you configure with the security services add command and to which the firewall rule applies. |
| action | ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK | Specifies the type of action to be enforced by the rule. |
| schedule | Schedule1, Schedule2, or Schedule3 | Specifies the schedule, if any, that applies to the rule. |
| LAN user addresses or LAN group and DMZ user addresses | | |
| lan_users address_wise | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | Specifies the type of LAN address. The address_wise and group_wise keywords are mutually exclusive. |
| lan_user_start_ip | ipaddress | The following two options are available: the IP address if the lan_users address_wise keywords are set to SINGLE_ADDRESS; the start IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE. |
| lan_user_end_ip | ipaddress | The end IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE. |
| lan_users group_wise | group name | The name of the LAN group or LAN IP group. The LAN group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that you specify with the net lan lan_groups edit <row id> <newgroupname> command. The LAN IP group name is a name that you specify with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive. |
| dmz_users | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | Specifies the type of DMZ address. |
| dmz_user_start_ip | ipaddress | The following two options are available: the IP address if the dmz_users keyword is set to SINGLE_ADDRESS; the start IP address if the dmz_users keyword is set to ADDRESS_RANGE. |
Command example:
FVS336Gv2> security firewall ipv4 add_rule lan_dmz outbound
security-config[firewall-ipv4-lan-dmz-outbound]> service_name default_services FTP
security-config[firewall-ipv4-lan-dmz-outbound]> action ALWAYS_ALLOW
security-config[firewall-ipv4-lan-dmz-outbound]> lan_users group_wise GROUP4
security-config[firewall-ipv4-lan-dmz-outbound]> dmz_users ADDRESS_RANGE
security-config[firewall-ipv4-lan-dmz-outbound]> dmz_user_start_ip 176.14.2.30
security-config[firewall-ipv4-lan-dmz-outbound]> dmz_user_end_ip 176.14.2.79
security-config[firewall-ipv4-lan-dmz-outbound]> log Never
security-config[firewall-ipv4-lan-dmz-outbound]> save
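As an added example that is not part of the manual, the following Python helper generates the Step 1 and Step 2 lines for one lan_dmz outbound rule and enforces the constraints the keyword table states before anything is typed into the device: the action setting decides whether a schedule is given, address_wise and group_wise are mutually exclusive, and each address type needs exactly the start/end IPs the table lists. The function and argument names are my own; the CLI keywords are the page's.

```python
import ipaddress

SCHEDULED_ACTIONS = {"BLOCK_BY_SCHEDULE_ELSE_ALLOW", "ALLOW_BY_SCHEDULE_ELSE_BLOCK"}
ACTIONS = SCHEDULED_ACTIONS | {"ALWAYS_BLOCK", "ALWAYS_ALLOW"}

def _address_lines(prefix, kind, start=None, end=None):
    """<prefix>_start_ip / <prefix>_end_ip lines for one address type: none for ANY,
    one for SINGLE_ADDRESS, an ordered pair for ADDRESS_RANGE (validated as IPv4)."""
    if kind == "ANY":
        if start or end:
            raise ValueError(f"{prefix}: ANY takes no addresses")
        return []
    if kind == "SINGLE_ADDRESS":
        if not start or end:
            raise ValueError(f"{prefix}: SINGLE_ADDRESS takes exactly one start IP")
        return [f"{prefix}_start_ip {ipaddress.IPv4Address(start)}"]
    if kind == "ADDRESS_RANGE":
        if not (start and end):
            raise ValueError(f"{prefix}: ADDRESS_RANGE needs start and end IPs")
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if lo > hi:
            raise ValueError(f"{prefix}: range start {lo} is above end {hi}")
        return [f"{prefix}_start_ip {lo}", f"{prefix}_end_ip {hi}"]
    raise ValueError(f"{prefix}: unknown address type {kind!r}")

def build_lan_dmz_outbound_rule(service, action, lan, dmz, log="NEVER", schedule=None):
    """CLI lines for one rule, Step 1 command through save, or ValueError (hypothetical helper).
    service: (service_name keyword, name); lan: {"group": name} for group_wise or
    {"kind", "start", "end"} for address_wise; dmz: {"kind", "start", "end"}."""
    if service[0] not in ("default_services", "custom_services"):
        raise ValueError("service must be default_services or custom_services")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    # the action setting decides whether a schedule may (and must) be given
    if (action in SCHEDULED_ACTIONS) != (schedule is not None):
        raise ValueError("schedule is required for, and only for, *_BY_SCHEDULE_* actions")
    if log not in ("NEVER", "ALWAYS"):
        raise ValueError("log must be NEVER or ALWAYS")
    if ("group" in lan) == ("kind" in lan):  # address_wise and group_wise are mutually exclusive
        raise ValueError("lan needs exactly one of group (group_wise) or kind (address_wise)")
    lines = ["security firewall ipv4 add_rule lan_dmz outbound",
             f"service_name {service[0]} {service[1]}", f"action {action}"]
    if schedule:
        lines.append(f"schedule {schedule}")
    if "group" in lan:
        lines.append(f"lan_users group_wise {lan['group']}")
    else:
        lines.append(f"lan_users address_wise {lan['kind']}")
        lines += _address_lines("lan_user", lan["kind"], lan.get("start"), lan.get("end"))
    lines.append(f"dmz_users {dmz['kind']}")
    lines += _address_lines("dmz_user", dmz["kind"], dmz.get("start"), dmz.get("end"))
    return lines + [f"log {log}", "save"]
```

Running it with the values from the command example above reproduces that session line for line, so the generated list can be reviewed against the intended rule before it is pasted into the security-config mode.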