Use the IpFilterRule statement to define one or more IP filters. The information provided on the IpFilterRule statement is combined to generate IP filters. An IpFilterRule statement that is globally defined can be referenced by an IpFilterPolicy statement and an IpFilterGroup statement.

A generated IP filter consists of a source and destination IP address specification, a service specification, an optional time period specification, a security action, and an optional local start action. The policy condition is formed by combining the IP address information with the port, protocol, security class, direction, and routing information from the IpService statement or the IpServiceGroup statement. An IpTimeCondition statement identifies when the generated IP filter is in effect. Security actions include the generic action (permit, deny, or ipsec) defined by an IpGenericFilterAction statement, the manual VPN tunnel action (IpManVpnAction), and the dynamic VPN tunnel action (IpDynVpnAction). The optional local start action (IpLocalStartAction) is used for local on-demand or command-line activation of dynamic VPN tunnels.
Syntax

>>-IpFilterRule--name--| Put Braces and Parameters on Separate Lines |-><

Put Braces and Parameters on Separate Lines

|--+-{---------------------------+------------------------------|
   +-| IPFilterRule Parameters |-+
   '-}---------------------------'

IPFilterRule Parameters

   .-IpSourceAddr All-------------------------.
|--+------------------------------------------+----------------->
   +-IpSourceAddr--+-ipaddress--------------+-+
   |               +-ipaddress/prefixLength-+ |
   |               +-ipaddress-ipaddress----+ |
   |               +-All--------------------+ |
   |               +-All4-------------------+ |
   |               '-All6-------------------' |
   +-IpSourceAddrRef name---------------------+
   +-IpSourceAddrSetRef name------------------+
   '-IpSourceAddrGroupRef name----------------'

   .-IpDestAddr All-------------------------.
>--+----------------------------------------+------------------->
   +-IpDestAddr--+-ipaddress--------------+-+
   |             +-ipaddress/prefixLength-+ |
   |             +-ipaddress-ipaddress----+ |
   |             +-All--------------------+ |
   |             +-All4-------------------+ |
   |             '-All6-------------------' |
   +-IpDestAddrRef name---------------------+
   +-IpDestAddrSetRef name------------------+
   '-IpDestAddrGroupRef name----------------'

                                .-------------------------------.
                                V                               |
>--+------------------------+---+-----------------------------+-+---------->
   +-RemoteIdentity---------+   +-IpTimeCondition-------------+
   '-RemoteIdentityRef name-'   '-IpTimeConditionRef name-----'

     .----------------------------.
     V                            |
>----+-IpService--------------+-+------------------------------->
     +-IpServiceRef name------+
     '-IpServiceGroupRef name-'

>--IpGenericFilterActionRef name--+-------------------------------------------------------+--|
                                  +-IpManVpnActionRef name--------------------------------+
                                  '-IpDynVpnActionRef name-+----------------------------+-'
                                                           '-IpLocalStartActionRef name-'
Parameters
- name
- A string of 1–32 characters specifying the name of this
IpFilterRule statement. The name cannot start with a dash (-) or
contain any commas (,).
- IpSourceAddr
- A source IP address specification.
- ipaddress
- A single IP address indicating the source address that must be
contained in an IP packet for this rule's action to be performed.
- ipaddress/prefixLength
- A prefix address specification indicating the applicable source
IP addresses that can be contained in an IP packet for this rule's
action to be performed. The prefixLength is
the number of unmasked leading bits in the ipaddress value.
The prefixLength value can be in the range
0 - 32 for IPv4 addresses and 0 - 128 for IPv6 addresses. An IP packet
matches this condition if its source address unmasked bits are identical
to the defined unmasked bits.
- ipaddress-ipaddress
- A range of IP addresses indicating applicable source addresses
that can be contained in an IP packet for this rule's action to be
performed.
- All
- Indicates that any source IPv4 address can be contained in an
IP packet for this rule's action to be performed. All and All4 are
interchangeable values.
- All4
- Indicates that any source IPv4 address can be contained in an
IP packet for this rule's action to be performed.
- All6
- Indicates that any source IPv6 address can be contained in an
IP packet for this rule's action to be performed.
- IpSourceAddrRef
- The name of a globally defined IpAddr statement to be used for
the source IP address specification.
- IpSourceAddrSetRef
- The name of a globally defined IpAddrSet statement to be used
for the source IP address prefix or range specification.
- IpSourceAddrGroupRef
- The name of a globally defined IpAddrGroup statement to be used
for the source IP address specification.
- IpDestAddr
- A destination IP address specification.
- ipaddress
- A single IP address indicating the destination address that must
be contained in an IP packet for this rule's action to be performed.
- ipaddress/prefixLength
- A prefix address specification indicating the applicable destination
IP addresses that can be contained in an IP packet for this rule's
action to be performed. The prefixLength value
is the number of unmasked leading bits in the specified ipaddress value.
The prefixLength value can be in the range
0 - 32 for IPv4 addresses and 0 - 128 for IPv6 addresses. An IP packet
matches this condition if its destination address unmasked bits are
identical to the defined unmasked bits.
- ipaddress-ipaddress
- A range of IP addresses indicating applicable destination addresses
that can be contained in an IP packet for this rule's action to be
performed.
- All
- Indicates that any destination IPv4 address can be contained in
an IP packet for this rule's action to be performed. All and All4 are
interchangeable values.
- All4
- Indicates that any destination IPv4 address can be contained in
an IP packet for this rule's action to be performed.
- All6
- Indicates that any destination IPv6 address can be contained in
an IP packet for this rule's action to be performed.
- IpDestAddrRef
- The name of a globally defined IpAddr statement to be used for
the destination IP address specification.
- IpDestAddrSetRef
- The name of a globally defined IpAddrSet statement to be used
for the destination IP address prefix or range specification.
- IpDestAddrGroupRef
- The name of a globally defined IpAddrGroup statement to be used
for the destination IP address specification.
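As an added illustration (not part of the original reference and not the TCP/IP stack's own matching code), the following Python models the four address value forms described above and the packet-matching rule they define, using the standard ipaddress module. The prefix form compares only the leading prefixLength bits, so host bits written after the slash are ignored, and a prefixLength outside 0-32 (IPv4) or 0-128 (IPv6) is rejected. The class and function names are this example's own.

```python
"""Matching semantics of the IpSourceAddr / IpDestAddr value forms."""
import ipaddress


class AddrSpec:
    """One IpSourceAddr or IpDestAddr value, parsed into a matchable form.

    Accepted forms mirror the statement: a single address, address/prefixLength,
    address-address (inclusive range), and the keywords All, All4 and All6.
    """

    def __init__(self, text):
        t = text.strip()
        key = t.upper()
        if key in ("ALL", "ALL4"):            # All and All4 are interchangeable
            self.kind, self.family, self.value = "all", 4, None
        elif key == "ALL6":
            self.kind, self.family, self.value = "all", 6, None
        elif "/" in t:
            # prefixLength counts the unmasked leading bits; the host bits of the
            # written address are ignored, so 10.1.1.5/24 means 10.1.1.0/24.
            # ip_network() rejects a prefixLength outside 0-32 (IPv4) / 0-128 (IPv6).
            net = ipaddress.ip_network(t, strict=False)
            self.kind, self.family, self.value = "prefix", net.version, net
        elif "-" in t:
            lo_s, hi_s = t.split("-", 1)      # IPv6 literals use ':' so '-' is safe
            lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
            if lo.version != hi.version:
                raise ValueError("range endpoints must be in one address family")
            if lo > hi:
                raise ValueError("range start must not be greater than its end")
            self.kind, self.family, self.value = "range", lo.version, (lo, hi)
        else:
            addr = ipaddress.ip_address(t)
            self.kind, self.family, self.value = "single", addr.version, addr

    def matches(self, packet_addr):
        """True if the address found in a packet satisfies this specification."""
        addr = ipaddress.ip_address(packet_addr)
        if addr.version != self.family:      # All/All4 never match IPv6; All6 never IPv4
            return False
        if self.kind == "all":
            return True
        if self.kind == "prefix":
            return addr in self.value
        if self.kind == "range":
            lo, hi = self.value
            return lo <= addr <= hi
        return addr == self.value


def is_valid_spec(text):
    """Syntax check for one address value: False for a bad prefix length, mixed
    address families in a range, a reversed range, or unparseable text."""
    try:
        AddrSpec(text)
        return True
    except ValueError:
        return False


def rule_condition_matches(source_spec, dest_spec, src, dst):
    """The address half of a generated filter's condition: both the source and the
    destination specification must match. Port/protocol from IpService is not modelled."""
    return AddrSpec(source_spec).matches(src) and AddrSpec(dest_spec).matches(dst)


if __name__ == "__main__":
    # Constructed packet addresses, not captured traffic.
    print(rule_condition_matches("10.1.1.5/24", "All4", "10.1.1.200", "192.0.2.1"))   # True
    print(rule_condition_matches("10.1.1.0/24", "All", "10.1.1.200", "2001:db8::1"))  # False
```

The IPv6 destination in the second call fails because All means All4; a rule that should cover both families needs separate IPv4 and IPv6 rules, which is also what the address-family rules later on this page require.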
- IpTimeCondition
- An inline specification of an IpTimeCondition statement. There
is a limit of 25 IpTimeCondition specifications and references on
the IpFilterRule statement.
- RemoteIdentity
- An inline specification of a RemoteIdentity statement. If specified,
the RemoteIdentity value limits the traffic that matches this filter rule:
only IPSec traffic for which the remote IKE identity matches, or is
contained by, the RemoteIdentity matches this filter rule.
Rules:
- You can specify the RemoteIdentity parameter only for filter rules
that reference an IpDynVpnAction statement.
- This parameter requires a remote activation so that the user's
identity and location become known.
- Because local activations are not valid, you cannot specify the
RemoteIdentity parameter for filter rules that reference an IpLocalStartAction
statement.
Tip: Specify the RemoteIdentity for mobile users whose IKE identity is
known but whose IP address is unknown or unpredictable.
Guideline: When you create an IpFilterRule and you specify RemoteIdentity,
specify FilterByIdentity Yes on the KeyExchangeAction statement for the
corresponding KeyExchangeRule statement. When you create an IPSec IpFilterRule
without a RemoteIdentity, specify FilterByIdentity No on the KeyExchangeAction
statement for the corresponding KeyExchangeRule statement.
Restriction: This parameter, as well as the RemoteIdentityRef parameter,
is valid only for V1R10 and later releases. See General syntax rules for
Policy Agent for details.
- RemoteIdentityRef
- The name of a globally defined RemoteIdentity statement.
- IpTimeConditionRef
- The name of a globally defined IpTimeCondition statement. There
is a limit of 25 IpTimeCondition specifications and references on
the IpFilterRule statement.
- IpService
- An inline specification of an IpService statement.
- IpServiceRef
- The name of a globally defined IpService statement.
- IpServiceGroupRef
- The name of a globally defined IpServiceGroup statement.
- IpGenericFilterActionRef
- The name of a globally defined IpGenericFilterAction statement.
- IpManVpnActionRef
- The name of a globally defined IpManVpnAction statement.
Rule: If a manual tunnel is to be used to provide IPSec protection of the
data, an IpManVpnAction reference is needed in addition to the
IpGenericFilterAction reference, and the referenced IpGenericFilterAction
must specify an IpFilterAction value of IpSec.
- IpDynVpnActionRef
- The name of a globally defined IpDynVpnAction statement.
Rule: If a dynamic tunnel is to be used to provide IPSec protection, an
IpDynVpnAction reference is needed in addition to the IpGenericFilterAction
reference, and the referenced IpGenericFilterAction must specify an
IpFilterAction value of IpSec.
- IpLocalStartActionRef
- The name of a globally defined IpLocalStartAction statement.
Requirement: An IpLocalStartAction statement can be specified only in
conjunction with an IpDynVpnAction statement. The IpLocalStartAction
statement is required if the dynamic VPN is not a host-to-host configuration
and is locally activated.
Results:
- If the IpSourceAddrGroupRef, IpDestAddrGroupRef, or IpServiceGroupRef
parameter is specified, multiple filters might be generated. If more than
one inline or referenced IpService statement is specified, multiple filters
might be generated. If the associated IpService is bidirectional, multiple
filters are generated. In these cases, a number is appended to the base
name to uniquely identify each generated filter.
- On an ipsec -f display -n IpFilterRuleName command, all IP filter rules
with a base name matching the IpFilterRuleName value are displayed.
Guideline: The IP address of a remote system, represented by a filter rule's
destination address specification, is always a public address when the peer
is behind a NAT device. The NAT device uses the private IP address of the
peer to choose a public address and replaces it in the IP header. If the peer
system is behind a security gateway that is itself behind a NAT device, the
NAT device uses the private IP address of the gateway to choose a public
address, because the gateway first encapsulates the peer's packet in a packet
with the private address of the gateway.
Rules:
- Filter rules that reference an IpManVpnAction or IpDynVpnAction statement
must have a direction of bidirectional specified in the IpService statement.
- All IpFilterRule statement addresses must be in the same address family
(IPv4 or IPv6).
- For any IpFilterRule statement, all of its associated actions and the
associated IP addresses must be in the same address family (IPv4 or IPv6).
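The constraints collected on this page (name form, a required IpGenericFilterActionRef, the RemoteIdentity and IpLocalStartAction pairing rules, the 25-entry time-condition limit, bidirectional direction for VPN rules, and a single address family) are the kind of thing that is cheaper to catch before a policy is loaded. As an added example, not part of this reference and not Policy Agent's own parser, the following Python reads a constructed policy fragment written in the brace layout the statement uses and reports which of these documented rules each IpFilterRule violates. The parser, the function names, the `_name` key and the sample rule names are this example's own; the Protocol and Direction lines belong to the IpService statement, which this page references but does not define.

```python
"""Lint IpFilterRule statements against the constraints documented for the statement."""
import ipaddress

def parse_config(text):
    """Minimal reader for the Policy Agent brace layout: 'Key value' lines, a key whose
    next line is '{' opens a nested body, '#' starts a comment, names go under '_name'."""
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    return _parse_block(lines + ["}"], 0)[0]  # synthetic closer for the top level

def _parse_block(lines, i):
    node = {}
    while i < len(lines):
        line, i = lines[i], i + 1
        if line == "}":
            return node, i
        if not line:
            continue
        parts = line.split(None, 1)
        key, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if i < len(lines) and lines[i] == "{":  # nested statement body follows
            child, i = _parse_block(lines, i + 1)
            if rest:
                child["_name"] = rest
            rest = child
        node.setdefault(key, []).append(rest)  # repeated keys collect into a list
    raise ValueError("unterminated block")

def _addr_family(spec):
    if spec.upper() in ("ALL", "ALL4", "ALL6"):  # All and All4 are IPv4
        return 6 if spec.upper() == "ALL6" else 4
    return ipaddress.ip_network(spec.split("-")[0], strict=False).version

def lint_filter_rule(rule):
    """Return the documented constraints that this IpFilterRule body violates."""
    findings = []
    name = rule.get("_name", "")
    if not 1 <= len(name) <= 32 or name.startswith("-") or "," in name:
        findings.append("name must be 1-32 characters, not start with '-', contain no ','")
    if "IpGenericFilterActionRef" not in rule:
        findings.append("IpGenericFilterActionRef is required")
    has_man, has_dyn = "IpManVpnActionRef" in rule, "IpDynVpnActionRef" in rule
    has_ident = "RemoteIdentity" in rule or "RemoteIdentityRef" in rule
    has_local = "IpLocalStartActionRef" in rule
    n_time = len(rule.get("IpTimeCondition", [])) + len(rule.get("IpTimeConditionRef", []))
    families = {_addr_family(v) for k in ("IpSourceAddr", "IpDestAddr") for v in rule.get(k, [])}
    checks = [
        (has_man and has_dyn, "IpManVpnActionRef and IpDynVpnActionRef are alternatives"),
        (has_ident and not has_dyn, "RemoteIdentity is valid only with IpDynVpnActionRef"),
        (has_ident and has_local, "RemoteIdentity cannot be combined with IpLocalStartActionRef"),
        (has_local and not has_dyn, "IpLocalStartActionRef requires IpDynVpnActionRef"),
        (n_time > 25, "at most 25 IpTimeCondition/IpTimeConditionRef entries are allowed"),
        (len(families) > 1, "source and destination addresses must be in one address family"),
    ]
    findings += [msg for bad, msg in checks if bad]
    if has_man or has_dyn:
        # Only inline IpService bodies are visible here; Direction may carry a second
        # word, so only its first word is compared.
        for svc in rule.get("IpService", []):
            direction = svc.get("Direction", [""])[0] if isinstance(svc, dict) else ""
            if (direction.split() or [""])[0].lower() != "bidirectional":
                findings.append("VPN filter rules need Direction BiDirectional in IpService")
    return findings

def lint_config(text):
    """Map each IpFilterRule name to its findings; an empty list means none found."""
    rules = parse_config(text).get("IpFilterRule", [])
    return {r.get("_name", "?"): lint_filter_rule(r) for r in rules}

# Constructed sample policy, not taken from any real system.
SAMPLE_CONFIG = """
IpFilterRule AdminSshVpn
{
  IpSourceAddr 10.1.1.0/24
  IpDestAddr All4
  RemoteIdentityRef AdminCerts
  IpService
  {
    Protocol tcp
    Direction BiDirectional
  }
  IpGenericFilterActionRef IpsecAction
  IpDynVpnActionRef AdminTunnel
}
IpFilterRule BrokenRule
{
  IpSourceAddr 10.1.1.0/24
  IpDestAddr 2001:db8::/32
  RemoteIdentityRef AdminCerts
  IpService
  {
    Direction Inbound
  }
  IpGenericFilterActionRef IpsecAction
  IpDynVpnActionRef AdminTunnel
  IpLocalStartActionRef StartTunnel
}
"""
```

Running `lint_config(SAMPLE_CONFIG)` reports nothing for AdminSshVpn and three findings for BrokenRule: RemoteIdentity combined with IpLocalStartActionRef, an inbound-only IpService on a VPN rule, and an IPv4 source paired with an IPv6 destination. Referenced services and address groups are not resolved, so a complete check would need the global IpService, IpServiceGroup and IpAddr* definitions as well.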