IpFilterRule statement

Use the IpFilterRule statement to define one or more IP filters.

The information provided on the IpFilterRule statement is combined to generate IP filters. An IpFilterRule statement that is globally defined can be referenced by an IpFilterPolicy statement and an IpFilterGroup statement.

A generated IP filter consists of a source and destination IP address specification, a service specification, an optional time period specification, a security action, and an optional local start action. The policy condition is formed by combining IP address information with port, protocol, security class, direction, and routing information from the IpService statement or the IpServiceGroup statement. An IpTimeCondition statement identifies when the generated IP filter is in effect. Security actions include the generic (permit, deny, or ipsec) action (IpGenericFilterAction), the manual VPN tunnel action (IpManVpnAction) and the dynamic VPN tunnel action (IpDynVpnAction). The optional local start action (IpLocalStartAction) is used for local on-demand or command-line activation of dynamic VPN tunnels.

Syntax

>>-IpFilterRule--name--| Put Braces and Parameters on Separate Lines |-><

Put Braces and Parameters on Separate Lines

|--+-{---------------------------+------------------------------|
   +-| IPFilterRule Parameters |-+   
   '-}---------------------------'   

IPFilterRule Parameters

   .-IpSourceAddr All-------------------------.   
|--+------------------------------------------+----------------->
   +-IpSourceAddr--+-ipaddress--------------+-+   
   |               +-ipaddress/prefixLength-+ |   
   |               +-ipaddress-ipaddress----+ |   
   |               +-All--------------------+ |   
   |               +-All4-------------------+ |   
   |               '-All6-------------------' |   
   +-IpSourceAddrRef name---------------------+   
   +-IpSourceAddrSetRef name------------------+   
   '-IpSourceAddrGroupRef name----------------'   

   .-IpDestAddr All-------------------------.   
>--+----------------------------------------+------------------->
   +-IpDestAddr--+-ipaddress--------------+-+   
   |             +-ipaddress/prefixLength-+ |   
   |             +-ipaddress-ipaddress----+ |   
   |             +-All--------------------+ |   
   |             +-All4-------------------+ |   
   |             '-All6-------------------' |   
   +-IpDestAddrRef name---------------------+   
   +-IpDestAddrSetRef name------------------+   
   '-IpDestAddrGroupRef name----------------'   

                               .---------------------.   
                               V                     |   
>--+------------------------+----+-----------------+-+---------->
   +-RemoteIdentity---------+    '-IpTimeCondition-'     
   '-RemoteIdentityRef name-'                            

   .----------------------------.   
   V                            |   
>----+-IpService--------------+-+------------------------------->
     +-IpServiceRef name------+     
     '-IpServiceGroupRef name-'     

>--IpGenericFilterActionRef name--+-------------------------------------------------------+--|
                                  +-IpManVpnActionRef name--------------------------------+   
                                  '-IpDynVpnActionRef name-+----------------------------+-'   
                                                           '-IpLocalStartActionRef name-'     

Parameters

name
A string of 1–32 characters specifying the name of this IpFilterRule statement. The name cannot start with a dash (-) or contain any commas (,).
IpSourceAddr
A source IP address specification.
ipaddress
A single IP address indicating the source address that must be contained in an IP packet for this rule's action to be performed.
ipaddress/prefixLength
A prefix address specification indicating the applicable source IP addresses that can be contained in an IP packet for this rule's action to be performed. The prefixLength is the number of unmasked leading bits in the ipaddress value. The prefixLength value can be in the range 0 - 32 for IPv4 addresses and 0 - 128 for IPv6 addresses. An IP packet matches this condition if its source address unmasked bits are identical to the defined unmasked bits.
ipaddress-ipaddress
A range of IP addresses indicating applicable source addresses that can be contained in an IP packet for this rule's action to be performed.
All
Indicates that any source IPv4 address can be contained in an IP packet for this rule's action to be performed. All and All4 are interchangeable values.
All4
Indicates that any source IPv4 address can be contained in an IP packet for this rule’s action to be performed.
All6
Indicates that any source IPv6 address can be contained in an IP packet for this rule’s action to be performed.
IpSourceAddrRef
The name of a globally defined IpAddr statement to be used for the source IP address specification.
IpSourceAddrSetRef
The name of a globally defined IpAddrSet statement to be used for the source IP address prefix or range specification.
IpSourceAddrGroupRef
The name of a globally defined IpAddrGroup statement to be used for the source IP address specification.
IpDestAddr
A destination IP address specification.
ipaddress
A single IP address indicating the destination address that must be contained in an IP packet for this rule's action to be performed.
ipaddress/prefixLength
A prefix address specification indicating the applicable destination IP addresses that can be contained in an IP packet for this rule's action to be performed. The prefixLength value is the number of unmasked leading bits in the specified ipaddress value. The prefixLength value can be in the range 0 - 32 for IPv4 addresses and 0 - 128 for IPv6 addresses. An IP packet matches this condition if its destination address unmasked bits are identical to the defined unmasked bits.
ipaddress-ipaddress
A range of IP addresses indicating applicable destination addresses that can be contained in an IP packet for this rule's action to be performed.
All
Indicates that any destination IPv4 address can be contained in an IP packet for this rule's action to be performed. All and All4 are interchangeable values.
All4
Indicates that any destination IPv4 address can be contained in an IP packet for this rule’s action to be performed.
All6
Indicates that any destination IPv6 address can be contained in an IP packet for this rule’s action to be performed.
IpDestAddrRef
The name of a globally defined IpAddr statement to be used for the destination IP address specification.
IpDestAddrSetRef
The name of a globally defined IpAddrSet statement to be used for the destination IP address prefix or range specification.
IpDestAddrGroupRef
The name of a globally defined IpAddrGroup statement to be used for the destination IP address specification.
IpTimeCondition
An inline specification of an IpTimeCondition statement. There is a limit of 25 IpTimeCondition specifications and references on the IpFilterRule statement.
RemoteIdentity
An inline specification of a RemoteIdentity statement. If specified, the RemoteIdentity value limits traffic that matches this filter rule. Only IPSec traffic for which the remote IKE identity matches or is contained by the RemoteIdentity matches this filter rule.
Rules:
  • You can specify the RemoteIdentity parameter only for filter rules that reference an IpDynVpnAction statement.
  • This parameter requires a remote activation so that the user's identity and location become known.
  • Because local activations are not valid, you cannot specify the RemoteIdentity parameter for filter rules that reference an IpLocalStartAction statement.

Tip: Specify the RemoteIdentity for mobile users whose IKE identity is known but whose IP address is unknown or unpredictable.

Guideline: When you create an IpFilterRule and you specify RemoteIdentity, specify FilterByIdentity Yes on the KeyExchangeAction statement for the corresponding KeyExchangeRule statement. When you create an IPSec IpFilterRule without a RemoteIdentity, specify FilterByIdentity No on the KeyExchangeAction statement for the corresponding KeyExchangeRule statement.

Restriction: This parameter, as well as the RemoteIdentityRef parameter, is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.

RemoteIdentityRef
The name of a globally defined RemoteIdentity statement.
IpTimeConditionRef
The name of a globally defined IpTimeCondition statement. There is a limit of 25 IpTimeCondition specifications and references on the IpFilterRule statement.
IpService
An inline specification of an IpService statement.
IpServiceRef
The name of a globally defined IpService statement.
IpServiceGroupRef
The name of a globally defined IpServiceGroup statement.
IpGenericFilterActionRef
The name of a globally defined IpGenericFilterAction statement.
IpManVpnActionRef
The name of a globally defined IpManVpnAction statement.

Rule: If a manual tunnel is to be used to provide IPSec protection of the data, an IpManVpnAction reference is needed in addition to the IpGenericFilterAction reference. The IpGenericFilterAction reference must specify an IpFilterAction value of IpSec.

IpDynVpnActionRef
The name of a globally defined IpDynVpnAction statement.

Rule: If a dynamic tunnel is to be used to provide IPSec protection, an IpDynVpnAction reference is needed in addition to the IpGenericFilterAction reference. The IpGenericFilterAction reference must specify an IpFilterAction value of IpSec.

IpLocalStartActionRef
The name of a globally defined IpLocalStartAction statement.

Requirement: An IpLocalStartAction statement can be specified only in conjunction with an IpDynVpnAction statement. The IpLocalStartAction statement is required if the dynamic VPN is not a host-to-host configuration and is locally activated.

Results:
  • If the IpSourceAddrGroupRef, IpDestAddrGroupRef, or IpServiceGroupRef statement is specified, multiple filters might be generated. If more than one inline or referenced IpService statement is specified, multiple filters might be generated. If the associated IpService is bidirectional, then multiple filters are generated. In this case, the base name has a number appended to uniquely identify the generated filters.
  • On an ipsec -f display -n IpFilterRuleName command, all IP filter rules with a base name matching the IpFilterRuleName value are displayed.

Guideline: The IP address of a remote system, represented by a filter rule's destination address specification, is always a public address when the peer is behind a NAT device. The NAT device uses the private IP address of the peer to choose a public address and replaces it in the IP header. If the peer system is behind a security gateway that is behind a NAT device, the NAT device uses the private IP address of the gateway to choose a public address because the gateway first encapsulates the peer packet in a packet with the private address of the gateway.

Rules:
  • Filter rules that reference an IpManVpnAction or IpDynVpnAction statement must have a direction of bidirectional specified in the IpService statement.
  • All IpFilterRule statement addresses must be in the same address family (IPv4 or IPv6).
  • For any IpFilterRule statement, all of its associated actions and the associated IP addresses must be in the same address family (IPv4 or IPv6).
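The constraints this reference states for one IpFilterRule (the name format, the prefixLength ranges, one address family per rule, RemoteIdentity only with IpDynVpnActionRef and never with IpLocalStartActionRef, IpLocalStartActionRef only with IpDynVpnActionRef) can be checked before a policy file is handed to Policy Agent. The checker below is an added example, not IBM code: the sample rule text, the reference names (svc-https, act-ipsec, dyn-branch, start-branch) and the one-parameter-per-line, references-only layout are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample rule (not from the IBM reference). The checker assumes one
# "Parameter value" pair per line and reference-style parameters, no inline blocks.
RULE_OK = """IpFilterRule branch-https
{
  IpSourceAddr 10.1.1.0/24
  IpDestAddr 192.0.2.10-192.0.2.20
  IpServiceRef svc-https
  IpGenericFilterActionRef act-ipsec
  IpDynVpnActionRef dyn-branch
  IpLocalStartActionRef start-branch
}"""

def addr_families(spec):
    """Return the set of IP versions used by an IpSourceAddr/IpDestAddr value."""
    if spec in ("All", "All4", "All6"):
        return {6} if spec == "All6" else {4}
    if "/" in spec:  # ip_network rejects prefixLength outside 0-32 (IPv4) or 0-128 (IPv6)
        return {ipaddress.ip_network(spec, strict=False).version}
    return {ipaddress.ip_address(a).version for a in spec.split("-", 1)}

def check_rule(text):
    """Apply the constraints stated for IpFilterRule; return (name, list of problems)."""
    m = re.search(r"IpFilterRule\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no IpFilterRule block found")
    name, body = m.groups()
    params = [ln.strip().partition(" ") for ln in body.splitlines() if ln.strip()]
    keys = {k for k, _, _ in params}
    problems, families = [], set()
    if not 1 <= len(name) <= 32 or name.startswith("-") or "," in name:
        problems.append("name: 1-32 characters, no leading '-' and no ','")
    for k, _, v in params:
        if k in ("IpSourceAddr", "IpDestAddr"):
            try:
                families |= addr_families(v.strip())
            except ValueError as err:
                problems.append(f"{k}: {err}")
    if len(families) > 1:
        problems.append("all addresses must be in one address family (IPv4 or IPv6)")
    if "IpLocalStartActionRef" in keys and "IpDynVpnActionRef" not in keys:
        problems.append("IpLocalStartActionRef requires IpDynVpnActionRef")
    if keys & {"RemoteIdentity", "RemoteIdentityRef"}:
        if "IpDynVpnActionRef" not in keys:
            problems.append("RemoteIdentity is valid only with IpDynVpnActionRef")
        if "IpLocalStartActionRef" in keys:
            problems.append("RemoteIdentity cannot be combined with IpLocalStartActionRef")
    return name, problems
```

check_rule(RULE_OK) returns ("branch-https", []); a rule mixing an IPv4 source with an IPv6 destination, or pairing RemoteIdentityRef with IpLocalStartActionRef, returns one problem string per violated rule.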