Fortinet Document Library

CLI Reference 6.0.0
firewall {acl | acl6}

Use this command to create/configure access control lists for IPv4 and IPv6 addresses.

Use firewall acl for IPv4 access control lists.

Use firewall acl6 for IPv6 access control lists.

config firewall acl
    edit {policyid}
    # Configure IPv4 access control list.
        set policyid {integer}   Policy ID. range[0-9999]
        set status {enable | disable}   Enable/disable access control list status.
        set comments {string}   Comment. size[1023]
        set interface {string}   Interface name. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr
            edit {name}
            # Source address name.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config dstaddr
            edit {name}
            # Destination address name.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config service
            edit {name}
            # Service name.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
    next
end
config firewall acl6
    edit {policyid}
    # Configure IPv6 access control list.
        set policyid {integer}   Policy ID. range[0-9999]
        set status {enable | disable}   Enable/disable access control list status.
        set comments {string}   Comment. size[1023]
        set interface {string}   Interface name. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr
            edit {name}
            # Source address name.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config dstaddr
            edit {name}
            # Destination address name.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config service
            edit {name}
            # Service name.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
    next
end
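A worked IPv4 entry, added here as an example (it is not from the Fortinet page and not Fortinet code). The script keeps the range, size and datasource constraints printed in the schema above, checks a proposed entry against them and against the objects assumed to exist on the unit, and renders the CLI text. The interface name wan1, the address group RFC1918-all, and the address and service names in the inventory are assumptions. The entry models the common use of an ACL, dropping packets that arrive on the WAN interface with a private source address; note that the schema has no action attribute, because FortiOS applies an ACL as a drop list on the ingress interface, so an entry only describes what to match.

```python
"""Build, validate and render a FortiOS ``config firewall acl`` entry.

Added example for this page, not Fortinet code. All interface, address,
address-group and service names below are constructed; on a real unit the
srcaddr/dstaddr/service names must already exist as the objects named in
the schema's datasource annotations.
"""
from dataclasses import dataclass, field
from typing import List, Set

# Limits copied from the schema on this page.
POLICYID_MAX = 9999   # range[0-9999]; policyid 0 means "edit 0": the unit assigns the next free ID
NAME_MAX = 64         # srcaddr/dstaddr/service name size[64]
COMMENT_MAX = 1023    # comments size[1023]
INTERFACE_MAX = 35    # interface size[35]

@dataclass
class AclEntry:
    policyid: int
    interface: str
    srcaddr: List[str]
    dstaddr: List[str]
    service: List[str]
    status: str = "enable"
    comments: str = ""
    ipv6: bool = False  # True renders "config firewall acl6"

@dataclass
class Inventory:
    """Object names assumed to exist on the unit, one set per datasource."""
    interfaces: Set[str] = field(default_factory=set)  # system.interface
    zones: Set[str] = field(default_factory=set)       # system.zone
    addresses: Set[str] = field(default_factory=set)   # firewall.address / address6
    addrgrps: Set[str] = field(default_factory=set)    # firewall.addrgrp / addrgrp6
    services: Set[str] = field(default_factory=set)    # firewall.service.custom
    svcgroups: Set[str] = field(default_factory=set)   # firewall.service.group

def validate(acl: AclEntry, inv: Inventory) -> List[str]:
    """Return range/size violations and dangling references; empty means OK."""
    problems = []
    if not 0 <= acl.policyid <= POLICYID_MAX:
        problems.append(f"policyid {acl.policyid} outside range[0-{POLICYID_MAX}]")
    if acl.status not in ("enable", "disable"):
        problems.append(f"status must be enable or disable, got {acl.status!r}")
    if len(acl.comments) > COMMENT_MAX:
        problems.append(f"comments longer than size[{COMMENT_MAX}]")
    if len(acl.interface) > INTERFACE_MAX:
        problems.append(f"interface name longer than size[{INTERFACE_MAX}]")
    if acl.interface not in inv.interfaces | inv.zones:
        problems.append(f"interface {acl.interface!r} is neither a system.interface nor a system.zone")
    known_addr = inv.addresses | inv.addrgrps
    known_svc = inv.services | inv.svcgroups
    for sub, names, known in (("srcaddr", acl.srcaddr, known_addr),
                              ("dstaddr", acl.dstaddr, known_addr),
                              ("service", acl.service, known_svc)):
        if not names:
            problems.append(f"{sub} is empty")
        for name in names:
            if len(name) > NAME_MAX:
                problems.append(f"{sub} name {name!r} longer than size[{NAME_MAX}]")
            if name not in known:
                problems.append(f"{sub} references unknown object {name!r}")
    return problems

def _q(value: str) -> str:
    """Double-quote a value the way the FortiOS CLI prints it."""
    return '"' + value.replace('"', '\\"') + '"'

def render(acl: AclEntry) -> str:
    """Render the entry as CLI text that can be pasted into the console."""
    table = "firewall acl6" if acl.ipv6 else "firewall acl"
    out = [f"config {table}", f"    edit {acl.policyid}",
           f"        set status {acl.status}"]
    if acl.comments:
        out.append(f"        set comments {_q(acl.comments)}")
    out.append(f"        set interface {_q(acl.interface)}")
    for sub, names in (("srcaddr", acl.srcaddr), ("dstaddr", acl.dstaddr),
                       ("service", acl.service)):
        out.append(f"        config {sub}")
        for name in names:  # each member is its own edit/next pair
            out += [f"            edit {_q(name)}", "            next"]
        out.append("        end")
    out += ["    next", "end"]
    return "\n".join(out)

# Constructed inventory for the sample unit.
SAMPLE_INVENTORY = Inventory(
    interfaces={"wan1", "port1"},
    addresses={"all", "net-10.0.0.0-8", "net-172.16.0.0-12", "net-192.168.0.0-16"},
    addrgrps={"RFC1918-all"},
    services={"ALL", "HTTPS"},
)

# Anti-spoofing entry: packets arriving on the WAN side with a private source address.
SPOOF_GUARD = AclEntry(
    policyid=1, interface="wan1",
    srcaddr=["RFC1918-all"], dstaddr=["all"], service=["ALL"],
    comments="Drop spoofed RFC1918 sources arriving on wan1",
)
```

Run validate before render: a name that is not in the inventory is exactly the kind of dangling reference the CLI rejects when the datasource lookup fails. Rendering with policyid 0 produces `edit 0`, which, as described under Managing objects below, makes the unit assign the next free ID.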

Additional information

The following section is for those options that require additional explanation.

Managing objects

Commands such as this one center on the management of configuration objects: discrete, named chunks of settings that other processes within the software reference. Because the object is referenced rather than copied, changing its settings changes the behaviour everywhere it is used. In reality an object is a row of values in a table in the software, but it is simpler to think of it as self-contained.

The configuration of settings within the individual objects is the most common activity in the configuration process, but there is also a need to manage the objects as a whole and there are some commands that are used for that purpose.

Depending on which configuration command you are using these are some of the object management commands that will be available to you (not all options will be available for all objects):

edit

This command is used to select or create an individual object for the purpose of configuring or editing setting values.

Some objects use a string of characters and others use an ID number, where the number is an integer. To know which identification type is being used, check the listing of options above. If the option refers to a variable with ID in the name or the value type is designated as "{ integer }", it uses an ID number. If the variable used is along the lines of "{ name }" or the value type is designated as "{ string }", it will have a name that you can enter.

{ string }

To get a list of all of the existing objects, type the command:

edit ?

 

If you are creating a new object, just type the name you wish to use after the edit command. If there are spaces in the name, enclose it in quotation marks.

{ integer } or ID #

When creating a new object with an ID #, you can use the command:

edit 0

 

The system will automatically give the new object an ID # of the next available number.

delete

This command is used to delete an existing object.

delete <object name> or <object ID #>

 

  • For objects keyed by name, the name can be a string of up to 64 characters. ACL entries are keyed by policyid, so for this command use delete <policyid>.
purge

Used to delete all existing objects of this type. It deletes every row of the table that holds these objects within the VDOM.

  • There are no options, parameters or qualifiers. Just press Enter after entering the command.
  • This command has a serious impact. Use cautiously.
move

Some objects, usually policies or objects similar in function, are processed sequentially, so their order is important. The move command is used to change the position of one of these objects relative to another. The syntax for this command is:

move <id#> [before|after] <id#>

 

The command is essentially a sentence stating: move one object before or after another.

rename

Used to change the name of the object.

rename <name of object> to <new name of object>

show

This command will show the non-default contents of all the objects of this type. IPv4 and IPv6 versions of the type are treated separately.

The command show full-configuration will give you an output of all the current settings regardless of whether the values are default or not.
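To review what a unit already has, parse the show output rather than reading it by eye. The example below is added here and is not Fortinet code: a small parser for the nested config/edit/set/next/end text the CLI prints, followed by an audit pass over the firewall acl table that flags disabled entries and entries whose srcaddr, dstaddr and service are all, all and ALL (such an entry matches every packet entering its interface). The sample show output, including the policy IDs and the names wan1, port1 and RFC1918-all, is constructed.

```python
"""Parse ``show firewall acl`` output and audit the entries.

Added example for this page, not Fortinet code. SAMPLE_SHOW is constructed
to look like the nested config/edit/set/next/end text the CLI prints; the
policy IDs, interface and object names in it are assumptions.
"""
import shlex
from typing import Dict, List, Tuple

SAMPLE_SHOW = """\
config firewall acl
    edit 1
        set comments "Drop spoofed RFC1918 sources arriving on wan1"
        set interface "wan1"
        config srcaddr
            edit "RFC1918-all"
            next
        end
        config dstaddr
            edit "all"
            next
        end
        config service
            edit "ALL"
            next
        end
    next
    edit 7
        set status disable
        set interface "port1"
        config srcaddr
            edit "all"
            next
        end
        config dstaddr
            edit "all"
            next
        end
        config service
            edit "ALL"
            next
        end
    next
end
"""

def parse_config(text: str) -> Dict:
    """Tables (config ... end) map entry IDs to entries; entries (edit ... next) map attributes to values."""
    lines = [shlex.split(ln) for ln in text.splitlines() if ln.strip()]
    pos = 0

    def table() -> Dict:
        nonlocal pos
        entries = {}
        while pos < len(lines):
            tok = lines[pos]
            pos += 1
            if tok[0] == "end":
                return entries
            if tok[0] != "edit":
                raise ValueError(f"expected edit or end, got {tok}")
            entries[tok[1]] = entry()
        raise ValueError("table not closed with end")

    def entry() -> Dict:
        nonlocal pos
        attrs = {}
        while pos < len(lines):
            tok = lines[pos]
            pos += 1
            if tok[0] == "next":
                return attrs
            if tok[0] == "set":        # single value or a list of values
                attrs[tok[1]] = tok[2] if len(tok) == 3 else tok[2:]
            elif tok[0] == "config":   # nested table such as srcaddr
                attrs[tok[1]] = table()
            else:
                raise ValueError(f"expected set, config or next, got {tok}")
        raise ValueError("entry not closed with next")

    result = {}
    while pos < len(lines):
        tok = lines[pos]
        pos += 1
        if tok[0] != "config":
            raise ValueError(f"expected config, got {tok}")
        result[" ".join(tok[1:])] = table()   # e.g. "firewall acl"
    return result

def audit(acls: Dict[str, Dict]) -> List[Tuple[int, str]]:
    """Flag ACL entries a reviewer should look at, ordered by policy ID."""
    findings = []
    for pid, e in sorted(acls.items(), key=lambda kv: int(kv[0])):
        if e.get("status") == "disable":
            findings.append((int(pid), "entry is disabled and has no effect"))
        if ("all" in e.get("srcaddr", {}) and "all" in e.get("dstaddr", {})
                and "ALL" in e.get("service", {})):
            findings.append((int(pid), f"matches every packet entering {e.get('interface')}"))
    return findings
```

Because plain show omits default values, an enabled entry has no status attribute after parsing; feed the parser show full-configuration output if you want every attribute present. The same parser handles the firewall acl6 table, since the text format is identical.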

dstaddr

This value will be chosen from an existing list of address objects that have already been configured. Information on creating a new address through the CLI can be found at firewall {address | address6}

interface

This value will be chosen from an existing list of the device's interfaces or zones.

service

This value will be chosen from an existing list of service objects that have already been configured. Information on creating a new service through the CLI can be found at firewall service custom

srcaddr

This value will be chosen from an existing list of address objects that have already been configured. Information on creating a new address through the CLI can be found at firewall {address | address6}
