Fabric-Wide Distribution Of The Authorization Policy; Ip Filter Policy - HP StoreFabric SN6500B Administrator's Manual

Starting FCAP authentication
1. Log in to the switch using an account with admin permissions, or an account with OM
2. Enter the authUtil --authinit command to start the authentication using the newly imported
3. Enter the authUtil --policy
NOTE
This authentication-policy change does not affect online EX_Ports.

Fabric-wide distribution of the authorization policy

The AUTH policy can be manually distributed to the fabric by command; there is no support for
automatic distribution. To distribute the AUTH policy, see
page 227 for instructions.
Local Switch configuration parameters are needed to control whether a switch accepts or rejects
distributions of the AUTH policy using the distribute command and whether the switch may initiate
distribution of the policy. To set the local switch configuration parameter, refer to
distribution"
NOTE
This is not supported for Access Gateway mode.

IP Filter policy

The IP Filter policy is a set of rules applied to the IP management interfaces as a packet filtering
firewall. The firewall permits or denies the traffic to go through the IP management interfaces
according to the policy rules.
Fabric OS supports multiple IP Filter policies to be defined at the same time. Each IP Filter policy is
identified by a name and has an associated type. Two IP Filter policy types, IPv4 and IPv6, exist to
provide separate packet filtering for IPv4 and IPv6. It is not allowed to specify an IPv6 address in
the IPv4 filter, or specify an IPv4 address in the IPv6 filter. There can be up to six different IP Filter
policies defined for both types. Only one IP Filter policy for each IP type can be activated on the
affected management IP interfaces.
Audit messages will be generated for any changes to the IP Filter policies.
The rules in the IP Filter policy are examined one at a time until the end of the list of rules. For
performance reasons, the most commonly used rules should be specified at the top.
On a chassis system, changes to persistent IP Filter policies are automatically synchronized to the
standby CP when the changes are saved persistently on the active CP. The standby CP will enforce
the filter policies to its management interface after policies are synchronized with the active CP.
Fabric OS Administrator's Guide
53-1002745-02
permissions for the Authentication RBAC class of commands.
certificates. (This command is not supported in Access Gateway mode.)
makes the changes permanent and forces the switch to request authentication. (For Access
Gateway mode, the defaults for sw policy and dev policy are off, and there is no passive option
for sw policy.)
on page 224.
sw command and select active or on, the default is passive. This
-

IP Filter policy

"Distributing the local ACL policies"
"Policy database
7
on
217