H3C MSR Series Command Reference Manual page 991

Comware 7 security

app-group app-group-name: Specifies an application group by its name, a case-insensitive string of 1 to 63 characters. The invalid and other application groups are not supported.
counting: Enables match counting for the rule in an IPv6 object policy. By default, rule match counting is disabled.
disable: Disables the IPv6 object policy rule.
logging: Logs the packets that match the rule.
time-range time-range-name: Specifies the rule effective time range by its name, a case-insensitive string of 1 to 32 characters. If you configure a rule without setting the effective time period, the system creates the rule and prompts you to configure the time period. The rule takes effect after you set the time period. For more information about time range configuration, see ACL and QoS Configuration Guide.
Usage guidelines
If the specified rule ID does not exist, this command creates a rule. Otherwise, this command changes the configuration of the specified rule.
The rule matches all IPv6 packets if no criteria are specified.
If you specify a nonexistent object group in a rule, the command creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.
If you do not specify any options in the undo rule command, the command deletes the entire rule. Otherwise, the command deletes only the specified part of the rule statement.
You cannot delete a nonexistent rule. You can use the display object-policy ipv6 command to display rules in an IPv6 object policy.
To use applications or application groups in an object policy, use only PBAR-classified applications. NBAR-classified applications cannot match any packets. For more information about PBAR and NBAR, see Security Configuration Guide.
Examples
# Configure a rule to allow packets that match source IPv6 address object group sourceip1 to pass through during time range time1.
<Sysname> system-view
[Sysname] object-policy ipv6 permit
[Sysname-object-policy-ipv6-permit] rule pass source-ip sourceip1 logging time-range time1
# Configure a rule to apply DPI application profile profile1 to packets that match source IPv6 address object group sourceip1.
<Sysname> system-view
[Sysname] object-policy ipv6 dpiproc
[Sysname-object-policy-ipv6-dpiproc] rule inspect profile1 source-ip sourceip1 logging
# Configure a rule to permit packets that match application aaa.
<Sysname> system-view
[Sysname] object-policy ipv6 dpiproc
[Sysname-object-policy-ipv6-dpiproc] rule pass application aaa
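The usage guidelines above describe rule states that are easy to miss in review: a rule with no criteria, a rule whose object group is empty, and a rule whose time range is not set. The following Python is an added example, not part of the H3C manual; it parses rule lines using only the keywords shown on this page and reports those cases. Assumptions: an optional numeric rule ID may follow the rule keyword, the sets of non-empty object groups and configured time ranges are collected separately, and a time-range name with no definition is treated as the time period not being set; parse_rule, audit and SAMPLE_RULES are names chosen here.

```python
VALUE_KEYS = {"source-ip", "application", "app-group", "time-range"}  # keyword + name
FLAG_KEYS = {"counting", "disable", "logging"}                        # bare keywords

def parse_rule(line):
    """Split one `rule` line into (action, named options, flags)."""
    tok, opts, flags = line.split(), {}, set()
    try:
        if tok[0] != "rule":
            raise ValueError(f"not a rule line: {line!r}")
        i = 2 if tok[1].isdigit() else 1     # assumption: optional numeric rule ID
        action, i = tok[i], i + 1
        if action == "inspect":              # inspect is followed by the profile name
            action, i = f"inspect {tok[i]}", i + 1
        while i < len(tok):
            if tok[i] in VALUE_KEYS:         # assumption: all names compare lowercase
                opts.setdefault(tok[i], []).append(tok[i + 1].lower())
                i += 2
            elif tok[i] in FLAG_KEYS:
                flags.add(tok[i])
                i += 1
            else:
                raise ValueError(f"keyword outside this example: {tok[i]}")
    except IndexError:
        raise ValueError(f"truncated rule line: {line!r}") from None
    return action, opts, flags

def audit(rule_lines, nonempty_groups, time_ranges):
    """Return (rule line, finding) pairs for the usage-guideline cases."""
    groups = {g.lower() for g in nonempty_groups}
    ranges = {t.lower() for t in time_ranges}
    out = []
    for line in rule_lines:
        action, opts, flags = parse_rule(line)
        if "disable" in flags:
            out.append((line, "rule is disabled"))
        if not opts.keys() - {"time-range"}:
            out.append((line, f"no criteria: {action} applies to all IPv6 packets"))
        out += [(line, f"object group {g} is empty: rule matches no packets")
                for g in opts.get("source-ip", []) if g not in groups]
        out += [(line, f"app-group {g} is not supported")
                for g in opts.get("app-group", []) if g in ("invalid", "other")]
        out += [(line, f"time range {t} not set: rule not yet in effect")
                for t in opts.get("time-range", []) if t not in ranges]
    return out

SAMPLE_RULES = [  # constructed, apart from the first three (the page's examples)
    "rule pass source-ip sourceip1 logging time-range time1",
    "rule inspect profile1 source-ip sourceip1 logging", "rule pass application aaa",
    "rule 10 pass logging", "rule 11 pass source-ip typo1 time-range nights",
    "rule 12 pass app-group other disable"]
```

Calling audit(SAMPLE_RULES, {"sourceip1"}, {"time1"}) returns no findings for the three examples from this page and five findings for the constructed rules 10 to 12.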
Related commands
app-profile (DPI Command Reference)
display object-policy ipv6
move rule
object-policy ipv6