It can sometimes be useful to control not only what functionality is enabled, but also when that functionality can be used.
For instance, an enterprise might require that web traffic from a certain department is only allowed Internet access during normal office hours. Another example might be that authentication using a specific VPN connection is only permitted on weekdays.
cOS Core addresses this time-based requirement using either of the following types of configuration objects:
Schedule Profile objects - These provide a simple scheduling capability.
Advanced Schedule Profile objects - These provide more advanced scheduling.
Either of these object types can be created and then assigned to the Schedule property of many different types of configuration objects, including IP rule set entries, traffic shaping rules, IDP rules and routing rules. The assigned schedule then determines when the object is enabled and when it is disabled.
Important: The system date and time should be correct
Schedules depend on an accurate system date and time, so it is important that this is set correctly. This can also be important for some other cOS Core features such as certificate usage with VPN tunnels. It is recommended that the automatic time synchronization feature in cOS Core is enabled to ensure the system time is set correctly. This is discussed further in Section 2.2, System Date and Time.
A Schedule Profile object has the following properties:
Name
The name of the schedule. This is used in user interface display and as a reference to the schedule from other objects.
Scheduled Times
These are the times during each week when the schedule is applied. Times are specified to the nearest hour. A schedule is either active or inactive during each hour of each day of a week.
Start Date
If this option is used, it is the date after which this schedule object becomes active. If not specified, the schedule will apply as soon as it is assigned to an object.
End Date
If this option is used, it is the date after which this schedule object is no longer active. If not specified, there will be no end date for the schedule.
Example 3.50. Setting up a Schedule Profile with an IP Policy
This example creates a Schedule Profile object for office hours (08:00 to 17:00) on weekdays and uses it with a NATing IP Policy that allows HTTP and HTTPS traffic to flow from internal clients to the Internet. The schedule will begin to apply on the 24th of December, 2021 so the IP policy will not be active before that date.
Command-Line Interface
Device:/> add ScheduleProfile my_basic_schedule
        Mon=8-17 Tue=8-17 Wed=8-17 Thu=8-17 Fri=8-17
        StartDate=2021-12-24
Create the IP policy that uses this schedule:
Device:/> add IPPolicy Name=my_client_access_policy
        SourceInterface=lan
        SourceNetwork=lan_net
        DestinationInterface=any
        DestinationNetwork=all-nets
        Service=http-all
        Action=Allow
        SourceAddressTranslation=NAT
        NATSourceAddressAction=OutgoingInterfaceIP
        Schedule=my_basic_schedule
InControl
Follow similar steps to those used for the Web Interface below.
Web Interface
Create the IP policy that uses this schedule:
An Advanced Schedule Profile object provides the ability to create a more complex schedule than the Schedule Profile object. For example, the Advanced Schedule Profile makes it possible to chain together multiple days without interruptions. It also allows schedules to be constructed based on months rather than just days of the week.
The Advanced Schedule Profile has no other properties apart from the Name and Comments properties. The Advanced Schedule Occurrence objects added as children have the following properties:
Start Time
Start time specified in hours and minutes during the day when the occurrence begins.
End Time
End time specified in hours and minutes during the day when the occurrence ends. This must be specified.
Occurrence
The type of occurrence. This can be set to Weekly (the default) or Monthly.
Weekly
If the Occurrence property is set to Weekly, this property is set to the days in the week when the occurrence will apply.
Monthly
If the Occurrence property is set to Monthly, this property is set to the months in the year when the occurrence will apply.
Example 3.51. Setting up an Advanced Schedule Profile with an IP Policy
This example creates an Advanced Schedule Profile object that is used with a NATing IP Policy that allows HTTP and HTTPS traffic to flow from internal clients to the Internet from 7:15 to 17:45 on Monday to Friday and from 11:30 to 16:15 on Saturday and Sunday.
Command-Line Interface
Device:/> add AdvancedScheduleProfile my_adv_schedule
Device:/> cc AdvancedScheduleProfile my_adv_schedule
Device:/my_adv_schedule> add AdvancedScheduleOccurence StartTime=7:15 EndTime=17:45 Occurrence=Weekly Weekly=1-5
Add the second occurrence:
Device:/my_adv_schedule> add AdvancedScheduleOccurence StartTime=11:30 EndTime=16:15 Occurrence=Weekly Weekly=6-7
Device:/my_adv_schedule> cc
Create the IP policy that uses this schedule:
Device:/> add IPPolicy Name=http_during_office_hour
        SourceInterface=lan
        SourceNetwork=lan_net
        DestinationInterface=any
        DestinationNetwork=all-nets
        Service=http-all
        Action=Allow
        SourceAddressTranslation=NAT
        NATSourceAddressAction=OutgoingInterfaceIP
        Schedule=my_adv_schedule
InControl
Follow similar steps to those used for the Web Interface below.
Web Interface
Add the second occurrence:
Create the IP policy that uses this schedule:
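Added example (not part of the cOS Core documentation): a Python model of the schedules from Examples 3.50 and 3.51, for auditing how long a scheduled rule is open each week and for seeing how a wrong device clock shifts the allowed window. It assumes that Mon=8-17 means 08:00 up to but not including 17:00 and that StartDate is inclusive; all function and variable names are hypothetical.

```python
from datetime import date, datetime, time, timedelta

# Constructed models of the two example schedules (not cOS Core code).
# Assumption: Mon=8-17 covers 08:00 up to, but not including, 17:00.
BASIC = {"hours": {day: range(8, 17) for day in range(5)},  # Mon..Fri
         "start_date": date(2021, 12, 24),  # assumed inclusive
         "end_date": None}
# Weekly=1-5 is Monday..Friday and Weekly=6-7 is Saturday..Sunday.
ADVANCED = [
    {"start": time(7, 15), "end": time(17, 45), "days": {1, 2, 3, 4, 5}},
    {"start": time(11, 30), "end": time(16, 15), "days": {6, 7}},
]


def basic_active(now, profile=BASIC):
    """Hour-granular weekly slots, bounded by optional start/end dates."""
    if profile["start_date"] and now.date() < profile["start_date"]:
        return False
    if profile["end_date"] and now.date() > profile["end_date"]:
        return False
    return now.hour in profile["hours"].get(now.weekday(), ())


def advanced_active(now, occurrences=ADVANCED):
    """Minute-granular occurrences; active if any occurrence matches."""
    return any(now.isoweekday() in o["days"]
               and o["start"] <= now.time() < o["end"]
               for o in occurrences)


def weekly_open_minutes(is_active, monday):
    """Count the minutes of the week starting at `monday` with the rule enabled."""
    start = datetime.combine(monday, time(0, 0))
    return sum(is_active(start + timedelta(minutes=m))
               for m in range(7 * 24 * 60))


def open_due_to_skew(is_active, real_time, device_offset):
    """True if a device clock off by `device_offset` enables the rule
    at a moment when the real time falls outside the schedule."""
    return is_active(real_time + device_offset) and not is_active(real_time)


if __name__ == "__main__":
    print(weekly_open_minutes(basic_active, date(2021, 12, 27)))
    print(weekly_open_minutes(advanced_active, date(2021, 12, 27)))
    friday_1720 = datetime(2021, 12, 31, 17, 20)  # constructed sample time
    print(open_due_to_skew(basic_active, friday_1720, timedelta(minutes=-30)))
```

The last call models a device clock running 30 minutes slow: at a real time of 17:20 the device still believes it is 16:50 and keeps the office-hours policy enabled.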
Closing Existing Connections Related To Scheduled IP Rule Set Entries
A question that can arise is how to close existing connections when an IP rule set entry prevents specific connections opening according to a schedule. For example, an IP Policy might prevent connections to particular resources at certain times of the day or week. However, there may be existing connections that were established before the schedule triggered. This scenario is discussed in an article in the Clavister Knowledge Base at the following link: