Description
An IP Rule Folder can be used to group IP Rules into logical groups for better overview and simplified management.
Properties
- Index
- The index of the object, starting at 1. (Identifier)
- Name
- Specifies the name of the folder.
- Attribute
- Special Attribute of the current object. (Optional)
- Comments
- Text describing the current object. (Optional)
Note: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
Description
Multiplex Static Address Translation. The Multicast rule is used to achieve duplication and forwarding of packets through more than one interface.
Properties
- Index
- The index of the object, starting at 1. (Identifier)
- Name
- Specifies a symbolic name for the policy.
- RequireIGMP
- Multicast traffic must have been requested using IGMP before it is forwarded. (Default: Yes)
- MultiplexArgument
- Specifies how the traffic should be forwarded and translated.
- MultiplexAllToOne
- Rewrite all destination IPs to a single IP. (Default: No)
- SourceInterface
- Specifies the name of the receiving interface to be compared to the received packet.
- DestinationInterface
- Specifies the destination interface to be compared to the received packet.
- SourceNetwork
- Specifies the sender span of IP addresses to be compared to the received packet.
- DestinationNetwork
- Specifies the span of IP addresses to be compared to the destination IP of the received packet.
- SourceUserGroup
- Specifies the User Group object, with username or group, that the source must be a part of. (Optional)
- DestinationUserGroup
- Specifies the User Group object, with username or group, that the destination must be a part of. (Optional)
- Service
- Specifies a service that will be used as a filter parameter when matching traffic with this rule. Changing the service to a service with a protocol set will reveal additional configuration options, e.g. FTP, PPTP, TLS.
- Schedule
- By adding a schedule to a rule, the firewall will only allow that rule to trigger at those designated times. (Optional)
- Attribute
- Special Attribute of the current object. (Optional)
- SourceAddressTranslation
- Action to take on source address. (Default: None)
- NATSourceAddressAction
- Specify method to determine which sender address to use. (Default: OutgoingInterfaceIP)
- SATSourceAddressAction
- Specify method to determine which sender address to use.
- SourceNewIP
- Specifies which sender address will be used.
- SourceBaseIP
- Specifies base address for sender address.
- SourceNATPool
- Specifies NAT Pool to fetch sender address to be used.
- SourcePortAction
- Specify method to determine which port action to use. (Default: None)
- SourceNewSinglePort
- Translate to this port. (Optional)
- SourceBasePort
- Transpose using this port as base. (Optional)
- LogEnabled
- Enable logging. (Default: Yes)
- LogSeverity
- Specifies with what severity log events will be sent to the specified log receivers. (Default: Default)
- Comments
- Text describing the current object. (Optional)
Note: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
3.68.4. ReverseProxyPolicy
Description
Reverse Proxy Policy. The Reverse Proxy receives HTTP and HTTPS requests from outside networks and forwards them to the designated servers.
Properties
- Index
- The index of the object, starting at 1. (Identifier)
- Name
- Specifies a symbolic name for the policy.
- EnableACME
- Enables interception of ACME Challenges matching currently active challenges from the ACME Certificate Management. (Default: No)
- SourceInterface
- Specifies the name of the receiving interface to be compared to the received packet.
- DestinationInterface
- Specifies the destination interface to be compared to the received packet.
- SourceNetwork
- Specifies the sender span of IP addresses to be compared to the received packet.
- DestinationNetwork
- Specifies the span of IP addresses to be compared to the destination IP of the received packet.
- SourceUserGroup
- Specifies the User Group object, with username or group, that the source must be a part of. (Optional)
- DestinationUserGroup
- Specifies the User Group object, with username or group, that the destination must be a part of. (Optional)
- Service
- Specifies a service that will be used as a filter parameter when matching traffic with this rule. Changing the service to a service with a protocol set will reveal additional configuration options, e.g. FTP, PPTP, TLS.
- Schedule
- By adding a schedule to a rule, the firewall will only allow that rule to trigger at those designated times. (Optional)
- Attribute
- Special Attribute of the current object. (Optional)
- LogEnabled
- Enable logging. (Default: Yes)
- LogSeverity
- Specifies with what severity log events will be sent to the specified log receivers. (Default: Default)
- Comments
- Text describing the current object. (Optional)
Note: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
3.68.4.1. ReverseProxyProfileMap
Description
Maps a URL to a destination server IP or server name.
Properties
- HostName
- Host name or IP, example: www.example.com or 123.45.67.89.
- Protocol
- Allows the system to convert traffic from HTTPS to HTTP. (Default: Keep)
- ServerCertificate
- Specifies the certificate the firewall uses to authenticate itself when protocol conversion HTTPS_to_HTTP is used.
- ServerRootCertificates
- Specifies the root certificates that along with the server certificate build the chain of trust. (Optional)
- DestServer
- Specifies the address of the internal server (IP/address object).
- ServerPortRedirect
- Enables the possibility to redirect the destination port. (Default: None)
- PortRedirect
- Defines the new destination port. (Default: 80)
- Attribute
- Special Attribute of the current object. (Optional)
- Comments
- Text describing the current object. (Optional)
Note: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
Description
The URI filter is used to deny access to certain areas of sites using the blacklist action.
Properties
- Action
- Blacklist the matching URI filter. (Default: Blacklist)
- URIFilter
- Specifies the URI to blacklist. Wildcard '*' accepted in string.
- Behavior
- Behavior when matching.
- RedirectTo
- Specifies the URL to redirect requests to. Must begin with 'http://' or 'https://'. (Default: http://)
- Attribute
- Special Attribute of the current object. (Optional)
- Comments
- Text describing the current object. (Optional)
Note: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
Description
Server Load Balancing using Static Address Translation. Allows distribution of client requests over a number of servers.
Properties
- Index
- The index of the object, starting at 1. (Identifier)
- Name
- Specifies a symbolic name for the policy.
- SLBAddresses
- The IP addresses of the servers in the server farm.
- SLBServerFallback
- Server to use when all other servers are unreachable. (Optional)
- SLBStickiness
- Specifies stickiness mode. (Default: None)
- SLBIdleTimeOut
- New connections that arrive within the idle timeout are assigned to the same real server as previous connections from that address. The timeout is refreshed after each new connection. (Default: 30)
- SLBMaxSlots
- Specifies maximum number of slots for IP and network stickiness. (Default: 2048)
- SLBNetSize
- Specifies network size for network stickiness. (Default: 24)
- SLBNewPort
- Rewrite destination port to this port. (Optional)
- SLBMonitorRoutingTable
- Routing table used for server monitoring. (Default: main)
- SLBMonitorPing
- Enable monitoring using ICMP Ping packets. (Default: No)
- SLBPingPollingInterval
- Delay in milliseconds between each ping interval. (Default: 5000)
- SLBPingSamples
- Specifies the number of attempts to use for statistical calculations. (Default: 10)
- SLBPingMaxPollFails
- Specifies the maximum number of failed ping attempts before the host is considered unreachable. (Default: 2)
- SLBPingMaxAverageLatency
- Specifies the max average latency for the sample attempts. (Default: 800)
- SLBMonitorTCP
- Enable monitoring using TCP handshakes. (Default: No)
- SLBTCPPorts
- Specifies the ports that will be monitored.
- SLBTCPPollingInterval
- Delay in milliseconds between each TCP handshake. (Default: 10000)
- SLBTCPSamples
- Specifies the number of attempts to use for statistical calculations. (Default: 10)
- SLBTCPMaxPollFails
- Specifies the maximum number of failed TCP attempts before the host is considered unreachable. (Default: 2)
- SLBTCPMaxAverageLatency
- Specifies the max average latency for the sample attempts. (Default: 800)
- SLBMonitorHTTP
- Enable monitoring using HTTP requests. (Default: No)
- SLBHTTPPorts
- Specifies the ports that will be monitored. (Default: 80)
- SLBHTTPPollingInterval
- Delay in milliseconds between each monitor interval. (Default: 10000)
- SLBHTTPSamples
- Specifies the number of attempts to use for statistical calculations. (Default: 10)
- SLBHTTPMaxPollFails
- Specifies the maximum number of failed HTTP attempts before the host is considered unreachable. (Default: 2)
- SLBHTTPMaxAverageLatency
- Specifies the max average latency for the sample attempts. (Default: 800)
- SLBHTTPURLType
- Defines how the request URL should be interpreted. (Default: FQDN)
- SLBHTTPRequestURL
- Specifies the HTTP URL to monitor.
- SLBHTTPExpectedResponse
- Expected HTTP response. (Optional)
- SLBMonitorReset
- Reset active connections when the monitor fails. Uses additional resources to track all connections. (Default: No)
- SLBDistribution
- Specifies the algorithm used for the load distribution tasks. (Default: RoundRobin)
- SLBWindowTime
- Specifies the window time, counted in seconds back in time, over which the number of new connections is summarized for the connection-rate algorithm. (Default: 10)
- SLBServerId
- Server identifier (max 32 chars) used when uploading server state to firewall. Required with distribution method 'Resource-usage' or when using REST API to set servers in maintenance mode. (Optional)
- SyslogControl
- Syslog Protection. (Default: No)
- Syslog_Policy
- Selects preconfigured Syslog Profile.
- SourceInterface
- Specifies the name of the receiving interface to be compared to the received packet.
- DestinationInterface
- Specifies the destination interface to be compared to the received packet.
- SourceNetwork
- Specifies the sender span of IP addresses to be compared to the received packet.
- DestinationNetwork
- Specifies the span of IP addresses to be compared to the destination IP of the received packet.
- SourceUserGroup
- Specifies the User Group object, with username or group, that the source must be a part of. (Optional)
- DestinationUserGroup
- Specifies the User Group object, with username or group, that the destination must be a part of. (Optional)
- Service
- Specifies a service that will be used as a filter parameter when matching traffic with this rule. Changing the service to a service with a protocol set will reveal additional configuration options, e.g. FTP, PPTP, TLS.
- Schedule
- By adding a schedule to a rule, the firewall will only allow that rule to trigger at those designated times. (Optional)
- Attribute
- Special Attribute of the current object. (Optional)
- SourceAddressTranslation
- Action to take on source address. (Default: None)
- NATSourceAddressAction
- Specify method to determine which sender address to use. (Default: OutgoingInterfaceIP)
- SATSourceAddressAction
- Specify method to determine which sender address to use.
- SourceNewIP
- Specifies which sender address will be used.
- SourceBaseIP
- Specifies base address for sender address.
- SourceNATPool
- Specifies NAT Pool to fetch sender address to be used.
- SourcePortAction
- Specify method to determine which port action to use. (Default: None)
- SourceNewSinglePort
- Translate to this port. (Optional)
- SourceBasePort
- Transpose using this port as base. (Optional)
- LogEnabled
- Enable logging. (Default: Yes)
- LogSeverity
- Specifies with what severity log events will be sent to the specified log receivers. (Default: Default)
- Comments
- Text describing the current object. (Optional)
Note: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
Description
No state is kept between packets, which means it is less secure and slower than stateful forwarding.
Properties
- Index
- The index of the object, starting at 1. (Identifier)
- Name
- Specifies a symbolic name for the policy.
- Action
- Allow or Deny. (Default: Allow)
- Reject
- Drop the packet and respond with an ICMP error or TCP reset. (Default: No)
- SourceAddressTranslation
- Action to take on source address. (Default: None)
- SATSourceAddressAction
- Specify method to determine which sender address to use.
- SourceNewIP
- Specifies which sender address will be used.
- SourceBaseIP
- Specifies base address for sender address.
- SourcePortAction
- Specify method to determine which port action to use. (Default: None)
- SourceNewSinglePort
- Translate to this port. (Optional)
- SourceBasePort
- Transpose using this port as base. (Optional)
- DestAddressTranslation
- Action to take on destination address. (Default: None)
- DestAddressAction
- Specify method to determine which destination address to use.
- DestNewIP
- Specifies which destination address will be used.
- DestBaseIP
- Specifies base address for destination address.
- DestPortAction
- Specify method to determine which port action to use. (Default: None)
- DestNewSinglePort
- Translate to this port. (Optional)
- DestBasePort
- Transpose using this port as base. (Optional)
- SourceInterface
- Specifies the name of the receiving interface to be compared to the received packet.
- DestinationInterface
- Specifies the destination interface to be compared to the received packet.
- SourceNetwork
- Specifies the sender span of IP addresses to be compared to the received packet.
- DestinationNetwork
- Specifies the span of IP addresses to be compared to the destination IP of the received packet.
- SourceUserGroup
- Specifies the User Group object, with username or group, that the source must be a part of. (Optional)
- DestinationUserGroup
- Specifies the User Group object, with username or group, that the destination must be a part of. (Optional)
- Service
- Specifies a service that will be used as a filter parameter when matching traffic with this rule. Changing the service to a service with a protocol set will reveal additional configuration options, e.g. FTP, PPTP, TLS.
- Schedule
- By adding a schedule to a rule, the firewall will only allow that rule to trigger at those designated times. (Optional)
- Attribute
- Special Attribute of the current object. (Optional)
- LogEnabled
- Enable logging. (Default: Yes)
- LogSeverity
- Specifies with what severity log events will be sent to the specified log receivers. (Default: Default)
- Comments
- Text describing the current object. (Optional)
Note: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
Description
A return rule makes the IP rule scan resume from the goto rule that led to the current IP rule set. If there was no goto rule leading to the current IP rule set, the connection is dropped and rule scanning stops.
Properties
- Name
- Specifies a symbolic name for the rule. (Optional)
- Action
- Return Action. (Default: Return)
- SourceInterface
- Specifies the name of the receiving interface to be compared to the received packet.
- DestinationInterface
- Specifies the destination interface to be compared to the received packet.
- SourceNetwork
- Specifies the sender span of IP addresses to be compared to the received packet.
- DestinationNetwork
- Specifies the span of IP addresses to be compared to the destination IP of the received packet.
- SourceUserGroup
- Specifies the User Group object, with username or group, that the source must be a part of. (Optional)
- DestinationUserGroup
- Specifies the User Group object, with username or group, that the destination must be a part of. (Optional)
- Service
- Specifies a service that will be used as a filter parameter when matching traffic with this rule.
- Schedule
- By adding a schedule to a rule, the firewall will only allow that rule to trigger at those designated times. (Optional)
- Attribute
- Special Attribute of the current object. (Optional)
- LogEnabled
- Enable logging. (Default: Yes)
- LogSeverity
- Specifies with what severity log events will be sent to the specified log receivers. (Default: Default)
- Comments
- Text describing the current object. (Optional)
Note: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
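The scan order described for the return rule, modelled as an added Python example (not code from the product or its documentation). The `Rule` class, the `scan` function, the rule-set names and the sample packets are hypothetical; resuming at the rule after the goto, and dropping when a rule set ends without a match, are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Rule:
    name: str
    action: str                       # "Allow", "Deny", "Goto" or "Return"
    match: Callable[[dict], bool]     # stands in for the interface/network/service filters
    target: Optional[str] = None      # rule set to jump to (Goto only)

def scan(rule_sets: Dict[str, List[Rule]], packet: dict,
         start: str = "main") -> Tuple[str, List[str]]:
    """Walk the rule sets for one packet; return (verdict, trace of matched rules)."""
    stack: List[Tuple[str, int]] = []  # resume position for each goto taken
    current, i, trace = start, 0, []
    while True:
        rules = rule_sets[current]
        if i >= len(rules):
            # Assumption of this model: a set that ends without a match drops.
            trace.append(f"{current}:<end>")
            return "Drop", trace
        rule = rules[i]
        if not rule.match(packet):
            i += 1
            continue
        trace.append(f"{current}:{rule.name}")
        if rule.action == "Goto":
            if len(stack) >= 32:       # model-only guard against goto cycles
                return "Drop", trace
            stack.append((current, i + 1))  # assumption: resume after the goto rule
            current, i = rule.target, 0
        elif rule.action == "Return":
            if not stack:
                # No goto led to this rule set: connection dropped, scan stops.
                return "Drop", trace
            current, i = stack.pop()
        else:
            return rule.action, trace  # Allow or Deny ends the scan

# Constructed sample rule sets; names and addresses are made up for the example.
RULE_SETS = {
    "main": [
        Rule("to_dmz", "Goto", lambda p: p["dst"].startswith("10.0.1."), "dmz"),
        Rule("allow_dns", "Allow", lambda p: p["dport"] == 53),
        Rule("stray_return", "Return", lambda p: p["dport"] == 9999),
    ],
    "dmz": [
        Rule("allow_web", "Allow", lambda p: p["dport"] == 443),
        Rule("back_to_main", "Return", lambda p: True),
    ],
}

if __name__ == "__main__":
    for pkt in ({"dst": "10.0.1.5", "dport": 53}, {"dst": "192.0.2.1", "dport": 9999}):
        print(pkt, scan(RULE_SETS, pkt))
```

The second sample packet hits a return rule in the top-level set, which is the case where a misplaced return rule silently drops traffic instead of handing it back to another rule set.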