cOS Stream has a predefined object called AccessRules which is initially empty since the default access rule is not visible. One or more child AccessRule objects can then be added to this AccessRules parent object. Each AccessRule consists of interface and network values used to filter new flows, as well as an action to take when a flow match is triggered.
Access Rule Filtering Properties
The access rule filtering properties used to trigger a rule are:
Interface - The firewall interface that the packet arrives on.
Network - The IP range that the source address belongs to.
Access Rule Action Property
The access rule Action property can take either of the following values:
Drop - Discard the packets that trigger the access rule.
Accept - Accept the packets that trigger the access rule so they can be processed by other rule sets.
Note: By default, access rule logging is enabled
Logging can be enabled or disabled for when an access rule triggers. By default, it is enabled.
Turning Off Disabled by Access Rule Messages
If, for some reason, the Disabled by Access Rule log message is continuously being generated by some source and needs to be turned off, then the way to do this is to create a new AccessRule object for that source with an action of Drop.
Troubleshooting Access Rule Related Problems
It should be noted that access rules are a first filter of traffic before any other subsystems can see it. Sometimes problems can appear, such as setting up VPN tunnels, precisely because of this. It is always advisable to check access rules when troubleshooting puzzling problems in case a rule is preventing some other function, such as VPN tunnel establishment, from working properly.
Example 18.1. Setting up an Access Rule
A rule is to be defined that ensures no traffic with a source address within the network bad_net is accepted on the if1 interface.
Command-Line Interface
First, change the context to the access rule set:
System:/> cc AccessRules
The prompt will change to indicate the new context. Now, add the access rule:
System:/AccessRules> add AccessRule Name=rule1 Interface=if1 Network=bad_net Action=Drop
The contents of the rule set can now be checked:
System:/AccessRules> show
AccessRule
  #  Name   Action  Interface  Network
  -  ----   ------  ---------  -------
+ 1  rule1  Drop    if1        bad_net
Finally, return to the default CLI context:
System:/AccessRules> cc
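The following Python model is an added example, not Clavister code, that works through the filtering described in the troubleshooting section and in Example 18.1: an ordered list of AccessRule objects matched on arriving interface and source network, with Drop or Accept as the action and per-rule logging on by default. It assumes top-down first-match evaluation, that bad_net is 198.51.100.0/24, and that the logging flag is named log_enabled; the invisible default access rule is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the access rule objects described on this page; it is
# not Clavister code. Assumptions: rules are checked top-down and the first
# match wins; a flow matching no visible rule goes to the invisible default
# access rule, whose behaviour this model does not describe (it returns None).

@dataclass
class AccessRule:
    name: str
    interface: str            # interface the packet must arrive on
    network: str              # IP range the source address must belong to
    action: str               # "Drop" or "Accept"
    log_enabled: bool = True  # assumed property name; logging is on by default

@dataclass
class Flow:
    interface: str            # interface the packet arrived on
    source: str               # source IP address

def evaluate(rules, flow):
    """Return (action, rule_name, log_line) for the first matching rule,
    or (None, None, None) when no visible rule matches."""
    src = ip_address(flow.source)
    for rule in rules:
        if rule.interface == flow.interface and src in ip_network(rule.network):
            log = (f"{rule.name}: {rule.action} flow from {flow.source} on "
                   f"{flow.interface}") if rule.log_enabled else None
            return rule.action, rule.name, log
    return None, None, None

# Example 18.1; bad_net is assumed here to be 198.51.100.0/24 (documentation range).
RULES = [AccessRule("rule1", "if1", "198.51.100.0/24", "Drop")]

def troubleshoot(flow, rules=RULES):
    """Report which access rule, if any, stops a flow before any other
    subsystem (such as the VPN engine) gets to see it."""
    action, name, _ = evaluate(rules, flow)
    if action == "Drop":
        return f"blocked by access rule {name} before any other subsystem sees it"
    if action == "Accept":
        return f"accepted by access rule {name} and passed on to the other rule sets"
    return "no visible access rule matched; handled by the default access rule"

if __name__ == "__main__":
    print(evaluate(RULES, Flow("if1", "198.51.100.7")))
    # a VPN peer whose address falls inside bad_net is stopped by rule1 as well
    print(troubleshoot(Flow("if1", "198.51.100.50")))
    print(troubleshoot(Flow("if2", "198.51.100.50")))
```

A rule created with log_enabled=False for a noisy source corresponds to the page's advice for silencing repeated Disabled by Access Rule messages: the flow is still dropped, but no log line is produced.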