6-60
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 6 Managing Policy Objects
Creating Access Control List Objects
Table 6-22 Add and Edit Standard Access Control Entry Dialog Boxes (Continued)

Element      Description

Action       The action to take on traffic defined in the entry:
             Permit—The service associated with this ACL is applied to this
             traffic. That is, the traffic is permitted to use the service.
             Deny—The service associated with this ACL is not applied to this
             traffic. If there are multiple ACLs configured for a service,
             denied traffic is typically compared to the next ACL in the list;
             if it matches no permit entry in any ACL for the service, the
             service is not applied to the traffic. Whether the traffic is
             dropped from the network depends on the service.

Category     The category assigned to the object. Categories help you organize
             and identify rules and objects. See Using Category Objects,
             page 6-12.

Source       The source of the traffic. You can enter more than one value by
             separating the items with commas.
             You can enter any combination of the following address types. For
             more information, see Specifying IP Addresses During Policy
             Definition, page 6-81.
             • Network/host object. Enter the name of the object or click Select
               to select it from a list. You can also create new network/host
               objects from the selection list.
             • Host IP address, for example, 10.10.10.100.
             • Network address, including subnet mask, in either the format
               10.10.10.0/24 or 10.10.10.0/255.255.255.0.
             • A range of IP addresses, for example, 10.10.10.100-10.10.10.200.
             • An IP address pattern in the format 10.10.0.10/255.255.0.255,
               where the mask is a discontiguous bit mask: the set mask bits
               are the address bits that must match (see Contiguous and
               Discontiguous Network Masks for IPv4 Addresses, page 6-75).

Description  An optional description of the object.

Log Option   Whether to create log entries when traffic meets the entry
             criteria. ACL logging generates syslog message 106023 for denied
             packets, so a deny entry must be present for denied packets to be
             logged.

Add and Edit Web Access Control Entry Dialog Boxes

Use the Add or Edit Web Access Control Entry dialog box to add an access control entry (ACE) or an
ACL object to a Web Type ACL object.

Navigation Path

From the Add or Edit Access List Dialog Boxes, page 6-55 for Web Type ACL objects, click the Add
button in the ACE table, or select a row and click the Edit button.

Related Topics

• Creating Web Access Control List Objects, page 6-52
• Understanding Access Rule Address Requirements and How Rules Are Deployed, page 16-5
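The Source field of Table 6-22 accepts several address syntaxes (host, prefix, dotted mask, discontiguous mask, range), and the Action and Log Option rows describe how a standard ACE is evaluated and when syslog 106023 is generated. The following is an added example, not Cisco Security Manager code, that parses those syntaxes and evaluates a list of entries the way the table describes. The function names (parse_source_item, evaluate_acl, service_applies, is_contiguous_mask), the sample entries, the treatment of an address that matches no entry as an unlogged deny, and the text of the log line are all assumptions made for the example; in particular the log line is a constructed stand-in for message 106023, not the device's exact syslog text. Network/host object names are not resolved.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Added example (not Cisco Security Manager code): parse the address syntaxes
# the Source field accepts and evaluate standard ACEs as Table 6-22 describes.

MASK32 = 0xFFFFFFFF


def _ip(text: str) -> int:
    """Parse a dotted IPv4 address into an integer; raises on junk."""
    return int(ipaddress.IPv4Address(text.strip()))


def parse_source_item(item: str) -> Callable[[int], bool]:
    """Return a predicate for one comma-separated item of the Source field.

    Accepted forms (from the table): host, prefix (a.b.c.d/24), dotted mask
    (a.b.c.d/255.255.255.0), discontiguous mask (a.b.c.d/255.255.0.255) and
    a range (a.b.c.d-e.f.g.h). Object names are not resolved (assumption).
    """
    item = item.strip()
    if "-" in item:                                   # a range of addresses
        lo, hi = (_ip(p) for p in item.split("-", 1))
        if lo > hi:
            raise ValueError(f"inverted range: {item}")
        return lambda a: lo <= a <= hi
    if "/" in item:                                   # network or pattern
        addr_txt, mask_txt = item.split("/", 1)
        addr = _ip(addr_txt)
        if mask_txt.strip().isdigit():                # prefix length
            plen = int(mask_txt)
            if not 0 <= plen <= 32:
                raise ValueError(f"bad prefix length: {item}")
            mask = (MASK32 << (32 - plen)) & MASK32
        else:                                         # dotted mask
            mask = _ip(mask_txt)
        # Set mask bits are the address bits that must match; a discontiguous
        # mask such as 255.255.0.255 simply has holes in that bit pattern.
        want = addr & mask
        return lambda a: (a & mask) == want
    host = _ip(item)                                  # plain host address
    return lambda a: a == host


def is_contiguous_mask(mask_txt: str) -> bool:
    """True for a run of 1 bits followed by 0 bits (an ordinary subnet mask)."""
    inv = ~_ip(mask_txt) & MASK32
    return (inv & (inv + 1)) == 0


@dataclass
class StandardACE:
    action: str                  # "permit" or "deny"
    source: str                  # comma-separated items as typed in the dialog
    log: bool = False            # the Log Option checkbox
    matchers: List[Callable[[int], bool]] = field(init=False)

    def __post_init__(self):
        if self.action not in ("permit", "deny"):
            raise ValueError(self.action)
        self.matchers = [parse_source_item(i) for i in self.source.split(",")]

    def matches(self, addr: int) -> bool:
        return any(m(addr) for m in self.matchers)


def evaluate_acl(aces: List[StandardACE], src: str) -> Tuple[str, List[str]]:
    """First-match evaluation of one ACL. Returns (action, log_lines).

    Assumptions not stated on the page: an address matching no entry is
    treated as denied without a log line, and the log line is a constructed
    stand-in for syslog 106023, not the device's exact message text.
    """
    addr = _ip(src)
    for ace in aces:
        if ace.matches(addr):
            logs = []
            if ace.action == "deny" and ace.log:
                logs.append(f"106023: deny src {src} by ace '{ace.source}'")
            return ace.action, logs
    return "deny", []


def service_applies(acls: List[List[StandardACE]], src: str) -> Tuple[bool, List[str]]:
    """Walk the ACLs configured for a service: traffic denied by one ACL is
    compared with the next; the service applies only if some ACL permits it."""
    logs: List[str] = []
    for acl in acls:
        action, acl_logs = evaluate_acl(acl, src)
        logs.extend(acl_logs)
        if action == "permit":
            return True, logs
    return False, logs


# Constructed sample entries mirroring the address formats in the table.
SAMPLE_ACL = [
    StandardACE("deny", "10.10.10.100-10.10.10.200", log=True),
    StandardACE("permit", "10.10.10.0/24, 10.10.0.10/255.255.0.255"),
]

if __name__ == "__main__":
    for ip in ("10.10.10.150", "10.10.10.7", "10.10.77.10", "192.0.2.1"):
        print(ip, service_applies([SAMPLE_ACL], ip))
```

Running the block shows the difference between the two permit items: 10.10.10.7 is accepted by the /24, while 10.10.77.10 is accepted only by the discontiguous pattern, which ignores the third octet. A range entry is ordered, so an inverted range is rejected at parse time rather than silently matching nothing, which is the kind of mistake that otherwise leaves a deny entry dead.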