Firewall Feature Set Commands
16-124 Configuring Security
Syntax
ip firewall policy policy_name src_net_name dst_net_name serv_name {allow | allow-log | allow-auth group_name | reject | log | url-b | url-w | cls name ... name} [before policy_name | after policy_name | first] [bidirectional]
Syntax of the “no” Form
The no form of this command disables an earlier configured policy:
no ip firewall policy policy_name
Defaults
Deny all
Mode
Global configuration: XSR(config)#
Parameters
src_net_name            Name of the source network object, not to exceed 16 characters. This value must match the network object name exactly.
dst_net_name            Name of the destination network object, not to exceed 16 characters. This value must match the network object name exactly.
serv_name               Name of the service object, not to exceed 16 characters.
allow                   Let matching packets pass through the firewall.
allow-log               Let matching packets pass through the firewall and log the activity.
allow-auth group_name   Let matching packets pass only if the source IP address has been authenticated against group_name (not to exceed 16 characters). This value must match the network-group name exactly.
reject                  Drop all packets matching the policy.
log                     Drop all packets matching the policy and log the activity.
url-b | url-w           Filter HTTP traffic (a TCP connection with a destination port of 80 or 8080) using the black URL list (url-b) or the white URL list (url-w). With url-w, HTTP access to URLs matching an entry in the white URL list is allowed and non-matching URLs are blocked. Because only destination ports 80 and 8080 are inspected, HTTP on other ports and HTTPS are not filtered by these actions.
cls name                Let matching packets pass through the firewall if the application message type matches one of the 10 type names. Names must not exceed 16 characters.
before policy_name | after policy_name
                        Place the policy before or after the policy cited by policy_name (which must already have been configured). If no placement is specified, the policy is listed last.
first                   Place the policy first.
bidirectional           The policy applies in both directions, that is, to a session initiated at the source as well as one initiated at the destination.
Note: If the action is allow-auth, the group_name must be specified. All users who are members of this group are allowed authenticated access. The group_name must also match the AAA group name exactly.
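The following sequence is an added worked example and is not taken from the original manual. It assumes that network objects named lan, wan and mgmt, service objects named http, ssh, dns, all_ip and ipsec, and an AAA group named netadmins have already been defined; the commands that create those objects are not shown on this page, and all of the names are illustrative.

```text
XSR(config)# ip firewall policy lan_http lan wan http allow-log
XSR(config)# ip firewall policy mgmt_ssh mgmt wan ssh allow-auth netadmins
XSR(config)# ip firewall policy lan_drop lan wan all_ip log
XSR(config)# ip firewall policy lan_dns lan wan dns allow before lan_drop
XSR(config)# ip firewall policy site_vpn wan lan ipsec allow first bidirectional
XSR(config)# no ip firewall policy lan_http
```

Because the default is deny all, lan_drop does not change what is blocked; its purpose is to log the traffic the firewall drops, which a plain reject would not do. lan_dns is added with before so that it is listed ahead of the catch-all drop instead of being appended as the last policy, which is the default placement. mgmt_ssh only passes traffic from source addresses that have authenticated against netadmins, so that name must match the AAA group name exactly. site_vpn is placed first and marked bidirectional, so it covers IPsec sessions initiated from either side. The final no form removes lan_http without affecting the other policies.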