Chapter 19 Firewall

Your customized rules take precedence and override the NXC’s default settings. The NXC checks the schedule, user name (user’s login name on the NXC), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the NXC takes the action specified in the rule.

For example, if you want to allow a specific user from any computer to access one zone by logging in to the NXC, you can set up a rule based on the user name only. If you also apply a schedule to the firewall rule, the user can only access the network at the scheduled time. A user-aware firewall rule is activated whenever the user logs in to the NXC and will be disabled after the user logs out of the NXC.

19.2 Firewall Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 56 Input Values for General Firewall Commands

LABEL

DESCRIPTION

address_object

The name of the IP address (group) object. You may use 1-31 alphanumeric

 

characters, underscores(_), or dashes (-), but the first character cannot be a

 

number. This value is case-sensitive.

user_name

The name of a user (group). You may use 1-31 alphanumeric characters,

 

underscores(_), or dashes (-), but the first character cannot be a number.

 

This value is case-sensitive.

zone_object

The name of the zone. Use up to 31 characters (a-zA-Z0-9_-). The name

 

cannot start with a number. This value is case-sensitive.

 

You can also use pre-defined zone names like LAN and WLAN.

 

 

rule_number

The priority number of a firewall rule. 1 - X where X is the highest number of

 

rules the NXC model supports. See the NXC’s User’s Guide for details.

 

 

schedule_object

The name of the schedule. You may use 1-31 alphanumeric characters,

 

underscores(_), or dashes (-), but the first character cannot be a number.

 

This value is case-sensitive.

service_name

The name of the service (group). You may use 1-31 alphanumeric characters,

 

underscores(_), or dashes (-), but the first character cannot be a number.

 

This value is case-sensitive.

The following table describes the commands available for the firewall. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 57 Command Summary: Firewall

COMMAND

DESCRIPTION

[no] connlimit max-per-host <1..8192>

Sets the highest number of sessions that the

 

NXC will permit a host to have at one time.

 

The no command removes the settings.

firewall rule_number

Enters the firewall sub-command mode to set

 

a firewall rule.

firewall zone_object {zone_objectEnterpriseWLAN}

Enters the firewall sub-command mode to set

rule_number

a direction specific through-EnterpriseWLAN

 

rule or to-EnterpriseWLAN rule.

 

 

120

 

NXC CLI Reference Guide