11-Security Command Reference

HomeSupportResource CenterNFVH3C VSRH3C VSRTechnical DocumentsReference GuidesCommand ReferencesH3C VSR Series Virtual Services Routers Command References(V7)-R0621-6W30011-Security Command Reference
19-Object policy commands
Title Size Download
19-Object policy commands 125.75 KB

Object policy commands

accelerate

Use accelerate to enable rule matching acceleration for an object policy.

Use undo accelerate to disable rule matching acceleration for an object policy.

Syntax

accelerate

undo accelerate

Default

Rule matching acceleration is disabled for an object policy.

Views

Object policy view

Predefined user roles

network-admin

Usage guidelines

Insufficient hardware resources cause acceleration failures. When the system has sufficient hardware resources, acceleration can take effect again under either of the following conditions:

·     You change or add rules for the policy.

·     You use this command to enable rule matching acceleration again.

After you enable rule matching acceleration, the following situations might occur:

·     Acceleration fails, and the matching process runs without acceleration.

·     Acceleration succeeds, and the matching process is accelerated. In this scenario, if you change or add a rule that causes resource insufficiency, the rule does not take effect.

Make sure the IP address object group specified for an object policy rule is not configured with excluded IP addresses or a wildcard mask. If an excluded IP address or wildcard mask is configured, rule matching acceleration fails for the object policy.

Examples

# Disable rule matching acceleration for IPv4 object policy op.

<Sysname> system-view

[Sysname] object-policy ip op

[Sysname-object-policy-ip-op] undo accelerate

Related commands

display object-policy accelerate

description

Use description to configure a description for an object policy.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for an object policy.

Views

Object policy view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 127 characters.

Usage guidelines

If the object policy does not have a description, this command configures the description. Otherwise, this command overwrites the existing description for the policy.

Examples

# Configure the description as zone-pair security office to library for an IPv4 address object policy.

<Sysname> system-view

[Sysname] object-policy ip permit

[Sysname-object-policy-ip-permit] description zone-pair security office to library

Related commands

display object-policy ip

display object-policy ipv6

display object-policy accelerate

Use display object-policy accelerate to display acceleration information for object policies.

Syntax

In standalone mode:

display object-policy accelerate { summary { ip | ipv6 } | verbose { ip object-policy-name | ipv6 object-policy-name } }

In IRF mode:

display object-policy accelerate { summary { ip | ipv6 } | verbose { ip object-policy-name | ipv6 object-policy-name } slot slot-number }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

summary: Displays brief acceleration information.

verbose: Displays detailed acceleration information.

ip: Displays acceleration information for IPv4 object policies.

ipv6: Displays acceleration information for IPv6 object policies.

object-policy-name: Specifies an object policy by its name, a case-insensitive string of 1 to 63 characters.

slot slot-number: Specifies an IRF member device. The slot-number argument represents its IRF member ID. (In IRF mode.)

Examples

# Display brief acceleration information for all IPv4 object policies.

<Sysname> display object-policy accelerate summary ip

Object-policy ip a

Object-policy ip c

# (In standalone mode.) Display detailed acceleration information for IPv4 object policy permit.

<Sysname> display object-policy accelerate verbose ip permit

Object-policy ip a

 rule 1 drop

 rule 0 pass (failed)

# (In IRF mode.) Display detailed acceleration information for IPv4 object policy permit.

<Sysname> display object-policy accelerate verbose ip permit slot 1

Object-policy ip a

 rule 1 drop

 rule 0 pass (failed)

Table 1 Command output

Field

Description

failed

Rule matching acceleration and rule matching failed.

 

display object-policy ip

Use display object-policy ip to display information about the specified IPv4 object policy.

Syntax

display object-policy ip [ object-policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

object-policy-name: Specifies an object policy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an object policy, this command displays information about all IPv4 object policies.

Usage guidelines

This command displays IPv4 object policy rules in the order they were configured.

Examples

# Display information about all IPv4 object policies.

<Sysname> display object-policy ip

Object-policy ip pass

This is an IPv4 object policy for the zone-pair security source office destination library

Object-policy accelerated

 rule 5 pass source-ip sourceip

 rule 5 comment This rule is used for source-ip sourceip

Table 2 Command output

Field

Description

Object-policy ip pass

Name of the IPv4 object policy.

This is an IPv4 object policy for the zone-pair security source office destination library

Description of the IPv4 object policy.

Object-policy accelerated

Rule matching acceleration is enabled for the IPv4 object policy.

rule 5 pass source-ip sourceip

Statement of rule 5. The value of sourceip is the name of the source IPv4 address object group.

rule 5 comment This rule is used for source-ip sourceip

Description of rule 5.

 

display object-policy ipv6

Use display object-policy ipv6 to display information about the specified IPv6 object policy.

Syntax

display object-policy ipv6 [ object-policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

object-policy-name: Specifies an object policy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an object policy, this command displays information about all IPv6 object policies.

Usage guidelines

This command displays IPv6 object policy rules in the order they were configured.

Examples

# Display information about all IPv6 object policies.

<Sysname> display object-policy ipv6

Object-policy ipv6 pass

This is an IPv6 object policy for the zone-pair security source office destination library

Object-policy accelerated

 rule 5 pass source-ip sourceipv6

 rule 5 comment This rule is used for source-ip sourceipv6

Table 3 Command output

Field

Description

Object-policy ipv6 pass

Name of the IPv6 object policy.

This is an IPv6 object policy for the zone-pair security source office destination library

Description of the IPv6 object policy.

Object-policy accelerated

Rule matching acceleration is enabled for the IPv6 object policy.

rule 5 pass source-ip sourceipv6

Statement of rule 5. The value of sourceipv6 is the name of the source IPv6 address object group.

rule 5 comment This rule is used for source-ip sourceipv6

Description of rule 5.

 

display object-policy statistics zone-pair security

Use display object-policy statistics zone-pair security to display statistics for the object policies applied to the specified zone pair.

Syntax

display object-policy statistics zone-pair security source source-zone-name destination destination-zone-name [ ip | ipv6 ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

source source-zone-name: Specifies a source security zone name, a case-insensitive string of 1 to 31 characters.

destination destination-zone-name: Specifies a destination security zone name, a case-insensitive string of 1 to 31 characters.

ip: Displays statistics for IPv4 object policies.

ipv6: Displays statistics for IPv6 object policies.

Usage guidelines

If you specify neither the ip keyword nor the ipv6 keyword, the system displays statistics for all object policies applied to the specified zone pair.

Examples

# Display statistics for all object policies applied to the zone pair with source security zone office and destination security zone library.

<Sysname> display object-policy statistics zone-pair security source office destination library

Object-policy apply ip OfficeToLibrary

 rule 0 pass source-ip sourceip1 (5 packets,10 bytes)

Object-policy apply ipv6 OfficeToLibraryIPv6

 rule 0 pass source-ip sourceip3 (6 packets,13 bytes)

Table 4 Command output

Field

Description

Object-policy apply ip OfficeToLibrary

Name of the IPv4 object policy applied to the zone pair.

rule 0 pass source-ip sourceip1

Statement of rule 0. The value of sourceip1 is the name of the source IPv4 address object group.

Object-policy apply ipv6 OfficeToLibraryIPv6

Name of the IPv6 object policy applied to the zone pair.

rule 0 pass source-ip sourceip3

Statement of rule 0. The value of sourceip3 is the name of the source IPv6 address object group.

x packets,y bytes

The rule has matched x packets, a total of y bytes. This field is displayed only when the following conditions exist:

·     The counting or logging keyword is specified in the rule command.

·     The rule has been matched.

 

Related commands

reset object-policy statistics

display object-policy zone-pair security

Use display object-policy zone-pair security to display information about the object policies applied to the specified zone pair.

Syntax

display object-policy zone-pair security [ source source-zone-name destination destination-zone-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

source source-zone-name: Specifies a source security zone name, a case-insensitive string of 1 to 31 characters.

destination destination-zone-name: Specifies a destination security zone name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

If you do not specify a zone pair, the system displays information about the object policies applied to all zone pairs.

Examples

# Display information about the object policies applied to all zone pairs.

<Sysname> display object-policy zone-pair security

Zone-pair source office destination library

object-policy apply ip permit

object-policy apply ipv6 drop

Table 5 Command output

Field

Description

Zone-pair source office destination library

Zone pair.

object-policy apply ip permit

IPv4 object policy applied to the zone pair.

object-policy apply ipv6 drop

IPv6 object policy applied to the zone pair.

 

move rule

Use move rule to change the rule match order of a rule in an object policy.

Syntax

move rule rule-id before insert-rule-id

Views

Object policy view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule by its ID in the range of 0 to 65534.

insert-rule-id: Specifies the ID of the target rule before which a rule is inserted. The target rule ID is in the range of 0 to 65535. If you specify 65535 as the target rule ID, the rule is moved to the end of the list.

Usage guidelines

The system does not execute the command in the following situations:

·     You specify the same value for the rule-id and insert-rule-id arguments.

·     You specify a nonexistent rule.

Examples

# Insert rule 5 before rule 2 for IPv4 object policy permit.

<Sysname> system-view

[Sysname] object-policy ip permit

[Sysname-object-policy-ip-permit] move rule 5 before 2

Related commands

object-policy apply ipv6

object-policy ip

rule (IPv4 object policy view)

rule (IPv6 object policy view)

object-policy apply ip

Use object-policy apply ip to apply an IPv4 object policy to a zone pair.

Use undo object-policy apply ip to restore the default.

Syntax

object-policy apply ip object-policy-name

undo object-policy apply ip object-policy-name

Default

IPv4 object policies are not applied to a zone pair.

Views

Zone pair view

Predefined user roles

network-admin

Parameters

object-policy-name: Specifies an IPv4 object policy by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If the specified object policy does not exist, this command fails.

You can apply only one IPv4 object policy to each zone pair. To apply a new IPv4 object policy to an instance, remove the application of the existing IPv4 object policy.

Examples

# Configure an IPv4 object policy and apply it to a zone pair.

<Sysname> system-view

[Sysname] object-policy ip permit

[Sysname-object-policy-ip-permit]quit

[Sysname] zone-pair security source office destination library

[Sysname-zone-pair-security-office-library] object-policy apply ip permit

Related commands

display object-policy zone-pair security

object-policy apply ipv6

object-policy ip

object-policy apply ipv6

Use object-policy apply ipv6 to apply an IPv6 object policy to a zone pair.

Use undo object-policy apply ipv6 to restore the default.

Syntax

object-policy apply ipv6 object-policy-name

undo object-policy apply ipv6 object-policy-name

Default

IPv6 object policies are not applied to a zone pair.

Views

Zone pair view

Predefined user roles

network-admin

Parameters

object-policy-name: Specifies an IPv6 object policy by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If the specified object policy does not exist, this command fails.

You can apply only one IPv6 object policy to each zone pair. To apply a new IPv6 object policy to an instance, remove the application of the existing IPv6 object policy.

Examples

# Configure an IPv6 object policy and apply it to a zone pair.

<Sysname> system-view

[Sysname] object-policy ipv6 permit

[Sysname-object-policy-ipv6-permit] quit

[Sysname] zone-pair security source office destination library

[Sysname-zone-pair-security-office-library] object-policy apply ipv6 permit

Related commands

display object-policy zone-pair security

object-policy apply ip

object-policy ipv6

object-policy ip

Use object-policy ip to configure an IPv4 object policy and enter its view, or enter the view of an existing IPv4 object policy.

Use undo object-policy ip to delete an IPv4 object policy.

Syntax

object-policy ip object-policy-name

undo object-policy ip object-policy-name

Default

No IPv4 object policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

object-policy-name: Specifies an IPv4 object policy name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

The IPv4 object policy name is unchangeable once configured.

You cannot delete an IPv4 object policy that has been applied to a zone pair.

Examples

# Configure an IPv4 object policy and enter its view.

<Sysname> system-view

[Sysname] object-policy ip permit

[Sysname-object-policy-ip-permit] rule pass

Related commands

display object-policy ip

object-policy ipv6

object-policy ipv6

Use object-policy ipv6 to configure an IPv6 object policy and enter its view, or enter the view of an existing IPv6 object policy.

Use undo object-policy ipv6 to delete an IPv6 object policy.

Syntax

object-policy ipv6 object-policy-name

undo object-policy ipv6 object-policy-name

Default

No IPv6 object policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

object-policy-name: Configures the IPv6 object policy name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

The IPv6 object policy name is unchangeable once configured.

You cannot delete an IPv6 object policy that has been applied to a zone pair.

Examples

# Configure an IPv6 object policy and enter its view.

<Sysname> system-view

[Sysname] object-policy ipv6 permit

[Sysname-object-policy-ipv6-permit] rule pass

Related commands

display object-policy ipv6

object-policy ip

reset object-policy statistics

Use reset object-policy statistics to clear statistics for the object policies applied to zone pairs.

Syntax

reset object-policy statistics [ zone-pair security source source-zone-name destination destination-zone-name ] [ ip | ipv6 ]

Views

User view

Predefined user roles

network-admin

Parameters

source source-zone-name: Specifies the source security zone name, a case-insensitive string of 1 to 31 characters.

destination destination-zone-name: Specifies the destination security zone name, a case-insensitive string of 1 to 31 characters.

ip: Clears statistics for IPv4 object policies.

ipv6: Clears statistics for IPv6 object policies.

Usage guidelines

If you do not specify a zone pair, the system clears statistics for the object policies applied to all zone pairs.

If you specify neither the ip keyword nor the ipv6 keyword, the system clears statistics for all object policies applied to the specified zone pairs.

Examples

# Clear statistics for all IPv4 object policies applied to the zone pair with source security zone office and destination security zone library.

<Sysname> reset object-policy statistics zone-pair security source office destination library ip

Related commands

display object-policy statistics zone-pair security

rule append

Use rule append to append a criterion to a rule for packet matching.

Use undo rule append to delete a criterion appended to a rule.

Syntax

rule rule-id append { application application-name | app-group app-group-name | destination-ip object-group-name | service object-group-name | source-ip object-group-name }

undo rule rule-id append { application [ application-name ] | app-group [ app-group-name ] | destination-ip [ object-group-name ] | service [ object-group-name ] | source-ip [ object-group-name ] }

Default

No criterion is appended to a rule for packet matching.

Views

Object policy view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule by its ID in the range of 0 to 65534.

application application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.

app-group app-group-name: Specifies an application group by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.

destination-ip object-group-name: Specifies a destination IPv4 or IPv6 address object group by its name, a case-insensitive string of 1 to 31 characters. The name any is not allowed.

service object-group-name: Specifies a service object group by its name, a case-insensitive string of 1 to 31 characters. The name any is not allowed.

source-ip object-group-name: Specifies a source IPv4 or IPv6 address object group by its name, a case-insensitive string of 1 to 31 characters. The name any is not allowed.

Usage guidelines

Make sure the rule already exists before you execute this command.

You can execute this command multiple times to append multiple criteria to a rule. These criteria can be of the same type.

Actions taken on packets matching a rule is specified by the rule command.

If you do not specify a criterion when executing the undo command, the command deletes all appended criteria of the specified type.

Examples

# Configure rule 1 to allow packets that match source IP address object groups sourceip1, sourceip2, and sourceip3 to pass.

<Sysname> system-view

[Sysname] object-policy ip permit

[Sysname-object-policy-ip-permit] rule 1 pass source-ip sourceip1 logging

[Sysname-object-policy-ip-permit] rule 1 append source-ip sourceip2

[Sysname-object-policy-ip-permit] rule 1 append source-ip sourceip3

Related commands

app-group

display object-policy ip

display object-policy ipv6

nbar application

object-group

object-policy ip

object-policy ipv6

rule (IPv4 object policy view)

rule (IPv6 object policy view)

rule comment

Use rule comment to configure a description for the specified rule.

Use undo rule comment to delete the description for the specified rule.

Syntax

rule rule-id comment text

undo rule rule-id comment

Default

No description is configured for a rule.

Views

Object policy view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule by its ID in the range of 0 to 65534.

text: Specifies a description, a case-sensitive string of 1 to 127 characters.

Usage guidelines

If the specified rule does not exist, this command fails.

If the rule does not have a description, this command configures the description. Otherwise, this command overwrites the existing description for the rule.

Examples

# Create rule 0 for IPv4 object policy permit and configure a description for rule 0.

<Sysname> system-view

[Sysname] object-policy ip permit

[Sysname-object-policy-ip-permit] rule 0 pass source-ip ip1

[Sysname-object-policy-ip-permit] rule 0 comment This rule is used for source-ip ip1

Related commands

display object-policy ip

display object-policy ipv6

rule (IPv4 object policy view)

Use rule to configure a rule for an IPv4 object policy.

Use undo rule to partially or completely delete a rule for an IPv4 object policy.

Syntax

rule [ rule-id ] { drop | pass | inspect app-profile-name } [ [ source-ip { object-group-name | any } ] [ destination-ip { object-group-name | any } ] [ service { object-group-name | any } ] [ vrf vrf-name ] [ application application-name ] [ app-group app-group-name ] [ counting ] [ disable ] [ logging ] [ time-range time-range-name ] ] *

undo rule rule-id [ source-ip | destination-ip | service | vrf | application | app-group | counting | disable | logging time-range ] *

Default

No rules are configured for an IPv4 object policy.

Views

IPv4 object policy view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify an ID for the rule, the system automatically assigns the rule the integer next to the greatest ID being used. For example, if the greatest ID is 60000, the system automatically assigns 60001. If the greatest ID is 65534, the system assigns the rule the smallest unused number in the range.

drop: Discards the packets that match the rule.

pass: Allows the packets that match the rule to pass.

inspect app-profile-name: Applies a DPI application profile to the packets that match the rule. The app-profile-name argument represents the DPI profile name, a case-insensitive string of 1 to 100 characters. The string can contain only letters, digits, and underscores (_).

source-ip object-group-name: Specifies a source IPv4 address object group by its name, a case-insensitive string of 1 to 31 characters.

source-ip any: Specifies all source IPv4 address object groups.

destination-ip object-group-name: Specifies a destination IPv4 address object group by its name, a case-insensitive string of 1 to 31 characters.

destination-ip any: Specifies all destination IPv4 address object groups.

service object-group-name: Specifies a service object group by its name, a case-insensitive string of 1 to 31 characters.

service any: Specifies all service object groups.

vrf vrf-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command applies to received packets of the public network.

application application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters. The invalid and other applications are not supported.

app-group app-group-name: Specifies an application group by its name, a case-insensitive string of 1 to 63 characters. The invalid and other application groups are not supported.

counting: Enables match counting for the rule in an IPv4 object policy. By default, rule match counting is disabled.

disable: Disables the IPv4 object policy rule.

logging: Logs the packets that match the rule.

time-range time-range-name: Specifies a time range by its name, a case-insensitive string of 1 to 32 characters. If the specified time range does not exist, the system creates the rule and prompts you to configure the time range. The rule takes effect after you set the time range. For more information about time range configuration, see ACL and QoS Configuration Guide.

Usage guidelines

If the specified rule ID does not exist, this command creates a rule. Otherwise, this command changes the configuration of the specified rule.

If you do not configure any object groups in a rule, the rule applies to all packets.

If you specify a nonexistent object group in a rule, the device automatically creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.

If you do not specify any options in the undo rule command, the command deletes the entire rule. Otherwise, the command deletes only the specified part of the rule statement.

You cannot delete a nonexistent rule. You can use the display object-policy ip command to display rules in an IPv4 object policy.

To use applications or application groups in an object policy, use only PBAR-classified applications. NBAR-classified applications cannot match any packets. For more information about PBAR and NBAR, see Security Configuration Guide.

The logging keyword enables the object policy module to send log messages to the information center when packets match an object policy.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output packet matching logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view packet matching logs stored on the device, use the display logbuffer command or open the object policy log page from the Web interface of the device. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Configure a rule to allow packets that match source IPv4 address object group sourceip1 to pass through during time range time1.

<Sysname> system-view

[Sysname] object-policy ip permit

[Sysname-object-policy-ip-permit] rule pass source-ip sourceip1 logging time-range time1

# Configure a rule to apply DPI application profile profile1 to packets that match source IPv4 address object group sourceip1.

<Sysname> system-view

[Sysname] object-policy ip dpiproc

[Sysname-object-policy-ip-dpiproc] rule inspect profile1 source-ip sourceip1 logging

# Configure a rule to permit packets that match application aaa.

<Sysname> system-view

[Sysname] object-policy ip dpiproc

[Sysname-object-policy-ip-dpiproc] rule pass application aaa

Related commands

app-profile (DPI Command Reference)

display object-policy ip

move rule

object-policy ip

time-range (ACL and QoS Command Reference)

rule (IPv6 object policy view)

Use rule to configure a rule for an IPv6 object policy.

Use undo rule to partially or completely delete a rule for an IPv6 object policy.

Syntax

rule [ rule-id ] { drop | pass | inspect app-profile-name } [ [ source-ip { object-group-name | any } ] [ destination-ip { object-group-name | any } ] [ service { object-group-name | any } ] [ vrf vrf-name ] [ application application-name ] [ app-group app-group-name ] [ counting ] [ disable ] [ logging ] [ time-range time-range-name ] ] *

undo rule rule-id [ source-ip | destination-ip | service | vrf | application | app-group | counting | disable | logging time-range ] *

Default

No rules are configured for an IPv6 object policy.

Views

IPv6 object policy view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify an ID for the rule, the system automatically assigns the rule the integer next to the greatest ID being used. For example, if the greatest ID is 60000, the system automatically assigns 60001. If the greatest ID is 65534, the system assigns the rule the smallest unused number in the range.

drop: Discards the packets that match the rule.

pass: Allows the packets that match the rule to pass.

inspect app-profile-name: Applies a DPI application profile to the packets that match the rule. The app-profile-name argument represents the DPI profile name, a case-insensitive string of 1 to 100 characters. The string can contain only letters, digits, and underscores (_).

source-ip object-group-name: Specifies a source IPv6 address object group by its name, a case-insensitive string of 1 to 31 characters.

source-ip any: Specifies all source IPv6 address object groups.

destination-ip object-group-name: Specifies a destination IPv6 address object group by its name, a case-insensitive string of 1 to 31 characters.

destination-ip any: Specifies all destination IPv6 address object groups.

service object-group-name: Specifies a service object group by its name, a case-insensitive string of 1 to 31 characters.

service any: Specifies all service object groups.

vrf vrf-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command applies to received packets of the public network.

application application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters. The invalid and other applications are not supported.

app-group app-group-name: Specifies an application group by its name, a case-insensitive string of 1 to 63 characters. The invalid and other application groups are not supported.

counting: Enables match counting for the rule in an IPv6 object policy. By default, rule match counting is disabled.

disable: Disables the IPv6 object policy rule.

logging: Logs the packets that match the rule.

time-range time-range-name: Specifies the rule effective time range by its name, a case-insensitive string of 1 to 32 characters. If you configure a rule without setting the effective time period, the system creates the rule and prompts you to configure the time period. The rule takes effect after you set the time period. For more information about time range configuration, see ACL and QoS Configuration Guide.

Usage guidelines

If the specified rule ID does not exist, this command creates a rule. Otherwise, this command changes the configuration of the specified rule.

If you do not configure any object groups in a rule, the rule applies to all packets.

If you specify a nonexistent object group in a rule, the device automatically creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.

If you do not specify any options in the undo rule command, the command deletes the entire rule. Otherwise, the command deletes only the specified part of the rule statement.

You cannot delete a nonexistent rule. You can use the display object-policy ipv6 command to display rules in an IPv6 object policy.

To use applications or application groups in an object policy, use only PBAR-classified applications. NBAR-classified applications cannot match any packets. For more information about PBAR and NBAR, see Security Configuration Guide.

The logging keyword enables the object policy module to send log messages to the information center when packets match an object policy.

With the information center, you can set log message filtering and output rules, including output destinations.

The information center can output packet matching logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view packet matching logs stored on the device, use the display logbuffer command or open the object policy log page from the Web interface of the device. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Configure a rule to allow packets that match source IPv6 address object group sourceip1 to pass through during time range time1.

<Sysname> system-view

[Sysname] object-policy ipv6 permit

[Sysname-object-policy-ipv6-permit] rule pass source-ip sourceip1 logging time-range time1

# Configure a rule to apply DPI application profile profile1 to packets that match source IPv4 address object group sourceip1.

<Sysname> system-view

[Sysname] object-policy ipv6 dpiproc

[Sysname-object-policy-ipv6-dpiproc] rule inspect profile1 source-ip sourceip1 logging

# Configure a rule to permit packets that match application aaa.

<Sysname> system-view

[Sysname] object-policy ipv6 dpiproc

[Sysname-object-policy-ipv6-dpiproc] rule pass application aaa

Related commands

app-profile (DPI Command Reference)

display object-policy ipv6

move rule

object-policy ipv6

time-range (ACL and QoS Command Reference)