Rule matching acceleration enhances connection establishment and packet forwarding performance, especially for a device using multiple rules to match packets from multiple users.

Rule matching acceleration does not take effect on newly added, modified, and moved rules unless the feature is activated for the rules. By default, the system automatically activates rule matching acceleration for such rules at specific intervals. The interval is 2 seconds if 100 or fewer rules exist and 20 seconds if over 100 rules exist.

To activate rule matching acceleration immediately after a rule change, you can execute this command.

If no rule change is detected, the system does not perform an activation operation.

Insufficient memory can cause rule matching acceleration failures. Unaccelerated rules do not take effect, and rules that have been accelerated are not affected.

Examples

# Activate rule matching acceleration.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] accelerate enhanced enable

action

Use action to set the action for a security policy rule.

Use undo action to restore the default.

Syntax

action { drop | pass }

undo action pass

Default

The action for a security policy rule is drop.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

drop: Discards matched packets.

pass: Allows matched packets to pass.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the action for security policy rule rule1 to drop.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] action drop

Related commands

display security-policy

app-group

Use app-group to specify an application group as a filtering criterion of a security policy rule.

Use undo app-group to remove the specified application group filtering criterion from a security policy rule.

Syntax

app-group app-group-name

undo app-group [ app-group-name ]

Default

No application group is specified as a filtering criterion for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

app-group-name: Specifies the name of an application policy, a case-insensitive string of 1 to 63 characters. The name cannot be invalid or other. If you do not specify this argument when executing the undo app-group command, the command removes all application groups from the rule. For more information about application groups, see APR in Security Configuration Guide.

Usage guidelines

You can execute the command multiple times to specify multiple application groups as the filtering criteria.

Examples

# Specify application groups app1 and app2 as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] app-group app1

[Sysname-security-policy-ip-0-rule1] app-group app2

Related commands

app-group

display security-policy

application

Use application to specify an application as a filtering criterion of a security policy rule.

Use undo application to remove the specified application filtering criterion from a security policy rule.

Syntax

application application-name

undo application [ application-name ]

Default

No application is specified as a filtering criterion for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

application-name: Specifies the name of an application, a case-insensitive string of 1 to 63 characters. The name cannot be invalid or other. If you do not specify this argument when executing the undo application command, the command removes all applications from the rule. For more information about applications, see APR in Security Configuration Guide.

Usage guidelines

You can execute the command multiple times to specify multiple applications as the filtering criteria.

For the application filtering criteria to be identified, you must permit the packets of the protocols on which the applications depend to pass through. If port-based packet filtering is configured and a dependent protocol uses a non-default port, you must permit the packets from the port to pass.

Examples

# Specify applications 139Mail and 51job as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] application 139Mail

[Sysname-security-policy-ip-0-rule1] application 51job

Related commands

display security-policy

nbar application

port-mapping

counting enable

Use counting enable to enable statistics collection for matched packets.

Use undo counting enable to disable statistics collection for matched packets.

Syntax

counting enable [ period value ]

undo counting enable

Default

Statistics collection for matched packets is disabled.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

period value: Specifies the period during which the statistics collection feature is enabled, in the range of 1 to 4294967295 minutes. If you do not specify this option, the command enables statistics collection permanently.

Usage guidelines

This feature enables the device to collect statistics about matched packets. The collected statistics can be viewed by executing the display security-policy statistics command.

If an enabling period is specified, the system disables the statistics collection feature and removes the configuration at period expiration. If no enabling period is specified, you must execute the undo command to disable the statistics collection feature.

Examples

# Enable matched packet statistics collection for security policy rule rule1 and set the enabling period to 20 minutes.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] counting enable period 20

Related commands

display security-policy

display security-policy statistics

description (security policy rule view)

Use description to configure a description for a security policy rule.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 127 characters.

Examples

# Configure the description as This rule is used for source-ip ip1 for security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] description This rule is used for source-ip ip1

Related commands

display object-policy ip

display object-policy ipv6

description (security policy view)

Use description to configure a description for the IPv4 or IPv6 security policy.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for the IPv4 or IPv6 security policy.

Views

IPv4 security policy view

IPv6 security policy view

Predefined user roles

network-admin

context-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 127 characters.

Examples

# Configure the description as zone-pair security office to library for the IPv4 security policy.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] description zone-pair security office to library

Related commands

display security-policy

destination-ip

Use destination-ip to specify a destination IP address object group as a filtering criterion of a security policy rule.

Use undo destination-ip to remove the specified destination IP address object group from a security policy rule.

Syntax

destination-ip object-group-name

undo destination-ip [ object-group-name ]

Default

No destination IP address object group is specified as a filtering criterion for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

object-group-name: Specifies the name of a destination IP address object group, a case-insensitive string of 1 to 63 characters. The name cannot be any. If you do not specify this argument when executing the undo destination-ip command, the command removes all destination IP address object groups from the rule. For more information about object groups, see Security Configuration Guide.

Usage guidelines

You can execute the command multiple times to specify multiple destination IP address object groups as the filtering criteria.

If you specify a nonexistent object group, the device automatically creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.

For a security policy rule, the number of configured destination IP addresses cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.

Examples

# Specify destination IP address object groups client1 and client2 as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] destination-ip client1

[Sysname-security-policy-ip-0-rule1] destination-ip client2

Related commands

display security-policy

object-group

destination-ip-host (IPv4 security policy view)

Use destination-ip-host to specify a destination IPv4 host address as a filtering criterion of a security policy rule.

Use undo destination-ip-host to remove the specified destination IPv4 host address from a security policy rule.

Syntax

destination-ip-host ip-address

undo destination-ip-host [ ip-address ]

Default

No destination IPv4 host address is specified as a filtering criterion for a security policy rule.

Views

IPv4 security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

ip-address: Specifies the IPv4 address of a host. If you do not specify this argument when executing the undo command, the command removes all destination IPv4 host addresses from the rule.

Usage guidelines

You can execute the command multiple times to specify multiple destination IPv4 host addresses as the filtering criteria.

If you specify an IP address that has been configured as a destination host filtering criterion, the command execution fails and the system prompts an error.

For a security policy rule, the sum of configured destination host addresses, destination subnets, and destination address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.

Examples

# Specify destination IPv4 host address 192.167.0.1 as the filtering criteria of IPv4 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] destination-ip-host 192.167.0.1

Related commands

display security-policy

destination-ip-host (IPv6 security policy view)

Use destination-ip-host to specify a destination IPv6 host address as a filtering criterion of a security policy rule.

Use undo destination-ip-host to remove the specified destination IPv6 host address from a security policy rule.

Syntax

destination-ip-host ipv6-address

undo destination-ip-host [ ipv6-address ]

Default

No destination IPv6 host address is specified as a filtering criterion for a security policy rule.

Views

IPv6 security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

ipv6-address: Specifies the IPv6 address of a host. If you do not specify this argument when executing the undo command, the command removes all destination IPv6 host addresses from the rule.

Usage guidelines

You can execute the command multiple times to specify multiple destination IPv6 host addresses as the filtering criteria.

If you specify an IP address that has been configured as a destination host filtering criterion, the command execution fails and the system prompts an error.

Examples

# Specify destination IPv6 host address 192::167:1 as the filtering criteria of IPv6 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ipv6

[Sysname-security-policy-ipv6] rule 0 name rule1

[Sysname-security-policy-ipv6-0-rule1] destination-ip-host 192::167:1

Related commands

display security-policy

destination-ip-range (IPv4 security policy view)

Use destination-ip-range to specify a destination IPv4 address range as a filtering criterion of a security policy rule.

Use undo destination-ip-range to remove the specified destination IPv4 address range from a security policy rule.

Syntax

destination-ip-range ip-address1 ip-address2

undo destination-ip-range [ ip-address1 ip-address2 ]

Default

No destination IPv4 address range is specified as a filtering criterion for a security policy rule.

Views

IPv4 security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

ip-address1 ip-address2: Specifies an IPv4 address range. The ip-address1 argument represents the start IP address and the ip-address2 argument represents the end IP address. If you do not specify the arguments when executing the undo command, the command removes all destination IPv4 address ranges from the rule.

Usage guidelines

You can execute the command multiple times to specify multiple destination IPv4 address ranges as the filtering criteria.

If you specify an IP address range that has been configured as a destination IP range filtering criterion, the command execution fails and the system prompts an error.

When you specify an IP address range, follow these restrictions and guidelines:

· If the start IP address is the same as the end IP address, the command creates a host address filtering criteria.

· If the start IP address and the end IP address define a subnet, the command creates a subnet filtering criteria.

· If ip-address1 is greater than ip-address2, the system automatically adjusts the range to [ ip-address2, ip-address1 ].

Examples

# Specify destination IPv4 address range 192.165.0.100 to 192.165.0.200 as the filtering criteria of IPv4 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] destination-ip-range 192.165.0.100 192.165.0.200

Related commands

display security-policy

destination-ip-range (IPv6 security policy view)

Use destination-ip-range to specify a destination IPv6 address range as a filtering criterion of a security policy rule.

Use undo destination-ip-range to remove the specified destination IPv6 address range from a security policy rule.

Syntax

destination-ip-range ipv6-address1 ipv6-address2

undo destination-ip-range [ ipv6-address1 ipv6-address2 ]

Default

No destination IPv6 address range is specified as a filtering criterion for a security policy rule.

Views

IPv6 security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

ipv6-address1 ipv6-address2: Specifies an IPv6 address range. The ipv6-address1 argument represents the start IP address and the ipv6-address2 argument represents the end IP address. If you do not specify the arguments when executing the undo command, the command removes all destination IPv6 address ranges from the rule.

Usage guidelines

You can execute the command multiple times to specify multiple destination IPv6 address ranges as the filtering criteria.

If you specify an IP address range that has been configured as a destination IP range filtering criterion, the command execution fails and the system prompts an error.

When you specify an IP address range, follow these restrictions and guidelines:

· If the start IP address is the same as the end IP address, the command creates a host address filtering criteria.

· If the start IP address and the end IP address define a subnet, the command creates a subnet filtering criteria.

· If ipv6-address1 is greater than ipv6-address2, the system automatically adjusts the range to [ ipv6-address2, ipv6-address1 ].

Examples

# Specify destination IPv6 address range 192:165::100 to 192:165::200 as the filtering criteria of IPv6 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ipv6

[Sysname-security-policy-ipv6] rule 0 name rule1

[Sysname-security-policy-ipv6-0-rule1] destination-ip-range 192:165::100 192:165::200

Related commands

display security-policy

destination-ip-subnet (IPv4 security policy view)

Use destination-ip-subnet to specify a destination IPv4 subnet as a filtering criterion of a security policy rule.

Use undo destination-ip-subnet to remove the specified destination IPv4 subnet from a security policy rule.

Syntax

destination-ip-subnet ip-address { mask-length | mask }

undo destination-ip-subnet [ ip-address { mask-length | mask } ]

Default

No destination IPv4 subnet is specified as a filtering criterion for a security policy rule.

Views

IPv4 security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

ip-address { mask-length | mask }: Specifies an IPv4 subnet. You can specify the mask length or the mask in dotted decimal notation. The mask length is in the range of 0 to 32. If you set the mask length to 32 or the mask to 255.255.255.255, the command creates a host address filtering criterion. If you do not specify the arguments when executing the undo command, the command removes all destination IPv4 subnets from the rule.

Usage guidelines

You can execute the command multiple times to specify multiple destination IPv4 subnets as the filtering criteria.

If you specify a subnet that has been configured as a destination subnet filtering criterion, the command execution fails and the system prompts an error.

Examples

# Specify the destination subnet with IP address 192.167.0.0 and mask length 24 as a filtering criteria of IPv4 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] destination-ip-subnet 192.167.0.0 24

# Specify the destination subnet with IP address 192.166.0.0 and mask 255.255.0.0 as a filtering criteria of IPv4 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] destination-ip-subnet 192.166.0.0 255.255.0.0

Related commands

display security-policy

destination-ip-subnet (IPv6 security policy view)

Use destination-ip-subnet to specify a destination IPv6 subnet as a filtering criterion of a security policy rule.

Use undo destination-ip-subnet to remove the specified destination IPv6 subnet from a security policy rule.

Syntax

destination-ip-subnet ipv6-address prefix-length

undo destination-ip-subnet [ ipv6-address prefix-length ]

Default

No destination IPv6 subnet is specified as a filtering criterion for a security policy rule.

Views

IPv6 security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

ipv6-address prefix-length: Specifies an IPv6 subnet. The prefix length is in the range of 1 to 128. If you set the prefix length to 128, the command creates a host address filtering criterion. If you do not specify the arguments when executing the undo command, the command removes all destination IPv4 subnets from the rule.

Usage guidelines

You can execute the command multiple times to specify multiple destination IPv6 subnets as the filtering criteria.

If you specify a subnet that has been configured as a destination subnet filtering criterion, the command execution fails and the system prompts an error.

Examples

# Specify the destination subnet with IP address 192::167:0 and prefix length 64 as a filtering criteria of IPv6 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ipv6

[Sysname-security-policy-ipv6] rule 0 name rule1

[Sysname-security-policy-ipv6-0-rule1] destination-ip-subnet 192::167:0 64

Related commands

display security-policy

destination-zone

Use destination-zone to specify a destination security zone as a filtering criterion of a security policy rule.

Use undo destination-zone to remove the specified destination security zone from a security policy rule.

Syntax

destination-zone destination-zone-name

undo destination-zone [ destination-zone-name ]

Default

No destination security zone is specified as a filtering criterion for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

object-group-name: Specifies the name of a destination security zone, a case-insensitive string of 1 to 31 characters. If you do not specify this argument when executing the undo destination-zone command, the command removes all destination security zones from the rule. For more information about security zones, see Security Configuration Guide.

Usage guidelines

You can execute the command multiple times to specify multiple destination security zones as the filtering criteria.

Examples

# Specify destination security zones trust and server as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] destination-zone trust

[Sysname-security-policy-ip-0-rule1] destination-zone server

Related commands

display security-policy

security-zone

disable

Use disable to disable a security policy rule.

Use undo disable to enable a security policy rule.

Syntax

disable

undo disable

Default

A security policy rule is enabled.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Examples

# Disable security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] disable

Related commands

display security-policy

Use display security-policy to display information about the specified security policy.

Syntax

display security-policy { ip | ipv6 }

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

ip: Specifies the IPv4 security policy.

ipv6: Specifies the IPv6 security policy.

Examples

# Display information about the IPv4 security policy.

<Sysname> display security-policy ip

Security-policy ip

rule 0 name der (Inactive)

action pass

profile er

vrf re

logging enable

counting enable period 20

counting enable TTL 1200

time-range dere

track positive 23

session aging-time 5000

session persistent aging-time 2400

source-zone trust

destination-zone trust

source-ip erer

source-ip-host 1.1.1.4

source-ip-subnet 1.1.1.0 255.255.255.0

source-ip-range 2.2.1.1 3.3.3.3

destination-ip client1

destination-ip-host 5.5.1.2

destination-ip-subnet 5.5.1.0 255.255.255.0

destination-ip-range 2.2.1.1 3.3.3.3

service ftp

service-port tcp

service-port tcp source lt 100 destination eq 104

service-port tcp source eq 100 destination range 104 2000

service-port udp

service-port udp source gt 100 destination eq 104

service-port udp destination eq 100

service-port icmp 100 122

service-port icmp

app-group ere

application 110Wang

user der

user-group ere

Table 1 Command output

Field	Description
rule id name rule-name	Rule ID and rule name.
action pass	Rule action: · pass—Allows matched packets to pass. · drop—Drops matched packets.
profile app-profile-name	DPI application profile applied to the rule.
vrf vrf-name	MPLS L3VPN instance whose packets can be filtered by the rule.
logging enable	Indicates that logging for matched packets is enabled.
counting enable period value	Indicates that statistics collection for matched packets is enabled. The value argument represents the enabling period in minutes.
counting enable TTL time-value	Indicates that statistics collection for matched packets is enabled. The time-value argument represents the remaining enabling period in seconds.
time-range time-range-name	Time range during which the rule is in effect.
track negative 1 (Active)	Track entry and track entry state associated with the security policy rule.
session aging-time time-value	Session aging time.
session persistent aging-time time-value	Persistent session aging time.
source-zone zone-name	Source security zone that acts as a filtering criterion.
destination-zone zone-name	Destination security zone that acts as a filtering criterion.
source-ip object-group-name	Source IP address object group that acts as a filtering criterion.
source-ip-host ip-address	Source IP host address that acts as a filtering criterion.
source-ip-subnet ip-address	Source IP subnet that acts as a filtering criterion.
source-ip-range ip-address1 ip-address2	Source IP address range that acts as a filtering criterion.
destination-ip object-group-name	Destination IP address object group that acts as a filtering criterion.
destination-ip-host ip-address	Destination IP host address that acts as a filtering criterion.
destination-ip-subnet ip-address	Destination IP subnet that acts as a filtering criterion.
destination-ip-range ip-address1 ip-address2	Destination IP address range that acts as a filtering criterion.
service object-group-name	Service object group that acts as a filtering criterion.
service-port protocol	Service port that acts as a filtering criterion.
app-group app-group-name	Application group that acts as a filtering criterion.
application application-name	Application that acts as a filtering criterion.
user user-name	User that acts as a filtering criterion.
user-group user-group-name	User group that acts as a filtering criterion.

Related commands

security-policy ip

security-policy ipv6

display security-policy statistics

Use display security-policy statistics to display security policy statistics.

Syntax

display security-policy statistics { ip | ipv6 } [ rule rule-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

ip: Specifies the IPv4 security policy.

ipv6: Specifies the IPv6 security policy.

rule rule-name: Specifies a security policy rule by its name, a case-insensitive string of 1 to 127 characters. If you do not specify this option, the command displays statistics about all security policy rules of the specified IP version.

Examples

# Display statistics about IPv4 security policy rule abc.

<Sysname> display security-policy statistics ip rule abc

rule 0 name abc

action: pass (5 packets, 1000 bytes)

Table 2 Command output

Field	Description
rule id name rule-name	Rule ID and rule name.
action	Rule action: · pass—Allows matched packets to pass. · drop—Drops matched packets.
x packets, y bytes	The rule has matched x packets, a total of y bytes. This field is displayed only if the counting enable or the logging enable command has been executed for the rule.

Related commands

reset security-policy statistics

group move

Use group move to move a security policy rule group to change the match order of security policy rules.

Syntax

group move group-name1 { after | before } { group group-name2 | rule rule-name }

Views

Security policy view

Predefined user roles

network-admin

context-admin

Parameters

group-name1: Specifies the name of the security policy rule group to be moved, a case-insensitive string of 1 to 63 characters.

after: Moves the security policy rule group to the place after the target security policy rule group or the target security policy rule.

before: Moves the security policy rule group to the place before the target security policy rule group or the target security policy rule.

group group-name2: Specifies the name of the target security policy rule group, a case-insensitive string of 1 to 63 characters.

rule rule-name: Specifies the name of the target security policy rule, a case-insensitive string of 1 to 127 characters.

Usage guidelines

If you specify a target security policy rule that belongs to a security policy rule group, follow these restrictions and guidelines:

· If the target rule is neither the start nor end rule of the group, you cannot move a security policy rule group to the place before or after the rule.

· If the target rule is the start rule of the group, you can only move a security policy rule group to the place before the rule.

· If the target rule is the end rule of the group, you can only move a security policy rule group to the place after the rule.

Examples

# Move security policy rule group group1 to the place before security policy rule group group2.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] group move group1 before group group2

group name

Use group name to create a security policy rule group and add security policy rules to the group, or add security policy rules to an existing security policy rule group.

Use undo group name to delete a security policy rule group.

Syntax

group name group-name [ from rule-name1 to rule-name2 ] [ description description-text ] [ disable | enable ]

undo group name group-name [ description | include-member ]

Default

No security policy rule group exists.

Views

Security policy view

Predefined user roles

network-admin

context-admin

Parameters

group-name: Specifies a security policy rule group name, a case-insensitive string of 1 to 63 characters.

from rule-name1: Specifies the start rule of a rule list. The rule-name1 argument represents the security policy rule name, a case-insensitive string of 1 to 127 characters.

to rule-name2: Specifies the end rule of the rule list. The rule-name2 argument represents the security policy rule name, a case-insensitive string of 1 to 127 characters.

description description-text: Specifies the security policy description, a case-sensitive string of 1 to 127 characters. By default, no description is specified for a security policy rule group.

disable: Disables the security policy rule group.

enable: Enables the security policy rule group. By default, a security policy rule group is enabled.

include-member: Specifies security policy rules in the security policy rule group.

Usage guidelines

Security policy rule grouping allows users to enable, disable, delete, and move security policy rules in batches.

A security policy rule in a security policy rule group takes effect only when both the rule and the group are enabled.

To add a list of security policy rules, make sure the end rule is listed behind the start rule and the specified rules do not belong to any other security policy rule group.

When you execute the undo command, follow these restrictions and guidelines:

· The undo group name group-name command deletes only the specified security policy rule group.

· The undo group name group-name description command deletes only the description for the specified security policy rule group.

· The undo group name group-name include-member command deletes both the specified security policy rule group and all the security policy rules in the group.

Examples

# Create security policy rule group group1, add security policy rules rule-name1 through rule-name10 to the group, and specify the group description as marketing.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] group name group1 from rule-name1 to rule-name10 enable description marketing

group rename

Use group rename to rename a security policy rule group.

Syntax

group rename old-name new-name

Views

Security policy view

Predefined user roles

network-admin

context-admin

Parameters

old-name: Specifies the name of a security policy rule group, a case-insensitive string of 1 to 63 characters.

new-name: Specifies a new name for the security policy rule group, a case-insensitive string of 1 to 63 characters.

Examples

# Rename security policy rule group group1 to group2.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] group rename group1 group2

logging enable

Use logging enable to enable logging for matched packets.

Use undo logging enable to disable logging for matched packets.

Syntax

logging enable

undo logging enable

Default

Logging for matched packets is disabled.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Usage guidelines

This feature enables the security policy module to send log messages to the information center or to fast output log messages when packets match a security policy.

With the information center or fast log output, you can set log message filtering and output rules, including output destinations.

The information center can output packet matching logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.

To view packet matching logs stored on the device, use the display logbuffer command or open the security policy log page from the Web interface of the device. Make sure you do not disable log output to the log buffer, which is enabled by default.

For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Enable matched packet logging for security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] logging enable

Related commands

display security-policy

move rule

Use move rule to move a security policy rule by rule ID.

Syntax

move rule rule-id1 { { after | before } rule-id2 | bottom | down | top | up }

Views

IPv4 security policy view

IPv6 security policy view

Predefined user roles

network-admin

context-admin

Parameters

rule-id1: Specifies the ID of a rule to be moved, in the range of 0 to 4294967290.

after: Moves the rule to the position after the target rule.

before: Moves the rule to the position before the target rule.

rule-id2: Specifies the ID of the target rule. The target rule ID is in the range of 0 to 4294967295. If you specify 4294967295 as the target rule ID, the rule is moved to the end of the list.

bottom: Moves the rule to the end of the list.

down: Moves the rule one position down.

top: Moves the rule to the beginning of the list.

up: Moves the rule one position up.

Usage guidelines

The system does not execute the command in the following situations:

· You specify the same value for the rule-id1 and rule-id2 arguments.

· You specify a nonexistent rule.

Examples

# Insert rule 5 before rule 2 for the IPv4 security policy.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] move rule 5 before 2

Related commands

rule

security-policy ip

security-policy ipv6

move rule name

Use move rule name to move a security policy rule by rule name.

Syntax

move rule name rule-name1 { { after | before } name rule-name2 | bottom | down | top | up }

Views

Security policy view

Predefined user roles

network-admin

context-admin

Parameters

rule-name1: Specifies the name of the rule to move, a case-insensitive string of 1 to 127 characters.

after: Move the rule to the place after the destination rule.

before: Move the rule to the place before the destination rule.

name rule-name2: Specify the name of the destination rule, a case-insensitive string of 1 to 127 characters.

bottom: Move the rule to the end of the security policy.

down: Move the rule down one place.

top: Move the rule to the beginning of the security policy.

up: Move the rule up one place.

Usage guidelines

You can move a rule to change its packet matching priority.

Examples

# Move rule rule1 to the place before rule rule2.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] move rule name rule1 before name rule2

Related commands

rule

security-policy ip

security-policy ipv6

parent-group

Use parent-group to specify a security policy rule group for a security policy rule.

Use undo parent-group to restore the default.

Syntax

parent-group group-name

undo parent-group

Default

A security policy rule does not belong to any security policy rule group.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

group-name: Specifies the name of a security policy rule group, a case-insensitive string of 1 to 63 characters.

Examples

# Assign security policy rule rule1 to security policy rule group group1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 1 name rule1

[Sysname-security-policy-ip-1-rule1] parent-group group1

profile

Use profile to apply a DPI application profile to a security policy rule.

Use undo profile to remove the DPI application profile applied to a security policy rule.

Syntax

profile app-profile-name

undo profile

Default

No DPI application profile is applied to a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

app-profile-name: Specifies the name of a DPI application profile, a case-insensitive string of 1 to 63 characters. For more information about DPI application profiles, see DPI engine in DPI Configuration Guide.

Usage guidelines

This feature enables the device to perform DPI on packets matching the specified rule. For more information about DPI, see DPI Configuration Guide.

This feature takes effect only when the rule action is pass.

Examples

# Apply DPI application profile p1 to IPv4 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] action pass

[Sysname-security-policy-ip-0-rule1] profile p1

Related commands

action pass

app-profile (DPI Command Reference)

display security-policy ip

reset security-policy statistics

Use reset security-policy statistics to clear security policy statistics.

Syntax

reset security-policy statistics [ ip | ipv6 ] [ rule rule-name ]

Views

Any view

Predefined user roles

network-admin

context-admin

Parameters

ip: Specifies the IPv4 security policy.

ipv6: Specifies the IPv6 security policy.

rule rule-name: Specifies a security policy rule by its name, a case-insensitive string of 1 to 127 characters.

Usage guidelines

If you do not specify any keyword or option, the command clears all security policy statistics.

Examples

# Clear the security policy statistics about IPv4 security policy rule abc.

<Sysname> reset security-policy statistics ip rule abc

Related commands

display security-policy statistics

rule

Use rule to create a security policy rule and enter its view, or enter the view of an existing security policy rule.

Use undo rule to delete the specified security policy rule.

Syntax

rule { rule-id | [ rule-id ] name rule-name }

undo rule { rule-id | name rule-name } *

Default

No security policy rules exist.

Views

IPv4 security policy view

IPv6 security policy view

Predefined user roles

network-admin

context-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 4294967290. If you do not specify an ID for the rule, the system automatically assigns the rule the integer next to the greatest ID being used. If the greatest ID is 4294967290, the system assigns the rule the smallest unused number in the range.

rule-name: Specifies a globally unique rule name, a case-insensitive string of 1 to 127 characters. The name cannot be default. You must specify a rule name when creating a rule.

Examples

# Create an IPv4 security policy rule with rule ID 0 and rule name rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1]

Related commands

display security-policy ip

display security-policy ipv6

rule rename

Use rule rename to rename a security policy rule.

Syntax

rule rename old-name new-name

Views

Security policy view

Predefined user roles

network-admin

context-admin

Parameters

old-name: Specifies the current name, a case-insensitive string of 1 to 127 characters.

new-name: Specifies the new name, a case-insensitive string of 1 to 127 characters. The name must be globally unique and cannot be default.

Examples

# Change the name of security policy rule rule1 to rule2.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule rename rule1 rule2

Related commands

rule

security-policy ip

security-policy ipv6

security-policy

Use security-policy to enter security policy view.

Use undo security-policy to delete all configurations in security policy view.

Syntax

security-policy { ip | ipv6 }

undo security-policy { ip | ipv6 }

Default

No configurations exist in security policy view.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

ip: Specifies the IPv4 security policy.

ipv6: Specifies the IPv6 security policy.

Usage guidelines

CAUTION:

· The undo security-policy { ip | ipv6 } command directly deletes all security policy configurations and might cause network interruptions.

· If the security policy feature is enabled, object policy settings lose effect the first time you enter the security policy view. Make sure policy settings have been switched to security policy settings before you enter the security policy view.

Examples

# Enter IPv4 security policy view.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip]

# Delete all IPv4 security policy configurations.

<Sysname> system-view

[Sysname] undo security-policy ip

This command willdelete all rules from the current policy. Continue anyway? [Y/N]:

Related commands

display security-policy

security-policy config-logging send-time

Use security-policy config-logging send-time to set the time at which the device fast outputs security policy settings as logs every day.

Use undo security-policy config-logging send-time to restore the default.

Syntax

security-policy config-logging send-time time

undo security-policy config-logging send-time

Default

The device fast outputs security policy settings as logs every day at 0 o'clock.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

time: Specify the time at which the device fast outputs security policy settings as logs, in the format of hh:mm. The value range for the hh argument is 00 to 23 and the value range for the mm argument is 00 to 59.

Usage guidelines

After the customlog format security-policy sgcc command is executed, the device fast outputs settings of enabled security policies as logs in SGCC format every day at the specified time. For more information about fast log output, see Network Management and Monitoring Configuration Guide.

Examples

# Configure the device to fast output security policy settings as logs every day at 13:15.

<Sysname>system-view

[Sysname] security-policy config-loggging send-time 13:15

Related commands

customlog format security-policy sgcc (Network Management and Monitoring Command Reference)

customlog host export security-policy (Network Management and Monitoring Command Reference)

security-policy disable

Use security-policy disable to disable the security policy feature.

Use undo security-policy disable to enable the security policy feature.

Syntax

security-policy disable

undo security-policy disable

Default

The security policy feature is enabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

CAUTION:

The security-policy disable command disables the security policy feature and might cause traffic interruption.

Security policy settings take effect only when the security policy feature is enabled.

Examples

# Disable the security policy feature.

<Sysname> system-view

[Sysname] security-policy disable

service

Use service to specify a service object group as a filtering criterion of a security policy rule.

Use undo service to remove the specified service object group from a security policy rule.

Syntax

service { object-group-name | any }

undo service [ object-group-name | any ]

Default

No service object group is specified as a filtering criterion for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

object-group-name: Specifies the name of a service object group, a case-insensitive string of 1 to 63 characters.

any: Specifies all service object groups.

Usage guidelines

You can execute the command multiple times to specify multiple service object groups as the filtering criteria.

If you specify neither an object group nor the any keyword when executing the undo service command, the command removes all service object groups from the security policy rule.

For a security policy rule, the number of configured service object groups cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.

Examples

# Specify service object groups http and ftp as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] service http

[Sysname-security-policy-ip-0-rule1] service ftp

Related commands

display security-policy

object-group

service-port

Use service-port to specify a service port as a filtering criterion of a security policy rule.

Use undo service-port to remove the specified service port range from a security policy rule.

Syntax

service-port protocol [ { destination { { eq | lt | gt } port | range port1 port2 } | source { { eq | lt | gt } port | range port1 port2 } } * | icmp-type icmp-code | icmpv6-type icmpv6-code ]

undo service-port [ protocol [ { destination { { eq | lt | gt } port | range port1 port2 } | source { { eq | lt | gt } port | range port1 port2 } } * | icmp-type icmp-code | icmpv6-type icmpv6-code ] ]

Default

No service port is specified as a filtering criterion for a security policy rule.

Views

IPv4 security policy rule view

IPv6 security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

protocol: Specify the number or name of a protocol. The protocol number value ranges and available protocol names vary by command execution view.

· In IPv4 security policy view, the value range for protocol numbers is 0 to 57 and 59 to 255. Available protocol names include tcp, udp, and icmp, whose protocol numbers are 6, 17, and 1, respectively.

· In IPv6 security policy view, the value range for protocol numbers is 0 and 2 to 255. Available protocol names include tcp, udp, and icmp, whose protocol numbers are 6, 17, and 58, respectively.

destination: Specifies the destination port. This configuration takes effect only when the protocol is TCP or UDP.

source: Specifies the source port. This configuration takes effect only when the protocol is TCP or UDP.

eq: Specifies the specified port.

lt: Specifies all ports whose port numbers are smaller than the specified port. If you specify this keyword, the specified port number cannot be 0.

gt: Specifies all ports whose port numbers are larger than the specified port. If you specify this keyword, the specified port number cannot be 65535.

port: Specifies a port number in the range of 0 to 65535.

range port1 port2: Specifies a range of port numbers. The port1 argument represents the start port and the port2 argument represents the end port. Each port number is in the range of 0 to 65535.

icmp-type: Specifies an ICMP message type in the range of 0 to 255. This configuration takes effect only when the protocol is ICMP.

icmp-code: Specifies the ICMP message code in the range of 0 to 255.

icmpv6-type: Specifies an ICMPv6 message type in the range of 0 to 255. This configuration takes effect only when the protocol is ICMPv6.

icmpv6-code: Specifies the ICMPv6 message code in the range of 0 to 255.

Usage guidelines

You can execute this command multiple times to specify multiple service ports as the filtering criteria.

If you specify a service port that has been configured as a service port filtering criterion, the command execution fails.

For a security policy rule, the number of configured service ports cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.

When you specify the range keyword, following these restrictions and guidelines:

· If port1 is the same as port2, the command takes effect as if you specified the eq keyword.

· If port1 is 0, the command takes effect as if you specified the lt keyword with port2 as the specified port.

· If port2 is 65535, the command takes effect as if you specified the gt keyword with port1 as the specified port.

· If port1 is larger than port2, the system automatically changes the port range to [port2, port1].

If you do not specify any keyword or argument when executing the undo command, the command removes all service ports from the security policy rule.

Examples

# Specify TCP destination and source ports as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] service-port tcp destination range 100 200 source eq 100

# Specify ICMP destination and source ports as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] service-port icmp 100 150

Related commands

display security-policy

session aging-time

Use session aging-time to set the session aging time for a security policy rule.

Use undo session aging-time to restore the default.

Syntax

session aging-time time-value

undo session aging-time

Default

The session aging time is not configured for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

time-value: Specifies the aging time in the range of 1 to 2000000 seconds.

Usage guidelines

CAUTION:

Setting too long an aging time might cause persistent sessions to increase rapidly and therefore cause the CPU usage to be high.

This command sets the aging time for stable sessions created for packets matching the specified security policy rule, and takes effect only on newly created sessions.

If the aging time is not configured for a rule, the stable sessions use the aging time set by using the session aging-time application or the session aging-time state command. For more information about session management, see Security Configuration Guide.

Unstable sessions age based on the default session aging time configured.

Examples

# Set the session aging time to 5000 seconds for security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] action pass

[Sysname-security-policy-ip-0-rule1] session aging-time 5000

Related commands

display security-policy

session aging-time application

session aging-time state

session persistent acl

session persistent aging-time

Use session persistent aging-time to set the aging time for persistent sessions.

Use undo session persistent aging-time to restore the default.

Syntax

session persistent aging-time time-value

undo session persistent aging-time

Default

The persistent session aging time is not configured for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

time-value: Specifies the aging time in the range of 0 to 24000 hours. If you set the aging time to 0, persistent sessions do not age out.

Usage guidelines

This command is effective only on TCP sessions in ESTABLISHED state.

It sets the aging time for persistent sessions created for packets matching the specified security policy rule, and takes effect only on newly created sessions.

The aging time configured by using this command takes precedence over the aging times configured by using the session aging-time and session persistent acl commands.

Examples

# Set the persistent session aging time to one hour for security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] action pass

[Sysname-security-policy-ip-0-rule1] session persistent aging-time 1

Related commands

display security-policy

session persistent acl

source-ip

Use source-ip to specify a source IP address object group as a filtering criterion of a security policy rule.

Use undo source-ip to remove the specified source IP address object group from a security policy rule.

Syntax

source-ip object-group-name

undo source-ip [ object-group-name ]

Default

No source IP address object group is specified as a filtering criterion for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

object-group-name: Specifies the name of a source IP address object group, a case-insensitive string of 1 to 63 characters. The name cannot be any. If you do not specify this argument when executing the undo source-ip command, the command removes all source IP address object groups from the rule. For more information about object groups, see Security Configuration Guide.

Usage guidelines

You can execute the command multiple times to specify multiple source IP address object groups as the filtering criteria.

For a security policy, the number of configured source IP addresses cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.

Examples

# Specify source IP address object groups server1 and server2 as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] source-ip server1

[Sysname-security-policy-ip-0-rule1] source-ip server2

Related commands

display security-policy

object-group

source-ip-host (IPv4 security policy view)

Use source-ip-host to specify a source IPv4 host address as a filtering criterion of a security policy rule.

Use undo source-ip-host to remove the specified source IPv4 host address from a security policy rule.

Syntax

source-ip-host ip-address

undo source-ip-host [ ip-address ]

Default

No source IPv4 host address is specified as a filtering criterion for a security policy rule.

Views

IPv4 security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

ip-address: Specifies the IPv4 address of a host. If you do not specify this argument when executing the undo command, the command removes all source IPv4 host addresses from the security policy rule.

Usage guidelines

You can execute the command multiple times to specify multiple source IPv4 host addresses as the filtering criteria.

If you specify an IP address that has been configured as a source host filtering criterion, the command execution fails and the system prompts an error.

For a security policy rule, the sum of configured source host addresses, source subnets, and source address ranges cannot exceed 1024. If the limit has been reached, any command execution to add such a filtering criterion fails and the system prompts an error.

Examples

# Specify source IPv4 host address 192.167.0.1 as the filtering criteria of IPv4 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] source-ip-host 192.167.0.1

Related commands

display security-policy

source-ip-host (IPv6 security policy view)

Use source-ip-host to specify a source IPv6 host address as a filtering criterion of a security policy rule.

Use undo source-ip-host to remove the specified source IPv6 host address from a security policy rule.

Syntax

source-ip-host ipv6-address

undo source-ip-host [ ipv6-address ]

Default

No source IPv6 host address is specified as a filtering criterion for a security policy rule.

Views

IPv6 security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

ipv6-address: Specifies the IPv6 address of a host. If you do not specify this argument when executing the undo command, the command removes all source IPv6 host addresses from the security policy rule.

Usage guidelines

You can execute the command multiple times to specify multiple source IPv6 host addresses as the filtering criteria.

If you specify an IP address that has been configured as a source host filtering criterion, the command execution fails and the system prompts an error.

Examples

# Specify source IPv6 host address 192::167:1 as the filtering criteria of IPv6 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ipv6

[Sysname-security-policy-ipv6] rule 0 name rule1

[Sysname-security-policy-ipv6-0-rule1] source-ip-host 192::167:1

Related commands

display security-policy

source-ip-range (IPv4 security policy view)

Use source-ip-range to specify a source IPv4 address range as a filtering criterion of a security policy rule.

Use undo source-ip-range to remove the specified source IPv4 address range from a security policy rule.

Syntax

source-ip-range ip-address1 ip-address2

undo source-ip-range [ ip-address1 ip-address2 ]

Default

No source IPv4 address range is specified as a filtering criterion for a security policy rule.

Views

IPv4 security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

Usage guidelines

You can execute the command multiple times to specify multiple source IPv4 address ranges as the filtering criteria.

If you specify an IP address range that has been configured as a source IP range filtering criterion, the command execution fails and the system prompts an error.

When you specify an IP address range, follow these restrictions and guidelines:

· If the start IP address is the same as the end IP address, the command creates a host address filtering criteria.

· If the start IP address and the end IP address define a subnet, the command creates a subnet filtering criteria.

· If ip-address1 is greater than ip-address2, the system automatically adjusts the range to [ ip-address2, ip-address1 ].

Examples

# Specify source IPv4 address range 192.165.0.100 to 192.165.0.200 as the filtering criteria of IPv4 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] source-ip-range 192.165.0.100 192.165.0.200

Related commands

display security-policy

source-ip-range (IPv6 security policy view)

Use source-ip-range to specify a source IPv6 address range as a filtering criterion of a security policy rule.

Use undo source-ip-range to remove the specified source IPv6 address range from a security policy rule.

Syntax

source-ip-range ipv6-address1 ipv6-address2

undo source-ip-range [ ipv6-address1 ipv6-address2 ]

Default

No source IPv6 address range is specified as a filtering criterion for a security policy rule.

Views

IPv6 security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

Usage guidelines

You can execute the command multiple times to specify multiple source IPv6 address ranges as the filtering criteria.

If you specify an IP address range that has been configured as a source IP range filtering criterion, the command execution fails and the system prompts an error.

When you specify an IP address range, follow these restrictions and guidelines:

· If the start IP address is the same as the end IP address, the command creates a host address filtering criteria.

· If the start IP address and the end IP address define a subnet, the command creates a subnet filtering criteria.

· If ipv6-address1 is greater than ipv6-address2, the system automatically adjusts the range to [ ipv6-address2, ipv6-address1 ].

Examples

# Specify source IPv6 address range 192::165:100 to 192::165:200 as the filtering criteria of IPv6 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ipv6

[Sysname-security-policy-ipv6] rule 0 name rule1

[Sysname-security-policy-ipv6-0-rule1] source-ip-range 192::165:100 192::165:200

Related commands

display security-policy

source-ip-subnet (IPv4 security policy view)

Use source-ip-subnet to specify a source IPv4 subnet as a filtering criterion of a security policy rule.

Use undo source-ip-subnet to remove the specified source IPv4 subnet from a security policy rule.

Syntax

source-ip-subnet ip-address { mask-length | mask }

undo source-ip-subnet [ ip-address { mask-length | mask } ]

Default

No source IPv4 subnet is specified as a filtering criterion for a security policy rule.

Views

IPv4 security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

Usage guidelines

You can execute the command multiple times to specify multiple source IPv4 subnets as the filtering criteria.

If you specify a subnet that has been configured as a source subnet filtering criterion, the command execution fails and the system prompts an error.

Examples

# Specify the source subnet with IP address 192.167.0.0 and mask length 24 as a filtering criteria of IPv4 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] source-ip-subnet 192.167.0.0 24

# Specify the source subnet with IP address 192.166.0.0 and mask 255.255.0.0 as a filtering criteria of IPv4 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] source-ip-subnet 192.166.0.0 255.255.0.0

Related commands

display security-policy

source-ip-subnet (IPv6 security policy view)

Use source-ip-subnet to specify a source IPv6 subnet as a filtering criterion of a security policy rule.

Use undo source-ip-subnet to remove the specified source IPv6 subnet from a security policy rule.

Syntax

source-ip-subnet ipv6-address prefix-length

undo source-ip-subnet [ ipv6-address prefix-length ]

Default

No source IPv6 subnet is specified as a filtering criterion for a security policy rule.

Views

IPv6 security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

Usage guidelines

You can execute the command multiple times to specify multiple source IPv6 subnets as the filtering criteria.

If you specify a subnet that has been configured as a source subnet filtering criterion, the command execution fails and the system prompts an error.

Examples

# Specify the source subnet with IPv6 address 192: 167::0 and prefix length 64 as a filtering criteria of IPv6 security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ipv6

[Sysname-security-policy-ipv6] rule 0 name rule1

[Sysname-security-policy-ipv6-0-rule1] source-ip-subnet 192:167::0 64

Related commands

display security-policy

source-mac

Use source-mac to specify a source MAC address object group as a filtering criterion of a security policy rule.

Use undo source-mac to remove the specified source MAC address object group from a security policy rule.

Syntax

source-mac object-group-name

undo source-mac [ object-group-name ]

Default

No source MAC address object group is specified as a filtering criterion for a security policy rule.

Views

IPv4 security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

object-group-name: Specifies the name of a source MAC address object group, a case-insensitive string of 1 to 63 characters. The name cannot be any. If you do not specify this argument when executing the undo source-mac command, the command removes all source MAC address object groups from the rule. For more information about MAC address object groups, see Security Configuration Guide.

Usage guidelines

You can execute the command multiple times to specify multiple source MAC address object groups as the filtering criteria.

Examples

# Specify source MAC address object groups mac1 and mac2 as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] source-mac mac1

[Sysname-security-policy-ip-0-rule1] source-mac mac2

Related commands

display security-policy

object-group

source-zone

Use source-zone to specify a source security zone as a filtering criterion of a security policy rule.

Use undo source-zone to remove the specified source security zone from a security policy rule.

Syntax

source-zone source-zone-name

undo source-zone [ source-zone-name ]

Default

No source security zone is specified as a filtering criterion for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

source-zone-name: Specifies the name of a source security zone, a case-insensitive string of 1 to 63 characters. If you do not specify this argument when executing the undo source-zone command, the command removes all source security zones from the rule. For more information about security zones, see Security Configuration Guide.

Usage guidelines

You can execute the command multiple times to specify multiple source security zones as the filtering criteria.

Examples

# Specify source security zones trust and dmz as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] source-zone trust

[Sysname-security-policy-ip-0-rule1] source-zone dmz

Related commands

display security-policy

security-zone

time-range

Use time-range to specify the time range during which a security policy rule is in effect.

Use undo time-range to restore the default.

Syntax

time-range time-range-name

undo time-range [ time-range-name ]

Default

A security policy rule is in effect at any time.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

time-range-name: Specifies the name of a time range, a case-insensitive string of 1 to 32 characters. If you do not specify this parameter for an undo operation, the command deletes the time range during which the rule takes effect. For more information about time ranges, see ACL and QoS Configuration Guide.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable security policy rule rule1 to be in effect during time range work.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] time-range work

Related commands

display security-policy

time-range (ACL and QoS Command Reference)

track

Use track to associate a security policy rule with a track entry.

Use undo track to disassociate a security policy rule from the track entry.

Syntax

track { negative | positive } track-entry-number

undo track

Default

No track entry is associated with a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

negative: Specifies the Negative state of a track entry.

positive: Specifies the Positive state of a track entry.

track-entry-number: Specifies the number of a track entry, in the range of 1 to 1024. For more information about Track, see Network Management and Monitoring Configuration Guide.

Usage guidelines

Use this command to enable the collaboration between the track module and a security policy rule. The collaboration operates as follows:

· If a rule is associated with the Negative state of a track entry, the device:

¡ Sets the rule state to Active if the track entry is in Negative state.

¡ Sets the rule state to Inactive if the track entry is in Positive state.

· If a rule is associated with the Positive state of a track entry, the device:

¡ Sets the rule state to Active if the track entry is in Positive state.

¡ Sets the rule state to Inactive if the track entry is in Negative state.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Associate security policy rule rule1 with the Positive state of track entry 10.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] track positive 10

Related commands

display security-policy

track bfd (Network Management and Monitoring Command Reference)

track interface (Network Management and Monitoring Command Reference)

track ip route reachability (Network Management and Monitoring Command Reference)

track nqa (Network Management and Monitoring Command Reference)

user

Use user to specify a user as a filtering criterion of a security policy rule.

Use undo user to remove the specified user filtering criterion from a security policy rule.

Syntax

user username [ domain domain-name ]

undo user [ username [ domain domain-name ] ]

Default

No user is specified as a filtering criterion for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

username: Specifies a username, a case-sensitive string of 1 to 55 characters. The name cannot be a, al, or all and cannot contain at signs (@). If you do not specify this argument when executing the undo user command, the command removes all users from the rule. For more information about users and identity domains, see user identification in Security Configuration Guide.

domain domain-name: Matches the user in an identity domain. The domain-name argument represents the identity domain name, a case-insensitive string of 1 to 255 characters. The string cannot contain forward slashes (/), backslashes (\), vertical bars (|), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), or at signs (@). If you do not specify this option, the command matches the user among users that do not belong to any identity domain.

Usage guidelines

You can execute the command multiple times to specify multiple users as the filtering criteria.

Examples

# Specify users usera and userb in identity domain test as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] user usera domain test

[Sysname-security-policy-ip-0-rule1] user userb domain test

Related commands

display security-policy

user-identity enable

user-identity static-user

user-group

Use user-group to specify a user group as a filtering criterion of a security policy rule.

Use undo user-group to remove the specified user group filtering criterion from a security policy rule.

Syntax

user-group user-group-name [ domain domain-name ]

undo user-group [ user-group-name [ domain domain-name ] ]

Default

No user group is specified as a filtering criterion for a security policy rule.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

user-group-name: Specifies the name of a user group, a case-insensitive string of 1 to 200 characters. If you do not specify this argument when executing the undo user-group command, the command removes all user groups from the rule. For more information about user groups and identity domains, see user identification in Security Configuration Guide.

domain domain-name: Matches the user group in an identity domain. The domain-name argument represents the identity domain name, a case-insensitive string of 1 to 255 characters. The string cannot contain forward slashes (/), backslashes (\), vertical bars (|), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), or at signs (@). If you do not specify this option, the command matches the user group among user groups that do not belong to any identity domain.

Usage guidelines

You can execute the command multiple times to specify multiple user groups as the filtering criteria.

Examples

# Specify user groups groupa and groupb in identity domain test as the filtering criteria of security policy rule rule1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] user-group groupa domain test

[Sysname-security-policy-ip-0-rule1] user-group groupb domain test

Related commands

display security-policy

user-group

vrf

Use vrf to configure a security policy rule to take effect on received packets of the specified MPLS L3VPN instance.

Use undo vrf to restore the default.

Syntax

vrf vrf-name

undo vrf

Default

A security policy rule takes effect on received packets of the public network.

Views

Security policy rule view

Predefined user roles

network-admin

context-admin

Parameters

vrf-name: Specifies the name of an MPLS L3VPN instance, a case-sensitive string of 1 to 31 characters.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure security policy rule rule1 to take effect on received packets of MPLS L3VPN instance vpn1.

<Sysname> system-view

[Sysname] security-policy ip

[Sysname-security-policy-ip] rule 0 name rule1

[Sysname-security-policy-ip-0-rule1] user-group groupa

[Sysname-security-policy-ip-0-rule1] user-group groupb

Related commands

display security-policy

03-Security Command Reference

move rule

Cloud & AI

InterConnect

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Resources

Partner Business Management

Company Information

News & Events

Contact Us