Access Lists Template
Use this page to create, modify, delete, and rename Access Control Lists (ACLs).
An ACL is a reusable set of MATCH criteria for filtering flows. It is associated with an action, permit or deny. You can use the same ACL as the MATCH condition in more than one policy: Route, QoS, Optimization, or NAT.
- An ACL consists of one or more ordered access control rules.
- An ACL only becomes active when it is used in a policy.
- Deny prevents further processing of the flow by that ACL, specifically. The appliance continues to the next entry in the policy.
- Permit allows the matching traffic flow to proceed on to the policy entry’s associated SET actions. The default is permit.
- When creating ACL rules, list deny statements first, and prioritize less restrictive rules ahead of more restrictive rules.
Priority
- With this template, you can create rules with a priority from 1000 – 9999. When the template is applied to an appliance, Orchestrator will delete all rules having a priority in that range before applying its policies.
- If you access an appliance directly, you can create rules with higher priority than Orchestrator rules (1 – 999) and rules with lower priority (10000 – 19999 and 25000 – 65534).
NOTE: The priority range from 20000 to 24999 is reserved for Orchestrator.
- When adding a rule, the priority is incremented by ten from the previous rule. The priority can be changed, but this default behavior helps to ensure you can insert new rules without having to change subsequent priorities.
Match Criteria
- To specify different criteria for inbound versus outbound traffic, select the Source:Dest check box.
Source or Destination
- An IP address can specify a subnet, for example 10.10.10.0/24.
- To allow any IP address, use 0.0.0.0/0.
- Ports are available only for the protocols tcp, udp, and tcp/udp.
- To allow any port, use 0.
Wildcard-based Prefix Matching
- When using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by the dot notation. For example, A.B.C.D.
- Range is specified using a dash. For example, 128-129.
- Wildcard is specified as an asterisk (*).
- Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For example, 10.136-137.*.64-95.
- A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. The correct way to specify this range is 10.130-139.*.64-94.
- The same rules apply to IPv6 addressing.
- CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either 192.168.0.0/24 or 192.168.0.1-127.
- These prefix-matching rules only apply to the following policies: Router, QoS, Optimization, NAT, Security, and ACLs.