Access Lists Tab
Configuration > Templates & Policies > Policies > ACLs > Access Lists
This tab lists the configured Access Control List (ACL) rules. An ACL is a reusable MATCH criteria for filtering flows. It is associated with an action: permit or deny. An ACL can be a MATCH condition in more than one policy—Route, QoS, or Optimization.
Field | Description |
---|---|
Appliance Name | Name the appliance selected. |
ACLs | Access Control Lists. A list of one or more ordered access control rules. NOTE: An ACL only becomes active when it is used in a policy. |
Priority |
|
Match Criteria | Configured ACL match criteria associated to the appliance. See below for more information about Match Criteria. |
Permit | Whether the ACL is set to Permit or Deny.
|
Comment | Any additional information about the ACL. |
Click the edit icon to make add, delete, or modify rules to your ACLs.
Match Criteria
These are universal across all policy maps—Route, QoS, Optimization, NAT (Network Address Translation), and Security.
If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List), which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates & Policies > ACLs > Access Lists, and apply them across appliances.
The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, and Traffic Behavior.
To specify different criteria for inbound versus outbound traffic, select the Source:Dest check box.
Wildcard-based Prefix Matching
When using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by the dot notation. For example, A.B.C.D.
Range is specified using a dash. For example, 128-129.
Wildcard is specified as an asterisk (*).
Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For example, 10.136-137.*.64-95.
A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. The correct way to specify this range is 10.130-139.*.64-94.
The same rules apply to IPv6 addressing.
CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either 192.168.0.0/24 or 192.168.0.1-127.
These prefix-matching rules only apply to the following policies: Router, QoS, Optimization, NAT, Security, and ACLs.
Access Lists Edit Row
The Access Lists dialog box lists the configured Access Control List (ACL) rules.
You can add, delete, or rename an ACL by clicking the buttons at the top of this dialog box. You can also add rules to an ACL.
Click Add Rule.
Enter a priority value.
Click the edit icon to configure the match criteria. The Match Criteria dialog box opens and you can specify the match criteria. Click More Options to apply more rules.
Select if you want to Permit or Deny traffic in the ACL.
Enter any comments if you decide to do so.