To configure a policy-based routing rule, specify the following parameters:

Parameter | Description
---|---
PASS OK | Action to create a rule using UPL.
enabled | Enable/disable a rule:
name | Policy-based routing rule name. Example: name("Policy-based routing rule example").
desc | A description of the rule. Example: desc("Policy-based routing rule example set via CLI").
route | Rule type (specified in the rule properties).
gateway | Select one of the existing gateways: gateway("1.1.1.1"). For more details about adding a gateway using the CLI, see Gateway Configuration.
scenario | Scenario that must be active for the rule to trigger. To specify a scenario: scenario = "Example of a scenario". For more details on configuring scenarios, see Configuring scenarios.
rule_log | Log traffic information if the rule is triggered. The available options are:
src.zone | Traffic source zone. Example: src.zone = Trusted. For more details about how to configure zones using the CLI, see the Zones section.
src.ip | Add lists of source IP addresses, MAC addresses, and domains. To specify a list of IP addresses: src.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using the CLI, see the Configuring IP addresses section. To specify a source domain list: src.ip = lib.url(). Provide, in parentheses, the name of the URL list to which the desired domains were added. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section. To specify a source MAC address, such as 02:00:00:00:00:00, use src.ip = 02:00:00:00:00:00.
src.geoip | Source GeoIP. Specify a country code (for example, src.geoip = AE). See the list of ISO 3166-1 country codes. Important! The maximum number of GeoIPs that can be specified is limited to 15.
dst.ip | Add lists of destination IP addresses, MAC addresses, and domains. To specify a list of IP addresses: dst.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using the CLI, see the Configuring IP addresses section. To specify a destination domain list: dst.ip = lib.url(). Provide, in parentheses, the name of the URL list to which the desired domains were added. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section. To specify a destination MAC address, such as 02:00:00:00:00:00, use dst.ip = 02:00:00:00:00:00.
dst.geoip | Destination GeoIP. Specify a country code (for example, dst.geoip = AE). See the list of ISO 3166-1 country codes. Important! The maximum number of GeoIPs that can be specified is limited to 15.
service | Service type. You can specify a service or a service group (for more details, see Configuring services and Configuring service groups). To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...). To specify a service group: service = lib.service(). Provide the service group name in parentheses.
user | Users and user groups to which the rule applies (local or LDAP). To add LDAP groups and users, you need a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see Configuring LDAP connectors). Examples of adding users to a rule: user = known; user = "user"; user = "testd.local\\user1"; user = ("user", "testd.local\\user1").
Example of creating and adding a policy-based routing rule using UPL:

```
Admin@nodename# create network-policy nat-routing 7 upl-rule OK \
... route \
... gateway("def") \
... name("testpbr1") \
... enabled(true) \
... rule_log(session) \
...
Admin@nodename# set network-policy nat-routing 7 upl-rule OK \
... service = (HTTPS, HTTP) \
...
Admin@nodename# set network-policy nat-routing 7 upl-rule OK \
... user = "CN=Users1,DC=LOCAL"
Admin@nodename# show network-policy nat-routing 7
% ----------------- 7 -----------------
OK \
user = "CN=Users1,DC=LOCAL" \
service = (HTTPS, HTTP) \
gateway(def) \
direction(input) \
rule_log(session) \
enabled(true) \
id("0585a95f-4707-4c11-840d-44643bc2c799") \
name(testpbr1)\
route
```
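A small pre-commit check for rules written in this syntax, added here as an example and not part of the product's CLI or the original page: it parses the one-clause-per-line form shown in the session above and flags a missing route or gateway clause, more than 15 GeoIP country codes, and malformed MAC addresses in src.ip/dst.ip. The function names, the sample rule and the clause grammar it accepts are the example's own assumptions.

```python
import re
# Constructed sample in the one-clause-per-line form of the CLI session above
# ("..." continuation prompts removed); not a rule from the original page.
SAMPLE_RULE = """OK \\
user = "CN=Users1,DC=LOCAL" \\
service = (HTTPS, HTTP) \\
src.geoip = (AE, DE, FR) \\
gateway(def) \\
enabled(true) \\
name(testpbr1) \\
route"""

MAX_GEOIP = 15  # limit stated in the parameter table
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# clause forms: "key = value", "key(arg)" or a bare keyword such as OK or route
CLAUSE_RE = re.compile(r"^(?P<key>[\w.]+)\s*(?:=\s*(?P<val>.+)|\((?P<arg>.*)\))?$")

def parse_rule(rule_text):
    """Split a rule into (key, value) clauses; value is None for bare keywords."""
    clauses = []
    for raw in rule_text.splitlines():
        line = raw.strip().rstrip("\\").strip()  # drop the line-continuation backslash
        if not line:
            continue
        m = CLAUSE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable clause: {line!r}")
        val = m.group("val") if m.group("val") is not None else m.group("arg")
        clauses.append((m.group("key"), val))
    return clauses

def list_values(val):
    val = (val or "").strip()
    if not val.startswith("("):
        return [val.strip('"')]  # a single quoted string or bare token
    return [v.strip().strip('"') for v in val[1:-1].split(",") if v.strip()]

def lint_rule(rule_text):
    """Return findings for a policy-based routing rule; an empty list means it passes."""
    clauses = parse_rule(rule_text)
    keys = [k for k, _ in clauses]
    findings = [f"missing required clause '{k}'" for k in ("route", "gateway") if k not in keys]
    for key, val in clauses:
        if key in ("src.geoip", "dst.geoip") and len(list_values(val)) > MAX_GEOIP:
            findings.append(f"{key}: {len(list_values(val))} country codes, limit is {MAX_GEOIP}")
        if key in ("src.ip", "dst.ip"):
            for v in list_values(val):
                if ":" in v and not MAC_RE.match(v):  # a value with ':' is meant as a MAC
                    findings.append(f"{key}: malformed MAC address {v!r}")
    return findings
```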