ACL Editor


Use the ACL Editor to create a new ACL or modify an existing ACL. The ACL Editor is divided into a left panel and a right panel. The left panel displays a hierarchical representation of your ACLs and their rules. The tabbed pages in the right panel display detailed information about the item selected in the left-panel tree.

To access the ACL Editor, click the button in the ACL Manager tab.

Left-Panel Tree

The left-panel tree in the ACL Editor displays all your Cataloged and Imported ACLs and their rules.

ACL Editor Left Panel

Cataloged ACLs Folder
The Cataloged ACLs folder contains all ACL folders, ACLs, and rules that have been either created using the ACL Editor or moved from the Imported ACLs folder.
Imported ACLs Folder
The Imported ACLs folder contains ACLs that have been imported from a file or from network devices and have not yet been documented and moved to the Cataloged ACLs folder.
ACLs
ACL Manager supports five types of ACLs: S/K/N 7.x+, N-Series 6.x, X-Series, XSR, and Common. The type of ACL is indicated by the ACL icon; S/K/N 7.x+ ACLs and N-Series 6.x ACLs each have their own distinct icon.
Rules
Rules provide specific access definitions within an ACL. The following icons let you differentiate between rules with permit and deny actions. Rule icons that have been commented (disabled) appear grayed-out.

Permit Rule / Commented Permit Rule
Deny Rule / Commented Deny Rule

ACL Details Tab

The ACL Details tab presents a list of all the ACLs contained within the folder selected in the left-panel tree.

ACL Editor Details Tab

Full Name
The full path to the ACL's location in the ACL Editor tree.
Name
The ACL name.
ACL Type
The ACL type: S/K/N 7.x+, N-Series 6.x, X-Series, XSR, and Common. This identifies the command line syntax of the ACL.
Last Change By
Identifies the user that made the most recent change to this ACL data. This field is updated when the device data is imported or refreshed and there have been changes to the data, or when a change is made to the ACL data through ACL Manager and saved to the database. Keep in mind that the "Last Change By" field is updated when the database data is updated, not when the device is modified, such as during an enforce.
Last Change Date
Gives the date and time of the most recent change to this ACL. This field is updated when the device data is imported or refreshed and there have been changes to the data, or when a change is made to the ACL data through ACL Manager and saved to the database. Keep in mind that the "Last Change Date" field is updated when the database data is updated, not when the device is modified, such as during an enforce.
Description
A description of the selected ACL. This is the description entered in the right-panel Description tab when an ACL is selected.

Editor Tab

The Editor tab presents a table that lists the rules contained within the selected ACL and lets you create, edit, and rearrange the rules. You can use the radio buttons at the top of the tab to select whether to display all rules contained within the ACL, or only those rules that are involved in redundancies. Rules are considered redundant if, with the exception of their Action and Logging settings:

  • they are the same rule type (when searching for redundant rules, UDP and TCP rules are treated as IP rule types when they follow an IP rule, because UDP and TCP are subsets of IP) and
  • both rules are defined by parameters that would match the same packet traffic. A more specific rule is considered redundant when it follows a more generally defined rule in the ACL. For example, a rule that defines a specific IP address as the Source Address will be considered redundant if it follows a rule that defines the Source Address as Any.

The green Reference Index arrow determines the rule that is being compared. ACL Manager compares this rule with all the remaining rules in the ACL. When a redundant rule is detected, it is marked with a red exclamation mark icon. Use the radio buttons to determine whether the list will display all of the rules in the selected ACL or only rules involved in redundancies. Select the Show Commented Rules checkbox if you would like to display rules that are commented out. The Advance Reference Index button lets you advance the Reference Index arrow to the next rule to compare. Buttons on the right side of the tab let you auto rename, edit, and rearrange rules in the list.
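The redundancy test described above amounts to a column-by-column subset check between the Reference Index rule and each rule that follows it, with Action and Logging ignored. The following is an added illustration, not ACL Manager's own code: the Rule dataclass, the protocol encoding ("ip", "tcp", "udp", "icmp"), the helper names, and the sample ACL are all constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional

ANY = None  # the "Any" wildcard shown in the IP Mask and port columns

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # Permit or Deny; ignored by the redundancy check
    protocol: str                     # "ip", "tcp", "udp" or "icmp" (hypothetical encoding)
    src: Optional[IPv4Network] = ANY  # Source IP Mask column
    dst: Optional[IPv4Network] = ANY  # Destination IP Mask column
    src_port: Optional[int] = ANY     # Src Port column
    dst_port: Optional[int] = ANY     # Dest Port column
    commented: bool = False           # commented (disabled) rules are skipped

def _net_covers(general, specific) -> bool:
    # Any matches every address; a network covers only addresses inside it.
    if general is ANY:
        return True
    return specific is not ANY and specific.subnet_of(general)

def _port_covers(general, specific) -> bool:
    return general is ANY or general == specific

def _proto_covers(general: str, specific: str) -> bool:
    # Same rule type, or TCP/UDP following an IP rule (they are subsets of IP).
    return general == specific or (general == "ip" and specific in ("tcp", "udp"))

def covers(general: Rule, specific: Rule) -> bool:
    """Every packet matched by `specific` also matches `general`, so `specific` is redundant after it."""
    return (_proto_covers(general.protocol, specific.protocol)
            and _net_covers(general.src, specific.src)
            and _net_covers(general.dst, specific.dst)
            and _port_covers(general.src_port, specific.src_port)
            and _port_covers(general.dst_port, specific.dst_port))

def find_redundant(acl: List[Rule], reference: int) -> List[str]:
    """Compare the Reference Index rule with all rules after it; return names of redundant ones."""
    ref = acl[reference]
    return [r.name for r in acl[reference + 1:] if not r.commented and covers(ref, r)]

# Constructed sample ACL: Rule3 is a Deny shadowed by the broader Permit in Rule1.
SAMPLE_ACL = [
    Rule("Rule1", "permit", "ip", dst=IPv4Network("10.0.0.0/8")),
    Rule("Rule2", "deny", "tcp", src=IPv4Network("192.168.1.0/24"), dst_port=22),
    Rule("Rule3", "deny", "tcp", src=IPv4Network("10.1.2.3/32"), dst=IPv4Network("10.0.5.0/24")),
    Rule("Rule4", "deny", "tcp", dst=IPv4Network("10.0.9.0/24"), commented=True),
]
```

Because Action is ignored, a Deny that follows a broader Permit is flagged exactly as a duplicate Permit would be; in practice that is the case worth reviewing, since the later Deny never takes effect.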

ACL Editor Tab

Item
Reference number for the rules in the selected ACL.
Name
The names of the rules in the selected ACL.
Action
The rule's action: Permit, Deny, or Remark. The rule action determines how packets that match the rule's parameters will be handled.
Permit allows access when the packet matches the protocol and parameters defined for this rule.
Deny discards the packet if it matches the protocol and parameters defined for this rule.
Remark is used as a way to add a remark to the ACL (K-Series, S-Series, and N-Series with 7.x firmware only).
Commented rules appear with a gray icon, whether permit, deny, or remark.

Protocol
The type of protocol to which this rule is applied.
Source IP Mask
This column contains a source address to be compared against the source address of an incoming packet. This can be Any source address, a specific IP address, or a subnet address. Any is a wildcard statement that automatically matches the source address in a packet's header.
Destination IP Mask
This column contains a destination address to be compared against the destination address of an incoming packet. This can be Any destination address or a specific IP address. Any is a wildcard statement that automatically matches the destination address in a packet's header.
Src Port
This column contains a source port to be compared against the source port of an incoming packet. This can be Any source port or a specific port address. Any is a wildcard statement that automatically matches the source port in a packet's header.
Dest Port
This column contains a destination port to be compared against the destination port of an incoming packet. This can be Any destination port or a specific port address. Any is a wildcard statement that automatically matches the destination port in a packet's header.
TOS
The ToS (Type of Service) value configured for the rule. The rule will allow or reject traffic based on the TOS value specified here.
Precedence
The Precedence value configured for the rule. The rule will allow or reject traffic based on the Precedence value specified here.
DSCP
The DSCP (Diffserv Codepoint) value configured for the rule. The rule will allow or reject traffic based on the DSCP value specified here.
IP Protocol Num
The IP Protocol Number configured for the rule. The rule will allow or reject traffic based on the IP Protocol Number value specified here.
Message Type
Message type for the rule. ICMP rules can be defined to allow or reject traffic based on ICMP Message Type (0 to 255).
Message Code
Message code for the rule. ICMP rules can be defined to allow or reject traffic based on ICMP Message Type. When a Message Type is specified, an optional ICMP Message Code (1 to 255) can be used to create a more specific rule.
Established
Indicates whether this rule will allow TCP/UDP responses through the router, provided the connection between two hosts is already established: true or false.
Logging
Indicates whether logging is enabled for this ACL: true or false. When enabled, a Log message is sent to the console and if you have a Syslog server configured, the same message is sent to the Syslog server.
Last Change
Indicates the date and time that the device's ACL data in the database was last changed, and the user that initiated the action. This field is updated when the device data is imported or refreshed and there have been changes to the data, or when a change is made to the ACL data through ACL Manager and saved to the database. Keep in mind that the "Last Changed By" field is updated when the database data is updated, not when the device is modified, such as during an enforce.
Notes
A description of the rule. Notes can be added when you create or edit a rule.
New Button
Opens the Add to ACL window where you can create a new rule to add to the selected ACL.
Delete Button
Deletes the selected rule or rules.
Edit Button
Opens the Edit ACL window where you can edit the selected rule.
Move Up/Move Down Buttons
Re-positions the selected rule up or down in the ACL. Each click moves the rule one row.
Move To Button
Moves the selected rule to the line number entered into the associated field.
Auto Rename Button
Renames (re-numbers) rules that were created using the default name (Rule1, Rule2, etc.) to correspond to the index numbering.
Close Redundant Rules Button
Closes the top section of the tab and removes any redundant rule indicators.

Description Tab

The Description tab provides a text box where you can enter a description for the selected ACL and keep a record of changes made to the ACL.

Sample Description Tab

ACL Editor Description Tab

Name
The ACL name.
ACL Type
The ACL type: S/K/N 7.x+, N-Series 6.x, X-Series, XSR, and Common. This identifies the command line syntax of the ACL.
Last Changed By
Identifies the user that made the most recent change to this ACL data. This field is updated when the device data is imported or refreshed and there have been changes to the data, or when a change is made to the ACL data through ACL Manager and saved to the database. Keep in mind that the "Last Changed By" field is updated when the database data is updated, not when the device is modified, such as during an enforce.
Last Changed Date
Gives the date and time of the most recent change to this ACL. This field is updated when the device data is imported or refreshed and there have been changes to the data, or when a change is made to the ACL data through ACL Manager and saved to the database. Keep in mind that the "Last Changed Date" field is updated when the database data is updated, not when the device is modified, such as during an enforce.
Description
An area where you can enter text to describe the purpose for the selected ACL.

Targets Tab

The Targets tab lists specific details about where the selected ACL is applied.

ACL Editor Targets Tab

Device
Identifies the device where the selected ACL is currently applied.
Target Type
Target Type can be an agent service (SNMP, Telnet, HTTP, or SSH) or a logical interface to which this ACL is applied.
Target
The name of the agent service or interface where this ACL is currently applied.
Direction
Identifies the traffic direction (Inbound or Outbound) for which this ACL is applied.
Logging
Indicates whether logging is enabled or disabled for this ACL.
Applied By
Identifies the user that applied this ACL.
Applied Date/Time
Indicates the date and time when the ACL was applied.

CLI Preview Tab

This tab shows the rules that you've defined in K-Series, S-Series, N-Series, X-Series, or XSR CLI syntax, according to the ACL type. When a Common ACL is selected from the left panel, the rule is displayed as a generic Common-type rule. Rules that are commented do not appear in the CLI Preview. You can enable/disable line numbering using the Show Indices in ACL CLI Preview checkbox.

Sample CLI Preview Tab

ACL Editor CLI Preview Tab

Packet Eval Tool Button
Opens the Packet Evaluation Tool that lets you verify the intended action of the ACLs selected in the left-panel tree.
Save Button
Saves any changes you have made in the ACL Editor to the ACL Manager database.
