Add/Modify Client ACL
This function helps add or modify client ACLs.
Operation Procedure
- Enter the client ACL management page.
Approach: Select the User tab, and then in the navigation tree select User Security Policy > Endpoint Access Control > Client ACL.
- Click Add to create a client ACL, or click the icon of an existing client ACL to modify it.
- Add or modify the basic information of a client ACL.
- Click the Add button, or click the Add icon for a client ACL rule, to bring up a page and specify the rules to be contained in the client ACL.
- Click OK.
Parameters
- Default Action of ACL Rule: The processing method for the packets that do not match the ACL rules, which can be permit or deny.
- Service Group: Specifies the service group to which the ACL belongs. Administrators and maintainers can associate the ACL with the service groups they belong to.
- ACL Rule List: Rules contained in the ACL.
- Matching Action: Action to be taken when a rule is matched. Two actions are available, permit and deny.
- Protocol: Specifies the packet protocol.
- Dest IP: Destination IP address of the packets.
- Mask: Mask of the destination IP address.
- Start Dest Port: Start destination port of the packets.
- End Dest Port: End destination port of the packets.
- Start Source Port: Start source port of the packets.
- End Source Port: End source port of the packets.
- Insert at: Enter a value to indicate the place where the rule is inserted in the ACL rule list. If you enter 1, the rule is inserted at the top of the ACL list, with rule number 1. If you leave this field empty or enter a value larger than any existing rule number, this rule is inserted at the end of the ACL list.
Configuration Example
There are TCP packets on the network with the source port being 8080. Their destination IP address is 10.153.128.32 with mask 255.255.255.0, and the destination port is 80. Configure a client ACL rule as follows to filter such packets.
Precautions
- The client ACL name cannot be modified and must be unique.
- Each ACL must contain at least one ACL rule.
- When adding an ACL rule, the destination port and source port fields are available if the protocol is TCP or UDP.
- All IP Protocols can be selected as the protocol setting; it matches any protocol carried over IP.
- By default, an ACL rule is applied in the outbound direction.
- You cannot change the service group to which the client ACL belongs when you modify the client ACL.
- On the ACL rule configuration page, the destination port and source port are configurable only after you select TCP or UDP as the protocol type. By default, both the destination port and source port are 0, which means any port.
- The destination IP address column of the ACL rule list shows the result of a bitwise AND operation between the destination IP address and the dotted decimal mask of each ACL rule.
- A client ACL rule added by clicking Add will be added to the end of the list. A client ACL rule added by clicking the Add icon for a client ACL rule will be inserted after that client ACL rule.
- As a best practice to ensure performance, make sure the number of ACL rules in a client ACL does not exceed 64.
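The following added example (not vendor code) models the matching semantics this page describes for the Configuration Example and the Precautions: first-match evaluation in rule-number order, the default action for unmatched packets, Insert at placement, port 0 meaning any port, and the destination IP being compared after a bitwise AND with the mask. The ALL_IP constant, the packet dictionary keys and the default action of permit are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

ALL_IP = "all"  # stands in for the page's "All IP Protocols" option (name assumed)

def _ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

@dataclass
class Rule:
    action: str                  # Matching Action: "permit" or "deny"
    protocol: str                # "tcp", "udp" or ALL_IP
    dest_ip: str
    mask: str                    # dotted-decimal mask
    dest_ports: tuple = (0, 0)   # (start, end); (0, 0) means any port
    src_ports: tuple = (0, 0)
    def masked_dest(self) -> str:
        # What the rule list's destination IP column shows: dest IP AND mask.
        return str(ipaddress.IPv4Address(_ip_int(self.dest_ip) & _ip_int(self.mask)))
    def matches(self, pkt: dict) -> bool:
        if self.protocol != ALL_IP and self.protocol != pkt["protocol"]:
            return False
        if _ip_int(pkt["dst_ip"]) & _ip_int(self.mask) != _ip_int(self.masked_dest()):
            return False
        # Port ranges only exist for TCP/UDP; a range of (0, 0) matches any port.
        for lo_hi, port in ((self.dest_ports, pkt.get("dst_port", 0)),
                            (self.src_ports, pkt.get("src_port", 0))):
            if lo_hi != (0, 0) and not lo_hi[0] <= port <= lo_hi[1]:
                return False
        return True

@dataclass
class ClientACL:
    default_action: str = "permit"             # Default Action of ACL Rule
    rules: list = field(default_factory=list)  # ACL Rule List, in rule-number order
    def add_rule(self, rule: Rule, insert_at=None) -> None:
        # "Insert at": 1 puts the rule at the top; empty or past the last rule number appends.
        idx = len(self.rules) if insert_at is None or insert_at > len(self.rules) else insert_at - 1
        self.rules.insert(idx, rule)
    def evaluate(self, pkt: dict) -> str:
        # First matching rule decides; otherwise the default action applies.
        return next((r.action for r in self.rules if r.matches(pkt)), self.default_action)

def build_example_acl() -> ClientACL:
    # The page's Configuration Example: deny TCP from source port 8080 to 10.153.128.32
    # mask 255.255.255.0, destination port 80. A default action of permit is assumed.
    acl = ClientACL(default_action="permit")
    acl.add_rule(Rule("deny", "tcp", "10.153.128.32", "255.255.255.0",
                      dest_ports=(80, 80), src_ports=(8080, 8080)))
    return acl
```

Packets are constructed dictionaries with protocol, dst_ip, dst_port and src_port keys; the rule list column value for the example rule comes out as 10.153.128.0.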