Dell 6.2 Server User Manual


 
Field | Description

Source (required)
Source of the traffic, which can be one of the following:
• any: Acts as a wildcard and applies to any source address.
• user: This refers to traffic from the wireless client.
• host: This refers to traffic from a specific host. When this option is chosen, you must configure the IPv6 address of the host. For example, 2002:d81f:f9f0:1000:c7e:5d61:585c:3ab.
• network: This refers to traffic whose source IP is within a subnet of IP addresses. When this option is chosen, you must configure the IPv6 address and network mask of the subnet. For example, 2002:ac10:fe:: ffff:ffff:ffff::.
• alias: This refers to using an alias for a host or network.
NOTE: This release does not support IPv6 aliases. You cannot configure an alias for an IPv6 host or network.

Destination (required)
Destination of the traffic, which can be configured in the same manner as Source.

Service (required)
NOTE: Voice over IP services are not available for IPv6 policies.
Type of traffic, which can be one of the following:
• any: This option specifies that this rule applies to any type of traffic.
• tcp: Using this option, you configure a range of TCP port(s) to match for the rule to be applied.
• udp: Using this option, you configure a range of UDP port(s) to match for the rule to be applied.
• service: Using this option, you use one of the pre-defined services (common protocols such as HTTPS, HTTP, and others) as the protocol to match for the rule to be applied. You can also specify a network service that you configure by navigating to the Configuration > Advanced Services > Stateful Firewall > Network Services page.
• protocol: Using this option, you specify a different layer 4 protocol (other than TCP/UDP) by configuring the IP protocol value.

Action (required)
The action that you want the controller to perform on a packet that matches the specified criteria. This can be one of the following:
NOTE: The only actions for IPv6 policy rules are permit or deny; in this release, the controller cannot perform network address translation (NAT) or redirection on IPv6 packets. You can specify options such as logging, mirroring, or blacklisting (described below).
• permit: Permits traffic matching this rule.
• drop: Drops packets matching this rule without any notification.

Log (optional)
Logs a match to this rule. This is recommended when a rule indicates a security breach, such as a data packet on a policy that is meant only to be used for voice calls.

Mirror (optional)
Mirrors session packets to the datapath or remote destination specified in the IPv6 firewall function (see “Session Mirror Destination” in Table 39). If the destination is an IP address, it must be an IPv4 address.

Queue (optional)
The queue in which a packet matching this rule should be placed. Select High for higher priority data, such as voice, and Low for lower priority traffic.

Time Range (optional)
Time range for which this rule is applicable. You configure time ranges in the Configuration > Security > Access Control > Time Ranges page.

Black List (optional)
Automatically blacklists a client that is the source or destination of traffic matching this rule. This option is recommended for rules that indicate a security breach, where blacklisting can be used to deny access to clients that are attempting to breach security.

TOS (optional)
Value of type of service (TOS) bits to be marked in the IP header of a packet matching this rule when it leaves the controller.

802.1p Priority (optional)
Value of 802.1p priority bits to be marked in the frame of a packet matching this rule when it leaves the controller.

Table 40: IPv6 Firewall Policy Rule Parameters
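
The restrictions in Table 40 can be checked before a rule is entered on the controller. The following Python sketch is an added example, not code from the Dell or ArubaOS documentation: it converts the table's address-plus-mask notation to a prefix length and reports rule settings that the table says IPv6 policies do not support. The dictionary keys, function names and the mirror_dest parameter are assumptions made for this example.

```python
import ipaddress

ALL_ONES = (1 << 128) - 1
ENDPOINT_TYPES = {"any", "user", "host", "network"}  # "alias" is unsupported for IPv6
ACTIONS = {"permit", "drop"}                         # no NAT or redirection for IPv6

def mask_to_prefixlen(mask):
    """Convert a mask such as ffff:ffff:ffff:: to a prefix length (48)."""
    m = int(ipaddress.IPv6Address(mask))
    inverted = m ^ ALL_ONES
    if inverted & (inverted + 1):          # host bits must form one contiguous run
        raise ValueError(f"non-contiguous mask {mask}")
    return bin(m).count("1")

def to_network(addr, mask):
    """Build the subnet described by the table's address + mask notation."""
    return ipaddress.IPv6Network(f"{addr}/{mask_to_prefixlen(mask)}", strict=False)

def lint_endpoint(field, ep):
    kind = ep.get("type")
    if kind == "alias":
        return [f"{field}: aliases are not supported for IPv6 hosts or networks"]
    if kind not in ENDPOINT_TYPES:
        return [f"{field}: unknown type {kind!r}"]
    try:
        if kind == "host":
            ipaddress.IPv6Address(ep["address"])
        elif kind == "network":
            to_network(ep["address"], ep["mask"])
    except (KeyError, ValueError) as exc:
        return [f"{field}: {exc}"]
    return []

def lint_rule(rule, mirror_dest=None):
    """Return findings for one rule; an empty list means it fits Table 40."""
    findings = lint_endpoint("source", rule["source"])
    findings += lint_endpoint("destination", rule["destination"])
    if rule.get("action") not in ACTIONS:
        findings.append("action: IPv6 rules only permit or drop (no NAT/redirect)")
    if rule.get("mirror") and mirror_dest:
        try:
            if ipaddress.ip_address(mirror_dest).version == 6:
                findings.append("mirror: an IP mirror destination must be IPv4")
        except ValueError:
            pass                           # not an IP address, e.g. the datapath
    return findings

# Constructed sample; the dict keys are this example's own, not ArubaOS syntax.
SAMPLE_RULE = {"source": {"type": "network", "address": "2002:ac10:fe::", "mask": "ffff:ffff:ffff::"},
               "destination": {"type": "alias", "name": "internal-v6"}, "action": "permit", "mirror": True}
```

Calling lint_rule(SAMPLE_RULE, mirror_dest="2001:db8::10") returns two findings: the alias destination and the IPv6 mirror destination.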
Dell PowerConnect W-Series ArubaOS 6.2 | User Guide IPv6 Support | 144