Configuring an SPP ACL policy
An SPP ACL policy establishes allow and deny rules for traffic that matches the following data:
IP Address
Fragment
Protocol
TCP Port
UDP Port
ICMP Type/Code
URL
HTTP header field: Host, Referer, Cookie, User Agent
ACL rules match a single data point, not multiple conditions. Rules are evaluated from the top of the table to the bottom. If a rule matches, it is applied and subsequent rules are not consulted. In most cases, you should order deny rules before allow rules.
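The effect of rule order under top-to-bottom, first-match evaluation can be checked with a small model. The following Python is an added example, not code from the product or this guide. The rule names, the addresses (documentation ranges) and the action labels are constructed, and returning None when no rule matches is a modeling assumption.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

class Rule(NamedTuple):
    name: str     # constructed rule name (no spaces)
    network: str  # constructed address object, written as a CIDR
    action: str   # "deny" or "track-and-allow" (labels used by this model)

def evaluate(rules: List[Rule], src_ip: str) -> Optional[Rule]:
    """Return the first rule, top to bottom, whose address object contains src_ip."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        net = ipaddress.ip_network(rule.network)
        if ip.version == net.version and ip in net:
            return rule  # first match is applied; later rules are not consulted
    return None          # assumption: no match means the ACL takes no action

def shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (earlier, later) pairs where the earlier rule's network fully
    covers the later rule's network, so the later rule can never match."""
    pairs = []
    for i, later in enumerate(rules):
        later_net = ipaddress.ip_network(later.network)
        for earlier in rules[:i]:
            earlier_net = ipaddress.ip_network(earlier.network)
            if (earlier_net.version == later_net.version
                    and later_net.subnet_of(earlier_net)):
                pairs.append((earlier.name, later.name))
                break
    return pairs

# Constructed policy: a broad allow placed above a specific deny.
ALLOW_FIRST = [
    Rule("allow_partner_net", "198.51.100.0/24", "track-and-allow"),
    Rule("deny_bad_host", "198.51.100.77/32", "deny"),
]
# Same rules with the deny ordered before the allow.
DENY_FIRST = list(reversed(ALLOW_FIRST))

if __name__ == "__main__":
    for label, policy in (("allow first", ALLOW_FIRST), ("deny first", DENY_FIRST)):
        hit = evaluate(policy, "198.51.100.77")
        print(label, "->", hit.name, hit.action, "| shadowed:", shadowed(policy))
```

With the allow rule on top, the deny rule for 198.51.100.77 is reported as shadowed and never applies; with the deny rule first, both rules take effect.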
Information about packets denied by an SPP ACL policy is reported in the following graphs and reports:
Graphs (Monitor > ACL Drops)
Executive Summary dashboard (Log & Report > Report Browse > Executive Summary)
Reports (Log & Report > Report Configuration > Report Configuration)
Before you begin:
You must have configured address objects and service objects that you want to match in policy rules. See “Configuring SPP ACL address objects” and “Configuring SPP ACL service objects”.
You must have Read-Write permission for Protection Profile settings.
To configure an ACL policy:
1. Go to Protection Profiles > Access Control List > Access Control List.
2. Select the SPP you want to configure from the drop-down list.
3. Click Add to display the configuration editor.
4. Complete the configuration as described in Table 35.
5. Save the configuration.
Table 35: Access control list configuration

Settings | Guidelines
Name | Configuration name. Must not contain spaces.
Type | Address; Address IPv6; Service

Address / Address IPv6
Source Address | Select an address configuration object.
Address Action | Deny—Drop traffic that matches the address object.
               | Track and Allow—Allow the traffic and include it in the statistics for continuous learning and threshold estimation.

Service
Direction | inbound; outbound
Service | Select a service configuration object.
Service Action | Deny—Drop traffic that matches the service object.
               | Accept—Allow the traffic and include it in the statistics for continuous learning and threshold estimation.
 
 
To configure with the CLI, use a command sequence similar to the following:
config spp
edit <spp_name>
config ddos spp acl type {v4address | service | v6address}
set direction {outbound | inbound}
set source-address <address_name>
set service <service_name>
set v6address <address_name>
set service-action {accept | deny}
end