Resolving a time-based ACL rule that does not take effect

Published: 2012-09-17   Views: 181   Downloads: 0
Problem description
The customer uses an ACL rule on a USG2110 V100R001C03SPC200 device to allow Internet access only within a designated time range. Internet access remains available outside that time range, so the time-range policy is not taking effect.
Alarm information
None
Handling process
1. The customer's time-range rules are in the ACL referenced by the packet filter (packet-filter 2002 outbound) rather than in the ACL referenced by the NAT policy that actually carries the Internet traffic. The rules were moved into the NAT ACL, ACL 2001.
2. The customer's time-range configuration is correct: it covers 08:00 to 18:00 daily.
3. The clock and time zone on the firewall were still at their defaults and were wrong. A time range is compared against the firewall's own system time, not the real time at the site, so with a wrong clock the range becomes active at the wrong hours. After the firewall time was corrected, the ACL rule controlled Internet access in the designated time range as intended.
ACL configuration used for the test (source address set azz1 should be denied during time range a20 and permitted during time range a30):
time-range a20 08:00 to 18:00 daily
time-range a30 19:00 to 23:00 daily
Acl's step is 5
rule 0 deny source address-set azz1 time-range a20 (20 times matched) (Active)
rule 1 permit source address-set azz1 time-range a30 (13 times matched) (Inactive)
rule 2 permit source address-set a11 (0 times matched)

When an ACL rule references a time range, display acl shows the rule as (Active) while the current firewall time falls inside the range and as (Inactive) otherwise. The output above was taken while the firewall clock was inside range a20, so rule 0 is active and rule 1 is inactive; a rule without a time range is always active.
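To make the mechanism in step 3 concrete, the following is an added Python model, not USG code or output, of how the two time ranges and ACL 2001 shown above are evaluated against the firewall's own clock. It assumes the address sets azz1 and a11 stand for two private subnets chosen for the example, takes a site at UTC+8 as the assumed customer location, and does not model the NAT or packet-filter default action for traffic that matches no rule (reported here as None).

```python
"""Model of time-range ACL evaluation against the firewall clock.

Added illustration for the case above, not USG code or output. Address
sets azz1/a11 are stood in by two subnets chosen here (assumption); the
device default action for unmatched traffic is not modelled.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class TimeRange:
    """One 'time-range NAME HH:MM to HH:MM daily' entry."""
    name: str
    start: time
    end: time

    def active(self, clock: datetime) -> bool:
        # The range is checked against the device's own clock,
        # never against the real wall-clock time at the site.
        now = clock.time()
        if self.start <= self.end:
            return self.start <= now <= self.end
        return now >= self.start or now <= self.end  # range wrapping midnight


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                       # "permit" or "deny"
    source: str                       # address-set name
    time_range: Optional[str] = None  # None: always active


# Constructed stand-ins for the address sets in the case (assumption).
ADDRESS_SETS = {
    "azz1": [ip_network("192.168.1.0/24")],
    "a11": [ip_network("192.168.2.0/24")],
}

# time-range a20 08:00 to 18:00 daily / time-range a30 19:00 to 23:00 daily
TIME_RANGES = {
    "a20": TimeRange("a20", time(8, 0), time(18, 0)),
    "a30": TimeRange("a30", time(19, 0), time(23, 0)),
}

# ACL 2001 from the case: deny azz1 in a20, permit azz1 in a30, permit a11.
ACL_2001 = [
    Rule(0, "deny", "azz1", "a20"),
    Rule(1, "permit", "azz1", "a30"),
    Rule(2, "permit", "a11"),
]


def rule_state(rule: Rule, clock: datetime) -> str:
    """'Active' / 'Inactive', as the display acl output marks each rule."""
    if rule.time_range is None:
        return "Active"
    return "Active" if TIME_RANGES[rule.time_range].active(clock) else "Inactive"


def evaluate(acl: List[Rule], src_ip: str, clock: datetime) -> Optional[str]:
    """First active rule whose source matches wins; None if nothing matched."""
    src = ip_address(src_ip)
    for rule in acl:
        if rule_state(rule, clock) != "Active":
            continue
        if any(src in net for net in ADDRESS_SETS[rule.source]):
            return rule.action
    return None


def device_clock(site_time: datetime, site_offset_h: int, configured_offset_h: int) -> datetime:
    """Firewall clock reading when the site is at UTC+site_offset_h but the
    firewall time zone is set to UTC+configured_offset_h (0 = left at default)."""
    return site_time - timedelta(hours=site_offset_h) + timedelta(hours=configured_offset_h)


def walk_through(site_offset_h: int = 8):
    """Evaluate a host in azz1 at 10:00 and 20:00 site time, once with the
    correct time zone and once with the default (UTC) time zone.
    Returns rows of (site time, configured offset, device time, rule 0 state, action)."""
    rows = []
    for hour in (10, 20):
        site_time = datetime(2012, 9, 17, hour, 0)
        for configured in (site_offset_h, 0):
            clock = device_clock(site_time, site_offset_h, configured)
            rows.append((site_time.strftime("%H:%M"), configured, clock.strftime("%H:%M"),
                         rule_state(ACL_2001[0], clock),
                         evaluate(ACL_2001, "192.168.1.10", clock)))
    return rows


if __name__ == "__main__":
    for row in walk_through():
        print("site %s  tz=UTC+%d  device %s  rule0=%s  -> %s" % row)
```

Run as a script, the walk-through shows the inversion the case describes: with the time zone left at default, the firewall reads 02:00 while the site is at 10:00, so the deny rule is inactive and the host is not blocked, and at 20:00 site time the firewall reads 12:00, so the host is denied during the hours it should be permitted.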
Root cause
1. ACL rule configuration issue: the time-range rules were in the ACL referenced by the packet filter instead of the ACL referenced by NAT.
2. Time range configuration issue (checked; the configuration was correct in this case).
3. Firewall time configuration issue: the clock and time zone were at their defaults, so the time range was evaluated against the wrong time.
Suggestions and summary
When configuring a time-range-based ACL, first confirm that the firewall's clock and time zone are correct (check with display clock, and keep the clock synchronized with NTP where possible), because the time range is evaluated against the firewall's system time, and put the time-range rules in the ACL referenced by NAT for Internet access rather than only in the packet filter.

END