The Time-based ACL Policy of the USG Fails Due to Improper Time Range Configuration
Publication Date: 2012-07-16
A user configures a time range, associates the time range with an ACL, and applies the ACL policy to an interzone. The policy does not take effect during the time range. The configuration is as follows:
acl number 3001
rule 110 deny ip source 188.8.131.52 0.0.255.255 time-range downtime
rule 111 deny ip source 172.16.141.0 0.0.0.255 time-range downtime
time-range downtime 23:00 to tomorrow 05:00 Thu Wed Tue Mon Sun
firewall interzone trust untrust
packet-filter 3000 inbound
packet-filter 3001 outbound
Split the time range into two entries as follows.
time-range downtime 23:00 to 23:59 Thu Wed Tue Mon Sun
time-range downtime 00:00 to 05:00 Thu Wed Tue Mon Sun
Perform a test, and observe the result. The fault is rectified.
The time range configuration is improper.
If the parameter tomorrow is used in the time-range command, only one weekday parameter can be specified in that command.
Suggestion: R&D engineers are advised to impose a limit on the weekday parameters that can be added to the time-range command when the parameter tomorrow is used.
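
Until the command enforces that limit, a saved configuration can be checked offline. The following is an added example, not Huawei code: it flags time-range lines that combine tomorrow with more than one weekday and rewrites them into the two-entry form used above. The function names, the shift_days option and the "backup" time range are assumptions of this example.

```python
import re

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
TIME_RANGE = re.compile(
    r"^\s*time-range\s+(?P<name>\S+)\s+(?P<start>\d{1,2}:\d{2})\s+to\s+"
    r"(?P<tomorrow>tomorrow\s+)?(?P<end>\d{1,2}:\d{2})\s+(?P<days>\S.*?)\s*$"
)

def next_day(day):
    # Shift a three-letter weekday by one; leave other keywords untouched.
    return DAYS[(DAYS.index(day) + 1) % 7] if day in DAYS else day

def lint_time_ranges(config_text, shift_days=False):
    """Find 'tomorrow' time ranges that list more than one weekday and split
    them at midnight. Returns (findings, rewritten_config)."""
    findings, out = [], []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = TIME_RANGE.match(line)
        days = m.group("days").split() if m else []
        if not (m and m.group("tomorrow") and len(days) > 1):
            out.append(line)  # not a time-range, or a form that is allowed
            continue
        findings.append((lineno, m.group("name"), days))
        # Default mirrors the page: both halves keep the same weekday list.
        # shift_days=True (assumption of this example) moves the part after
        # midnight to the following weekdays instead.
        late = [next_day(d) for d in days] if shift_days else days
        out.append(f"time-range {m['name']} {m['start']} to 23:59 {' '.join(days)}")
        out.append(f"time-range {m['name']} 00:00 to {m['end']} {' '.join(late)}")
    return findings, "\n".join(out)

# Constructed sample based on the configuration in this case; the "backup"
# entry is hypothetical and shows a single-weekday 'tomorrow' range passing.
SAMPLE = """\
acl number 3001
rule 111 deny ip source 172.16.141.0 0.0.0.255 time-range downtime
time-range downtime 23:00 to tomorrow 05:00 Thu Wed Tue Mon Sun
time-range backup 01:00 to tomorrow 02:00 Sat
"""

if __name__ == "__main__":
    findings, fixed = lint_time_ranges(SAMPLE)
    for lineno, name, days in findings:
        print(f"line {lineno}: time-range {name} uses 'tomorrow' with {len(days)} weekdays")
    print(fixed)
```

With the default settings the second entry covers 00:00 to 05:00 on the same weekdays as the first, exactly as in the fix above; review which mornings the deny rules are meant to cover before applying the rewritten lines.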