The Time-based ACL Policy of the USG Fails Due to Improper Time Range Configuration

Publication Date: 2012-07-16
Issue Description
A user configures the time range, associates the time range with the ACL, and applies the ACL policy to interzones. The policy is ineffective during the time range. The configuration is as follows:
acl number 3001
 rule 110 deny ip source 58.194.0.0 0.0.255.255 time-range downtime
 rule 111 deny ip source 172.16.141.0 0.0.0.255 time-range downtime
……
 time-range downtime 23:00 to tomorrow 05:00 Thu Wed Tue Mon Sun
……
firewall interzone trust untrust
 packet-filter 3000 inbound
 packet-filter 3001 outbound
Alarm Information
None.
Handling Process
Divide the time range into two periods that do not cross midnight, as follows.
 time-range downtime 23:00 to 23:59 Thu Wed Tue Mon Sun
 time-range downtime 00:00 to 05:00 Thu Wed Tue Mon Sun
Perform a test, and observe the result. The fault is rectified.
Root Cause
The time range configuration is improper: the time-range command combines the parameter tomorrow with more than one week day parameter.
Suggestions
If the parameter tomorrow is added to the time-range command, only one week day parameter can be added to the command.
Suggestion: R&D engineers are advised to impose a limitation on the week day parameters that can be added to the time-range command together with the parameter tomorrow.
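
The rule stated above can be checked before a configuration is applied. The following Python script is an added example, not code from the original page or from the vendor. It assumes the time-range syntax exactly as quoted on this page; the sample lines named weekend and office are constructed for illustration.

```python
import re

# Matches the periodic form shown on this page (assumed syntax):
#   time-range <name> <start> to [tomorrow] <end> <day> [<day> ...]
TIME_RANGE = re.compile(
    r"^\s*time-range\s+(?P<name>\S+)\s+(?P<start>\d{1,2}:\d{2})\s+to\s+"
    r"(?P<tomorrow>tomorrow\s+)?(?P<end>\d{1,2}:\d{2})\s+(?P<days>\S.*?)\s*$"
)

def lint_time_ranges(config_text):
    """Return one finding per time-range line that combines 'tomorrow'
    with more than one week day parameter."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = TIME_RANGE.match(line)
        if not m or not m.group("tomorrow"):
            continue  # not a time-range line, or it does not cross midnight
        days = m.group("days").split()
        if len(days) <= 1:
            continue  # 'tomorrow' with a single week day is the permitted form
        day_list = " ".join(days)
        # Split at midnight the way the Handling Process does; the week day
        # list is copied unchanged into both halves.
        fix = [
            f"time-range {m['name']} {m['start']} to 23:59 {day_list}",
            f"time-range {m['name']} 00:00 to {m['end']} {day_list}",
        ]
        findings.append({"line": lineno, "name": m["name"], "days": days, "fix": fix})
    return findings

# Constructed sample: the first three lines come from the configuration quoted
# on this page; 'weekend' and 'office' are hypothetical names added here.
SAMPLE = """\
acl number 3001
 rule 110 deny ip source 58.194.0.0 0.0.255.255 time-range downtime
 time-range downtime 23:00 to tomorrow 05:00 Thu Wed Tue Mon Sun
 time-range weekend 22:00 to tomorrow 06:00 Sat
 time-range office 08:00 to 18:00 Mon Tue Wed Thu Fri
"""

if __name__ == "__main__":
    for f in lint_time_ranges(SAMPLE):
        print(f"line {f['line']}: time-range {f['name']} uses 'tomorrow' "
              f"with {len(f['days'])} week days; replace with:")
        for cmd in f["fix"]:
            print("  " + cmd)
```

Only the downtime line is reported; after replacing it with the two suggested commands, test the policy during the time range as described in the Handling Process.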
