deny (application-policy-config-mode)

application-policy

Creates a deny rule and configures the match criteria based on which packets are filtered and the deny access action applied

Supported in the following platforms:

Syntax

deny [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)

Parameters

deny [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)
deny Creates a deny rule and configures the match criteria. The options are app-category and application.
app-category [<APP-CATEGORY-NAME>|all] Uses application category as the match criteria
  • <APP-CATEGORY-NAME> – Specify the application category name. The options are: all, business, conference, custom, database, ecommerce, filetransfer, gaming, generic, im, industrial, mail, mobile, network\ management, other, p2p, remote_control, sharehosting, social\ networking, streaming, tunnel, voip, and web. Each packet‘s app-category is matched with the value specified here. In case of a match, the system drops the packet.
  • all – The system drops all packets irrespective of the application category.
application <APPLICATION-NAME> Uses application name as the match criteria
  • <APPLICATION-NAME> – Specify the application name. Each packet‘s application is matched with the application name specified here. In case of a match, the system drops the packet.

There are approximately 300 canned applications in the database. In addition to these, the database displays custom-made applications also. These are application definitions created using the application command.

schedule <SCHEDULE-POLICY-NAME> Schedules an enforcement time for this deny rule by associating a schedule policy with it. Use this parameter to apply rule-specific enforcement time.
  • schedule <SCHEDULE-POLICY-NAME> – Associates a schedule policy with the rule. When associated, the rule is enforced only on the days and time configured in the schedule policy. Without the association of a schedule policy, all rules within an application policy are enforced concurrently (defined by the application-policy > enforcement-time command). If scheduling a rule, ensure that the time configured in the schedule policy is a subset of the application policy‘s enforcement time. In other words the application policy should be active when the rule is being enforced. For example, if the application policy is enforced on Mondays from 10:00 to 22:00 hours and the schedule policy time-rule is set for Fridays, then this rule will never be hit. When enforcing rules at different times the best practice would be to keep the application policy active at all time (i.e., retain the default enforcement-time setting as ‘all‘).
  • <SCHEDULE-POLICY-NAME> – Specify the policy name (should be existing and configured). After applying a schedule policy, specify a precedence for the rule.

In case of no schedule policy being applied, the rule is enforced as per the enforcement-time configured in the application policy. For more information, see enforcement-time.

precedence <1-256> Assigns a precedence value for this deny rule. The precedence value differentiates between rules applicable to applications and the application categories to which they belong. The allow, deny, mark, rate-limit options are mutually exclusive. In other words, in an application policy, for a specific application or application category, you can create either an allow rule, or a deny rule, or a mark and rate-limit rule.

Let us consider application youtube belonging to app-category streaming.

The rules can be defined as:
#allow application youtube precedence 1
#deny app-category streaming precedence 2
The following configuration is incorrect:
#deny app-category streaming precedence 1
#allow application youtube precedence 2

Once the deny app-category streaming precedence 1 rule is hit, all streaming packets, including youtube, are dropped. Consequently, there are no packets left to apply the subsequent allow rule.

The mark and rate-limit rules are the only two actions that can be combined for a specific application or application category type.

Examples

The following example shows one deny rule, denying access to all packets belonging to the application category ‘social\ networking‘:

nx9500-6C8809(config-app-policy-Bing)#deny app-category social\ networking precedence 3
nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
 allow application Bing precedence 1
 allow app-category business precedence 2
 deny app-category "social networking" precedence 3
nx9500-6C8809(config-app-policy-Bing)#

The following example displays the schedule policy ‘DenyS-N‘ settings. The time-rule defined in the policy is all weekdays from 9:30 AM to 11:30 PM.

nx9500-6C8809(config-schedule-policy-DenyS-N)#show context
schedule-policy DenyS-N
 description "Denies all social Networking sites on weekdays."
 time-rule days weekdays start-time 09:30 end-time 23:30
nx9500-6C8809(config-schedule-policy-DenyS-N)#

The following example displays the schedule policy ‘FaceBook‘ settings. The time-rule defined in the policy is Friday from 1:00 PM to 6:00 PM.

nx9500-6C8809(config-schedule-policy-FaceBook)#show context
schedule-policy FaceBook
 description "Allows FaceBook traffic on Fridays."
 time-rule days friday start-time 13:00 end-time 18:00
nx9500-6C8809(config-schedule-policy-FaceBook)#
The following example shows an application policy ‘SocialNet‘ defining an allow and deny rule. Both rules have different enforcement time, defined by their respective schedule policies (DenyS-N and FaceBook). As per these two schedule policy settings, this application policy:
  • Denies all social\ networking sites on weekdays (barring Fridays between 1:00 PM to 6:00 PM) from 9:30 AM to 11:30 PM.
  • On Fridays, between 1:00 PM to 6:00 PM, it:
    • Denies all social\ networking sites except Facebook.
      nx9500-6C8809(config-app-policy-SocialNet)#show context
      application-policy SocialNet
       description "This application policy relates to Social Networking sites."
       allow application facebook schedule FaceBook precedence 1
       deny app-category "social networking" schedule DenyS-N precedence 2
      nx9500-6C8809(config-app-policy-SocialNet)#
      

Related Commands

no Removes this deny rule from the application policy