deny

purview-application-policy

Creates a deny rule and configures the match criteria used to filter packets. Packets that match the criteria are denied access.

Supported in the following platforms:

Syntax

deny [app-category [<PURVIEW-APP-CATEGORY-NAME>|all]|application <PURVIEW-APP-NAME>] 
schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)

Parameters

deny [app-category [<PURVIEW-APP-CATEGORY-NAME>|all]|application <PURVIEW-APP-NAME>] 
schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)
deny Creates a deny rule and configures the match criteria. The match criteria options are: app-category and application.
app-category [<PURVIEW-APP-CATEGORY-NAME>|all] Uses application category as the match criteria
  • <PURVIEW-APP-CATEGORY-NAME> – Specify the application category name.
  • all – Select this option to deny all packets irrespective of the application category.
application <PURVIEW-APP-NAME> Uses application name as the match criteria
  • <PURVIEW-APP-NAME> – Specify the application name. Each packet’s application is matched with the application name specified here. In case of a match, the system drops the packet.
Note: The Purview™ engine recognizes 36 app-categories with 2406 canned applications. If the application you are looking for is not in this list, use the application command to add the application to the list.
schedule <SCHEDULE-POLICY-NAME> Schedules an enforcement time for this deny rule by associating a schedule policy with it. Use this parameter to apply rule-specific enforcement time.
  • schedule <SCHEDULE-POLICY-NAME> – Associates a schedule policy with the rule. When associated, the rule is enforced only on the days and times configured in the schedule policy. Without an associated schedule policy, all rules within an application policy are enforced concurrently (as defined by the purview-application-policy → enforcement-time command). When scheduling a rule, ensure that the time configured in the schedule policy is a subset of the application policy’s enforcement time. In other words, the application policy should be active when the rule is being enforced. For example, if the application policy is enforced on Mondays from 10:00 to 22:00 hours and the schedule policy time-rule is set for Fridays, then this rule will never be hit. When enforcing rules at different times, the best practice is to keep the application policy active at all times (i.e., retain the default enforcement-time setting of ‘all’).
  • <SCHEDULE-POLICY-NAME> – Specify the policy name (should be existing and configured). After applying a schedule policy, specify a precedence for the rule.

If no schedule policy is applied, the rule is enforced as per the enforcement-time configured in the application policy. For more information, see enforcement-time.

precedence <1-256> Assigns a precedence value for this deny rule. The precedence value differentiates between rules applicable to applications and the application categories to which they belong. The allow, deny, mark, and rate-limit options are mutually exclusive. In other words, in an application policy, for a specific application or application category, you can create either an allow rule, or a deny rule, or a mark and rate-limit rule.

Let us consider application Apple_Streaming belonging to app-category streaming.

The action required is: Allow Apple_Streaming packets and deny all other applications belonging to app-category streaming.

The rules can be defined as:
#allow application Apple_Streaming precedence 1
#deny app-category streaming precedence 2
The following configuration is incorrect:
#deny app-category streaming precedence 1
#allow application Apple_Streaming precedence 2

Application policy rules are applied in increasing order of their precedence value. Once the deny app-category streaming precedence 1 rule is hit, all streaming packets, including Apple_Streaming, are dropped. Consequently, no packets are left for the subsequent allow rule to match.

The mark and rate-limit rules are the only two actions that can be combined for a specific application or application category type.
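
The precedence behaviour described above, as an added example (not part of the vendor documentation or the device software): a small Python model of first-match evaluation that flags application rules made unreachable by an earlier rule. The catalog mapping and the application name Example_Video are constructed for illustration.

```python
import re

# Constructed catalog: application -> app-category. Apple_Streaming/streaming is the
# page's example pair; Example_Video is a hypothetical second streaming application.
CATALOG = {"Apple_Streaming": "streaming", "Example_Video": "streaming"}

RULE_RE = re.compile(r"\b(allow|deny)\s+(app-category|application)\s+(\S+)"
                     r"(?:\s+schedule\s+\S+)?\s+precedence\s+(\d+)")

def parse_rules(text):
    """Return rules as (precedence, action, kind, name), sorted by precedence."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            action, kind, name, prec = m.groups()
            rules.append((int(prec), action, kind, name))
    return sorted(rules)

def matches(rule, app, catalog):
    _, _, kind, name = rule
    if kind == "application":
        return name == app
    return name == "all" or catalog.get(app) == name

def decide(rules, app, catalog=CATALOG):
    """The first matching rule in increasing precedence order decides the packet."""
    for rule in rules:
        if matches(rule, app, catalog):
            return rule[1], rule[0]
    return None, None  # no rule matched; this model does not cover that case

def shadowed(rules, catalog=CATALOG):
    """Application rules that are never hit because an earlier rule matches first."""
    out = []
    for rule in rules:
        if rule[2] == "application":
            _, hit = decide(rules, rule[3], catalog)
            if hit != rule[0]:
                out.append((rule, hit))
    return out

# The two rule orderings from the text above.
GOOD = "#allow application Apple_Streaming precedence 1\n#deny app-category streaming precedence 2"
BAD = "#deny app-category streaming precedence 1\n#allow application Apple_Streaming precedence 2"

if __name__ == "__main__":
    for label, text in (("correct", GOOD), ("incorrect", BAD)):
        rules = parse_rules(text)
        print(label, decide(rules, "Apple_Streaming"), "shadowed:", shadowed(rules))
```

Running the same check over a policy's show context output before committing it catches allow exceptions that a broader deny rule silently overrides.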

Examples

The following example shows how to view all built-in, system provided Purview™ app-categories:

nx9500-6C8809(config-purview-app-policy-PurAppPolicy)#allow app-category[TAB]
ads              all              biz              certs
cloud            cloudcpu         corp             custom
db               education        finance          games
health           location         mail             news
other            p2p              proto            realtimecomms
restrictcontent  search           shopping         social
sports           storage          streaming        travel
unknown          updates          vpn              webapp
webcontent       webfile          webmeet
nx9500-6C8809(config-purview-app-policy-PurAppPolicy)#

The following example shows a deny rule with precedence 2.

nx9500-6C8809(config-purview-app-policy-PurAppPolicy)#deny app-category streaming precedence 2

The following example displays an application policy denying app-category 'social'. The policy is enforceable on weekdays from 9:30 AM to 10 PM.

nx9500-6C8809(config-purview-app-policy-DenyS-N)#show context
purview-application-policy DenyS-N
 description "This application policy denies Social Networking sites on weedays."
 enforcement-time days weekdays start-time 09:30 end-time 22:00
 deny app-category social precedence 1
nx9500-6C8809(config-purview-app-policy-DenyS-N)#
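
The schedule parameter description requires a rule's schedule to fall inside the application policy's enforcement time. The following added example (not vendor code) checks that condition in Python against the enforcement-time line shown above. Assumptions: schedule windows are modelled as (days, start, end) tuples rather than parsed from a schedule policy, 'weekdays' means Monday to Friday, and windows do not cross midnight.

```python
import re

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
# Only 'weekdays' and 'all' appear on the page; Monday-Friday is an assumption.
GROUPS = {"all": set(DAYS), "weekdays": set(DAYS[:5])}
ALWAYS = (set(DAYS), 0, 24 * 60)  # default enforcement-time setting 'all'

def minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def parse_enforcement(line):
    """Parse 'enforcement-time days <d> start-time HH:MM end-time HH:MM'."""
    m = re.search(r"enforcement-time days (\S+) start-time (\d\d:\d\d) "
                  r"end-time (\d\d:\d\d)", line)
    if not m:
        return ALWAYS  # no enforcement-time line: policy is always active
    days, start, end = m.groups()
    return GROUPS.get(days, {days}), minutes(start), minutes(end)

def coverage(policy, schedule):
    """Classify a rule schedule against the policy window:
    'full' (subset), 'partial' (rule is only sometimes live), 'never'."""
    p_days, p_start, p_end = policy
    s_days, s_start, s_end = schedule
    live_days = p_days & s_days
    overlap = min(p_end, s_end) - max(p_start, s_start)
    if not live_days or overlap <= 0:
        return "never"
    if live_days == s_days and p_start <= s_start and s_end <= p_end:
        return "full"
    return "partial"

# Policy window taken from the DenyS-N context above.
DENYS_N = parse_enforcement(" enforcement-time days weekdays start-time 09:30 end-time 22:00")
# The page's prose example: policy on Mondays 10:00-22:00, rule scheduled for Fridays
# (the Friday times are constructed; the page gives only the day).
MONDAY_POLICY = ({"monday"}, minutes("10:00"), minutes("22:00"))
FRIDAY_RULE = ({"friday"}, minutes("10:00"), minutes("22:00"))

if __name__ == "__main__":
    print(coverage(MONDAY_POLICY, FRIDAY_RULE))                       # rule is dead
    print(coverage(DENYS_N, (GROUPS["weekdays"], 720, 780)))          # lunch-hour rule
    print(coverage(DENYS_N, (set(DAYS), minutes("08:00"), minutes("12:00"))))
```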

Related Commands

no Removes this deny rule from the Purview application policy