allow

purview-application-policy

Creates an allow rule and configures the match criteria based on which packets are filtered and the allow access action applied

Supported in the following platforms:

Syntax

allow [app-category [<PURVIEW-APP-CATEGORY-NAME>|all]|application <PURVIEW-APP-NAME>]
schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)

Parameters

allow [app-category [<PURVIEW-APP-CATEGORY-NAME>|all]|application <PURVIEW-APP-NAME>] 
schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)
allow Creates an allow rule and configures the match criteria. The match criteria options are: app-category and application.
app-category [<PURVIEW-APP-CATEGORY-NAME>|all] Uses application category as the match criteria
  • <PURVIEW-APP-CATEGORY-NAME> – Specify the application category.
  • all – Select this option to allow all packets irrespective of the application category.
application <PURVIEW-APP-NAME> Uses application name as the match criteria
  • application <PURVIEW-APP-NAME> – Specify the application name. Each packet's application is matched against the application specified here. In case of a match, the system forwards the packet.
    Note: The Purview™ engine recognizes 36 app-categories with 2406 canned applications. If the application you are looking for is not in this list, use the application command to add the application to the list.
schedule <SCHEDULE-POLICY-NAME> Schedules an enforcement time for this allow rule by associating a schedule policy with it. Use this parameter to apply rule-specific enforcement time.
  • schedule <SCHEDULE-POLICY-NAME> – Associates a schedule policy with the rule. When associated, the rule is enforced only on the days and at the times configured in the schedule policy. Without an associated schedule policy, all rules within an application policy are enforced concurrently, during the period defined by the purview-application-policy → enforcement-time command. If scheduling a rule, ensure that the time configured in the schedule policy is a subset of the application policy's enforcement time; in other words, the application policy must be active when the rule is being enforced. For example, if the application policy is enforced on Mondays from 10:00 to 22:00 hours and the schedule policy time-rule is set for Fridays, this rule will never be hit. When enforcing rules at different times, the best practice is to keep the application policy active at all times (i.e., retain the default enforcement-time setting of 'all').
  • <SCHEDULE-POLICY-NAME> – Specify the policy name (the policy should already exist and be configured). After applying a schedule policy, specify a precedence for the rule.
    Note: If no schedule policy is applied, the rule is enforced as per the enforcement-time configured in the application policy. For more information, see enforcement-time.
precedence <1-256> Assigns a precedence value for this allow rule. The precedence value differentiates between rules applicable to applications and the application categories to which they belong. The allow, deny, mark, and rate-limit options are mutually exclusive. In other words, in an application policy, for a specific application or application category, you can create either an allow rule, a deny rule, or a mark and rate-limit rule.

Let us consider application Apple_Streaming belonging to app-category streaming.

The action required is: Allow Apple_Streaming packets and deny all other applications belonging to app-category streaming.

The rules can be defined as:
#allow application Apple_Streaming precedence 1
#deny app-category streaming precedence 2
The following configuration is incorrect:
#deny app-category streaming precedence 1
#allow application Apple_Streaming precedence 2

Application policy rules are applied in the increasing order of their precedence value. Once the deny app-category streaming precedence 1 rule is hit, all streaming packets, including Apple_Streaming, are dropped. Consequently, there are no packets left to apply the subsequent allow rule.

The mark and rate-limit rules are the only two actions that can be combined for a specific application or application category type.
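The two points above (rules are evaluated in increasing precedence order with the first match deciding the packet's fate, and a scheduled rule is only ever hit while both its schedule policy and the application policy's enforcement-time are active) can be checked with a small model. The following is an added illustration, not code from the WiNG appliance or its documentation: the Rule, Policy, Packet and TimeRule types, the evaluate and schedule_within_enforcement functions, the category name for flickr, and the application name Other_Streaming_App are all constructed for this example. The end-time of a time-rule is treated as inclusive here; that is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of purview-application-policy rule evaluation (example only).
DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


@dataclass(frozen=True)
class TimeRule:
    days: frozenset     # subset of DAYS
    start: str          # "HH:MM"
    end: str            # "HH:MM", treated as inclusive (assumption)


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    match_kind: str                 # "application" or "app-category"
    match_value: str                # application name, category name, or "all"
    precedence: int                 # 1-256; lower values are evaluated first
    schedule: Optional[str] = None  # name of an associated schedule-policy


@dataclass
class Policy:
    name: str
    rules: list
    # Default enforcement-time 'all': every day, all day.
    enforcement_time: list = field(
        default_factory=lambda: [TimeRule(frozenset(DAYS), "00:00", "23:59")])


@dataclass(frozen=True)
class Packet:
    application: str
    category: str


def _minutes(hhmm: str) -> int:
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def active(rules, day: str, hhmm: str) -> bool:
    """True if any time-rule covers the given day and time."""
    t = _minutes(hhmm)
    return any(day in r.days and _minutes(r.start) <= t <= _minutes(r.end) for r in rules)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.match_kind == "application":
        return rule.match_value == pkt.application
    if rule.match_kind == "app-category":
        return rule.match_value in ("all", pkt.category)
    raise ValueError(f"unknown match kind {rule.match_kind!r}")


def evaluate(policy: Policy, schedules: dict, pkt: Packet, day: str, hhmm: str) -> Optional[str]:
    """Action of the first matching rule in increasing precedence order, or None
    if the policy is not active at this moment or no rule matches."""
    if not active(policy.enforcement_time, day, hhmm):
        return None
    for rule in sorted(policy.rules, key=lambda r: r.precedence):
        if rule.schedule is not None and not active(schedules[rule.schedule], day, hhmm):
            continue  # scheduled rule outside its window: skipped, evaluation continues
        if matches(rule, pkt):
            return rule.action
    return None


def schedule_within_enforcement(schedule_rules, enforcement_rules) -> bool:
    """Documented requirement: a schedule policy's time-rules must be a subset
    of the application policy's enforcement-time, or the rule is never hit."""
    for s in schedule_rules:
        for day in s.days:
            if not any(day in e.days and _minutes(e.start) <= _minutes(s.start)
                       and _minutes(s.end) <= _minutes(e.end) for e in enforcement_rules):
                return False
    return True


# Constructed data mirroring the page's examples.
SCHEDULES = {"Flickr": [TimeRule(frozenset({"friday"}), "13:00", "18:00")]}
CORRECT = Policy("Streaming", [Rule("allow", "application", "Apple_Streaming", 1),
                               Rule("deny", "app-category", "streaming", 2)])
INCORRECT = Policy("Streaming", [Rule("deny", "app-category", "streaming", 1),
                                 Rule("allow", "application", "Apple_Streaming", 2)])
SOCIALNET = Policy("SocialNet", [Rule("allow", "application", "flickr", 1, schedule="Flickr")])
APPLE = Packet("Apple_Streaming", "streaming")
OTHER = Packet("Other_Streaming_App", "streaming")  # constructed application name
FLICKR = Packet("flickr", "social")                 # category name constructed

if __name__ == "__main__":
    print(evaluate(CORRECT, SCHEDULES, APPLE, "monday", "12:00"))     # allow
    print(evaluate(INCORRECT, SCHEDULES, APPLE, "monday", "12:00"))   # deny
    print(evaluate(SOCIALNET, SCHEDULES, FLICKR, "friday", "15:00"))  # allow
    print(evaluate(SOCIALNET, SCHEDULES, FLICKR, "monday", "15:00"))  # None
```

The INCORRECT policy reproduces the mistake described above: the deny at precedence 1 matches every streaming packet first, so the allow at precedence 2 is never reached. The schedule_within_enforcement check returns False for the Friday-only 'Flickr' schedule against a policy enforced only on Mondays, which is exactly the never-hit case the parameter description warns about.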

Examples

The following example shows how to view all built-in, system-provided Purview™ applications:

nx9500-6C8809(config-purview-app-policy-PurAppPolicy)#allow application[TAB]
Display all 365 possibilities? (y or n)
163_com                           1Fichier
24x7_Media                        2K_Games
360_Software                      360buy
4chan                             4shared
5Dimes                            8Track
9gag                              A_Feed
AB_Tutor                          Abacast
ABC_Ads                           ABC_News
ABC_Player                        About
--More--
nx9500-6C8809(config-purview-app-policy-PurAppPolicy)#

The following example shows an allow rule with precedence 1.

nx9500-6C8809(config-purview-app-policy-PurAppPolicy)#allow application Apple_Streaming precedence 1

The following example shows a Purview application policy 'SocialNet' having an allow rule with an associated schedule policy named 'Flickr':

nx9500-6C8809(config-purview-app-policy-SocialNet)#allow application flickr schedule Flickr precedence 1
nx9500-6C8809(config-purview-app-policy-SocialNet)#show context
purview-application-policy SocialNet
 description "This application policy relates to Social Networking sites."
 allow application flickr schedule Flickr precedence 1
nx9500-6C8809(config-purview-app-policy-SocialNet)#

The schedule policy 'Flickr' is configured as follows. As per this policy, the above allow rule applies to all Flickr packets every Friday between 13:00 and 18:00 hours.

nx9500-6C8809(config-schedule-policy-Flickr)#show context
schedule-policy Flickr
 description "Allows Flickr traffic on Fridays."
 time-rule days friday start-time 13:00 end-time 18:00
nx9500-6C8809(config-schedule-policy-Flickr)#

Related Commands

no Removes this allow rule from the Purview application policy