allow

application-policy

Creates an allow rule and configures the match criteria based on which packets are filtered and the allow access action applied

Supported in the following platforms:

Syntax

allow [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)

Parameters

allow [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)
allow Creates an allow rule and configures the match criteria. The options are app-category and application.
app-category [<APP-CATEGORY-NAME>|all] Uses application category as the match criteria
  • <APP-CATEGORY-NAME> – Specify the application category. The options are: antivirus\ update, audio, business, conference, custom, database, file transfer, gaming, generic, im, mail, mobile, network\ management, other, p2p, remote_control, social\ networking, standard, streaming, tunnel, video, voip, and web. Each packet's app-category is matched against the value specified here. In case of a match, the system forwards the packet; otherwise it drops it.
  • all – The system forwards all packets irrespective of the application category.
application <APPLICATION-NAME> Uses application name as the match criteria
  • <APPLICATION-NAME> – Specify the application name. Each packet's application is matched against the application name specified here. In case of a match, the system forwards the packet.
    Note: The WiNG system provides approximately 309 canned applications. In addition to these, the database also includes custom-made applications. These are application definitions created using the application command.
schedule <SCHEDULE-POLICY-NAME> Schedules an enforcement time for this allow rule by associating a schedule policy with it. Use this parameter to apply rule-specific enforcement time.
  • schedule <SCHEDULE-POLICY-NAME> – Associates a schedule policy with the rule. When associated, the rule is enforced only on the days and at the times configured in the schedule policy. Without an associated schedule policy, all rules within an application policy are enforced concurrently (as defined by the application-policy > enforcement-time command). If scheduling a rule, ensure that the time configured in the schedule policy is a subset of the application policy's enforcement time. In other words, the application policy must be active whenever the rule is meant to be enforced. For example, if the application policy is enforced on Mondays from 10:00 to 22:00 hours and the schedule policy time-rule is set for Fridays, this rule will never be hit. When enforcing rules at different times, the best practice is to keep the application policy active at all times (i.e., retain the default enforcement-time setting of 'all').
  • <SCHEDULE-POLICY-NAME> – Specify the policy name (should be existing and configured). After applying a schedule policy, specify a precedence for the rule.
    Note: In case of no schedule policy being applied, the rule is enforced as per the enforcement-time configured in the application policy. For more information, see enforcement-time.
precedence <1-256> Assigns a precedence value to this allow rule. Rules are evaluated in precedence order, and the precedence value differentiates between rules applicable to applications and rules applicable to the application categories to which they belong. The allow, deny, mark, and rate-limit options are mutually exclusive. In other words, in an application policy, for a specific application or application category, you can create either an allow rule, or a deny rule, or a mark and rate-limit rule.

Let us consider application youtube belonging to app-category streaming.

The action required is: Allow youtube packets, and deny all other applications belonging to app-category streaming.

The rules can be defined as:

#allow application youtube precedence 1
#deny app-category streaming precedence 2

The following configuration is incorrect:

#deny app-category streaming precedence 1
#allow application youtube precedence 2

Once the deny app-category streaming precedence 1 rule is hit, all streaming packets, including youtube, are dropped. Consequently, there are no packets left to apply the subsequent allow rule.

The mark and rate-limit rules are the only two actions that can be combined for a specific application or application category type.
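The precedence ordering and schedule-subset behaviour described above, as an added Python model written for this page (it is not part of the WiNG CLI or of this reference). It assumes a constructed application-to-category map, models enforcement-time by days only, and returns 'no-match' when no rule is hit because the page does not state the implicit default.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed application -> app-category map (the page names youtube as streaming).
APP_CATEGORY = {"youtube": "streaming", "netflix": "streaming", "facebook": "social networking"}
ALL_DAYS = frozenset({"monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"})

@dataclass
class Schedule:
    days: frozenset        # days of the time-rule, e.g. {"friday"}
    start: str = "00:00"   # "HH:MM", zero-padded so plain string comparison orders correctly
    end: str = "23:59"

    def active(self, day, hhmm):
        return day in self.days and self.start <= hhmm <= self.end

@dataclass
class Rule:
    action: str            # "allow" or "deny" (mark and rate-limit are not modelled)
    match: str             # "application" or "app-category"
    value: str             # application name, category name, or "all"
    precedence: int        # lower value is evaluated first
    schedule: Optional[Schedule] = None  # None: only the policy's enforcement-time applies

    def matches(self, app, day, hhmm):
        if self.schedule is not None and not self.schedule.active(day, hhmm):
            return False
        if self.match == "application":
            return app == self.value
        return self.value == "all" or APP_CATEGORY.get(app) == self.value

def evaluate(rules, app, day, hhmm, enforcement_days=ALL_DAYS):
    """Decide one packet: the first matching rule, in precedence order, wins.
    enforcement_days models the application policy's enforcement-time (days only, an assumption).
    Returns 'allow', 'drop' or 'no-match'; the page does not state the implicit default."""
    if day not in enforcement_days:
        return "no-match"  # policy inactive, so none of its rules can be hit
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule.matches(app, day, hhmm):
            return "allow" if rule.action == "allow" else "drop"
    return "no-match"

# The page's correct ordering: allow youtube first, then deny the rest of streaming.
CORRECT = [Rule("allow", "application", "youtube", 1), Rule("deny", "app-category", "streaming", 2)]
# The page's incorrect ordering: the deny at precedence 1 also swallows youtube.
INCORRECT = [Rule("deny", "app-category", "streaming", 1), Rule("allow", "application", "youtube", 2)]
# Scheduled rule modelled on the page's FaceBook schedule policy (Fridays 13:00-18:00).
SCHEDULED = [Rule("allow", "application", "facebook", 1,
                  Schedule(frozenset({"friday"}), "13:00", "18:00"))]
```

Running `evaluate(SCHEDULED, "facebook", "friday", "14:30", frozenset({"monday"}))` reproduces the page's Monday-only policy with a Friday schedule: the rule is never hit.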

Examples

The following example shows how to view all built-in, system provided applications:

nx9500-6C8809(config-app-policy-test)#allow application [TAB]
Display all 300 possibilities? (y or n)
1-clickshare-com                   1-upload-com
1-upload-to                        10upload-com
123upload-pl                       139pan-com
163pan-com                         1clickshare-net
1fichier-com                       1kxun
2channel                           2gis
2shared-com                        360mobile
4fastfile-com                      4share-ws
Dota\ 2                            EA\ Origin
--More--
nx9500-6C8809(config-app-policy-test)#

The following examples show two allow rules, allowing access to all packets belonging to the application category 'business' and to the application 'Bing':

nx9500-6C8809(config-app-policy-Bing)#allow application Bi [TAB]
Bing                      BitTorrent                BitTorrent_encrypted
BitTorrent_plain          BitTorrent_uTP            BitTorrent_uTP_encrypted
nx9500-6C8809(config-app-policy-Bing)#

Note: Bing is not one of the WiNG built-in database applications. It is a customized application created using the application command.

nx9500-6C8809(config-app-policy-Bing)#allow application Bing precedence 1
nx9500-6C8809(config-app-policy-Bing)#allow app-category [TAB]
all                  antivirus\ update    audio
business             conference           custom
database             filetransfer         gaming
generic              im                   mail
mobile               network\ management  other
p2p                  remote_control       social\ networking
standard             streaming            tunnel
video                voip                 web
nx9500-6C8809(config-app-policy-Bing)#
nx9500-6C8809(config-app-policy-Bing)#allow app-category business precedence 2
nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
 allow application Bing precedence 1
 allow app-category business precedence 2
nx9500-6C8809(config-app-policy-Bing)#

The following example shows an application policy 'SocialNet' having an allow rule with an associated schedule policy named 'FaceBook':

nx9500-6C8809(config-app-policy-SocialNet)#allow application facebook schedule Facebook precedence 1
nx9500-6C8809(config-app-policy-SocialNet)#show context
application-policy SocialNet
 description "This application policy relates to Social Networking sites."
 allow application facebook schedule FaceBook precedence 1
nx9500-6C8809(config-app-policy-SocialNet)#

The schedule policy 'FaceBook' configuration is as follows. As per this policy, the above allow rule applies to all FaceBook packets every Friday between 13:00 and 18:00 hours.

nx9500-6C8809(config-schedule-policy-FaceBook)#show context
schedule-policy FaceBook
 description "Allows FaceBook traffic on Fridays."
 time-rule days friday start-time 13:00 end-time 18:00
nx9500-6C8809(config-schedule-policy-FaceBook)#

Related Commands

no Removes this allow rule from the application policy