To Next Page

To Previous Page

966

If you specify a nonexistent object group in a rule, the command creates the specified object group

with empty configuration. A rule that contains an object group with empty configuration does not

match any packets.

If you do not specify any options in the undo rule command, the command deletes the entire rule.

Otherwise, the command deletes only the specified part of the rule statement.

You cannot delete a nonexistent rule. You can use the display object-policy ip command to display

rules in an IPv4 object policy.

To use applications or application groups in an object policy, use only PBAR-classified applications.

NBAR-classified applications cannot match any packets. For more information about PBAR and

NBAR, see Security Configuration Guide.

Examples

# Configure a rule to allow packets that match source IPv4 address object group sourceip1 to pass

through during time range time1.

<Sysname> system-view

[Sysname] object-policy ip permit

[Sysname-object-policy-ip-permit] rule pass source-ip sourceip1 logging time-range time1

# Configure a rule to apply DPI application profile profile1 to packets that match source IPv4

address object group sourceip1.

<Sysname> system-view

[Sysname] object-policy ip dpiproc

[Sysname-object-policy-ip-dpiproc] rule inspect profile1 source-ip sourceip1 logging

# Configure a rule to permit packets that match application aaa.

<Sysname> system-view

[Sysname] object-policy ip dpiproc

[Sysname-object-policy-ip-dpiproc] rule pass application aaa

Related commands

app-profile (DPI Command Reference)

display object-policy ip

move rule

object-policy ip

time-range (ACL and QoS Command Reference)

track (High Availability Command Reference)

rule (IPv6 object policy view)

Use rule to configure a rule for an IPv6 object policy.

Use undo rule to partially or completely delete a rule for an IPv6 object policy.

Syntax

rule [ rule-id ] { drop | pass | inspect app-profile-name } [ [ source-ip { object-group-name | any } ]

[ destination-ip { object-group-name | any } ] [ service { object-group-name | any } ] [ vrf vrf-name ]

[ application application-name ] [ app-group app-group-name ] [ counting ] [ disable ] [ logging ]

[ time-range time-range-name ] ] *

disable | logging | time-range ] *

Other manuals for H3C MSR Series

Manual33 pages

Probe Command Reference28 pages

Configuration Guide80 pages

Troubleshooting Guide28 pages

User Guide26 pages

Questions and Answers:

Need help?

Do you have a question about the H3C MSR Series and is the answer not in the manual?

H3C MSR Series Specifications

General

Category	Network Router
IPv6 Support	Yes
Dimensions	Varies by model
Weight	Varies by model
Product Type	Modular Router
Ports	Varies by model
WAN Interfaces	Varies by model
Firewall	Yes
QoS	Yes
Wireless Support	Varies by model
USB Ports	Varies by model
Console Port	Yes
Power Supply	Varies by model
Redundancy	Varies by model
Operating Temperature	0°C to 45°C
Storage Temperature	-40°C to 70°C
Humidity	5% to 95% non-condensing
Series	MSR
Certifications	CE, FCC, RoHS