
system services firewall policy create


(DEPRECATED) - Create a firewall policy entry for a network service

Availability: This command is available to cluster administrators at the admin privilege level.

Description

Note: This command is deprecated and may be removed in a future ONTAP release. Use network interface service-policy create or network interface service-policy add-service instead.

The system services firewall policy create command creates a firewall policy entry with the specified name and network service. This command is used both to create the first network service associated with a new firewall policy, and to add to an existing firewall policy by associating another network service with an existing policy. You can optionally specify one or more IP addresses with corresponding netmasks that are allowed to use the firewall policy entry.

You can use the network interface modify command with the -firewall-policy parameter to put a firewall policy into effect for a given logical interface by modifying that logical interface to use the specified firewall policy.

Note: You can use this command to create an empty firewall policy by creating a single policy entry for the "none" firewall service. When used by a logical network interface (LIF), an empty firewall policy will block all services managed using firewall policies.

Parameters

-vserver <vserver> - Vserver Name

Use this parameter to specify the name of the Vserver on which the policy is to be created.

-policy <textpolicy_name> - Policy

Use this parameter to specify the name of the policy that is to be created.

-service <service> - Service

Use this parameter to specify the network service that is associated with the policy. Possible values include:

  • dns - The DNS protocol server

  • http - The HTTP protocol

  • ndmp - The NDMP tape backup protocol

  • ndmps - The NDMPS tape backup protocol

  • none - No protocol (for creating an empty policy)

  • ntp - The NTP protocol

  • rsh - The RSH protocol

  • snmp - The SNMP protocol

  • telnet - The Telnet protocol

-allow-list <IP Address/Mask>,… - Allowed IPs

Use this parameter to specify one or more IP addresses with corresponding netmasks that are to be allowed by this firewall policy. The correct format for this parameter is address/netmask, similar to "192.0.2.128/25". Multiple address/netmask pairs should be separated with commas. Use the value 0.0.0.0/0 for "any".

Examples

The following example creates a firewall policy named data that uses the NDMP protocol and enables access from all IP addresses on the 192.0.2.128/25 subnet:

cluster1::> system services firewall policy create -policy data -service ndmp -allow-list 192.0.2.128/25

The following example adds an entry to the firewall policy named data, associating the DNS protocol with that policy and enabling access from all IP addresses on the 192.0.2.128/25 subnet:

cluster1::> system services firewall policy create -policy data -service dns -allow-list 192.0.2.128/25
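As an added example (not ONTAP code), the following Python validates -allow-list values in the address/netmask format described above and reviews a constructed set of policy entries, reporting services reachable from 0.0.0.0/0 ("any") and "none" entries that turn a policy into a block-all policy. The entry tuples and the helper names are assumptions for illustration.

```python
"""Validate -allow-list values (address/netmask, comma-separated) and review
firewall policy entries for broad exposure.  Added example; not ONTAP code."""
from ipaddress import ip_network
from typing import List, Tuple

ANY = ip_network("0.0.0.0/0")  # the page's value for "any"


def parse_allow_list(value: str) -> list:
    """Parse a comma-separated list of address/netmask entries.

    Each entry must carry an explicit /mask, and the address must be the
    network boundary (strict=True), so a typo such as 192.0.2.130/25 is
    rejected instead of silently becoming a different rule.
    """
    nets = []
    for raw in value.split(","):
        entry = raw.strip()
        if "/" not in entry:
            raise ValueError(f"missing netmask in allow-list entry {entry!r}")
        try:
            nets.append(ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"bad allow-list entry {entry!r}: {exc}") from None
    return nets


def is_valid_allow_list(value: str) -> bool:
    """True when every entry parses under the rules above."""
    try:
        parse_allow_list(value)
        return True
    except ValueError:
        return False


def review_policy(entries: List[Tuple[str, str, str]]) -> List[str]:
    """entries: (policy, service, allow_list) tuples.  Returns findings."""
    findings = []
    for policy, service, allow in entries:
        if service == "none":  # empty policy: blocks all managed services
            findings.append(f"{policy}: 'none' entry blocks all managed services")
            continue
        if any(net == ANY for net in parse_allow_list(allow)):
            findings.append(f"{policy}: {service} reachable from any address")
    return findings


# Constructed sample: the page's two examples plus one broad and one empty policy.
SAMPLE_ENTRIES = [
    ("data", "ndmp", "192.0.2.128/25"),
    ("data", "dns", "192.0.2.128/25"),
    ("mgmt", "snmp", "192.0.2.0/24, 0.0.0.0/0"),
    ("locked", "none", ""),
]

if __name__ == "__main__":
    print("\n".join(review_policy(SAMPLE_ENTRIES)))
```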