The service-exclude command excludes a service from a policy rule. Traffic with the excluded service will not match the policy.
The undo service-exclude command deletes the excluded service from a policy rule.
| Parameter | Description | Value |
|---|---|---|
| service-name &<1-6> | Specifies the name of a service or service group. | The value must be the name of an existing service or service group. Up to six services (service groups) can be set or deleted each time for an authentication policy rule. |
When referencing services or service groups in a policy, you can run the service-exclude command to exclude a service or service group. Traffic with the excluded service will not match the policy.
Usage Scenario
When configuring an authentication policy, you can reference services or service groups in the policy to control traffic access based on the services. For example, there are two service groups: Service_group1 (h225 and FTP services) and Service_group2 (imap, FTP, and h225 services). The requirement is to perform portal authentication on traffic with services in Service_group2 but not to authenticate traffic with services in Service_group1. You can use configuration method 1 in the following table to assign different actions to different service groups. This method increases the number of policies and the policy maintenance workload. Alternatively, you can use configuration method 2, which runs the service-exclude command in the policy rule. This method has the same effect as method 1 and does not need additional policies.
| Configuration Method | Configuration Command |
|---|---|
| Method 1 | `<sysname> system-view`<br>`[sysname] auth-policy`<br>`[sysname-policy-auth] rule name auth2`<br>`[sysname-policy-auth-rule-auth2] service Service_group1`<br>`[sysname-policy-auth-rule-auth2] action none`<br>`[sysname-policy-auth-rule-auth2] quit`<br>`[sysname-policy-auth] rule name auth3`<br>`[sysname-policy-auth-rule-auth3] service Service_group2`<br>`[sysname-policy-auth-rule-auth3] action auth` |
| Method 2 | `<sysname> system-view`<br>`[sysname] auth-policy`<br>`[sysname-policy-auth] rule name auth3`<br>`[sysname-policy-auth-rule-auth3] service-exclude Service_group1`<br>`[sysname-policy-auth-rule-auth3] service Service_group2`<br>`[sysname-policy-auth-rule-auth3] action auth` |
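
The following Python model is an added example, not vendor code or device output. It evaluates the two rule sets from the table per service to show where each service lands. Assumptions: rules are evaluated top-down with the first match winning, traffic that matches no rule gets the action `none`, and `dns` is a constructed service outside both groups.

```python
# Model of rule matching with service / service-exclude lists.
# Group contents and rule names come from the page; everything else is assumed.
GROUPS = {
    "Service_group1": {"h225", "ftp"},
    "Service_group2": {"imap", "ftp", "h225"},
}
DEFAULT_ACTION = "none"  # assumption: unmatched traffic is not authenticated

def expand(names):
    """Resolve service or service-group names to a flat set of services."""
    out = set()
    for name in names:
        out |= GROUPS.get(name, {name})
    return out

def rule_matches(rule, service):
    """An excluded service never matches; otherwise check the service list."""
    if service in expand(rule.get("service_exclude", [])):
        return False
    included = rule.get("service")
    return included is None or service in expand(included)

def evaluate(rules, service):
    """Return (rule name, action) of the first matching rule (assumed top-down)."""
    for rule in rules:
        if rule_matches(rule, service):
            return rule["name"], rule["action"]
    return "default", DEFAULT_ACTION

METHOD_1 = [
    {"name": "auth2", "service": ["Service_group1"], "action": "none"},
    {"name": "auth3", "service": ["Service_group2"], "action": "auth"},
]
METHOD_2 = [
    {"name": "auth3", "service": ["Service_group2"],
     "service_exclude": ["Service_group1"], "action": "auth"},
]

def actions(rules, services=("imap", "ftp", "h225", "dns")):
    """Map each service to the action it receives under a rule set."""
    return {s: evaluate(rules, s)[1] for s in services}

if __name__ == "__main__":
    for label, rules in (("method 1", METHOD_1), ("method 2", METHOD_2)):
        print(label, {s: evaluate(rules, s) for s in ("imap", "ftp", "h225", "dns")})
```

Under method 2 the excluded services are handled by whatever rule or default follows rule auth3, so the two methods agree only while that fallback does not authenticate; in this model, method 1 also stops agreeing if auth3 is placed above auth2.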