The service-exclude command excludes a service from a policy rule. Traffic with the excluded service will not match the policy.
The undo service-exclude command deletes the excluded service from a policy rule.
| Parameter | Description | Value |
|---|---|---|
| service-name &<1-6> | Specifies the name of a service or service group. | The specified service or service group must exist. You can add or delete a maximum of six services or service groups at a time. |
When referencing services or service groups in a policy, you can run the service-exclude command to exclude a service or service group. Traffic with the excluded service will not match the policy.
Application Scenarios
When configuring a policy, you can reference services or service groups in the policy to control traffic access based on the services. For example, there are service groups Service_group1 (DNS and FTP services) and Service_group2 (BGP, DNS, FTP, and h225). The user wants to configure a policy to block traffic with services in Service_group1 but permit traffic with services in Service_group2. You can use configuration method 1 in the following table to assign different actions to different service groups. This method increases the number of policies and the policy maintenance workload. Alternatively, you can use configuration method 2, which runs the service-exclude command in a single policy rule. This method has the same effect as method 1 and does not need additional policies.
| Configuration Method | Command |
|---|---|
| Method 1 | <sysname> system-view<br>[sysname] security-policy<br>[sysname-policy-security] rule name policy_deny<br>[sysname-policy-security-rule-policy_deny] service Service_group1<br>[sysname-policy-security-rule-policy_deny] action deny<br>[sysname-policy-security-rule-policy_deny] quit<br>[sysname-policy-security] rule name policy_permit<br>[sysname-policy-security-rule-policy_permit] service Service_group2<br>[sysname-policy-security-rule-policy_permit] action permit |
| Method 2 | <sysname> system-view<br>[sysname] security-policy<br>[sysname-policy-security] rule name policy_sec<br>[sysname-policy-security-rule-policy_sec] service-exclude Service_group1<br>[sysname-policy-security-rule-policy_sec] service Service_group2<br>[sysname-policy-security-rule-policy_sec] action permit |
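The following Python model, added here as an illustration and not Huawei code, evaluates the two configuration methods above against each service in the scenario and shows that they produce the same action. It encodes only what the page states: rules are checked in order, the first matching rule decides, and traffic whose service is excluded from a rule does not match that rule even when the service is also a member of a referenced group (DNS and FTP belong to both groups). It assumes that traffic matching no rule falls to a default deny (the page does not state this; the equivalence of the two methods depends on it), and the service member names are constructed labels. The six-name limit on a single service-exclude command is enforced in the rule builder.

```python
"""Constructed model of service / service-exclude matching in a security policy.

Added illustration, not Huawei's implementation. Assumptions: first matching
rule wins; unmatched traffic is denied by an implicit default policy.
"""

from typing import Dict, Iterable, List, Set, Tuple

# Assumption: traffic that matches no rule is handled by a default deny.
DEFAULT_ACTION = "deny"

# Maximum services or service groups accepted by one service-exclude command (from the page).
MAX_PER_COMMAND = 6

# Service groups from the page's scenario; member names are constructed labels.
SERVICE_GROUPS: Dict[str, Set[str]] = {
    "Service_group1": {"dns", "ftp"},
    "Service_group2": {"bgp", "dns", "ftp", "h225"},
}


def expand(names: Iterable[str]) -> Set[str]:
    """Resolve service-group names to member services; a plain service name stands for itself."""
    services: Set[str] = set()
    for name in names:
        services |= SERVICE_GROUPS.get(name, {name})
    return services


def rule(name: str, action: str, service: Iterable[str] = (),
         service_exclude: Iterable[str] = ()) -> Dict[str, object]:
    """Build one policy rule, mirroring the service / service-exclude / action commands."""
    excluded = list(service_exclude)
    if len(excluded) > MAX_PER_COMMAND:
        raise ValueError(
            f"service-exclude accepts at most {MAX_PER_COMMAND} names per command")
    return {
        "name": name,
        "action": action,
        "service": expand(service),
        "exclude": expand(excluded),
    }


def matches(r: Dict[str, object], service: str) -> bool:
    """A rule matches only if the service is referenced and not excluded.

    The exclusion wins even when the service is also a member of a referenced
    group, which is what makes Method 2 work for DNS and FTP.
    """
    return service in r["service"] and service not in r["exclude"]  # type: ignore[operator]


def evaluate(policy: List[Dict[str, object]], service: str) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule, or the default."""
    for r in policy:
        if matches(r, service):
            return str(r["name"]), str(r["action"])
    return "default", DEFAULT_ACTION


# Method 1 from the page: two rules, one per service group.
METHOD_1 = [
    rule("policy_deny", "deny", service=["Service_group1"]),
    rule("policy_permit", "permit", service=["Service_group2"]),
]

# Method 2 from the page: one rule with service-exclude.
METHOD_2 = [
    rule("policy_sec", "permit", service=["Service_group2"],
         service_exclude=["Service_group1"]),
]


def compare(services: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Map each service to (Method 1 action, Method 2 action)."""
    return {s: (evaluate(METHOD_1, s)[1], evaluate(METHOD_2, s)[1]) for s in services}


if __name__ == "__main__":
    # "http" is a constructed service outside both groups.
    for svc, (m1, m2) in compare(["dns", "ftp", "bgp", "h225", "http"]).items():
        flag = "same" if m1 == m2 else "DIFFERENT"
        print(f"{svc:6s} method1={m1:6s} method2={m2:6s} {flag}")
```

Note that for DNS and FTP the two methods reach the same action by different routes: Method 1 denies them explicitly in policy_deny, while Method 2 simply does not match them in policy_sec, so the outcome depends on what the default policy does with unmatched traffic.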