The service-exclude command excludes a service from a policy rule. Traffic with the excluded service will not match the policy.
The undo service-exclude command deletes the excluded service from a policy rule.
| Parameter | Description | Value |
|---|---|---|
service-name &<1-6> |
Specifies the name of a service or service group. |
The service or service group must exist. A maximum of six services or service groups can be specified or deleted at a time. |
When referencing services or service groups in a policy, you can run the service-exclude command to exclude a service or service group. Traffic with the excluded service will not match the policy.
Application Scenarios
When configuring a policy, you can reference services or service groups in the policy to control traffic access based on the services. For example, there are service groups Server_group1 (DNS and FTP services) and Server_group2 (BGP, DNS, FTP, and h225). The user wants to configure a policy to block traffic with services in Server_group1 but permit traffic with services in Server_group2. You can use configuration method 1 in the following table to assign different actions to different service groups. This method increases policies as well as policy maintenance workloads. Alternatively, you can use configuration method 2 to run the service-exclude command to configure the policy. This method has the same effect as method 1 and does not need additional policies.