service-exclude (audit policy rule view)

When referencing services or service groups in a policy, you can run the service-exclude command to exclude a service or service group. Traffic with the excluded service will not match the policy.

Application Scenarios

When configuring a policy, you can reference services or service groups in the policy to control traffic access based on the services. For example, there are service groups Service_group1 (DNS and FTP services) and Service_group2 (BGP, DNS, FTP, and h225). The user wants to configure a policy not to audit traffic with services in Service_group1 but audit traffic with services in Service_group2. You can use configuration method 1 in the following table to assign different actions to different service groups. This method increases policies as well as policy maintenance workloads. Alternatively, you can use configuration method 2 to run the service-exclude command to configure the policy. This method has the same effect as method 1 and does not need additional policies.

<sysname> system-view
[sysname] audit-policy
[sysname-policy-audit] rule name policy_no_audit
[sysname-policy-audit-rule-policy_no_audit] service Service_group1
[sysname-policy-audit-rule-policy_no_audit] action no-audit
[sysname-policy-audit-rule-policy_no_audit] quit
[sysname-policy-audit] rule name policy_audit
[sysname-policy-audit-rule-policy_audit] service Service_group2
[sysname-policy-audit-rule-policy_audit] action audit profile profile_audit

<sysname> system-view
[sysname] audit-policy
[sysname-policy-audit] rule name policy_audit
[sysname-policy-audit-rule-policy_audit] service-exclude Service_group1
[sysname-policy-audit-rule-policy_audit] service Service_group2
[sysname-policy-audit-rule-policy_audit] action audit profile profile_audit