service-exclude protocol (audit policy rule view)
Function
The service-exclude protocol command excludes a TCP/UDP/SCTP port or IP-layer protocol from a policy rule, so that traffic with the port or IP-layer protocol does not match the policy.
The undo service-exclude protocol command deletes the excluded TCP/UDP/SCTP port or IP-layer protocol from the policy.
Format
# Exclude a TCP/UDP/SCTP port from an audit policy. If the port is not specified, the default value is TCP/UDP/SCTP.
service-exclude protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *
# Delete the excluded TCP/UDP/SCTP port from an audit policy.
undo service-exclude protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *
# Exclude the ICMP packet type from an audit policy.
service-exclude protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]
# Delete the excluded ICMP packet type from an audit policy.
undo service-exclude protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]
# Exclude the ICMPv6 packet type from an audit policy.
service-exclude protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]
# Delete the excluded ICMPv6 packet type from an audit policy.
undo service-exclude protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]
# Exclude 1-ICMP, 6-TCP, 17-UDP, 58-ICMPv6, and 132-SCTP from an audit policy. For detailed mappings, refer to the standard IP-layer protocol number list.
service-exclude protocol protocol-number
# Delete the excluded 1-ICMP, 6-TCP, 17-UDP, 58-ICMPv6, and 132-SCTP from an audit policy.
undo service-exclude protocol protocol-number
Parameters
| Parameter | Description | Value |
|---|---|---|
| 17 | udp | Indicates UDP. | - |
| 6 | tcp | Indicates TCP. | - |
| 132 | sctp | Indicates SCTP. | - |
| source-port { source-port | start-source-port to end-source-port } &<1-64> | Specifies the source port or source port range. | The value is an integer ranging from 0 to 65535. A maximum number of 64 source ports or source port ranges can be added to or deleted from an audit policy rule at a time. |
| destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> | Specifies the destination port or destination port range. | The value is an integer ranging from 0 to 65535. A maximum number of 64 source ports or source port ranges can be added to or deleted from an audit policy rule at a time. |
| 1 | icmp | Indicates ICMP. | - |
| icmp-type | Indicates the ICMP packet type and message code. | - |
| icmp-name | Specifies the ICMP packet type name. | - |
| icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> | Specifies the ICMP packet type number and message code. | The value is an integer ranging from 0 to 255. A maximum of 64 groups of ICMP packet type numbers and message codes can be added to or deleted from an audit policy rule at a time. |
| 58 | icmpv6 | Indicates ICMPv6. | - |
| icmpv6-type | Indicates the ICMPv6 packet type and message code. | - |
| icmpv6-name | Specifies the ICMPv6 packet type name. | - |
| icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> | Specifies the ICMPv6 packet type number and message code. | The value is an integer ranging from 0 to 255. A maximum of 64 groups of ICMP packet type numbers and message codes can be added to or deleted from an audit policy rule at a time. |
| protocol-number | Specifies the protocol number except 1-ICMP, 6-TCP, 17-UDP, 58-ICMPv6 and 132-SCTP. | The value is an integer ranging from 01 to 255. |
Usage Guidelines
If you reference TCP/UDP/SCTP ports or IP-layer protocols in a policy, you can run the service-exclude protocol command to exclude a port or IP-layer protocol. After the configuration, traffic with the port number or IP-layer protocol will not match the policy.
It is recommended that the configured command contain no more than 500 characters.
Application Scenarios
When configuring a policy, you can reference TCP/UDP/SCTP ports or IP-layer protocols for port-based access control. For example, there are services Service1 (TCP, source ports 0-65535, and destination ports 100-120) and Service2 (TCP, source ports 0-65535, and destination ports 100-200). The user wants to configure a policy not to audit traffic with Service1 but audit traffic with Service2. You can use configuration method 1 in the following table to assign different actions to different ports. This method increases policies as well as policy maintenance workloads. Alternatively, you can use configuration method 2 to run the service-exclude protocol command to configure the policy. This method has the same effect as method 1 and does not need additional policies.
| Configuration Method | Command |
|---|---|
| Method 1 | <sysname> system-view [sysname] audit-policy [sysname-policy-audit] rule name policy_no_audit [sysname-policy-audit-rule-policy_no_audit] service protocol Service1 [sysname-policy-audit-rule-policy_no_audit] action no-audit [sysname-policy-audit-rule-policy_no_audit] quit [sysname-policy-audit] rule name policy_audit [sysname-policy-audit-rule-policy_audit] service protocol Service2 [sysname-policy-audit-rule-policy_audit] action audit profile profile_audit |
| Method 2 | <sysname> system-view [sysname] audit-policy [sysname-policy-audit] rule name policy_audit [sysname-policy-audit-rule-policy_audit] service-exclude protocol Service1 [sysname-policy-audit-rule-policy_audit] service protocol Service2 [sysname-policy-audit-rule-policy_audit] action audit profile profile_audit |