The source-address command configures the source addresses to which an audit policy rule applies.
The undo source-address command deletes the source addresses to which an audit policy rule applies.
source-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] | ipv6-address ipv6-prefix-length [ description description ] | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } [ description description ] | geo-location geo-location-name &<1-6> | geo-location-set geo-location-set-name &<1-6> | mac-address &<1-6> | domain-set domain-set-name &<1-6> | any }
undo source-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description ] | ipv6-address ipv6-prefix-length [ description ] | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } [ description ] | geo-location geo-location-name &<1-6> | geo-location-set geo-location-set-name &<1-6> | mac-address &<1-6> | domain-set domain-set-name &<1-6> | all }
| Parameter | Description | Value |
|---|---|---|
address-set address-set-name &<1-6> |
Specifies the name of an address or address group. |
The specified address or address group must exist. You can add or delete a maximum of six addresses or address groups at a time. |
ipv4-address |
Specifies the IPv4 address. |
The value is in dotted decimal notation. |
ipv4-mask-length |
Specifies the mask of an IPv4 address. |
The value is an integer ranging from 1 to 32. |
mask mask-address |
Specifies the mask of an IPv4 address. |
The value is in dotted decimal notation whose binary form cannot be inconsecutive. For example, 255.0.255.0 is not a legitimate wildcard because its binary form is 11111111.00000000.11111111.00000000. In the binary form, digits 1 are to be matched, whereas digits 0 are not. For example, 192.168.1.1/255.0.255.0 indicates that only IP addresses of the 192.*.1.* form are to be matched. |
wildcard |
Specifies the wildcard of an IPv4 address. |
The value is in dotted decimal notation whose binary form cannot be inconsecutive. For example, 0.255.0.255 is not a legitimate wildcard because its binary form is 00000000.11111111.00000000.11111111. In the binary form, digits 0 are to be matched, whereas digits 1 are not. For example, 192.168.1.1/0.255.0.255 indicates that only IP addresses of the 192.*.1.* form are to be matched. |
description description |
Specifies the description of an individual IPv4/IPv6 address or address segment. |
The value is a string of 1 to 128 characters. |
ipv6-address |
Specifies the IPv6 address. |
The value is in hexadecimal notation. |
ipv6-prefix-length |
Specifies the prefix length of an IPv6 address. |
The value is an integer ranging from 1 to 128. |
range |
Indicates the address range. |
- |
ipv4-start-address |
Specifies the start address of an IPv4 address range. |
The value is in dotted decimal notation. |
ipv4-end-address |
Specifies the end address of an IPv4 address range. |
The value is in dotted decimal notation. |
ipv6-start-address |
Specifies the start address of an IPv6 address range. |
The value is in hexadecimal notation. |
ipv6-end-address |
Specifies the end address of an IPv6 address range. |
The value is in hexadecimal notation. |
geo-location geo-location-name &<1-6> |
Specifies the name of a region. |
The value must be the name of a predefined region or an existing user-defined region. You can add or delete a maximum of six regions at a time. |
geo-location-set geo-location-set-name &<1-6> |
Specifies the name of a region group. |
The value must be the name of an existing region group. You can add or delete a maximum of six region groups at a time. |
mac-address &<1-6> |
Specifies the MAC address.
All models except USG6680E and USG6712E/6716E support this parameter. |
The MAC address can be in one of the following formats:
The MAC address cannot be all 0s or all Fs (such as FFFF-FFFF-FFFF, 00:00:00:00:00:00, or 00-00-00-00-00-00) in any format. You can add or delete a maximum of six MAC addresses at a time. |
domain-set-name &<1-6> |
Specifies the name of a domain group. |
The specified domain group must exist. You can add or delete a maximum of six domain groups at a time. NOTE:
When an IP address corresponds to multiple domain names, an IP address can be used to search for a maximum of 16 domain names. If the domain name to be searched is not in the policy rule, the policy cannot be matched. You are advised to configure multiple domain names with the same IP address in the same policy rule. |
any |
Indicates any source address. |
- |
all |
Deletes all source addresses to which an audit policy rule applies. |
- |
Regions and region groups are IP address groups. They function like IP addresses or IP address groups. Packets matching any IP address in the specified region or region group match the specified region or region group.
# Set the source address in the audit policy rule view.
<sysname> system-view [sysname] audit-policy [sysname-policy-audit] rule name policy_audit [sysname-policy-audit-rule-policy_audit] source-address 10.1.1.1 24 [sysname-policy-audit-rule-policy_audit] source-address 3000::1 32 [sysname-policy-audit-rule-policy_audit] source-address geo-location BeiJing