Smart Access Gateway: Create an ACL for an SAG CPE instance

Last Updated: Nov 09, 2023

This topic describes how to create an access control list (ACL) for a Smart Access Gateway (SAG) CPE instance.

Background information

SAG CPE instances support ACLs that match requests against application types. If you set the Application Group or Application parameter when you create an ACL, the ACL filters requests based on applications. Application-aware ACL rules can be applied only to SAG instances that have deep packet inspection (DPI) enabled. For more information about how to enable the DPI feature, see Enable DPI.

Step 1: Create an ACL

  1. Log on to the SAG console.
  2. In the top navigation bar, select the region.
  3. In the left-side navigation pane, click ACL.
  4. On the ACL page, click Create access control.
  5. In the Create access control dialog box, set the following parameters and click OK.

    Parameter: Description

    Resource Group: Select a resource group for the ACL.

    Instance Name: Enter a name for the ACL.

    Instance Type: Select the type of SAG instance to be associated with the ACL. Valid values:
      • SAG Device
      • SAG App
      In this example, SAG Device is selected.

Step 2: Add a rule to the ACL

  1. On the ACL page, find the ACL that you want to manage and click Configure Rules in the Actions column.
  2. On the details page of the ACL, click the Rules tab and click Add Rule.

  3. In the Add Rule dialog box, set the following parameters and click OK.

    Parameter: Description

    Instance Name: Enter a name for the rule.

    Network Type: Select a network type for the rule.
      • Private Network: The ACL rule controls network traffic originating from and destined for private IP addresses.
      • Public Network: The ACL rule controls network traffic originating from and destined for public IP addresses.

    Rule Direction: Select a direction for the rule.
      • Outbound: The ACL rule controls outbound network traffic from the on-premises network that is associated with the SAG instance.
      • Inbound: The ACL rule controls inbound network traffic to the on-premises network that is associated with the SAG instance.

    Policy: Select Allow or Block to allow or reject requests.

    Protocol: Select a protocol for the rule.
      The supported protocols provided in this topic are for reference only. The actual protocols in the SAG console shall prevail.

    Source CIDR Block: The source CIDR block is determined by the direction of the rule.
      • If the direction is Outbound, the source CIDR block is the CIDR block of the on-premises network from which requests are initiated.
      • If the direction is Inbound, the source CIDR block is the CIDR block of the external service from which requests are initiated.

    Source Port Range: Enter a source port range.
      The port range is determined by the selected protocol. Examples:
      • If Protocol is set to All (All Protocols Supported), the source port range is -1/-1 by default and cannot be modified.
      • If Protocol is set to HTTP, the source port range is 1/65535 and can be modified.
      The ports supported by each protocol vary. The information in the console shall prevail. Valid formats:
      • 1/200: specifies ports that range from 1 to 200.
      • 80/80: specifies port 80.
      • -1/-1: specifies all ports.

    Destination CIDR Block: The destination CIDR block is determined by the direction of the rule.
      • If the direction is Outbound, the destination CIDR block is the CIDR block of the external service for which requests are destined.
      • If the direction is Inbound, the destination CIDR block is the CIDR block of the on-premises network for which requests are destined.

    Destination Port Range: Enter a destination port range.
      The destination port range is determined by the selected protocol. Examples:
      • If Protocol is set to All (All Protocols Supported), the destination port range is -1/-1 by default and cannot be modified.
      • If Protocol is set to TELNET, the destination port range is 23/23 and can be modified.
      The ports supported by each protocol vary. The information in the console shall prevail. Valid formats:
      • 1/200: specifies ports that range from 1 to 200.
      • 80/80: specifies port 80.
      • -1/-1: specifies all ports.

    Priority: Select a priority for the rule.
      Valid values: 1 to 100. A smaller value indicates a higher priority.

    Application Group: Select an application group to which you want to apply the rule.
      An application group contains one or more applications. After you select an application group, the rule applies to all applications in the group.
      The supported application groups provided in this topic are for reference only. The information in the SAG console shall prevail.

    Application: Select applications to which you want to apply the rule.
      You can select an application from the specified application group.
      The supported applications provided in this topic are for reference only. The information in the SAG console shall prevail.
      If you select both an Application Group and an Application, the rule is applied to all applications in the specified application group and the specified Application.
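
The following is an added example, not code from the SAG documentation or console: a small Python model of the rule fields above that parses the start/end port-range format, enforces the 1 to 100 priority bound, and reports which rule decides a given flow. It assumes the matching rule with the smallest priority value decides; protocol and application matching are left out, and the rule names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

def parse_port_range(text):
    """Parse the dialog's 'start/end' format; '-1/-1' (all ports) returns None."""
    if text == "-1/-1":
        return None
    start_s, sep, end_s = text.partition("/")
    if not (sep and start_s.isdigit() and end_s.isdigit()
            and 1 <= int(start_s) <= int(end_s) <= 65535):
        raise ValueError(f"bad port range: {text!r}")
    return int(start_s), int(end_s)

@dataclass
class Rule:
    name: str
    direction: str   # "Outbound" or "Inbound"
    policy: str      # "Allow" or "Block"
    src_cidr: str
    src_ports: str
    dst_cidr: str
    dst_ports: str
    priority: int    # 1 to 100; a smaller value is a higher priority

    def __post_init__(self):
        if not 1 <= self.priority <= 100:
            raise ValueError(f"{self.name}: priority must be 1 to 100")
        self.src_net, self.dst_net = map(ipaddress.ip_network, (self.src_cidr, self.dst_cidr))
        self.sp, self.dp = map(parse_port_range, (self.src_ports, self.dst_ports))

    def matches(self, direction, src_ip, src_port, dst_ip, dst_port):
        in_range = lambda rng, port: rng is None or rng[0] <= port <= rng[1]
        return (direction == self.direction
                and ipaddress.ip_address(src_ip) in self.src_net
                and ipaddress.ip_address(dst_ip) in self.dst_net
                and in_range(self.sp, src_port) and in_range(self.dp, dst_port))

def decide(rules, direction, src_ip, src_port, dst_ip, dst_port):
    """Assumption: the matching rule with the smallest priority value decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(direction, src_ip, src_port, dst_ip, dst_port):
            return rule.policy, rule.name
    return None  # no rule matched; the page does not state the default action

# Constructed sample: a narrow Block at priority 10 ahead of a broad Allow at 50.
SAMPLE = [
    Rule("allow-lan-out", "Outbound", "Allow", "192.168.10.0/24", "-1/-1", "10.0.0.0/8", "-1/-1", 50),
    Rule("block-telnet", "Outbound", "Block", "192.168.10.0/24", "1/65535", "10.0.0.0/8", "23/23", 10),
]
```

Swapping the two priority values in the sample makes the broad Allow rule decide Telnet flows as well, which is the ordering mistake to check for before entering rules in the console.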

Step 3: Associate the rule with the SAG CPE instance

  1. On the ACL details page, click the Associated Instances tab.
  2. On the Associated Instances tab, click Associate with Instance.

  3. In the Associate with Instance dialog box, select one or more SAG CPE instances and click OK.

    In the Associate with Instance dialog box, you can search instances by resource group, instance name, and instance ID.

Related operations

Operation: Procedure

Clone an ACL: You can clone an existing ACL, including its rules, and associate the new ACL with other SAG CPE instances.
  1. On the ACL page, find the ACL that you want to manage and choose Related operations > Clone in the Actions column.
  2. In the Clone ACL message, confirm the information and click OK.

Modify an ACL rule:
  1. On the details page of the ACL, click the Rules tab and find the rule that you want to modify.
  2. Click Modify in the Actions column.
  3. In the Edit Rule dialog box, modify the settings and click OK.

Delete an ACL rule:
  1. On the details page of the ACL, click the Rules tab and find the rule that you want to delete.
  2. Click Delete in the Actions column.
  3. In the Delete Rule message, click OK.

Disassociate an ACL rule from an SAG CPE instance:
  1. On the details page of the ACL, click the Associated Instances tab.
  2. On the Associated Instances tab, find the SAG CPE instance that you want to manage and click Disassociate in the Actions column.
  3. In the Disassociate Instance message, confirm the instance information and click OK.

Delete an ACL:
  1. On the ACL page, find the ACL that you want to delete and choose Related operations > Delete in the Actions column.
  2. In the Delete ACL message, confirm the information and click OK.
