access - Manage the Access policy
access [web [raz | (add <ip> [<network-mask> [<qos>]]) | (del <ip> <network-mask>)]]
access [admin [raz | (add | del) <ip> [<network-mask>]]]
access [mon [raz | (add | del) (<ip> | <name>)]]
access [file [raz | ((add (<ip> | <name>) [(ftp | sftp) <login> [<password>]]) | (del (<ip> | <name>)))]]
access [antivirus [raz | (add <ip> [<network-mask> [<qos>]]) | (del <ip> <network-mask>)]]
This command is used to get or set access policies for traffic destined to the appliance. To set up access policies for traffic not destined to the appliance, use the command firewall.
The first usage form is used to define allowed networks to use the appliance as a Web gateway (the appliance acts as a forwarding Web proxy for those networks). Traffic bandwidths can also be customised for a network using the optional <qos> parameter. The <qos> value represents the percentage of the bandwidth defined for a given type of traffic (with the command qos) and should be an integer between 1 and 100. If no <qos> is given, the value of 100% is used by default. Please note that the <qos> value given here is only taken into account for web traffic exchanged via the internal network interface.
If no web access entry is defined, all networks located behind the internal and auxiliary interfaces are allowed to access the Web with a QoS of 100% (of the value defined with the qos command). If at least one web access entry is defined, only clients located on explicitly defined networks and behind the internal and auxiliary interfaces are allowed to use the appliance as a forwarding proxy. In this case, if the transparent mode is activated (see the command mode), the appliance will act as a transparent forwarding proxy only for defined transparent networks. Use the command transparent to define transparent networks.
Please note that there is no obligation to have a total of 100% even if this is a recommended configuration.
The <qos> is defined for the whole access entry network. The effective <qos> for a Web end-user (Web surfer) or a Web server on a network depends on the amount of concurrent traffic coming from that network. An automatic scheduling system manages concurrent traffic to equitably share the allocated total bandwidth. In a concurrent environment the <qos> limit may be surpassed when the load of other networks is under their <qos> limits. This mechanism is called borrowing. Borrowing can be activated or deactivated. See the command qos for further information on the borrowing mechanism.
The second usage form sets access policies for administrators using ssh or the Web administration GUI. Only administrators defined with this command are allowed to remotely administrate the system (see the command admin).
The administration IP address is the internal, external or the auxiliary IP address according to the administration topology defined with the command admin. When the VLAN mode is activated (see the command mode), the internal administration IP address is the IP address associated to the admin 802.1q pseudo device (see the command vlan).
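The following is an added illustration of the web and admin policy semantics described above, written for this edit and not taken from the CacheGuard appliance itself. It parses `access web` and `access admin` command lines, enforces the constraints stated in the usage forms (qos between 1 and 100, `web del` requiring both ip and mask, admin entries taking no qos), and then answers whether a given client may use the forwarding proxy or reach the administration interface. Two points are assumptions rather than documented behaviour: an entry given without a network mask is treated as a single host, and when several web entries overlap, the most specific one supplies the qos.

```python
"""Model of the `access web` / `access admin` policy rules (added example, not CacheGuard code)."""
import ipaddress
import shlex

QOS_DEFAULT = 100  # the man page: no <qos> given means 100%


class AccessPolicy:
    """Keeps the web entries (network -> qos) and the admin entries (networks)."""

    def __init__(self):
        self.web = {}
        self.admin = set()

    def apply(self, line):
        """Apply one `access web ...` or `access admin ...` command line."""
        argv = shlex.split(line)
        if len(argv) < 3 or argv[0] != "access" or argv[1] not in ("web", "admin"):
            raise ValueError(f"unsupported command: {line!r}")
        kind, op, args = argv[1], argv[2], argv[3:]
        if op == "raz":  # raz clears the whole list for that usage form
            if args:
                raise ValueError("raz takes no arguments")
            (self.web if kind == "web" else self.admin).clear()
            return
        if op not in ("add", "del") or not args:
            raise ValueError(f"expected add|del <ip> ...: {line!r}")
        ip = ipaddress.ip_address(args[0])
        # Assumption: a missing <network-mask> means a single host.
        mask = args[1] if len(args) > 1 else "255.255.255.255"
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if kind == "web":
            if op == "add":
                qos = int(args[2]) if len(args) > 2 else QOS_DEFAULT
                if not 1 <= qos <= 100:
                    raise ValueError("<qos> must be an integer between 1 and 100")
                self.web[net] = qos
            else:
                if len(args) != 2:
                    raise ValueError("web del requires <ip> <network-mask>")
                self.web.pop(net, None)
        else:
            if len(args) > 2:
                raise ValueError("admin entries take no <qos>")
            if op == "add":
                self.admin.add(net)
            else:
                self.admin.discard(net)

    def web_access(self, client_ip, behind_internal_or_aux=True):
        """Return (allowed, qos) for a client that wants to use the forwarding proxy."""
        if not behind_internal_or_aux:  # only internal/auxiliary networks ever qualify
            return (False, 0)
        if not self.web:  # no entry at all: every internal/auxiliary network, 100%
            return (True, QOS_DEFAULT)
        addr = ipaddress.ip_address(client_ip)
        # Assumption: the most specific matching entry decides the qos.
        matches = [(n.prefixlen, q) for n, q in self.web.items() if addr in n]
        if not matches:
            return (False, 0)
        return (True, max(matches)[1])

    def admin_allowed(self, client_ip):
        """Only explicitly listed administrators may reach ssh or the Web GUI."""
        addr = ipaddress.ip_address(client_ip)
        return any(addr in n for n in self.admin)


if __name__ == "__main__":
    # Constructed sample configuration (not from a real appliance).
    policy = AccessPolicy()
    for cmd in ("access web add 10.0.0.0 255.255.255.0 60",
                "access web add 10.0.1.7",
                "access admin add 10.0.0.10"):
        policy.apply(cmd)
    print("10.0.0.5 web:", policy.web_access("10.0.0.5"))      # (True, 60)
    print("10.0.2.1 web:", policy.web_access("10.0.2.1"))      # (False, 0)
    print("10.0.0.11 admin:", policy.admin_allowed("10.0.0.11"))  # False
```

Feeding an appliance's exported `access` lines through `apply` and then querying `web_access` and `admin_allowed` is a quick way to check, before running `apply` on the appliance, that a management host is still reachable and that no unintended network keeps proxy access.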
The third usage form sets the access policy for management servers using the SNMP protocol. To configure the access policy for monitoring servers via SNMP, use the keyword mon followed by the manager server IP address or name. Only managers defined with this command are allowed to access the system. If no management access policy is defined, management access is not allowed.
Operations like backing up the system or loading a URL list require access to a file server. Only file servers defined with this command are allowed to exchange data with the system. The fourth usage form (with the file keyword) allows you to define the access policy for file servers. A file server is represented by its IP address or network name. If no file access policy is defined, file transfers to and from the system are not allowed. Supported protocols for file servers are FTP, SFTP and TFTP. For ftp and sftp servers, if a login name is given, a password is then mandatory. If no password is given on the command line, the password is requested in hidden mode (see also the command password). Please note that file servers given here should be located behind the appropriate network interface according to the administration topology defined with the command admin.
The integrated antivirus can be used as a service offered to external systems such as an MTA (Mail Transfer Agent). The fifth usage form (with the antivirus keyword) allows you to define the access policy for external systems that can connect to the antivirus. If no antivirus access policy is defined, the antivirus can’t be used as a service. Traffic bandwidths can also be customised for an external system using the optional <qos> parameter. The <qos> value represents the percentage of the bandwidth defined for a given type of traffic (with the command qos) and should be an integer between 1 and 100. If no <qos> is given, the value of 100% is used by default.
Please note that external systems connecting to the antivirus should be located behind the appropriate network interface according to the antivirus topology defined with the command antivirus.
See also: admin(1), antivirus(1), apply(1), firewall(1), mode(1), password(1), peer(1), qos(1), transparent(1), vlan(1)
CacheGuard Technologies Ltd <www.cacheguard.com>
Send bug reports or comments to the above author.
Copyright (C) 2009-2018 CacheGuard - All rights reserved