IpGenericFilterAction statement

Use the IpGenericFilterAction statement to indicate whether selected traffic should be denied, permitted, or permitted with IPSec protection. It is also used to indicate actions (for example, logging) that are applicable to both IPSec and non-IPSec traffic.

Syntax

IpGenericFilterAction name
{
   IpGenericFilterAction Parameters
}

Put the braces and the parameters on separate lines.

IpGenericFilterAction Parameters

   IpFilterAction  Permit | Deny | IpSec
   IpFilterLogging No | Yes                        (with IpFilterAction Permit or Deny; the default is No)
   IpFilterLogging No | Yes | LogPermit | LogDeny  (with IpFilterAction IpSec; the default is No)
   DiscardAction   Silent | ICMP                   (the default is Silent)

Parameters

name
A string 1 - 32 characters in length specifying the name of this IpGenericFilterAction statement. The name cannot start with a dash (-) or contain any commas (,).
IpFilterAction
Indicates the action that should be applied to a packet matching this rule.
Permit
Traffic is permitted to flow without IPSec protection.
Deny
Traffic is denied.
IpSec
Traffic must be protected by IPSec. The IpFilterRule statement must also specify an IpManVpnAction statement or an IpDynVpnAction statement based on the type of tunnel (manual or dynamic) that is going to be used to provide IPSec protection for the traffic.
IpFilterLogging
Specifies a logging action that is applied to one or more filter rules (those that reference the IpGenericFilterAction statement). The logging action can be disabled by the setting of the FilterLogging parameter on the IpFilterPolicy statement.
IpFilterLogging (for IpFilterAction Permit or Deny)
Indicates whether a log record should be written when a packet matches this rule. The valid values are No (the default) and Yes.
IpFilterLogging (for IpFilterAction IpSec)
No
Log record is not written when a packet matches this rule.
Yes
Log record is written when a packet matches this rule regardless of whether a valid SA is found or not.
LogPermit
Log record is written when a packet matches this rule and a valid SA is found.
LogDeny
Log record is written when a packet matches this rule and a valid SA is not found.
DiscardAction
Specifies a discard action that is applied to one or more filter rules (those that reference the IpGenericFilterAction statement). The discard action is applied whenever a packet is discarded. A packet might be discarded because the value deny is specified on the IpFilterAction parameter, but it might also be discarded for having a mismatch with filter policy (for example, a packet arrived over the wrong tunnel, or was sent in the clear when a tunnel was required).
Silent
Specify this value to discard the packet silently.
ICMP
Specify this value to send an ICMP or ICMPv6 destination unreachable error with reason administratively prohibited to the originating address of the discarded packet. ICMP errors are not generated for locally originated traffic; they are generated only for remote traffic that is being received or forwarded.

Guideline: If you specify ImplicitDiscardAction ICMP, create a filter rule permitting these ICMP errors.

Restriction: This parameter is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for more information.
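The following validator is an added example, not IBM code or part of the Policy Agent: it parses IpGenericFilterAction statements from a configuration file and checks them against the rules on this page (name length and characters, the IpFilterAction values, which IpFilterLogging values are valid with which action, and the DiscardAction values), filling in the defaults from the syntax diagram. It assumes the one-parameter-per-line layout recommended above and that comments begin with '#'; the sample configuration is constructed.

```python
import re

# Added validator (not IBM code). Assumes the "one parameter per line inside
# braces" layout this page recommends and that comments begin with '#'.
ACTIONS = {"Permit", "Deny", "IpSec"}
LOGGING = {"Permit": {"No", "Yes"}, "Deny": {"No", "Yes"},
           "IpSec": {"No", "Yes", "LogPermit", "LogDeny"}}
DISCARD = {"Silent", "ICMP"}
STMT_RE = re.compile(r"IpGenericFilterAction\s+(\S+)\s*\{([^}]*)\}")

def parse_actions(text):
    """Return ({name: params}, [errors]); defaults No/Silent are filled in."""
    actions, errors = {}, []
    for name, body in STMT_RE.findall(text):
        if not 1 <= len(name) <= 32 or name.startswith("-") or "," in name:
            errors.append(f"{name}: name must be 1-32 chars, no leading '-' or ','")
        params = {"IpFilterLogging": "No", "DiscardAction": "Silent"}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments and blanks
            if line:
                key, _, value = line.partition(" ")
                params[key] = value.strip()
        action = params.get("IpFilterAction")
        if action not in ACTIONS:
            errors.append(f"{name}: IpFilterAction must be Permit, Deny or IpSec")
        elif params["IpFilterLogging"] not in LOGGING[action]:
            errors.append(f"{name}: IpFilterLogging {params['IpFilterLogging']} "
                          f"is not valid with IpFilterAction {action}")
        if params["DiscardAction"] not in DISCARD:
            errors.append(f"{name}: DiscardAction must be Silent or ICMP")
        actions[name] = params
    return actions, errors

# Constructed sample: one valid statement, one that breaks three rules.
SAMPLE = """
IpGenericFilterAction deny-log-icmp
{
  IpFilterAction  Deny
  IpFilterLogging Yes        # write a log record on every match
  DiscardAction   ICMP       # send ICMP admin-prohibited to the sender
}
IpGenericFilterAction -bad,name
{
  IpFilterAction  Permit
  IpFilterLogging LogPermit  # only valid with IpFilterAction IpSec
  DiscardAction   Drop
}
"""
```

Calling parse_actions(SAMPLE) returns the parsed statements with defaults applied and three error strings for the second statement.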