Creating an access control list

An access control list (ACL) defines clauses that identify which IP addresses are allowed or denied access to a service. You assign an ACL to a service. A candidate address is evaluated against the clauses in sequence, and the first clause that matches decides whether access is granted or denied; later clauses are not consulted. Therefore, the clause order is vital.

Before you begin

The DataPower® Gateway provides the following ACL configurations.
  • The rest-mgmt ACL for use by the REST management interface.
  • The ssh ACL for use by the SSH service.
  • The web-mgmt ACL for use by the web management service.
  • The xml-mgmt ACL for use by the XML management interface.

Each of these configurations, when enabled, allows access from all IPv4 addresses. If the Ethernet interface that provides the local address for these services also carries IPv6 addresses, modify its ACL to include an allow clause for the specific IPv6 addresses, or for all IPv6 addresses, that need access.

About this task

Tip: The equivalent entry point in the CLI is the global acl command.

The configuration of an ACL consists of a sequence of allow and deny clauses. Each clause identifies an IP address or range of addresses and either allows or denies access from it. An ACL grants access only to addresses that an allow clause covers. All other addresses, including addresses that match no clause at all, are denied access.

When you define the allow and deny clauses, use a forward slash (/) between the address and the prefix length (netmask). The following list provides samples of address ranges.
  • 10.10.100.0/28 specifies the IPv4 address range from 10.10.100.0 through 10.10.100.15.
  • 10.10.100.9/32 specifies the single IPv4 address.
  • 0.0.0.0 (without a prefix length) specifies all IPv4 addresses.
  • ::/0 specifies all IPv4 and IPv6 addresses.
The following example ACL fails its intended purpose. The allow clause for 192.168.14.0/24 matches first for every address in that range, so the deny clause for 192.168.14.0/27 (192.168.14.0 through 192.168.14.31) is never reached and those addresses are granted access.
allow 192.168.14.0/24
deny 192.168.14.0/27
However, when you reverse the clause order, the ACL achieves its intended purpose.
deny 192.168.14.0/27
allow 192.168.14.0/24
An ACL that contains only deny clauses effectively disables the service. To complete the ACL, include an allow clause to ensure that addresses that are not explicitly denied access are granted access. The following example denies access to two ranges of addresses and allows access to all other IPv4 addresses.
deny 10.10.10.0/24
deny 172.16.0.0/16
allow 0.0.0.0
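The following is an added example, not DataPower code: a small first-match evaluator that models the clause semantics described above so that the three example ACLs can be checked offline. It reads the same address-range spellings the page uses (address/prefix-length, 0.0.0.0 for all IPv4 addresses, ::/0 for all IPv4 and IPv6 addresses), denies anything that matches no clause, and adds a check the page does not spell out: it reports clauses that can never match because an earlier clause already covers their whole range, which is exactly the defect in the allow-before-deny example. The clause lists and probe addresses are constructed for the example.

```python
"""First-match ACL evaluator and clause-order checker.

Added example, not DataPower code: it models the clause semantics this
page describes so the ordering examples can be checked offline.
"""
import ipaddress

# Clause lists constructed from the examples on this page.
WRONG_ORDER = ["allow 192.168.14.0/24", "deny 192.168.14.0/27"]
RIGHT_ORDER = ["deny 192.168.14.0/27", "allow 192.168.14.0/24"]
DENY_TWO_RANGES = ["deny 10.10.10.0/24", "deny 172.16.0.0/16", "allow 0.0.0.0"]
ONLY_DENY = ["deny 10.10.10.0/24"]


def parse_range(text):
    """Map an address-range spelling to one or more ip_network objects.

    Follows the page: '0.0.0.0' without a prefix length is every IPv4
    address and '::/0' is every IPv4 and IPv6 address. Everything else
    is address/prefix-length; strict=False tolerates host bits being set.
    """
    if text == "0.0.0.0":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if text == "::/0":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    return [ipaddress.ip_network(text, strict=False)]


def parse_acl(clauses):
    """Turn ['allow A/N', 'deny B/M', ...] into [(action, [networks]), ...]."""
    parsed = []
    for line in clauses:
        action, _, rng = line.strip().partition(" ")
        if action not in ("allow", "deny") or not rng.strip():
            raise ValueError(f"malformed clause: {line!r}")
        parsed.append((action, parse_range(rng.strip())))
    return parsed


def evaluate(clauses, candidate):
    """Return (decision, index of the deciding clause).

    Clauses are tried in order and the first one whose range contains the
    candidate decides. An address that matches no clause is denied, which
    is why an ACL made only of deny clauses shuts the service.
    """
    addr = ipaddress.ip_address(candidate)
    for index, (action, networks) in enumerate(parse_acl(clauses)):
        if any(addr.version == n.version and addr in n for n in networks):
            return action, index
    return "deny", None


def shadowed_clauses(clauses):
    """Return indexes of clauses that can never match.

    A clause is unreachable when every range it names lies entirely inside
    a range named by an earlier clause: the earlier clause always wins.
    """
    parsed = parse_acl(clauses)
    unreachable = []
    for index, (_, networks) in enumerate(parsed):
        earlier = [n for _, nets in parsed[:index] for n in nets]
        if all(any(n.version == e.version and n.subnet_of(e) for e in earlier)
               for n in networks):
            unreachable.append(index)
    return unreachable


if __name__ == "__main__":
    probes = ["192.168.14.5", "192.168.14.100", "10.10.10.7",
              "203.0.113.9", "2001:db8::1"]
    for name, acl in [("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER),
                      ("deny two ranges", DENY_TWO_RANGES), ("only deny", ONLY_DENY)]:
        print(f"{name}: shadowed clauses = {shadowed_clauses(acl)}")
        for ip in probes:
            decision, idx = evaluate(acl, ip)
            print(f"  {ip:>16} -> {decision} (clause {idx})")
```

Running it shows the wrong-order ACL allowing 192.168.14.5 from clause 0 and reporting clause 1 as shadowed, the reversed ACL denying it, and the deny-only ACL denying every probe because nothing matches. Note that the allow 0.0.0.0 clause leaves the IPv6 probe denied, which is the situation the Before you begin section warns about.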

Procedure

  1. In the search field, enter access control.
  2. From the search results, click Access control list.
  3. Click Add.
  4. Define the basic properties - Name, administrative state, and comments.
  5. In the Entry area, define allow and deny clauses.
    1. Click Add.
    2. From the Access list, select the clause type.
    3. In the Address range field, enter an IP address or range of addresses.
    4. Click Apply.
    5. Repeat this step to define another clause.
  6. Click Apply to save changes to the running configuration.
  7. Click Save to save changes to the persisted configuration.