To see all my blog posts on IP filtering see here.
Within an IpFilterRule you specify IP addresses of the source and destination, for example:
IpFilterRule GroupPort443
{
  IpSourceAddr 10.1.0.2
  IpSourceAddr 10.1.0.0-10.1.0.8
  IpDestAddrGroupRef zGroup
  IpGenericFilterActionRef permit
  IpService
  {
    Protocol Tcp
    SourcePortRange 443
    Direction inbound
    Routing local
  }
}
You can specify, using IpSource… or IpDest…
- a single IP address
  - inline: IpFilterRule … { IpSourceAddr 10.1.0.2 … }
  - as a reference to an out of line definition: IpSourceAddrRef name1 -> IpAddr name1 {Addr 10.1.0.2}
- a subnet
  - inline: IpFilterRule … { IpSourceAddr 10.1.0.2/24 … }
  - as a reference to an out of line definition: IpSourceSetRef name2 -> IpAddrSet name2 {Prefix 10.1.0.224}
- a range
  - as a reference to an out of line definition: IpSourceSetRef name3 -> IpAddrSet name3 {Range 10.1.0.2-10.1.0.6}
- a group, or collection of IP addresses
  - as a reference to an out of line definition: IpSourceSetRef name4 -> IpAddrGroup name4 {inline IpAddr, IpAddr reference, inline IpAddrSet, IpAddrSet reference …}
An example of three host IP addresses in the common file is:
IpAddrGroup zGroup
{
  IpAddr
  {
    Addr 10.1.0.2 ZOSA
  }
  IpAddr
  {
    Addr 10.1.0.3 ZOSB
  }
  IpAddr
  {
    Addr 10.1.0.4 ZOSC
  }
}
Here ZOSA, ZOSB and ZOSC are treated as comments because they come after the attribute value.
This is used in the TCPIP instance configuration:
IpFilterRule Group443
{
  IpSourceAddr 10.1.0.2
  IpDestAddrGroupRef zGroup
  IpGenericFilterActionRef permit
  IpService ...
You cannot define a group in the TCPIP instance configuration file; it has to be in the common file named by the CommonIpSecConfig statement of the Policy Agent configuration file, for example
CommonIpSecConfig //'USER.Z24C.TCPPARMS(PAGEICOM)'
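As an added example, not from the post and not part of z/OS itself: a small Python check that reads a common file and an instance rule in the layout used above, treats anything after an attribute value (the ZOSA style labels) as a comment, resolves a …Ref on the rule against the common file, and reports the rule's action for a given source and destination. It assumes that address keywords start with IpSource or IpDest and that references end in Ref; the two sample files are constructed here, and only group members written inline are matched (IpAddrRef or IpAddrSetRef members of a group are not resolved).

```python
import ipaddress
# Constructed sample in the post's layout (not the post's files): common-file group plus instance rule.
COMMON = """IpAddrGroup zGroup {
IpAddr {
Addr 10.1.0.3 ZOSB
}
IpAddrSet {
Range 10.1.0.5-10.1.0.6
}
}"""
RULE = """IpFilterRule Group443 {
IpSourceAddr 10.1.0.2
IpDestAddrGroupRef zGroup
IpGenericFilterActionRef permit
}"""
def tokenize(text):
    """Header lines ending in '{' are kept whole; elsewhere text after an attribute's value (ZOSB) is a comment."""
    return [w for ws in map(str.split, text.splitlines()) for w in (ws if ws[-1:] == ['{'] else ws[:2])]
def parse(tokens, i=0):  # -> (items, index past the closing '}'); item = (keyword, name_or_value, body_or_None)
    items = []
    while i < len(tokens) and tokens[i] != '}':
        key, val = tokens[i], tokens[i + 1]
        if val == '{' or tokens[i + 2:i + 3] == ['{']:         # block: unnamed (IpAddr) or named (zGroup)
            body, i = parse(tokens, i + (2 if val == '{' else 3))
            items.append((key, None if val == '{' else val, body))
        else:
            items.append((key, val, None)); i += 2              # attribute and its value
    return items, i + 1
def matcher(item):
    """Predicate 'ip is covered by this IpAddr / IpAddrSet / IpAddrGroup definition'."""
    if item[0] == 'IpAddrGroup':                                # union of its inline members
        members = [matcher(m) for m in item[2] if m[2] is not None]
        return lambda ip: any(p(ip) for p in members)
    attrs = {k: v for k, v, b in item[2] if b is None}
    if 'Range' in attrs:                                        # IpAddrSet { Range lo-hi }
        lo, hi = map(ipaddress.ip_address, attrs['Range'].split('-'))
        return lambda ip: lo <= ip <= hi
    net = ipaddress.ip_network(attrs.get('Addr') or attrs['Prefix'], strict=False)
    return lambda ip: ip in net                                 # host address or prefix
def evaluate(rule_text, common_text, src, dst):
    """Return the rule's IpGenericFilterActionRef if src->dst hits it, else None."""
    defs = {item[1]: item for item in parse(tokenize(common_text))[0]}
    attrs = {k: v for k, v, b in parse(tokenize(rule_text))[0][0][2] if b is None}
    for prefix, ip in (('IpSource', src), ('IpDest', dst)):
        for key in (k for k in attrs if k.startswith(prefix)):  # IpSourceAddr, IpDestAddrGroupRef, ...
            if key.endswith('Ref') and attrs[key] not in defs:  # a ...Ref must be defined in the common file
                raise LookupError(f'{key} {attrs[key]} is not defined in the common file')
            item = defs[attrs[key]] if key.endswith('Ref') else ('IpAddr', None, [('Addr', attrs[key], None)])
            if not matcher(item)(ipaddress.ip_address(ip)):
                return None
    return attrs.get('IpGenericFilterActionRef')
```

A …Ref whose name is not in the common file raises LookupError, which mirrors the point that groups have to come from the common file rather than the instance file.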