09-27-2017 04:12 PM - edited 03-01-2019 04:00 AM
I'm trying to create a nacm rule for a particular service I've created. The service looks like this:
services fw_acl_03 bk-app-1
 device [ svlngen4-fab6-dmzdc-02-fw1 ]
 dmz_hosts 10.1.1.1
 !
 allowed_dest_entry 192.168.1.0/24
  protocol       tcp
  dst_port_start 22
  dst_port_end   22
 !
The rule and path that I have specified is:
nacm rule-list bk-app-1
 group [ app-group-1 ]
 rule bk-app-1_allow
  path              /services/fw_acl_03/bk-app-1
  access-operations create,read,update,delete
  action            permit
However, it's not matching. Is there an error in the path?
09-27-2017 09:58 PM
Hi,
Are you looking into blocking access to the specific instance of that service, rather than all instances?
If so, I think that the value to the path leaf in your rule should be a little different.
If you log into ncs_cli and display the xpath to your service instance, you'd see something like this:
show run services fw_acl_03 bk-app-1 | display xpath
/services/fw_acl_03[name='bk-app-1']
...
...
...
Note that instead of 'name' you'll see the actual name of the key leaf (which might be 'name', or something different).
You need to have that path in your rule instead of the one you have at the moment.
Yftach
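To see why the posted path never matches and the key-predicate form does, here is a small model of NACM path matching as RFC 8341 defines it (the `path` leaf is a node-instance-identifier: a step without a predicate matches every instance of that list, a step with `[key='value']` matches one instance, and a rule covers the node it names plus all descendants). This is an added example, not code from the thread and not NSO's implementation; it assumes the key leaf of `fw_acl_03` is called `name`, that the key of `allowed_dest_entry` is called `dest`, that the group is `app-group-1`, and that an unmatched request falls to a deny default. The sample instance paths are constructed.

```python
"""Simplified model of NACM (RFC 8341) path matching.

Added example: not code from the forum thread and not NSO's own matcher.
Assumed: fw_acl_03 is keyed by 'name', allowed_dest_entry by 'dest',
first matching rule in rule-list order wins, unmatched -> 'deny'.
"""
import re
from dataclasses import dataclass

# One path step: a node name optionally followed by key predicates,
# e.g. /fw_acl_03[name='bk-app-1'] (single-quoted values, as
# "| display xpath" prints them). A '/' inside a quoted value is fine.
_STEP_RE = re.compile(r"/([A-Za-z_][\w.\-:]*)((?:\[[^\]]*\])*)")
_PRED_RE = re.compile(r"\[\s*([\w.\-:]+)\s*=\s*'([^']*)'\s*\]")


def parse_path(path):
    """'/a/b[k='v']/c' -> [('a', {}), ('b', {'k': 'v'}), ('c', {})]."""
    steps, pos = [], 0
    for m in _STEP_RE.finditer(path):
        if m.start() != pos:
            raise ValueError("malformed path near offset %d: %r" % (pos, path))
        pos = m.end()
        keys = dict(_PRED_RE.findall(m.group(2)))
        steps.append((m.group(1), keys))
    if not steps or pos != len(path):
        raise ValueError("malformed path: %r" % path)
    return steps


def rule_matches(rule_path, node_path):
    """A rule path matches the node it names and every descendant.
    A step without a predicate matches all instances of that list;
    a step with [key='v'] matches only that instance."""
    rule, node = parse_path(rule_path), parse_path(node_path)
    if len(rule) > len(node):
        return False
    for (rname, rkeys), (nname, nkeys) in zip(rule, node):
        if rname != nname:
            return False
        if any(nkeys.get(k) != v for k, v in rkeys.items()):
            return False
    return True


@dataclass
class Rule:
    name: str
    path: str
    access_operations: frozenset  # e.g. {'create', 'read'} or {'*'}
    action: str                   # 'permit' or 'deny'


@dataclass
class RuleList:
    name: str
    groups: frozenset
    rules: list


def nacm_decision(rule_lists, user_groups, operation, node_path, default="deny"):
    """First matching rule (in rule-list order) decides; otherwise default."""
    for rl in rule_lists:
        if "*" not in rl.groups and not (rl.groups & user_groups):
            continue
        for r in rl.rules:
            if "*" not in r.access_operations and operation not in r.access_operations:
                continue
            if rule_matches(r.path, node_path):
                return r.action
    return default


CRUD = frozenset({"create", "read", "update", "delete"})
# The rule exactly as posted: 'bk-app-1' is taken as a child node name.
POSTED_RULE = Rule("bk-app-1_allow", "/services/fw_acl_03/bk-app-1", CRUD, "permit")
# The form Yftach suggests: a key predicate selecting one list instance.
FIXED_RULE = Rule("bk-app-1_allow", "/services/fw_acl_03[name='bk-app-1']", CRUD, "permit")

# Constructed instance paths (key leaf names 'name' and 'dest' are assumed).
INSTANCE = "/services/fw_acl_03[name='bk-app-1']"
OTHER = "/services/fw_acl_03[name='bk-app-2']"
CHILD = INSTANCE + "/allowed_dest_entry[dest='192.168.1.0/24']/dst_port_start"


def decide(rules, operation, node_path, groups=frozenset({"app-group-1"})):
    """Evaluate one rule-list bound to group app-group-1 (assumed name)."""
    rl = RuleList("bk-app-1", frozenset({"app-group-1"}), list(rules))
    return nacm_decision([rl], groups, operation, node_path)


if __name__ == "__main__":
    for label, rules in (("posted", [POSTED_RULE]), ("fixed", [FIXED_RULE])):
        for p in (INSTANCE, CHILD, OTHER):
            print("%-6s read %-72s -> %s" % (label, p, decide(rules, "read", p)))
```

Running it shows the posted rule denying everything (its third step expects a node literally named `bk-app-1` under `fw_acl_03`, which does not exist), while the predicate form permits `bk-app-1` and its children but still denies `bk-app-2`. The same matcher shows the "block one instance" case from the answer: a `deny` rule on the instance path placed before a broader `permit` on `/services/fw_acl_03` blocks only that instance.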
09-27-2017 11:18 PM
Yep, that's working now. Thanks Yftach!