ipv4|ipv6 deny|permit <ip-addr> <ip-mask>|any|{host <ip-addr>} proto {<ip-protocol-number> ports <start port number> <end port number>}|ftp|http|https|icmp|snmp|ssh|telnet|tftp [bandwidth-contract <name>|<pbwm>]



This command creates whitelist/allowlist session ACLs. Whitelist/allowlist ACLs consist of rules that explicitly permit or deny the forwarding of session traffic to the managed device. Traffic that is not explicitly permitted by a whitelist/allowlist rule is not forwarded to the managed device, even if it was not specifically denied in a blacklist/denylist. The maximum number of entries allowed in the whitelist/allowlist is 64.




ipv4 | ipv6

Specifies ipv4 or ipv6.


deny

Specifies an entry to reject (deny) on the session ACL whitelist/allowlist.

permit

Specifies an entry to allow (permit) on the session ACL whitelist/allowlist.


<ip-addr> <ip-mask>

IPv4/IPv6 source address and source mask.


any

Specifies any IPv4 or IPv6 source address.

host <ip-addr>

Indicates a specific IPv4 or IPv6 source address.


proto

Specifies the protocol used by the session traffic: either an IP protocol number with a port range, or one of the following protocol keywords:

  • ftp
  • http
  • https
  • icmp
  • snmp
  • ssh
  • telnet
  • tftp

bandwidth-contract <name>

Specifies the name of a bandwidth contract. The cp-bandwidth-contract command configures the traffic rate of a bandwidth contract, which can then be associated with a whitelist/allowlist session ACL.

position <prio>

Specifies the filter position. The default is the last position; 1 is the first position.

IP protocol number

Specifies the IP protocol number that is permitted or denied.

Range: 1-255

start port

Specifies the starting port, in the port range, on which session traffic is running.

Range: 1-65535

end port

Specifies the last port, in the port range, on which session traffic is running.

Range: 1-65535


<pbwm>

Bandwidth rate in packets per second.

Range: 1-64000
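The parameter ranges above (protocol number 1-255, ports 1-65535, at most 64 entries) are easy to get wrong when allowlist entries are assembled by hand or by a script. The following Python module is an added example, not code from the ArubaOS documentation or from HPE Aruba: it builds command lines in the form documented on this page and rejects any rule that falls outside the documented ranges or address family before it reaches a device session. It assumes the syntax-line form bandwidth-contract <name> and that named protocols are written as proto <keyword>, as in the FTP example on this page; the rule contents are constructed sample values.

```python
"""Build validated ArubaOS 'firewall cp' allowlist entries.

Added example; not code from the ArubaOS documentation or from HPE Aruba.
It renders the command form documented above
('ipv4|ipv6 permit|deny <source> proto ... [bandwidth-contract <name>]')
and enforces the documented ranges (protocol 1-255, ports 1-65535, at
most 64 entries) before anything is pasted into a device session.
"""
from __future__ import annotations

from dataclasses import dataclass
import ipaddress

NAMED_PROTOCOLS = {"ftp", "http", "https", "icmp", "snmp", "ssh", "telnet", "tftp"}
MAX_ENTRIES = 64  # documented maximum number of whitelist/allowlist entries


@dataclass(frozen=True)
class CpRule:
    version: str                 # "ipv4" or "ipv6"
    action: str                  # "permit" or "deny"
    source: str                  # "any", "host <addr>" or "<addr> <mask>"
    proto: str | int             # protocol keyword, or IP protocol number 1-255
    ports: tuple[int, int] | None = None   # start/end port, numeric protocols only
    contract: str | None = None  # optional bandwidth contract name (assumed syntax)

    def _source_clause(self) -> str:
        """Validate the source against the rule's address family and normalise it."""
        family = ipaddress.IPv4Address if self.version == "ipv4" else ipaddress.IPv6Address
        parts = self.source.split()
        if parts == ["any"]:
            return "any"
        if len(parts) == 2 and parts[0] == "host":
            addrs = [ipaddress.ip_address(parts[1])]
        elif len(parts) == 2:
            addrs = [ipaddress.ip_address(p) for p in parts]
        else:
            raise ValueError(f"unrecognised source {self.source!r}")
        if not all(isinstance(a, family) for a in addrs):
            raise ValueError(f"source {self.source!r} does not match {self.version}")
        return " ".join(parts)

    def _proto_clause(self) -> str:
        """Render the proto part, enforcing the documented numeric ranges."""
        if isinstance(self.proto, int):
            if not 1 <= self.proto <= 255:
                raise ValueError(f"IP protocol number out of range 1-255: {self.proto}")
            if self.ports is None:
                raise ValueError("a numeric protocol needs a start and end port")
            start, end = self.ports
            if not (1 <= start <= 65535 and 1 <= end <= 65535):
                raise ValueError(f"port out of range 1-65535: {self.ports}")
            if start > end:
                raise ValueError(f"start port {start} is greater than end port {end}")
            return f"proto {self.proto} ports {start} {end}"
        if self.proto not in NAMED_PROTOCOLS:
            raise ValueError(f"unknown protocol keyword {self.proto!r}")
        if self.ports is not None:
            raise ValueError("protocol keywords do not take a port range")
        return f"proto {self.proto}"

    def to_command(self) -> str:
        """Return the CLI line for this rule, or raise ValueError if it is invalid."""
        if self.version not in ("ipv4", "ipv6"):
            raise ValueError(f"version must be ipv4 or ipv6, got {self.version!r}")
        if self.action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny, got {self.action!r}")
        cmd = f"{self.version} {self.action} {self._source_clause()} {self._proto_clause()}"
        if self.contract:
            cmd += f" bandwidth-contract {self.contract}"
        return cmd


def render_rule_set(rules: list[CpRule]) -> list[str]:
    """Render a whole allowlist, refusing sets over the documented 64-entry limit."""
    if len(rules) > MAX_ENTRIES:
        raise ValueError(f"{len(rules)} entries exceeds the maximum of {MAX_ENTRIES}")
    return [r.to_command() for r in rules]


if __name__ == "__main__":
    # Constructed sample rules: LDAP (TCP/389) from any source, SSH only from
    # one management host with a rate contract, and telnet denied from anywhere.
    sample = [
        CpRule("ipv4", "permit", "any", 6, (389, 389)),
        CpRule("ipv4", "permit", "host 10.0.0.5", "ssh", contract="mycontract"),
        CpRule("ipv4", "deny", "any", "telnet"),
    ]
    print("\n".join(render_rule_set(sample)))
```

Because every error is raised before a single line is rendered, a rule set is either emitted in full or not at all, which keeps a partially applied allowlist from silently opening or closing control-plane ports.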


The following command creates a whitelist/allowlist ACL that allows on with the source address as and the source mask as The protocol is FTP and the bandwidth contract name is mycontract.

(host) [/md] (config-fw-cp) #ipv4 permit proto ftp bandwidth-contract name mycontract

The following command creates a whitelist/allowlist ACL entry that denies traffic using protocol 2 on port 5000 from being forwarded to the managed device:

(host) [/md] (config-fw-cp) #deny proto 6 ports 5000 6000

The following example configures a bandwidth contract named “cp-rate” with a rate of 100 pps.

(host) [/md] (config) #cp-bandwidth-contract cp-rate pps 100

The following example displays a configuration in which ports deactivated by default are enabled:

(DR-Mode) *[mm] (config) #firewall cp
(DR-Mode) ^*[mm] (config-submode)#ipv4 permit any proto 6 ports 389 389
(DR-Mode) ^*[mm] (config-submode)#write memory

Saving Configuration...

Configuration Saved.

(DR-Mode) *[mm] (config-submode)#show firewall-cp

CP firewall policies

IP Version Source IP Source Mask Protocol Start Port End Port Action hits contract wancp
---------- --------- ----------- -------- ---------- -------- -------------- ---- -------- -----
ipv4 any 6 6633 6633 Permit 0 0
ipv4 any 6 389 389 Permit 0 0

(DR-Mode) *[mm] (config-submode)#no ipv4 permit any proto 6 ports 389 389
(DR-Mode) ^*[mm] (config-submode)#write memory

Saving Configuration...

Configuration Saved.

(DR-Mode) *[mm] (config-submode)#show firewall-cp

CP firewall policies

IP Version Source IP Source Mask Protocol Start Port End Port Action hits contract wancp
---------- --------- ----------- -------- ---------- -------- -------------- ---- -------- -----
ipv4 any 6 6633 6633 Permit 0 0

(DR-Mode) *[mm] (config-submode)#
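The show firewall-cp output above is what an operator or a configuration-audit job has to read to confirm that an entry was added or removed. The following Python module is an added example, not code from the ArubaOS documentation or from HPE Aruba: it parses the table into records, diffs two snapshots to confirm a change took effect (here, the removal of the TCP/389 entry shown above), and lists every entry that permits a control-plane port from any source. The two snapshots are constructed to follow the column layout on this page, with one extra host-sourced row added to exercise the Source Mask column; the Source Mask cell is empty when the source is any, so rows are matched with a regular expression carrying an optional mask group rather than split at fixed offsets.

```python
"""Parse 'show firewall-cp' output and audit the control-plane allowlist.

Added example; not code from the ArubaOS documentation or from HPE Aruba.
The snapshots below are constructed to follow the column layout shown on
this page (IP Version, Source IP, Source Mask, Protocol, Start Port,
End Port, Action, hits, contract, wancp).
"""
from __future__ import annotations

import re
from typing import NamedTuple


class CpEntry(NamedTuple):
    version: str
    source: str
    mask: str | None      # None when the source is 'any' or a host entry
    protocol: str
    start_port: int
    end_port: int
    action: str


# The mask column is blank for 'any', so it is an optional group; the regex
# engine backtracks to the no-mask reading when the numeric columns do not
# line up otherwise.
ROW = re.compile(
    r"^(?P<version>ipv[46])\s+(?P<source>\S+)\s+(?:(?P<mask>\S+)\s+)?"
    r"(?P<protocol>\S+)\s+(?P<start>\d+)\s+(?P<end>\d+)\s+(?P<action>Permit|Deny)\b"
)


def parse_show_firewall_cp(text: str) -> list[CpEntry]:
    """Return one CpEntry per policy row; prompts, headers and rulers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            entries.append(CpEntry(m["version"], m["source"], m["mask"], m["protocol"],
                                   int(m["start"]), int(m["end"]), m["action"]))
    return entries


def permit_from_any(entries: list[CpEntry]) -> list[CpEntry]:
    """Entries that expose a control-plane port to every source address."""
    return [e for e in entries if e.action == "Permit" and e.source == "any"]


def diff_policies(before: list[CpEntry], after: list[CpEntry]):
    """Return (added, removed) between two snapshots, e.g. after a 'no ipv4 permit ...'."""
    def key(e: CpEntry):
        return (e.version, e.source, e.mask or "", e.protocol, e.start_port, e.end_port, e.action)
    added = sorted(set(after) - set(before), key=key)
    removed = sorted(set(before) - set(after), key=key)
    return added, removed


# Constructed snapshots (sample data, not captured from a device).
BEFORE = """\
(DR-Mode) *[mm] (config-submode)#show firewall-cp

CP firewall policies

IP Version  Source IP  Source Mask    Protocol  Start Port  End Port  Action  hits  contract  wancp
----------  ---------  -------------  --------  ----------  --------  ------  ----  --------  -----
ipv4        any                       6         6633        6633      Permit  0     0
ipv4        any                       6         389         389       Permit  0     0
ipv4        10.1.1.0   255.255.255.0  6         22          22        Permit  0     0
"""

AFTER = """\
(DR-Mode) *[mm] (config-submode)#show firewall-cp

CP firewall policies

IP Version  Source IP  Source Mask    Protocol  Start Port  End Port  Action  hits  contract  wancp
----------  ---------  -------------  --------  ----------  --------  ------  ----  --------  -----
ipv4        any                       6         6633        6633      Permit  0     0
ipv4        10.1.1.0   255.255.255.0  6         22          22        Permit  0     0
"""


if __name__ == "__main__":
    before, after = parse_show_firewall_cp(BEFORE), parse_show_firewall_cp(AFTER)
    added, removed = diff_policies(before, after)
    print("added:", added)
    print("removed:", removed)
    print("still permitted from any:", permit_from_any(after))
```

Running the module prints no added entries, the removed TCP/389 entry, and the TCP/6633 entry as the only port still permitted from any source. Comparing snapshots this way, rather than trusting that write memory succeeded, catches the case where an entry was not actually removed before the session is closed.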

