You can do the following after you have configured named ACLs for access control:
- Preview the list of ACEs in a named ACL, as described in Previewing ACEs in Named ACLs.
- Validate ACEs in a named ACL, as described in Validating Named ACLs.
- View a complete list of configured named ACLs, as described in Viewing Named ACLs.
- Modify information in a named ACL, as described in Modifying Named ACLs.
- Apply a named ACL to supported operations, as described in Applying Access Control to Operations.
- Delete a named ACL, as described in Deleting Named ACLs.
- Export and print the list of named ACLs.
Previewing ACEs in Named ACLs
You can preview the list of ACEs in a named ACL when you add or modify it. When you click the Preview icon in the Add Named ACL wizard or Named ACL editor, the appliance lists all the entries in the named ACL, even if you have selected only one or a few entries in the wizard or editor.
To preview a named ACL:
- From the Administration tab, select the Named ACLs tab -> named_acl check box, and then click the Preview icon.
- In a separate browser window, Grid Manager displays the following information for each ACE in the named ACL:
- Entry: Displays one of the following: IPv4 or IPv6 address, IPv4 or IPv6 network, or TSIG key. Note that if the named ACL contains nested ACLs, all entries in the nested ACLs are displayed in a flat view. Grid Manager does not display the name of the nested ACL.
- Type: The access control type of the entry. This can be IPv4 Address, IPv6 Address, IPv4 Network, IPv6 Network, TSIG Key, or DNSone 2.x TSIG Key.
- Operation: Displays the access permission for the entry. This can be Allow or Deny.
Validating Named ACLs
When you add or modify a named ACL, the appliance does not automatically validate the ACEs in the list. In addition, when you import named ACLs or ACEs to a named ACL, no automatic validation is performed. To avoid unintended consequences, ensure that you validate your named ACLs before you save them or use them for access control.
When you click the Validate icon in the Add Named ACL wizard or Named ACL editor, the appliance validates all the entries in the named ACL, even if you have selected only one or a few entries in the wizard or editor.
The following examples demonstrate the importance of validating named ACLs:
You configure a named ACL "foo" that includes a Deny permission to 10.0.0.0/16. You then assign "foo" to DNS zone transfers. You later import an "Allow/10.0.0.0/24" entry to "foo" through CSV import. The appliance appends the entry to the end of "foo." When you perform an ACL validation on "foo" after a DNS service restart, the appliance displays a warning message indicating that the new "Allow/10.0.0.0/24" entry is now included in the previously configured "Deny/10.0.0.0/16" entry. Since DNS service works on a first-match access control basis, zone transfers will not be allowed for the 10.0.0.0/24 network, which is probably not your original intent. You can then modify the named ACL to correct this error. On the other hand, if you do not perform the ACL validation, the appliance does not examine the new network entry in "foo," and you are not notified that zone transfers to 10.0.0.0/24 are being denied.
You add a nested named ACL "bar" as the first entry to the named ACL "foo." You then add a "Deny All" entry right after "bar" (as the second entry). You later import a new "Allow All" entry to "bar" through CSV import. The "Allow All" entry will be appended to the end of "bar." When you perform an ACL validation on "foo" after the CSV import, the appliance detects a conflict between the "Allow All" (in "bar") and "Deny All" (right after "bar") permissions and displays a warning. If you do not perform the ACL validation on "foo," the appliance does not examine the new "Allow All" entry in "bar" and therefore cannot detect the conflict between the "Allow All" and "Deny All" entries. As a result, almost all hosts will get zone transfers, which may not be the outcome you intended.
It is important that you manually validate each named ACL after a CSV import to ensure data and performance integrity. The appliance does not automatically perform ACL validation.
To validate a named ACL:
- From the Administration tab, select the Named ACLs tab -> named_acl check box, and then click the Validate icon. Alternatively, in the Add Named ACL wizard or Named ACL editor, click the Validate icon.
- Grid Manager validates all the ACEs in the named ACL and displays a system message at the top of the screen indicating whether all ACEs in the named ACL are valid or not, depending on the validation results. When the appliance detects conflicts or issues related to specific ACEs, it displays the results in a CSV file. You can save the file or open it. Grid Manager displays the following information in the file:
- Defined ACL: The name of the named ACL.
- Type of Issue: The type of issue found. This can be one of the following:
- Optimize: An ACE is a duplicate of a previous entry or an ACE configuration can be a subset of another entry. See optimized suggestions in the Issue field.
- Conflict: The same IP address or network has a conflicting permission. Re-configure the ACE based on your requirements.
- Warning: An ACE is a subset of a previously configured entry, but it has a conflicting permission.
- ACE A: The ACE that has a conflict or an optimized issue with ACE B.
- ACE B: The ACE that has a conflict or an optimized issue with ACE A.
- Issue: Detailed information and optimized suggestions about the conflict or issue.
It may take a long time to validate a named ACL that contains a large number of ACEs.
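The validation checks described above, reproduced as an added example (not the appliance's own code): nested ACLs are flattened into first-match order, each ACE is compared with every earlier one, and findings are labelled Optimize, Conflict or Warning with the same columns as the appliance's CSV report. The ACL data, including the two "foo"/"bar" scenarios from the text, is constructed here.

```python
import ipaddress

# Constructed named ACLs for this example (not the appliance's own data format).
# An ACE is a (permission, network) tuple; a bare string is a nested named ACL.
ACLS = {
    "bar": [("Allow", "0.0.0.0/0")],                          # "Allow All" imported via CSV
    "foo": ["bar", ("Deny", "0.0.0.0/0")],                    # nested "bar", then "Deny All"
    "baz": [("Deny", "10.0.0.0/16"), ("Allow", "10.0.0.0/24")],
    "dup": [("Allow", "192.0.2.0/24"), ("Allow", "192.0.2.0/24")],
}

def flatten(name, acls, path=()):
    """Expand nested ACLs in place, giving the flat first-match order the service uses."""
    if name in path:
        raise ValueError(f"nested ACL loop: {' -> '.join(path + (name,))}")
    flat = []
    for entry in acls[name]:
        if isinstance(entry, str):
            flat.extend(flatten(entry, acls, path + (name,)))
        else:
            perm, net = entry
            flat.append((perm, ipaddress.ip_network(net)))
    return flat

def validate(name, acls):
    """Check every ACE against the ACEs before it and classify each finding like the
    appliance's report: Optimize (redundant), Conflict (same network, other permission)
    or Warning (subset of an earlier entry with the other permission, so never matched)."""
    aces = flatten(name, acls)
    issues = []
    for j, (perm_b, net_b) in enumerate(aces):
        for perm_a, net_a in aces[:j]:
            if net_a.version != net_b.version:
                continue                      # IPv4 and IPv6 entries cannot overlap
            if net_a == net_b:
                kind = "Optimize" if perm_a == perm_b else "Conflict"
            elif net_b.subnet_of(net_a):
                kind = "Optimize" if perm_a == perm_b else "Warning"
            else:
                continue
            detail = (f"{net_b} is both {perm_a} and {perm_b}" if kind == "Conflict"
                      else f"{perm_b}/{net_b} is never reached: first match is {perm_a}/{net_a}")
            issues.append({"Defined ACL": name, "Type of Issue": kind,
                           "ACE A": f"{perm_a}/{net_a}", "ACE B": f"{perm_b}/{net_b}",
                           "Issue": detail})
    return issues

if __name__ == "__main__":
    for acl in ("foo", "baz", "dup"):
        for issue in validate(acl, ACLS):
            print(issue)
```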
Viewing Named ACLs
To view a list of named ACLs:
- From the Administration tab, select the Named ACLs tab. Grid Manager displays the following information for each named ACL:
- Name: The name of the named ACL.
- Comment: Information about the named ACL.
- Site: The site to which the named ACL belongs. This is one of the predefined extensible attributes.
You can also do the following in the Named ACLs tab:
- Modify data in the table. Double-click a row, and either modify the data in the field or select an item from a drop-down list. Click Save to save the changes or Cancel to exit.
- Sort the named ACLs in ascending or descending order by column.
- Select a named ACL and click the Edit icon to modify data, or click the Delete icon to delete it.
- Use filters and the Go to function to narrow down the list. With the autocomplete feature, you can just enter the first few characters of an object name in the Go to field and select the object from the possible matches.
- Create a quick filter to save frequently used filter criteria. For information, see Using Quick Filters.
- Print and export data in this tab.
Modifying Named ACLs
You can modify ACEs in an existing named ACL. When you update a named ACL, the appliance validates the updates to ensure that ACEs in the named ACL are valid for the operations to which the named ACL has been applied. For example, if a named ACL is used for file distribution access, you are not allowed to add IPv6 address access control to it because the file transfer operation does not support IPv6 addresses.
To modify a named ACL:
- From the Administration tab, select the Named ACLs tab -> named_acl check box, and then click the Edit icon.
- The Named ACL editor provides the following tabs from which you can modify data:
- General Basic: You can modify data in this tab as described in Defining Named ACLs.
- Extensible Attributes: Add and delete extensible attributes that are associated with a specific named ACL. You can also modify the values of the extensible attributes. For information, see About Extensible Attributes.
- Permissions: This tab appears only if you belong to a superuser admin group. For information, see Managing Permissions.
Deleting Named ACLs
When you delete a named ACL, the appliance puts it in the Recycle Bin, if enabled. You can restore the named ACL later if needed.
You cannot delete a named ACL that has been applied to an operation or is currently in use by another operation.
To delete a named ACL:
- From the Administration tab, select the Named ACLs tab -> named_acl check box, and then click the Delete icon. You can select multiple named ACLs for deletion.
- In the Delete Confirmation dialog box, click Yes.