Policy List

Use the Configure Policy List page to create, copy, and edit policy list policy objects. You can create policy list objects to use when you are configuring route maps. When a policy list is referenced within a route map, all of the match statements within the policy list are evaluated and processed. Two or more policy lists can be configured with a route map. A policy list can also coexist with any other preexisting match and set statements that are configured within the same route map but outside of the policy list. When multiple policy lists perform matching within a route map entry, all policy lists match on the incoming attribute only.

You can use this object with threat defense devices.

Procedure

Step 1

Select Objects > Object Management and choose Policy List from the table of contents.

Step 2

Click Add Policy List.

Step 3

Enter a name for the policy list object in the Name field. Object names are not case-sensitive.

Step 4

Select whether to allow or block access for matching conditions from the Action drop-down list.

Step 5

Click the Interface tab to distribute routes that have their next hop out of one of the interfaces specified.

In the Zones/Interfaces list, add the zones that contain the interfaces through which the device communicates with the management station. For interfaces not in a zone, you can type the interface name into the field below the Selected Zone/Interface list and click Add. The host will be configured on a device only if the device includes the selected interfaces or zones.

Step 6

Click the Address tab to redistribute any routes that have a destination address that is permitted by a standard access list or prefix list.

Choose whether to use an Access List or Prefix List for matching and then enter or select the Standard Access List Objects or Prefix list objects you want to use for matching.

Step 7

Click the Next Hop tab to redistribute any routes that have a next hop router address passed by one of the access lists or prefix lists specified.

Choose whether to use an Access List or Prefix List for matching and then enter or select the Standard Access List Objects or Prefix list objects you want to use for matching.

Step 8

Click the Route Source tab to redistribute routes that have been advertised by routers and access servers at the address specified by the access lists or prefix list.

Choose whether to use an Access List or Prefix List for matching and then enter or select the Standard Access List Objects or Prefix list objects you want to use for matching.

Step 9

Click the AS Path tab to match a BGP autonomous system path. If you specify more than one AS path, then the route can match either AS path.

Step 10

Click the Community Rule tab to enable matching of the BGP community or extended community with the specified community list objects or the extended community list objects respectively. If you specify more than one rule, the routes are verified against the rules until a matching permit or deny is met.

  1. To specify a community list to the rule, click Edit (edit icon) given in the Selected Community List field. The community lists appear under Available Community List. Select the required list, click Add, and then click Ok.

    To enable matching the BGP community exactly with the specified community, check the Match the specified community exactly check box.

  2. To add the extended community list, click Edit (edit icon) given in the Selected Extended Community List field. The extended community lists appear under the Available Extended Community List. Select the required list, click Add, and then click Ok.

    Note

    The extended community lists are applicable only for configuring import or export of routes.

Step 11

Click the Metric & tag tab to match the metric and security group tag of a route.

  1. Enter the metric values to use for matching in the Metric field. You can enter multiple values separated by commas. This setting allows you to match any routes that have a specified metric. The metric values can range from 0 to 4294967295.

  2. Enter the tag values to use for matching in the Tag field. You can enter multiple values separated by commas. This setting allows you to match any routes that have a specified security group tag. The tag values can range from 0 to 4294967295.

Step 12

If you want to allow overrides for this object, check the Allow Overrides check box; see Allowing Object Overrides.

Step 13

Click Save.