The customer noticed that ACL rule 170 shows as Failed, and PFILTER_IF_NOT_SUPPORT appears in the log. Could anyone advise?
Model: LS-10506X
Version: 7624P12
<IRDRRCORE>disp object-group
Ip address object group PAMS-PROD: 3 objects(in use)
PAMS-PROD
0 network host address 10.31.202.200
10 network host address 10.31.202.201
20 network host address 10.31.202.202
acl advanced name ACL-SystemPrinter-IN
step 10
rule 0 permit icmp
rule 10 permit ospf
rule 20 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq nntp
rule 30 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq www established
rule 40 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 139 established
rule 50 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 445 established
rule 60 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 443 established
rule 70 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq lpd established
rule 80 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 631 established
rule 90 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 5001 established
rule 100 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 5002 established
rule 110 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 9100 established
rule 120 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 9101 established
rule 130 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 9102 established
rule 140 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 9103 established
rule 150 permit udp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq netbios-ssn
rule 160 permit udp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 445
rule 170 permit tcp source 10.31.238.0 0.0.1.255 destination object-group PAMS source-port eq 3389 established counting
rule 171 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.202.200 0 source-port eq 3389 established counting
rule 172 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.202.201 0 source-port eq 3389 established counting
rule 173 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.202.202 0 source-port eq 3389 established counting
rule 174 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.202.200 0 destination-port eq 3389 established counting
rule 175 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.202.201 0 destination-port eq 3389 established counting
rule 176 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.202.202 0 destination-port eq 3389 established counting
rule 180 permit ip source 10.31.238.0 0.0.1.255 destination 10.31.202.220 0
rule 190 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.202.0 0.0.0.255 source-port eq 3389 established counting
rule 200 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.101.165 0 source-port eq 3389 established
rule 200 comment For Testing & can be removed
rule 9999 deny ip
The statistics are shown below:
[IRDRRCORE-acl-ipv4-adv-ACL-SystemPrinter-IN]disp packet-filter sta interface Vlan-interface 2381 i
Interface: Vlan-interface2381
Inbound policy:
IPv4 ACL ACL-SystemPrinter-IN, Hardware-count
From 2022-11-11 10:47:45 to 2022-11-11 11:19:54
rule 0 permit icmp
rule 10 permit ospf
rule 20 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq nntp
rule 30 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq www established
rule 40 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 139 established
rule 50 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 445 established
rule 60 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 443 established
rule 70 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq lpd established
rule 80 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 631 established
rule 90 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 5001 established
rule 100 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 5002 established
rule 110 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 9100 established (2051 packets)
rule 120 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 9101 established
rule 130 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 9102 established
rule 140 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 9103 established
rule 150 permit udp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq netbios-ssn
rule 160 permit udp source 10.31.238.0 0.0.1.255 destination 10.31.0.0 0.0.255.255 source-port eq 445
rule 170 permit tcp source 10.31.238.0 0.0.1.255 destination object-group PAMS source-port eq 3389 established counting (Failed)
rule 171 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.202.200 0 source-port eq 3389 established counting
rule 172 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.202.201 0 source-port eq 3389 established counting
rule 173 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.202.202 0 source-port eq 3389 established counting
rule 174 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.202.200 0 destination-port eq 3389 established counting
rule 175 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.202.201 0 destination-port eq 3389 established counting
rule 176 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.202.202 0 destination-port eq 3389 established counting
rule 180 permit ip source 10.31.238.0 0.0.1.255 destination 10.31.202.220 0
rule 190 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.202.0 0.0.0.255 source-port eq 3389 established counting
rule 200 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.101.165 0 source-port eq 3389 established
rule 9999 deny ip (3066 packets)
Totally 2051 packets permitted, 3066 packets denied
Totally 40% permitted, 60% denied
--------------
%Nov 11 11:08:18:461 2022 IRDRRCORE PFILTER/3/PFILTER_IF_NOT_SUPPORT: -Chassis=2-Slot=1; Failed to apply or refresh IPv4 ACL ACL-SystemPrinter-IN rule 170 to the inbound direction of interface Vlan-interface2381. The ACL is not supported.
%Nov 11 11:08:19:234 2022 IRDRRCORE PFILTER/3/PFILTER_IF_NOT_SUPPORT: -Chassis=2-Slot=2; Failed to apply or refresh IPv4 ACL ACL-SystemPrinter-IN rule 170 to the inbound direction of interface Vlan-interface2381. The ACL is not supported.
%Nov 11 11:08:19:607 2022 IRDRRCORE PFILTER/3/PFILTER_IF_NOT_SUPPORT: -Chassis=1-Slot=0; Failed to apply or refresh IPv4 ACL ACL-SystemPrinter-IN rule 170 to the inbound direction of interface Vlan-interface2381. The ACL is not supported.
%Nov 11 11:08:18:653 2022 IRDRRCORE PFILTER/3/PFILTER_IF_NOT_SUPPORT: -Chassis=2-Slot=5; Failed to apply or refresh IPv4 ACL ACL-SystemPrinter-IN rule 170 to the inbound direction of interface Vlan-interface2381. The ACL is not supported.
%Nov 11 11:08:18:476 2022 IRDRRCORE PFILTER/3/PFILTER_IF_NOT_SUPPORT: -Chassis=1-Slot=1; Failed to apply or refresh IPv4 ACL ACL-SystemPrinter-IN rule 170 to the inbound direction of interface Vlan-interface2381. The ACL is not supported.
%Nov 11 11:08:18:806 2022 IRDRRCORE PFILTER/3/PFILTER_IF_NOT_SUPPORT: -Chassis=2-Slot=3; Failed to apply or refresh IPv4 ACL ACL-SystemPrinter-IN rule 170 to the inbound direction of interface Vlan-interface2381. The ACL is not supported.
(0)
Additional information:
vlan 2381
description System Printer segment
interface Vlan-interface2381
description System Printer
ip address 10.31.238.1 255.255.254.0
packet-filter name ACL-SystemPrinter-IN inbound hardware-count
(0)
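S7506E-X: applying an ACL through packet filtering reports the error "Failed to apply"
It looks like this issue. Check it against the command reference, or undo the object-group rule and try again.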
https://www.h3c.com/cn/d_202208/1659990_30005_0.htm#
(0)
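One way to turn the PFILTER_IF_NOT_SUPPORT messages quoted in the question into a per-rule report, as an added example that is not part of the original thread or of H3C tooling: it groups the failures by ACL rule and line card and marks rules that reference an object-group, which is what the reply suggests removing. The function names and the trimmed sample input are assumptions made for the example.

```python
import re

# Constructed sample input: log lines and ACL rules copied from the thread, trimmed.
SYSLOG = """\
%Nov 11 11:08:18:461 2022 IRDRRCORE PFILTER/3/PFILTER_IF_NOT_SUPPORT: -Chassis=2-Slot=1; Failed to apply or refresh IPv4 ACL ACL-SystemPrinter-IN rule 170 to the inbound direction of interface Vlan-interface2381. The ACL is not supported.
%Nov 11 11:08:19:607 2022 IRDRRCORE PFILTER/3/PFILTER_IF_NOT_SUPPORT: -Chassis=1-Slot=0; Failed to apply or refresh IPv4 ACL ACL-SystemPrinter-IN rule 170 to the inbound direction of interface Vlan-interface2381. The ACL is not supported.
"""
ACL_RULES = """\
rule 170 permit tcp source 10.31.238.0 0.0.1.255 destination object-group PAMS source-port eq 3389 established counting
rule 171 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.202.200 0 source-port eq 3389 established counting
rule 200 permit tcp source 10.31.238.0 0.0.1.255 destination 10.31.101.165 0 source-port eq 3389 established
rule 200 comment For Testing & can be removed
"""

FAIL_RE = re.compile(
    r"PFILTER_IF_NOT_SUPPORT: -Chassis=(?P<chassis>\d+)-Slot=(?P<slot>\d+); "
    r"Failed to apply or refresh IPv4 ACL (?P<acl>\S+) rule (?P<rule>\d+) "
    r"to the (?P<dir>inbound|outbound) direction of interface (?P<ifname>\S+)\."
)
RULE_RE = re.compile(r"^rule (\d+) (.*)$", re.M)

def failed_rules(syslog):
    """Map (acl, rule, direction, interface) -> sorted [(chassis, slot), ...]."""
    out = {}
    for m in FAIL_RE.finditer(syslog):
        key = (m["acl"], int(m["rule"]), m["dir"], m["ifname"])
        out.setdefault(key, set()).add((int(m["chassis"]), int(m["slot"])))
    return {k: sorted(v) for k, v in out.items()}

def explain(syslog, acl_rules):
    """Attach the rule text to each failure and list the object-groups it uses."""
    rules = {int(n): body for n, body in RULE_RE.findall(acl_rules)
             if not body.startswith("comment")}  # skip "rule N comment ..." lines
    report = []
    for (acl, rule, direction, ifname), slots in failed_rules(syslog).items():
        body = rules.get(rule, "")
        report.append({"acl": acl, "rule": rule, "direction": direction,
                       "interface": ifname, "slots": slots, "body": body,
                       "object_groups": re.findall(r"object-group (\S+)", body)})
    return report

if __name__ == "__main__":
    for r in explain(SYSLOG, ACL_RULES):
        print(f'{r["acl"]} rule {r["rule"]} ({r["direction"]}, {r["interface"]}) '
              f'not installed on {r["slots"]}; object-groups: {r["object_groups"]}')
```

A rule listed in this report was not applied on the named cards, so traffic it was meant to match is evaluated by the rules that follow it.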