Environment: In AOS 6.4, the behaviour below is seen once Deep Packet Inspection (DPI) is enabled.
Answer: A global-sacl is an ACL that is:
- Placed at the beginning of every configured user role
- Always at position 1
- Empty by default, and editable, e.g. to disable BitTorrent globally for all roles
- Exclusive in position 1: no other ACL can be placed there
(Abilash-Lab-Cont-master-6.4) #show ip access-list global-sacl
ip access-list session global-sacl
global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
(Abilash-Lab-Cont-master-6.4) #
The `show rights` output below shows that all user-created roles on the controller carry this global-sacl.
(Abilash-Lab-Cont-master-6.4) #show rights
RoleTable
---------
Name ACL Bandwidth ACL List Type
---- --- --------- -------- ----
Corporate-role 78 Up: No Limit,Dn: No Limit global-sacl/,apprf-Corporate-role-sacl/,social-network-policy/,allowall/ User
IAP-role 82 Up: No Limit,Dn: No Limit global-sacl/,apprf-IAP-role-sacl/,IAP-role/ User
ap-role 6 Up: No Limit,Dn: No Limit ra-guard/,control/,ap-acl/,v6-control/,v6-ap-acl/ System
app-rf-role 68 Up: Traditional-BW-cont (per role),Dn: Traditional-BW-cont (per role) global-sacl/,apprf-app-rf-role-sacl/,Youtube/,blogger/,facebook/,ipv6-allowall/ User
authenticated 72 Up: No Limit,Dn: No Limit global-sacl/,apprf-authenticated-sacl/,ra-guard/,allowall/,v6-allowall/ User
cpbase 71 Up: No Limit,Dn: No Limit global-sacl/,apprf-cpbase-sacl/ User
default-via-role 67 Up: No Limit,Dn: No Limit global-sacl/,apprf-default-via-role-sacl/,allowall/ User
default-vpn-role 70 Up: No Limit,Dn: No Limit global-sacl/,apprf-default-vpn-role-sacl/,ra-guard/,allowall/,v6-allowall/ User
denyall 73 Up: No Limit,Dn: No Limit User
guest 4 Up: No Limit,Dn: No Limit global-sacl/,apprf-guest-sacl/,ra-guard/,http-acl/,https-acl/,dhcp-acl/,icmp-acl/,dns-acl/,v6-http-acl/,v6-https-acl/,v6-dhcp-acl/,v6-icmp-acl/,v6-dns-acl/ User
guest-logon 9 Up: No Limit,Dn: No Limit ra-guard/,logon-control/,captiveportal/,v6-logon-control/,captiveportal6/ User
logon 2 Up: No Limit,Dn: No Limit ra-guard/,logon-control/,captiveportal/,vpnlogon/,v6-logon-control/,captiveportal6/ User
stateful-dot1x 7 Up: No Limit,Dn: No Limit global-sacl/,apprf-stateful-dot1x-sacl/ System
sys-ap-role 10 Up: No Limit,Dn: No Limit sys-control/,sys-ap-acl/ System (not editable)
test-no-app 76 Up: No Limit,Dn: No Limit global-sacl/,apprf-test-no-app-sacl/ User
voice 69 Up: No Limit,Dn: No Limit global-sacl/,apprf-voice-sacl/,ra-guard/,sip-acl/,noe-acl/,svp-acl/,vocera-acl/,skinny-acl/,h323-acl/,dhcp-acl/,tftp-acl/,dns-acl/,icmp-acl/ User
Total Roles:16
(Abilash-Lab-Cont-master-6.4) #
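As an added example (not from the article or from Aruba), the Python below parses the whitespace-separated `show rights` RoleTable in the form shown on this page and lists any User-type role whose ACL list does not begin with global-sacl, i.e. where the global policy would not be evaluated first. The sample rows are constructed from the output above; real CLI output is column-aligned, which the whitespace-based pattern also tolerates.

```python
import re

# Constructed sample: rows in the shape of the article's `show rights` RoleTable
# (whitespace-separated, as the output appears on the page). Not a live capture.
SHOW_RIGHTS = """\
RoleTable
---------
Name ACL Bandwidth ACL List Type
---- --- --------- -------- ----
Corporate-role 78 Up: No Limit,Dn: No Limit global-sacl/,apprf-Corporate-role-sacl/,allowall/ User
app-rf-role 68 Up: Traditional-BW-cont (per role),Dn: Traditional-BW-cont (per role) global-sacl/,apprf-app-rf-role-sacl/,Youtube/ User
ap-role 6 Up: No Limit,Dn: No Limit ra-guard/,control/,ap-acl/ System
denyall 73 Up: No Limit,Dn: No Limit User
logon 2 Up: No Limit,Dn: No Limit ra-guard/,logon-control/,captiveportal/ User
sys-ap-role 10 Up: No Limit,Dn: No Limit sys-control/,sys-ap-acl/ System (not editable)
Total Roles:6
"""

# One role row: name, numeric ACL id, an "Up: ...,Dn: ..." bandwidth contract (which may
# contain spaces), an optional comma-joined ACL list whose entries end in "/", and the type.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<id>\d+)\s+Up:\s*(?P<up>.+?),Dn:\s*(?P<dn>.+?)"
    r"\s+(?P<acls>(?:\S+/,?)*)\s*(?P<type>User|System)(?P<note>.*)$"
)


def parse_role_table(text):
    """Return one dict per role row; header, separator and summary lines are skipped."""
    roles = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        acls = [a.rstrip("/") for a in m["acls"].split(",") if a]
        roles.append({"name": m["name"], "type": m["type"], "acls": acls,
                      "editable": "not editable" not in m["note"]})
    return roles


def roles_without_global_sacl_first(roles):
    """User-created roles whose ACL list does not start with global-sacl (position 1)."""
    return [r["name"] for r in roles
            if r["type"] == "User" and r["acls"][:1] != ["global-sacl"]]


if __name__ == "__main__":
    for name in roles_without_global_sacl_first(parse_role_table(SHOW_RIGHTS)):
        print(f"role {name}: global-sacl is not at position 1")
```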
The global-sacl can be edited. In the example below, all intranet traffic is permitted while YouTube and BitTorrent are denied for all user-created roles.
(Abilash-Lab-Cont-master-6.4) (config) #ip access-list session global-sacl
(Abilash-Lab-Cont-master-6.4) (config-sess-global-sacl)#any any app intranet permit
(Abilash-Lab-Cont-master-6.4) (config-sess-global-sacl)#any any app youtube deny
(Abilash-Lab-Cont-master-6.4) (config-sess-global-sacl)#any any app bittorrent deny
(Abilash-Lab-Cont-master-6.4) (config-sess-global-sacl)#exit
(Abilash-Lab-Cont-master-6.4) (config) #write mem
Saving Configuration...
Configuration Saved.
(Abilash-Lab-Cont-master-6.4) (config) #exit
(Abilash-Lab-Cont-master-6.4) #show ip access-list global-sacl
ip access-list session global-sacl
global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any app intranet permit Low 4
2 any any app youtube deny Low 4
3 any any app bittorrent deny Low 4
(Abilash-Lab-Cont-master-6.4) #