Requirement: 10.132.0.0/16 needs Internet access, but must not be able to reach the company's other internal networks in 10.0.0.0/8.
Approach: use destination-address-excluded, which negates the policy's destination-address match (the policy then matches "destination NOT in the listed addresses").
Configuration commands (the address-book entries ip_10.132.0.0/16 and ip_10.0.0.0/8 and the custom applications tcp1-65535 and udp1-65535 must already be defined):
set security policies from-zone TEST to-zone Core_SW policy TEST-PASS_WWW match source-address ip_10.132.0.0/16
set security policies from-zone TEST to-zone Core_SW policy TEST-PASS_WWW match destination-address ip_10.0.0.0/8
set security policies from-zone TEST to-zone Core_SW policy TEST-PASS_WWW match destination-address-excluded
set security policies from-zone TEST to-zone Core_SW policy TEST-PASS_WWW match application tcp1-65535
set security policies from-zone TEST to-zone Core_SW policy TEST-PASS_WWW match application udp1-65535
set security policies from-zone TEST to-zone Core_SW policy TEST-PASS_WWW then permit
# Traffic to 10.0.0.0/8 does not match this policy, so it falls through to the next policy in the zone pair or to the default deny; every other destination, such as the Internet, is permitted. Two caveats: only TCP and UDP are matched by the two applications (ICMP such as ping is not), and because 10.132.0.0/16 lies inside 10.0.0.0/8, any 10.132.0.0/16-to-10.132.0.0/16 traffic that crosses this zone pair is blocked as well. Policies are evaluated top-down with first match winning, so this policy must sit above any broader permit in the TEST-to-Core_SW zone pair, and Junos does not accept any, any-ipv4 or any-ipv6 as the negated address, which is why a concrete prefix is used.
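For completeness, the following is an added worked example (not the original note's configuration) showing the objects the policy above depends on, an explicit logged deny for the excluded range, and the operational-mode checks used to confirm which policy a flow hits. The global address book, the custom application definitions, the existing policy name OTHER-PERMIT used in the insert command, and the test addresses 10.132.1.10, 203.0.113.5 and 10.20.0.5 are all assumptions.

```junos
# --- Objects the policy refers to (assumed: global address book; a zone address book works the same way)
set security address-book global address ip_10.132.0.0/16 10.132.0.0/16
set security address-book global address ip_10.0.0.0/8 10.0.0.0/8

# --- Custom applications: "any TCP port" and "any UDP port". ICMP is deliberately not covered.
set applications application tcp1-65535 protocol tcp
set applications application tcp1-65535 destination-port 1-65535
set applications application udp1-65535 protocol udp
set applications application udp1-65535 destination-port 1-65535

# --- The permit policy. destination-address-excluded negates the destination-address list,
#     so this matches "destination is NOT in 10.0.0.0/8". A concrete prefix is required here;
#     Junos rejects any / any-ipv4 / any-ipv6 as a negated address.
set security policies from-zone TEST to-zone Core_SW policy TEST-PASS_WWW match source-address ip_10.132.0.0/16
set security policies from-zone TEST to-zone Core_SW policy TEST-PASS_WWW match destination-address ip_10.0.0.0/8
set security policies from-zone TEST to-zone Core_SW policy TEST-PASS_WWW match destination-address-excluded
set security policies from-zone TEST to-zone Core_SW policy TEST-PASS_WWW match application tcp1-65535
set security policies from-zone TEST to-zone Core_SW policy TEST-PASS_WWW match application udp1-65535
set security policies from-zone TEST to-zone Core_SW policy TEST-PASS_WWW then permit

# --- Explicit, logged deny for the excluded range so the drops are visible in the logs
#     instead of silently hitting the default deny.
set security policies from-zone TEST to-zone Core_SW policy TEST-DENY-INTERNAL match source-address ip_10.132.0.0/16
set security policies from-zone TEST to-zone Core_SW policy TEST-DENY-INTERNAL match destination-address ip_10.0.0.0/8
set security policies from-zone TEST to-zone Core_SW policy TEST-DENY-INTERNAL match application any
set security policies from-zone TEST to-zone Core_SW policy TEST-DENY-INTERNAL then deny
set security policies from-zone TEST to-zone Core_SW policy TEST-DENY-INTERNAL then log session-init
set security policies from-zone TEST to-zone Core_SW policy TEST-DENY-INTERNAL then count

# --- Ordering: first match wins. If a broader permit (assumed name: OTHER-PERMIT) already exists
#     in this zone pair, move the new policy above it before committing.
insert security policies from-zone TEST to-zone Core_SW policy TEST-PASS_WWW before policy OTHER-PERMIT

commit check
commit

# --- Verification (operational mode). Look up which policy each flow would hit.
#     Flow 1: 10.132.1.10 -> Internet host on TCP/443 (assumed test addresses)
show security match-policies from-zone TEST to-zone Core_SW source-ip 10.132.1.10 destination-ip 203.0.113.5 source-port 40000 destination-port 443 protocol tcp
#     Flow 2: 10.132.1.10 -> internal host in 10.0.0.0/8 on TCP/22
show security match-policies from-zone TEST to-zone Core_SW source-ip 10.132.1.10 destination-ip 10.20.0.5 source-port 40000 destination-port 22 protocol tcp
#     Inspect the resulting policy and confirm the destination shows as negated
show security policies from-zone TEST to-zone Core_SW policy-name TEST-PASS_WWW detail
```

The first match-policies lookup should report TEST-PASS_WWW and the second TEST-DENY-INTERNAL; if the second reports a permit policy instead, an earlier policy in the zone pair is matching first and the insert step needs to be repeated against that policy name. The explicit deny is not required for correctness (the default action already drops unmatched traffic), but the log and count entries are what let you prove, during change review, that the 10.0.0.0/8 isolation actually holds.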