Configuring a Policy Rule
This section describes how to configure a policy rule.
Creating a Policy Rule
To create a policy rule, take the following steps:
- On the Navigation pane, click Configure > Security > Policy to visit the Policy page.
- Click New.
- On the Basic tab in the Policy Configuration dialog, configure basic options for the policy rule.
- Src zone: Specifies a source zone for the policy rule.
- Dst zone: Specifies a destination zone for the policy rule.
- Src address: Specifies a source address for the policy rule. Select an address entry from the Src address drop-down list, or select New addressbook to create a new one. Click Multiple to add one or more addresses in the Source Address Configuration dialog.
- Dst address: Specifies a destination address for the policy rule. Select an address entry from the Dst address drop-down list, or select New addressbook to create a new one. Click Multiple to add one or more addresses in the Destination Address Configuration dialog.
- Service: Specifies a service for the policy rule. Select a service from the Service drop-down list, or select New service/New service group/New app group to create a new one. Click Multiple to add one or more service entries in the Service Configuration dialog.
- Schedule: Specifies a schedule for the policy rule. Select a schedule from the Schedule drop-down list, or select New to create a new one. Click Multiple to add one or more schedules in the Schedule Configuration dialog.
- Source user: Specifies a role, user or user group for the policy rule. Click Multiple after Source user, and configure options as below in the Role/User/User Group dialog:
Specify a role - Click Role, select a role from the Role drop-down list, and then click Add to add it to the list below. You can add multiple roles, or click Delete to delete a role. Click OK to save your settings and return to the Policy Configuration dialog.
Specify a user - Click User, select a server from the AAA server drop-down list, select a user from the User drop-down list, and then click Add to add it to the list below. You can add multiple users, or click Delete to delete a user. Click OK to save your settings and return to the Policy Configuration dialog.
Specify a user group - Click User group, select a server from the AAA server drop-down list, select a user group from the User Group drop-down list, and then click Add to add it to the list below. You can add multiple user groups, or click Delete to delete a user group. Click OK to save your settings and return to the Policy Configuration dialog.
- Action: Specifies an action for the traffic that is matched to the policy rule, including:
Permit - Click Permit to permit the traffic to pass through.
Deny - Click Deny to deny the traffic.
WebAuth - Performs Web authentication on the matched traffic. Select WebAuth from the Security Connection drop-down list, and then select an authentication server from the drop-down list that follows.
From tunnel (VPN) - For traffic from the local device to a peer, select this option to allow the traffic to pass through the VPN tunnel. Select From tunnel (VPN) from the Security Connection drop-down list, and then select a tunnel from the drop-down list that follows.
Tunnel (VPN) - For traffic from a peer to the local device, if this option is selected, the system first checks whether the traffic originates from a tunnel. Only such traffic is permitted.
- On the Advanced tab, configure advanced options for the policy rule.
- Application controls (at present only Anti-Virus and IPS rules are supported): Combining policies with application controls enables the security appliance to implement fine-grained application-layer policy control. Select a rule from the Anti-Virus or IPS drop-down list.
- Online notification page: Policy-based online notification redirects HTTP requests from clients to a specified page automatically. With this function enabled, the system redirects the page you request over HTTP to a prompt page. If you click Continue on the prompt page, you are redirected to the specified page. To visit the originally requested URL, you have to type the URL again in the Web browser. Select the Enable check box to enable this function, and type a redirect URL into the Notification page URL box.
- QoS tag: Controls traffic combined with QoS. For more information about QoS configuration, see Introduction to QoS. Type a value into the QoS tag box.
- Description: Type descriptions into the Description box.
- Record log: You can record policy rule matches in the system logs according to your needs. For Permit rules, logs are generated under two conditions: when the traffic matched to the rule starts its session and when it ends its session; for Deny rules, logs are generated when the traffic matched to the rule is denied. Select one or more check boxes to enable the corresponding log type(s):
Policy deny - Generates logs when the traffic that is matched to policy rules is denied.
Session start - Generates logs when the traffic that is matched to policy rules starts its session.
Session end - Generates logs when the traffic that is matched to policy rules ends its session.
- Rule position: Each policy rule is labeled with a unique ID. When traffic flows into the security appliance, the device queries the policy rules in turn and processes the traffic according to the first matched rule. However, the policy rule ID is not related to the matching sequence during the query; the order shown in the policy rule list is the query order. The rule position can be an absolute position, i.e., at the top or bottom, or a relative position, i.e., before or after an ID. Select a rule position from the Rule position drop-down list:
Top - Select this option to place the policy rule to the top.
Bottom - Select this option to place the policy rule to the bottom.
Before ID - Select this option and type an ID into the box next to it to move the policy rule to the position before that ID.
After ID - Select this option and type an ID into the box next to it to move the policy rule to the position after that ID.
- Click OK to save your settings.
Note: Both the Src zone and the Dst zone of a policy rule can be set to Any.
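The Rule position and Record log behaviour described above, modelled as an added example (not the appliance's own code): a small Python policy list in which match order is list order rather than ID order, the first match wins and bumps its hit count, and the logs a matched session produces depend on the rule's action and the enabled log types. Zone and service names and the "any" wildcard are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import count


@dataclass
class Rule:
    rule_id: int
    src_zone: str
    dst_zone: str
    service: str
    action: str  # "permit" or "deny"
    hit_count: int = 0


class PolicyList:
    """Ordered policy rule list: traffic is checked against rules in list
    order and handled by the first match; the rule ID is only a label."""

    def __init__(self):
        self.rules = []
        self._ids = count(1)  # each rule gets a unique ID when created

    def add(self, src_zone, dst_zone, service, action, position="bottom", ref_id=None):
        rule = Rule(next(self._ids), src_zone, dst_zone, service, action)
        if position == "top":
            self.rules.insert(0, rule)
        elif position == "bottom":
            self.rules.append(rule)
        elif position in ("before", "after"):  # relative to an existing rule ID
            idx = next(i for i, r in enumerate(self.rules) if r.rule_id == ref_id)
            self.rules.insert(idx if position == "before" else idx + 1, rule)
        else:
            raise ValueError(f"unknown position {position!r}")
        return rule

    def order(self):
        """Query order as shown in the list; note it need not follow IDs."""
        return [r.rule_id for r in self.rules]

    def lookup(self, src_zone, dst_zone, service):
        """Return the first matching rule ("any" is a wildcard) and bump its hit count."""
        for r in self.rules:
            if (r.src_zone in ("any", src_zone) and r.dst_zone in ("any", dst_zone)
                    and r.service in ("any", service)):
                r.hit_count += 1
                return r
        return None  # no rule matched


def session_logs(rule, log_types):
    """Logs one matched session produces for the enabled Record log check boxes."""
    if rule.action == "deny":
        return ["policy deny"] if "policy deny" in log_types else []
    return [t for t in ("session start", "session end") if t in log_types]
```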
Editing a Policy Rule
To edit a policy rule, take the following steps:
- On the Navigation pane, click Configure > Security > Policy to visit the Policy page.
- Select the policy rule you want to edit and click Edit. In the Policy Configuration dialog, modify according to your need.
- Click OK to save your changes.
Deleting a Policy Rule
To delete a policy rule, take the following steps:
- On the Navigation pane, click Configure > Security > Policy to visit the Policy page.
- Select the policy rule you want to delete and click Delete.
Cloning a Policy Rule
To clone a policy rule, take the following steps:
- On the Navigation pane, click Configure > Security > Policy to visit the Policy page.
- Select the policy rule you want to clone and click Clone. The rule will be cloned, and displayed at the bottom of the list below.
Enabling/Disabling a Policy Rule
By default, a configured policy rule takes effect immediately. You can stop it from controlling traffic by disabling the rule.
To enable/disable a policy rule, take the following steps:
- On the Navigation pane, click Configure > Security > Policy to visit the Policy page.
- Select the policy rule you want to enable/disable and click Enable/Disable.
Viewing a Policy Hit Count
The system keeps statistics on policy hit counts, i.e., the number of matches between traffic and policy rules. Each time inbound traffic is matched to a specific policy rule, that rule's hit count increments by 1 automatically.
To view a policy hit count, take the following steps:
- On the Navigation pane, click Configure > Security > Policy to visit the Policy page.
- In the policy rule list, view the statistics on policy hit counts under the Hit count column.