Configuring a Policy Rule

This section describes how to configure a policy rule.

Creating a Policy Rule

To create a policy rule, take the following steps:

  1. On the Navigation pane, click Configuration > Security > Policy to visit the Policy page.
  2. Click New.
  3. On the Basic tab in the Policy Configuration dialog, configure basic options for the policy rule.
    • Source zone: Specifies a source zone for the policy rule.
    • Destination zone: Specifies a destination zone for the policy rule.
    • Source address: Specifies a source address for the policy rule. Select an address entry from the Source address combo box or type an address into it, or select New addressbook to create a new address entry. Click Multiple to add one or more addresses in the Source Address Configuration dialog.
    • Destination address: Specifies a destination address for the policy rule. Select an address entry from the Destination address combo box or type an address into it, or select New addressbook to create a new address entry. Click Multiple to add one or more addresses in the Destination Address Configuration dialog.
    • Service: Specifies a service for the policy rule. Select a service from the Service combo box or type a service name into it, or select New service, New service group or New app group to create a new one. Click Multiple to add one or more service entries in the Service Configuration dialog.
    • Schedule: Specifies a schedule for the policy rule. Select a schedule from the Schedule combo box or type a schedule name into it, or select New to create a new one. Click Multiple to add one or more schedules in the Schedule Configuration dialog.
    • Application: Specifies an application for the policy rule. In the Application drop-down menu, select the desired application or type the application name. You can also click New Application Group to create a new application group. To add multiple applications, click Multiple.
    • Source user: Specifies a role, user or user group for the policy rule. Click Multiple after Source user, and configure the following options in the Role/User/User Group dialog:
      Specify a role - Click Role, select a role from the Role drop-down list, and then click Add to add it to the list below. Repeat to add more roles, or click Delete to remove a role. Click OK to save your settings and return to the Policy Configuration dialog.
      Specify a user - Click User, select a server from the AAA server drop-down list, select a user from the User drop-down list, and then click Add to add it to the list below. Repeat to add more users, or click Delete to remove a user. Click OK to save your settings and return to the Policy Configuration dialog.
      Specify a user group - Click User group, select a server from the AAA server drop-down list, select a user group from the User Group drop-down list, and then click Add to add it to the list below. Repeat to add more user groups, or click Delete to remove a user group. Click OK to save your settings and return to the Policy Configuration dialog.
    • Action: Specifies the action taken on traffic that matches the policy rule:
      Permit - Click Permit to allow the traffic to pass.
      Deny - Click Deny to drop the traffic.
      WebAuth - Performs Web authentication on the matched traffic. Select WebAuth from the Security Connection drop-down list, and then select an authentication server from the drop-down list that appears.
      From tunnel (VPN) - For traffic from local to a peer, select this option to allow the traffic to pass through the VPN tunnel. Select From tunnel (VPN) from the Security Connection drop-down list, and then select a tunnel from the drop-down list that appears.
      Tunnel (VPN) - For traffic from a peer to local, if this option is selected, StoneOS first checks whether the traffic arrived through a tunnel and permits only traffic that did.
    • Description: Type a description into the Description text box if necessary.
  4. On the Advanced tab, configure advanced options for the policy rule.
    • Application controls (at present only Anti-Virus and IPS rules are supported): Combining policy rules with application controls lets Hillstone devices enforce fine-grained application layer policy control. Select a rule from the Anti-Virus or IPS drop-down list.
    • Online notification page: Policy-based online notification automatically redirects HTTP requests from clients to a specified page. With this function enabled, StoneOS redirects the page you request over HTTP to a prompt page; if you click Continue on the prompt page, you are redirected to the specified page. To visit the originally requested URL, you have to type it into the Web browser again. Select the Enable check box to enable this function, and type a redirect URL into the Notification page URL box.
    • QoS tag: Controls traffic combined with QoS. For more information about QoS configuration, see Introduction to QoS. Type a value into the QoS tag box.
    • Description: Type descriptions into the Description box.
    • Record log: You can log policy rule matches in the system logs as needed. For Permit rules, logs can be generated when a session that matched the rule starts and when it ends; for Deny rules, logs can be generated when matched traffic is denied. Select one or more check boxes to enable the corresponding log type(s):
      Policy deny - Generates a log when traffic that matches the rule is denied.
      Session start - Generates a log when a session that matches the rule starts.
      Session end - Generates a log when a session that matches the rule ends.
    • Rule position: Each policy rule is labeled with a unique ID. When traffic arrives at a Hillstone device, the device evaluates the policy rules in sequence and processes the traffic according to the first rule that matches. The rule ID has no bearing on this sequence: the order shown in the policy rule list is the order in which rules are evaluated. Because evaluation stops at the first match, a rule placed below a broader rule that covers the same traffic is never reached (for example, a specific Deny rule below a Permit rule for the same zones, addresses and services), so place specific rules above general ones. The rule position can be absolute (top or bottom) or relative (before or after a given ID). Select a rule position from the Rule position drop-down list:
      Top - Places the policy rule at the top; StoneOS evaluates this rule first.
      Bottom - Places the policy rule at the bottom; StoneOS evaluates this rule last.
      Before ID - Select this option and type an ID into the box that follows to place the policy rule immediately before the rule with that ID.
      After ID - Select this option and type an ID into the box that follows to place the policy rule immediately after the rule with that ID.
  5. Click OK to save your settings.

Note: Both the Source zone and the Destination zone of a policy rule can be set to Any.

Editing a Policy Rule

To edit a policy rule, take the following steps:

  1. On the Navigation pane, click Configuration > Security > Policy to visit the Policy page.
  2. Select the policy rule you want to edit and click Edit. In the Policy Configuration dialog, make the required changes.
  3. Click OK to save your changes.

Deleting a Policy Rule

To delete a policy rule, take the following steps:

  1. On the Navigation pane, click Configuration > Security > Policy to visit the Policy page.
  2. Select the policy rule you want to delete and click Delete.

Searching Policy Rules

To search the policy rules, take the following steps:

  1. On the Navigation pane, click Configuration > Security > Policy to visit the policy page.
  2. Specify the search conditions and click Search. The matched rules will be shown in the policy rule table. To clear the specified search conditions, click Clear.

When searching the policy rules by an IP address, the system follows these principles:

Cloning a Policy Rule

To clone a policy rule, take the following steps:

  1. On the Navigation pane, click Configuration > Security > Policy to visit the Policy page.
  2. Select the policy rule you want to clone and click Clone. The cloned rule appears at the bottom of the policy rule list, so it is evaluated last until you move it with the Rule position option.

Enabling/Disabling a Policy Rule

By default, a policy rule takes effect as soon as it is configured. Disabling the rule stops it from controlling traffic; enabling it again restores that control.

To enable/disable a policy rule, take the following steps:

  1. On the Navigation pane, click Configuration > Security > Policy to visit the Policy page.
  2. Select the policy rule you want to enable/disable and click Enable/Disable.

Viewing a Policy Hit Count

StoneOS keeps statistics on policy hit counts, i.e., on how often traffic matches each policy rule. Each time inbound traffic matches a specific policy rule, that rule's hit count is incremented by 1. A rule whose hit count stays at zero is either unused or never reached because an earlier rule in the list matches the same traffic, so the Hit count column is a practical way to find rules that need review.

To view a policy hit count, take the following steps:

  1. On the Navigation pane, click Configuration > Security > Policy to visit the Policy page.
  2. In the policy rule list, view the statistics on policy hit counts under the Hit count column.
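As an added example (not StoneOS code and not part of this documentation), the following Python model reproduces the behaviour described in the Rule position, Record log, Enabling/Disabling and Viewing a Policy Hit Count sections above: rules are evaluated in list order, the rule ID does not affect that order, the first match wins, matches can generate policy-deny or session-start log lines, and each match increments a hit count. The class and function names, the log line formats and the sample rules are assumptions made for the illustration. It goes beyond the page by adding a shadowed() check that reports rules an earlier rule makes unreachable, which is what a permanently zero hit count usually indicates.

```python
"""Model of first-match policy evaluation, rule position, logging and hit counts as
described on this page. Added example, not StoneOS code; all names are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import count

def _covers(a, b, is_addr=False):  # does spec a include everything spec b matches?
    if a == "any" or a == b:
        return True
    if b == "any" or not is_addr:
        return False
    return ip_network(b).subnet_of(ip_network(a))   # a bare IP parses as a /32

@dataclass
class Rule:
    rule_id: int
    src_zone: str                    # zone name or "any"
    dst_zone: str
    src_addr: str                    # CIDR, single IP or "any"
    dst_addr: str
    service: str                     # e.g. "tcp/22" or "any"
    action: str                      # "permit" or "deny"
    log_deny: bool = False           # "Policy deny" check box
    log_session_start: bool = False  # "Session start" check box
    enabled: bool = True
    hit_count: int = 0

    def matches(self, src_zone, dst_zone, src_ip, dst_ip, service):
        return (self.enabled and _covers(self.src_zone, src_zone)
                and _covers(self.dst_zone, dst_zone)
                and _covers(self.src_addr, src_ip, True)
                and _covers(self.dst_addr, dst_ip, True)
                and _covers(self.service, service))

class PolicyTable:
    def __init__(self):
        self.rules = []      # list order is the evaluation order; IDs never change it
        self._ids = count(1)
        self.log = []

    def add(self, position="bottom", ref_id=None, **fields):
        rule = Rule(rule_id=next(self._ids), **fields)
        self.rules.append(rule)
        self.move(rule.rule_id, position, ref_id)
        return rule

    def move(self, rule_id, position, ref_id=None):
        """Rule position: "top", "bottom", "before" ref_id or "after" ref_id."""
        ids = [r.rule_id for r in self.rules]
        rule = self.rules.pop(ids.index(rule_id))
        ids.remove(rule_id)
        if position in ("top", "bottom"):
            idx = 0 if position == "top" else len(self.rules)
        else:
            idx = ids.index(ref_id) + (position == "after")
        self.rules.insert(idx, rule)

    def lookup(self, src_zone, dst_zone, src_ip, dst_ip, service):
        """First matching rule wins; None means no rule matched."""
        for r in self.rules:
            if r.matches(src_zone, dst_zone, src_ip, dst_ip, service):
                r.hit_count += 1                         # the Hit count column
                flow = f"id={r.rule_id} {src_ip}->{dst_ip} {service}"
                if r.action == "deny" and r.log_deny:
                    self.log.append("policy-deny " + flow)
                elif r.action == "permit" and r.log_session_start:
                    self.log.append("session-start " + flow)
                return r
        return None

    def shadowed(self):
        """IDs of enabled rules that an earlier enabled rule fully covers."""
        out = []
        for i, b in enumerate(self.rules):
            for a in self.rules[:i]:
                if (a.enabled and b.enabled and _covers(a.service, b.service)
                        and _covers(a.src_zone, b.src_zone) and _covers(a.dst_zone, b.dst_zone)
                        and _covers(a.src_addr, b.src_addr, True) and _covers(a.dst_addr, b.dst_addr, True)):
                    out.append(b.rule_id)
                    break
        return out

def demo():
    """Constructed scenario: a broad Permit, then a specific Deny added below it."""
    t = PolicyTable()
    permit = t.add(src_zone="trust", dst_zone="untrust", src_addr="any", dst_addr="any",
                   service="any", action="permit", log_session_start=True)     # ID 1
    deny = t.add(src_zone="trust", dst_zone="untrust", src_addr="10.0.5.0/24",
                 dst_addr="any", service="tcp/22", action="deny", log_deny=True)  # ID 2
    flow = ("trust", "untrust", "10.0.5.7", "203.0.113.10", "tcp/22")
    first = t.lookup(*flow).rule_id                  # 1: rule 2 is never reached
    shadowed_before = t.shadowed()                   # [2]
    t.move(deny.rule_id, "before", permit.rule_id)   # the "Before ID" option
    second = t.lookup(*flow).rule_id                 # 2: the Deny now hits first
    deny.enabled = False                             # Disable: flow falls through to 1
    third = t.lookup(*flow).rule_id
    return {"matches": (first, second, third), "order": [r.rule_id for r in t.rules],
            "shadowed": (shadowed_before, t.shadowed()),
            "hits": {r.rule_id: r.hit_count for r in t.rules}, "log": t.log}
```

Running demo() shows the Deny rule created second landing at the bottom of the list with a hit count of zero, because the Permit rule above it already covers the flow; moving it with the equivalent of Before ID 1 makes it the first match and produces a policy-deny log line, and disabling it afterwards lets the same flow fall through to the Permit rule again.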