Security Policies Tab

Configuration > Overlays & Security > Security > Firewall Zone Security Policies

This tab displays the Security Policies, which manage traffic between firewall zones.

  • Zones are created on the Orchestrator. A zone is applied to an Interface.

  • By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with different zones is dropped. Users can create exception rules (Security Policies) to allow traffic between interfaces with different zones.

  • When Routing Segmentation (VRF) is enabled, by default, traffic is allowed between interfaces labeled with the same zone and the same segment. Any traffic between different zones or between different segments is dropped.

  • When segmentation is enabled, define your security policies from the Routing Segmentation (VRF) tab.

  • When segmentation is enabled, do not use templates. If a security policy template is applied while segmentation is enabled, it will only apply within the default segment. It will override the default-default security policy defined on the Routing Segmentation (VRF) tab. This behavior is designed to prevent a disruption in traffic when segmentation is enabled for the first time, and during a migration to segments. After the migration process is complete, the security policy template should be removed.

  • If segments are disabled, define your security policies by creating templates. You can then apply template groups to appliances.

  • Clicking the edit icon opens the Security Policy that has been applied. Any changes made here are local to that appliance. Making changes from this tab is not recommended.

  • Logging: In table view, you can specify the log level when adding and editing a rule. Select the appropriate level from the options in the list.

  • Define your Security Policies by creating templates. You can then apply templates to Interfaces or Overlays.

  • Click Firewall Drops to see statistics on various flows, packets, and bytes dropped or allowed by a zone-based firewall for a given time range.

  • Click Manage Security Policies with Templates to define policies on all appliances within your network. You can use the matrix and table view to further specify your policies. If segmentation is enabled, do not use templates. Manage from the Routing Segmentation (VRF) tab instead.

Wildcard-based Prefix Matching Rules

  • Even when using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by the dot notation. For example, A.B.C.D.

  • Range is specified using a single dash. For example, 128-129.

  • Wildcard is specified as an asterisk (*).

  • Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For example, 10.136-137.*.64-95.

  • A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. Use 10.130-139.*.64-95 to specify this range.

  • The same rules apply to IPv6 addressing.

  • CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, 192.168.0.1-127/24 is not supported. Use either 192.168.0.0/24 or 192.168.0.1-127.

  • These prefix-matching rules apply to the following policies only: Route, QoS, Optimization, NAT, Security, and ACLs.
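The following is an added example, not code from the Orchestrator or this documentation, that implements the wildcard-based prefix matching rules listed above for IPv4 so the accepted and rejected forms can be checked mechanically. It is restricted to IPv4 (the page states that the same rules apply to IPv6, but that is not covered here) and uses only the example patterns from the list as constructed sample input.

```python
import ipaddress
import re

# One octet token is a plain number, a single-dash range "a-b", or the whole-octet wildcard "*".
RANGE_RE = re.compile(r"^(\d{1,3})-(\d{1,3})$")


def parse_octet(token):
    """Return the inclusive (low, high) bounds an octet token accepts, or raise ValueError."""
    if token == "*":
        return (0, 255)
    m = RANGE_RE.match(token)
    if m:
        low, high = int(m.group(1)), int(m.group(2))
    elif token.isdigit():
        low = high = int(token)
    else:
        # Covers partial-octet wildcards such as "13*", which the rules above do not support.
        raise ValueError(f"unsupported octet token {token!r}: a wildcard must cover a whole octet")
    if not 0 <= low <= high <= 255:
        raise ValueError(f"octet bounds out of order or out of range: {token!r}")
    return (low, high)


def parse_ipv4_pattern(pattern):
    """Parse a match pattern into an IPv4Network (CIDR form) or four (low, high) octet bounds."""
    if "/" in pattern:
        # CIDR notation and range/wildcard are mutually exclusive in one address.
        if "*" in pattern or "-" in pattern:
            raise ValueError("CIDR notation cannot be combined with a range or wildcard")
        return ipaddress.IPv4Network(pattern, strict=False)
    tokens = pattern.split(".")
    if len(tokens) != 4:
        raise ValueError("IPv4 pattern must use the four-octet A.B.C.D form")
    return [parse_octet(t) for t in tokens]


def is_valid_pattern(pattern):
    """True when the pattern obeys the wildcard, range and CIDR rules above."""
    try:
        parse_ipv4_pattern(pattern)
        return True
    except ValueError:  # AddressValueError and NetmaskValueError are ValueError subclasses
        return False


def matches(pattern, address):
    """True when the IPv4 address falls inside the pattern."""
    parsed = parse_ipv4_pattern(pattern)
    addr = ipaddress.IPv4Address(address)
    if isinstance(parsed, ipaddress.IPv4Network):
        return addr in parsed
    # addr.packed yields the four octets as integers, compared against each token's bounds.
    return all(low <= octet <= high for (low, high), octet in zip(parsed, addr.packed))


if __name__ == "__main__":
    # Constructed sample inputs: the patterns the documentation itself uses as examples.
    for pattern in ("10.136-137.*.64-95", "10.130-139.*.64-95", "192.168.0.0/24",
                    "10.13*.*.64-95", "192.168.0.1-127/24"):
        print(pattern, "valid" if is_valid_pattern(pattern) else "rejected")
```

Running the block prints which of the documented examples are accepted; `matches` can then be used to confirm that an address such as 10.137.200.70 falls inside 10.136-137.*.64-95 while 10.138.200.70 does not.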

Security Policies Edit Row

This dialog box displays the Security Policies, which manage traffic between segments and their firewall zones.

Complete the following steps to add or modify rules in your security policies:

  1. Select the default logging level to be applied to all “Deny All” events.

  2. Select the Source and Destination Segment.

  3. Click the cell for the source and destination zone to open the rule editor.

  4. Click Add Rule to create a new rule.

  5. Modify the following fields in a new or existing rule:

    Priority – Priority of the rule.

    Match Criteria – Click the edit icon to add or modify match criteria for the rule.

    Action – Select the action to apply to traffic matching the rule:

      allow – Matching traffic will be allowed.

      deny – Matching traffic will be denied.

      inspect – Matching traffic will be inspected by the Intrusion Detection System (IDS).

    Enabled – Select the check box to enable the rule or clear the check box to disable the rule.

    Logging – Select the logging level to be applied when logging matches for the specific rule. If you do not want to log matching traffic, select None.

    Tag – Use this field to specify a tag to be logged with matching events.

    Comment – Use this field to add comments or additional information about the rule.

  • Zones are created on the Orchestrator. A zone is applied to an Interface.

  • By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with different zones is dropped. Users can create exception rules (Security Policies) to allow traffic between interfaces with different zones or between their segments and firewall zones.

  • Define your Security Policies by creating templates. You then can apply templates to Interfaces or Overlays.

  • Clicking the Edit icon opens the Security Policy that has been applied. Any changes made here are local to that appliance.
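As an added example that is not part of this documentation or the Orchestrator, the following models the zone and segment behaviour described under the Security Policies Tab (allow within the same zone and, with Routing Segmentation enabled, the same segment; drop everything else; exception rules allow, deny or inspect traffic between zone pairs) together with the rule fields from the Edit Row dialog above. The page does not document the shape of Match Criteria or the ordering of Priority values, so the example assumes a flat dictionary of flow attributes compared for equality and that a lower Priority number is evaluated first; the zone names, segment names and rules are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict

# A zone is applied to an interface; with Routing Segmentation (VRF) enabled the
# interface also belongs to a segment.
@dataclass(frozen=True)
class Endpoint:
    segment: str
    zone: str

# One row of the Security Policies Edit Row dialog.
@dataclass
class Rule:
    priority: int                     # assumption: lower number is evaluated first
    src: Endpoint
    dst: Endpoint
    action: str                       # "allow", "deny" or "inspect"
    enabled: bool = True
    logging: str = "None"             # per-rule logging level; "None" means do not log
    tag: str = ""
    match: Dict[str, object] = field(default_factory=dict)   # assumed Match Criteria shape
    comment: str = ""

VALID_ACTIONS = {"allow", "deny", "inspect"}


def criteria_match(criteria, flow):
    """True when every match-criteria attribute is present in the flow with the same value."""
    return all(flow.get(key) == value for key, value in criteria.items())


def evaluate(rules, src, dst, flow, segmentation_enabled=True, deny_all_log_level="info"):
    """Return (action, log_level, tag) for one flow between two interfaces.

    Enabled exception rules for this source/destination pair are tried in
    priority order. If none matches, the default behaviour applies: allow within
    the same zone (and, with segmentation, the same segment); otherwise deny and
    log at the "Deny All" level chosen in step 1 of the dialog.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.action not in VALID_ACTIONS:
            raise ValueError(f"unknown action {rule.action!r}")
        if not rule.enabled or rule.src != src or rule.dst != dst:
            continue
        if criteria_match(rule.match, flow):
            return (rule.action, rule.logging, rule.tag)
    same_zone = src.zone == dst.zone
    same_segment = (not segmentation_enabled) or src.segment == dst.segment
    if same_zone and same_segment:
        return ("allow", "None", "")
    return ("deny", deny_all_log_level, "")


# Constructed sample policy: guest interfaces may reach HTTPS in the DMZ, SSH from
# guest to DMZ is explicitly denied and tagged, and a disabled catch-all is ignored.
GUEST = Endpoint("default", "guest")
DMZ = Endpoint("default", "dmz")
SAMPLE_RULES = [
    Rule(10, GUEST, DMZ, "allow", logging="info",
         match={"protocol": "tcp", "dst_port": 443}, comment="guest web access"),
    Rule(5, GUEST, DMZ, "deny", logging="warning", tag="guest-ssh",
         match={"protocol": "tcp", "dst_port": 22}),
    Rule(1, GUEST, DMZ, "allow", enabled=False),
]

if __name__ == "__main__":
    for flow in ({"protocol": "tcp", "dst_port": 443},
                 {"protocol": "tcp", "dst_port": 22},
                 {"protocol": "udp", "dst_port": 53}):
        print(flow, "->", evaluate(SAMPLE_RULES, GUEST, DMZ, flow))
```

The default branch is where the segmentation caveat in the notes above shows up: two interfaces in the same zone but different segments are allowed to talk only while `segmentation_enabled` is false, which is why policies must be redefined from the Routing Segmentation (VRF) tab once segmentation is turned on.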


© Copyright 2024 Hewlett Packard Enterprise Development LP.