Security Policies Tab
Configuration > Overlays & Security > Security > Firewall Zone Security Policies
This tab displays the Security Policies, which manage traffic between firewall zones.
- Zones are created on the Orchestrator. A zone is applied to an Interface.
- By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with different zones is dropped. Users can create exception rules (Security Policies) to allow traffic between interfaces with different zones.
- When Routing Segmentation (VRF) is enabled, by default, traffic is allowed between interfaces labeled with the same zone and the same segment. Any traffic between different zones or between different segments is dropped.
- When segmentation is enabled, define your security policies from the Routing Segmentation (VRF) tab.
- When segmentation is enabled, do not use templates. If a security policy template is applied while segmentation is enabled, it will only apply within the default segment. It will override the default-default security policy defined on the Routing Segmentation (VRF) tab. This behavior is designed to prevent a disruption in traffic when segmentation is enabled for the first time, and during a migration to segments. After the migration process is complete, the security policy template should be removed.
- If segments are disabled, define your security policies by creating templates. You can then apply template groups to appliances.
- Clicking the edit icon opens the Security Policy that has been applied. Any changes made here are local to that appliance. Making changes from this tab is not recommended.
- Logging: In table view, you can specify the log level when adding and editing a rule. Select the appropriate level from the options in the list.
- Define your Security Policies by creating templates. You can then apply templates to Interfaces or Overlays.
- Clicking the edit icon opens the Security Policy that has been applied. Any changes made here are local to that appliance.
- Click Firewall Drops to see statistics on various flows, packets, and bytes dropped or allowed by a zone-based firewall for a given time range.
- Click Manage Security Policies with Templates to define policies on all appliances within your network. You can use the matrix and table view to further specify your policies. If segmentation is enabled, do not use templates. Manage from the Routing Segmentation (VRF) tab instead.
Wildcard-based Prefix Matching Rules
- Even when using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by the dot notation. For example, A.B.C.D.
- Range is specified using a single dash. For example, 128-129.
- Wildcard is specified as an asterisk (*).
- Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For example, 10.136-137.*.64-95.
- A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. Use 10.130-139.*.64-95 to specify this range.
- The same rules apply to IPv6 addressing.
- CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, 192.168.0.1-127/24 is not supported. Use either 192.168.0.0/24 or 192.168.0.1-127.
- These prefix-matching rules apply to the following policies only: Route, QoS, Optimization, NAT, Security, and ACLs.
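The following validator and matcher is an added example, not Orchestrator code. It implements the IPv4 rules listed above (4-octet form, single-dash ranges, whole-octet wildcards, and CIDR that cannot be mixed with either) and rejects the unsupported forms the list calls out; IPv6 is left out, and the use of Python's ipaddress module is an assumption for the CIDR case.

```python
import ipaddress
import re

# Added example, not Orchestrator code: validate and match the IPv4 wildcard
# prefix syntax described above (ranges like 128-129, whole-octet "*", or plain
# CIDR; CIDR may not be mixed with a range or wildcard).
# An octet is "*", N, or N-M; partial wildcards such as "13*" are rejected.
_OCTET_RE = re.compile(r"^(?:\*|(\d{1,3})(?:-(\d{1,3}))?)$")

def parse_pattern(pattern):
    """Return an IPv4Network for CIDR input, otherwise four (low, high) octet
    bounds. Raises ValueError for syntax the rules above do not allow."""
    if "/" in pattern:
        if "*" in pattern or "-" in pattern:
            raise ValueError("CIDR cannot be combined with range/wildcard: " + pattern)
        return ipaddress.ip_network(pattern)  # strict: host bits must be zero
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 pattern must use 4 dotted octets: " + pattern)
    bounds = []
    for octet in octets:
        m = _OCTET_RE.match(octet)
        if not m:
            raise ValueError("invalid octet %r in %s" % (octet, pattern))
        if octet == "*":
            bounds.append((0, 255))
            continue
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) is not None else low
        if not 0 <= low <= high <= 255:
            raise ValueError("octet range reversed or out of bounds: " + octet)
        bounds.append((low, high))
    return bounds

def is_valid(pattern):
    """True when the pattern follows the rules above."""
    try:
        parse_pattern(pattern)
        return True
    except ValueError:
        return False

def matches(pattern, address):
    """True when the IPv4 address falls inside the pattern."""
    parsed = parse_pattern(pattern)
    addr = ipaddress.IPv4Address(address)
    if isinstance(parsed, ipaddress.IPv4Network):
        return addr in parsed
    return all(lo <= byte <= hi for (lo, hi), byte in zip(parsed, addr.packed))
```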
Security Policies Edit Row
This dialog box displays the Security Policies, which manage traffic between segments and their firewall zones.
Complete the following steps to add or modify rules in your security policies:
- Select the default logging level to be applied to all “Deny All” events.
- Select the Source and Destination Segment.
- Click the cell for the source and destination zone to open the rule editor.
- Click Add Rule to create a new rule.
- Modify the following fields in a new or existing rule:
Field – Description
Priority – Priority of the rule.
Match Criteria – Click the edit icon to add or modify match criteria for the rule.
Action – Select the action to apply to traffic matching the rule:
  allow – Matching traffic will be allowed.
  deny – Matching traffic will be denied.
  inspect – Matching traffic will be inspected by the Intrusion Detection System (IDS).
Enabled – Select the check box to enable the rule or clear the check box to disable the rule.
Logging – Select the logging level to be applied when logging matches for the specific rule. If you do not want to log matching traffic, select None.
Tag – Use this field to specify a tag to be logged with matching events.
Comment – Use this field to add comments or additional information about the rule.
- Zones are created on the Orchestrator. A zone is applied to an Interface.
- By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with different zones is dropped. Users can create exception rules (Security Policies) to allow traffic between interfaces with different zones or between their segments and firewall zones.
- Define your Security Policies by creating templates. You can then apply templates to Interfaces or Overlays.
- Clicking the Edit icon opens the Security Policy that has been applied. Any changes made here are local to that appliance.
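The model below is an added example, not Orchestrator code. It ties the rule fields from the dialog (priority, action, enabled, logging, tag) to the default behaviour described on this page: same zone and same segment is allowed, everything else is dropped and logged at the "Deny All" level unless an enabled exception rule matches first. Matching only on zones and segments, and evaluating lower priority numbers first, are assumptions; the appliance's real match criteria are not modelled.

```python
from dataclasses import dataclass, field

# Added example, not Orchestrator code: a small model of the zone/segment
# policy semantics on this page. Rules carry the Edit Row fields (priority,
# action, enabled, logging, tag) but match only on zones and segments; the
# real match criteria and the appliance's evaluation order are assumptions.

@dataclass
class Rule:
    priority: int          # assumption: lower number is evaluated first
    src_segment: str
    dst_segment: str
    src_zone: str
    dst_zone: str
    action: str            # "allow", "deny" or "inspect"
    enabled: bool = True
    logging: str = "None"  # log level for matches, or None
    tag: str = ""

@dataclass
class Policy:
    segmentation: bool = False        # Routing Segmentation (VRF) enabled?
    deny_all_log_level: str = "Info"  # default level for "Deny All" events
    rules: list = field(default_factory=list)

    def evaluate(self, src_zone, dst_zone, src_segment="default", dst_segment="default"):
        """Return (action, log_level, tag) for a flow between two interfaces."""
        if not self.segmentation:
            # without VRF there is a single segment; only zones matter
            src_segment = dst_segment = "default"
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if not rule.enabled:
                continue
            cell = (rule.src_segment, rule.dst_segment, rule.src_zone, rule.dst_zone)
            if cell == (src_segment, dst_segment, src_zone, dst_zone):
                return rule.action, rule.logging, rule.tag
        # implicit defaults: same zone (and same segment) allowed, else dropped
        if src_zone == dst_zone and src_segment == dst_segment:
            return "allow", "None", ""
        return "deny", self.deny_all_log_level, ""
```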