Security Policies Tab

Configuration > Overlays & Security > Security > Firewall Zone Security Policies

This tab displays the Security Policies, which manage traffic between firewall zones.

  • Zones are created on the Orchestrator. A zone is applied to an Interface.

  • By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with different zones is dropped. Users can create exception rules (Security Policies) to allow traffic between interfaces with different zones.

  • When Routing Segmentation (VRF) is enabled, by default, traffic is allowed between interfaces labeled with the same zone and the same segment. Any traffic between different zones or between different segments is dropped.

  • When segmentation is enabled, define your security policies from the Routing Segmentation (VRF) tab.

  • When segmentation is enabled, do not use templates. If a security policy template is applied while segmentation is enabled, it will only apply within the default segment. It will override the default-default security policy defined on the Routing Segmentation (VRF) tab. This behavior is designed to prevent a disruption in traffic when segmentation is enabled for the first time, and during a migration to segments. After the migration process is complete, the security policy template should be removed.

  • If segments are disabled, define your security policies by creating templates, which are applied to Interfaces or Overlays. You can then apply template groups to appliances.

  • Clicking the edit icon opens the Security Policy that has been applied. Any changes made here are local to that appliance rather than to the template, so making changes from this tab is not recommended.

  • Logging: In table view, you can specify the log level when adding and editing a rule. Select the appropriate level from the options in the list.

  • Click Firewall Drops to see statistics on various flows, packets, and bytes dropped or allowed by a zone-based firewall for a given time range.

  • Click Manage Security Policies with Templates to define policies on all appliances within your network. You can use the matrix and table view to further specify your policies. If segmentation is enabled, do not use templates. Manage from the Routing Segmentation (VRF) tab instead.

Wildcard-based Prefix Matching

  • When using a range or a wildcard, the IPv4 address must be written as four dotted-decimal octets, A.B.C.D; every octet must be present.

  • Range is specified using a dash. For example, 128-129.

  • Wildcard is specified as an asterisk (*).

  • Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For example, 10.136-137.*.64-95.

  • A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. The correct way to specify this range is 10.130-139.*.64-95.

  • The same rules apply to IPv6 addressing.

  • CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either 192.168.0.0/24 or 192.168.0.1-127.

  • These prefix-matching rules only apply to the following policies: Router, QoS, Optimization, NAT, Security, and ACLs.
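The syntax rules above, as an added worked example that is not Orchestrator's own code: a small Python validator and matcher for the range/wildcard notation. The function names and the sample patterns are this example's own. It rejects the unsupported forms listed above (a wildcard covering part of an octet, CIDR mixed with a range or wildcard, a missing octet) and reports how many addresses a pattern covers, which is a quick way to check a rule's scope before applying it.

```python
import ipaddress
import re
from typing import Callable, List, Tuple

# Added illustration of the wildcard-based prefix syntax described above (four
# dotted octets; each octet is a single number, an "a-b" range, or "*"; CIDR is
# never mixed with a range or wildcard). Hypothetical code, not the product's
# parser; function names are this example's own.

_OCTET_RE = re.compile(r"^(\*|\d{1,3}|\d{1,3}-\d{1,3})$")


def parse_prefix_pattern(pattern: str) -> Callable[[str], bool]:
    """Validate `pattern` and return a predicate that tests an IPv4 address.

    Raises ValueError for anything the rules reject, for example
    "10.13*.*.64-95" (wildcard covering part of an octet) or
    "192.168.0.1-127/24" (CIDR combined with a range).
    """
    if "/" in pattern:
        if "*" in pattern or "-" in pattern:
            raise ValueError(f"CIDR cannot be combined with a range or wildcard: {pattern}")
        net = ipaddress.ip_network(pattern, strict=False)
        return lambda addr: ipaddress.ip_address(addr) in net

    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dotted octets: {pattern}")

    bounds: List[Tuple[int, int]] = []
    for octet in octets:
        if not _OCTET_RE.fullmatch(octet):
            # Rejects "13*", "*3", "1-2-3", "" and similar malformed octets.
            raise ValueError(f"octet must be a number, an a-b range, or *: {octet!r} in {pattern}")
        if octet == "*":
            lo, hi = 0, 255
        elif "-" in octet:
            lo, hi = (int(part) for part in octet.split("-"))
        else:
            lo = hi = int(octet)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"range out of order or outside 0-255: {octet!r} in {pattern}")
        bounds.append((lo, hi))

    def matches(addr: str) -> bool:
        parts = [int(p) for p in addr.split(".")]
        if len(parts) != 4:
            raise ValueError(f"not an IPv4 address: {addr}")
        return all(lo <= p <= hi for p, (lo, hi) in zip(parts, bounds))

    return matches


def is_valid_pattern(pattern: str) -> bool:
    """True if `pattern` is accepted by the syntax rules, False otherwise."""
    try:
        parse_prefix_pattern(pattern)
        return True
    except ValueError:
        return False


def address_count(pattern: str) -> int:
    """Number of IPv4 addresses a valid pattern covers (CIDR size or product of octet ranges)."""
    parse_prefix_pattern(pattern)  # validate first; raises on bad syntax
    if "/" in pattern:
        return ipaddress.ip_network(pattern, strict=False).num_addresses
    total = 1
    for octet in pattern.split("."):
        if octet == "*":
            total *= 256
        elif "-" in octet:
            lo, hi = (int(part) for part in octet.split("-"))
            total *= hi - lo + 1
    return total


if __name__ == "__main__":
    # Constructed sample patterns and addresses, taken from the rules above.
    match = parse_prefix_pattern("10.136-137.*.64-95")
    for addr in ("10.136.200.70", "10.137.0.64", "10.138.0.70", "10.136.0.96"):
        print(f"{addr:>14} -> {match(addr)}")
    print("10.13*.*.64-95 valid?", is_valid_pattern("10.13*.*.64-95"))
    print("10.130-139.*.64-95 covers", address_count("10.130-139.*.64-95"), "addresses")
```

Note that `10.13*.*.64-95` is rejected rather than silently interpreted: a parser that accepted it as `10.13.*.64-95` or as `10.130-139.*.64-95` would widen or narrow the rule without any visible error, which is exactly the kind of ambiguity the whole-octet rule exists to prevent.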

Security Policies Edit Row

This dialog box displays the Security Policies, which manage traffic between segments and their firewall zones.

Complete the following steps to add or modify rules in your security policies:

  1. Select the default logging level to be applied to all “Deny All” events.

  2. Select the Source and Destination Segment.

  3. Click the cell for the source and destination zone to open the rule editor.

  4. Click Add Rule to create a new rule.

  5. Modify the following fields in a new or existing rule:

    Field           Description
    Priority        Priority of the rule.
    Match Criteria  Click the edit icon to add or modify match criteria for the rule.
    Action          Select the action to apply to traffic matching the rule:
                    • allow – Matching traffic will be allowed.
                    • deny – Matching traffic will be denied.
                    • inspect – Matching traffic will be inspected by the Intrusion Detection System (IDS).
    Enabled         Select the check box to enable the rule or clear the check box to disable the rule.
    Logging         Select the logging level to be applied when logging matches for the specific rule. If you do not want to log matching traffic, select None.
    Tag             Use this field to specify a tag to be logged with matching events.
    Comment         Use this field to add comments or additional information about the rule.
  • By default, traffic is allowed between interfaces labeled with the same zone (and, when segmentation is enabled, the same segment). Any traffic between interfaces with different zones is dropped. Users can create exception rules (Security Policies) to allow traffic between interfaces with different zones, or between different segments and their firewall zones.

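The matrix and rule fields described above, as an added worked example that is not part of this page or of the product: a Python model of the evaluation order (explicit rules in a zone/segment cell by priority, then the implicit same-zone and same-segment allow, then Deny All with its default log level). The class and function names, the reduction of match criteria to a source and destination CIDR, the assumption that a lower Priority value is evaluated first, and the sample zones, segments and addresses are all this example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added model of the zone-based firewall behaviour this page describes. It is
# illustrative code, not the product's implementation: names are this example's
# own, match criteria are reduced to a source and destination CIDR, and rules
# within a cell are assumed to be evaluated by ascending Priority value.


@dataclass
class Interface:
    name: str
    zone: str
    segment: str = "default"   # only consulted when VRF segmentation is enabled


@dataclass
class Rule:
    priority: int
    src_prefix: str            # CIDR match criteria (assumed simplification)
    dst_prefix: str
    action: str                # "allow", "deny" or "inspect" (IDS)
    enabled: bool = True
    logging: Optional[str] = None   # log level for matches; None = do not log
    tag: str = ""
    comment: str = ""


CellKey = Tuple[str, str, str, str]   # (src segment, dst segment, src zone, dst zone)


@dataclass
class SecurityPolicy:
    segmentation_enabled: bool = False
    deny_all_log_level: str = "warning"   # default level for "Deny All" events
    cells: Dict[CellKey, List[Rule]] = field(default_factory=dict)

    def add_rule(self, src_seg: str, dst_seg: str, src_zone: str, dst_zone: str, rule: Rule) -> None:
        """Add an exception rule to one cell of the zone matrix."""
        self.cells.setdefault((src_seg, dst_seg, src_zone, dst_zone), []).append(rule)

    def evaluate(self, ingress: Interface, egress: Interface,
                 src_ip: str, dst_ip: str) -> Tuple[str, Optional[str], str]:
        """Return (action, log_level, reason) for a flow entering on `ingress` and leaving on `egress`."""
        # With segmentation off every interface sits in the default segment.
        src_seg = ingress.segment if self.segmentation_enabled else "default"
        dst_seg = egress.segment if self.segmentation_enabled else "default"
        sip, dip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)

        rules = self.cells.get((src_seg, dst_seg, ingress.zone, egress.zone), [])
        for rule in sorted(rules, key=lambda r: r.priority):
            if not rule.enabled:
                continue   # a disabled rule stays in the table but never matches
            if (sip in ipaddress.ip_network(rule.src_prefix, strict=False)
                    and dip in ipaddress.ip_network(rule.dst_prefix, strict=False)):
                return rule.action, rule.logging, f"rule priority {rule.priority} {rule.tag}".rstrip()

        # No exception matched: fall back to the implicit zone/segment default.
        if ingress.zone == egress.zone and src_seg == dst_seg:
            return "allow", None, "implicit same-zone allow"
        return "deny", self.deny_all_log_level, "implicit Deny All"


def build_sample_policy() -> SecurityPolicy:
    """Constructed sample: LAN may reach the DMZ web tier; DMZ may reach one LAN subnet under IDS."""
    policy = SecurityPolicy(segmentation_enabled=True, deny_all_log_level="warning")
    policy.add_rule("corp", "corp", "LAN", "DMZ",
                    Rule(10, "10.10.0.0/16", "192.0.2.0/24", "allow", logging="info", tag="lan-to-web"))
    policy.add_rule("corp", "corp", "LAN", "DMZ",
                    Rule(20, "10.10.0.0/16", "192.0.2.0/24", "inspect", enabled=False, tag="shadowed"))
    policy.add_rule("corp", "corp", "DMZ", "LAN",
                    Rule(10, "192.0.2.0/24", "10.10.50.0/24", "inspect", logging="notice", tag="dmz-to-db"))
    return policy


# Constructed interfaces: two LAN ports and a DMZ port in segment "corp", plus a
# guest port that reuses the zone name LAN but lives in segment "guest".
LAN = Interface("lan0", "LAN", "corp")
LAN2 = Interface("lan2", "LAN", "corp")
DMZ = Interface("lan1", "DMZ", "corp")
GUEST = Interface("wifi0", "LAN", "guest")

if __name__ == "__main__":
    policy = build_sample_policy()
    flows = [
        ("LAN -> DMZ web", LAN, DMZ, "10.10.3.4", "192.0.2.10"),
        ("LAN -> DMZ other", LAN, DMZ, "10.10.3.4", "203.0.113.5"),
        ("DMZ -> LAN db", DMZ, LAN, "192.0.2.10", "10.10.50.7"),
        ("LAN -> LAN", LAN, LAN2, "10.10.3.4", "10.10.9.9"),
        ("guest LAN -> corp LAN", GUEST, LAN, "172.16.0.5", "10.10.3.4"),
    ]
    for label, src_if, dst_if, s, d in flows:
        print(f"{label:<22} {policy.evaluate(src_if, dst_if, s, d)}")
```

The last sample flow is the one worth keeping in mind when segmentation is turned on: two interfaces that share a zone name but sit in different segments are dropped by default, so a template that allowed LAN-to-LAN traffic before migration will not cover it, which is why the page tells you to manage such policies from the Routing Segmentation (VRF) tab.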


© Copyright 2022 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.