
Security Policies Template

Use this page to set up security policies, also known as zone-based firewalls.

CAUTION: If segmentation is enabled, do not use the Security Policies Template. Instead, configure Security Policies from the Routing Segmentation (VRF) tab.

  • Zones are created on the Orchestrator and applied to an Interface.

  • By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with different zones is dropped. Users can create exception rules (Security Policies) to allow traffic between interfaces with different zones.

  • When you create an interface, it is assigned the Default zone.

  • If you create a new zone and assign it to an interface, all traffic between that interface and the rest of the interfaces (which are still in the Default zone) is dropped. For this reason, zone creation and assignment to interfaces should be performed during a planned network maintenance window.

  • You can also assign a zone label to an Overlay. On a new system, all overlays are assigned the Default zone.

  • Traffic between an Interface and an Overlay follows the same rules as traffic between two Interfaces or two Overlays: traffic is allowed between endpoints with the same zone label, and any traffic between different zones is dropped. Users can create Security Policies to allow traffic between different zones.

Implicit Drop Logging

Implicit Drop Logging enables you to configure the logging level for implicit zone-based firewall drops. By default, the zone-based firewall implicitly drops inter-zone traffic. For example, if all zone_x to zone_y traffic is left at the default Deny All (the red cells in the matrix), the zone-based firewall engine drops that traffic and logs it at the configured level.

Select one of the following levels for the Implicit Drop Logging from the list: None, Emergency, Alert, Critical, Error, Warning, Notice, Info, or Debug.

NOTE: The default logging level is Alert.
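The zone rules above and the Implicit Drop Logging level, modelled as an added example in Python. This is not Orchestrator code: the interface and overlay names, the policy representation, the assumption that an exception applies to one directional (source zone, destination zone) cell of the matrix, and the log line format are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Implicit Drop Logging choices as the page lists them; "None" disables the log entirely.
DROP_LOG_LEVELS = ("None", "Emergency", "Alert", "Critical", "Error",
                   "Warning", "Notice", "Info", "Debug")


@dataclass
class ZoneFirewall:
    """Toy model of the zone semantics: same zone allows, different zones drop implicitly,
    unless a Security Policy exists for that (source zone, destination zone) cell."""
    zones: Dict[str, str] = field(default_factory=dict)            # interface/overlay name -> zone label
    exceptions: Set[Tuple[str, str]] = field(default_factory=set)  # matrix cells turned into policies (assumed directional)
    implicit_drop_logging: str = "Alert"                           # page default
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.implicit_drop_logging not in DROP_LOG_LEVELS:
            raise ValueError(f"unknown Implicit Drop Logging level: {self.implicit_drop_logging}")

    def zone_of(self, endpoint: str) -> str:
        # A new interface or overlay sits in the Default zone until it is relabelled.
        return self.zones.get(endpoint, "Default")

    def assign_zone(self, endpoint: str, zone: str) -> None:
        self.zones[endpoint] = zone

    def permit(self, src: str, dst: str) -> bool:
        src_zone, dst_zone = self.zone_of(src), self.zone_of(dst)
        if src_zone == dst_zone:
            return True                       # intra-zone traffic is allowed by default
        if (src_zone, dst_zone) in self.exceptions:
            return True                       # an explicit Security Policy overrides the Deny All cell
        if self.implicit_drop_logging != "None":
            # Constructed log line; the real engine's format is not documented on this page.
            self.log.append(f"[{self.implicit_drop_logging}] implicit drop "
                            f"{src}({src_zone}) -> {dst}({dst_zone})")
        return False


def walkthrough(level: str = "Alert") -> Dict[str, object]:
    """Constructed scenario: a fresh system, then one interface moved into a new zone."""
    fw = ZoneFirewall(implicit_drop_logging=level)
    result: Dict[str, object] = {}
    result["fresh_lan_to_wan"] = fw.permit("lan0", "wan0")                 # both Default: allowed
    result["fresh_lan_to_overlay"] = fw.permit("lan0", "overlay-corp")     # overlays start in Default too
    fw.assign_zone("guest0", "Guest")                                      # the step the page says to schedule
    result["guest_to_wan"] = fw.permit("guest0", "wan0")                   # Guest -> Default: implicit drop
    fw.exceptions.add(("Guest", "Default"))                                # Security Policy for that cell
    result["guest_to_wan_with_policy"] = fw.permit("guest0", "wan0")       # now allowed
    result["wan_to_guest"] = fw.permit("wan0", "guest0")                   # reverse cell has no policy
    result["log"] = list(fw.log)
    return result


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(key, value)
```

Running `walkthrough()` shows why the page tells you to schedule zone assignment: the moment `guest0` leaves the Default zone, its traffic to every Default-zone endpoint is dropped and logged at the Alert level until a policy for that matrix cell exists.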

Template

Complete the following steps to create a Security Policies Template:

  1. Create zone names in Configuration > Overlays & Security > Security > Firewall Zones.

  2. Create security policies to define exceptions.

    To edit or add a rule, select the desired square in the matrix, and when the Edit Rules pop-up appears, make the desired changes.

  3. Select the edit icon in the Match Criteria column. When the Match Criteria pop-up appears, make the desired changes.

  4. You can select More Options to customize your rules. Select the check box next to the specific match criteria and select your desired changes from the list.

  5. Click Save.

Wildcard-based Prefix Matching Rules

  • Even when using a range or a wildcard, the IPv4 address must be specified in the 4-octet dotted format, for example A.B.C.D.

  • Range is specified using a single dash. For example, 128-129.

  • Wildcard is specified as an asterisk (*).

  • Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For example, 10.136-137.*.64-95.

  • A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. Use 10.130-139.*.64-95 to specify this range.

  • The same rules apply to IPv6 addressing.

  • CIDR notation cannot be combined with a range or a wildcard in the same address. For example, 192.168.0.1-127/24 is not supported. Use either 192.168.0.0/24 or 192.168.0.1-127.

  • These prefix-matching rules apply to the following policies only: Route, QoS, Optimization, NAT, Security, and ACLs.
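The rules above, turned into a validator and matcher as an added example (Python, written for this page; it is not Orchestrator's parser). It accepts the supported forms (plain octets, a single-dash range, a whole-octet wildcard, or CIDR on its own) and rejects the forms the list calls unsupported: a partial-octet wildcard such as 10.13*.*.64-95 and CIDR mixed with a range such as 192.168.0.1-127/24. IPv6 is left out; the page says the same rules apply there.

```python
import ipaddress
from typing import Callable, Tuple


class PatternError(ValueError):
    """Raised for address forms the page lists as unsupported."""


def _octet_range(octet: str) -> Tuple[int, int]:
    """Translate one octet of a pattern into an inclusive (low, high) range."""
    if octet == "*":
        return 0, 255                                   # wildcard covers the entire octet
    if "*" in octet:
        raise PatternError(f"a wildcard must replace an entire octet: {octet!r}")
    try:
        if "-" in octet:
            low_s, high_s = octet.split("-", 1)         # single dash only; '1-2-3' fails int() below
            low, high = int(low_s), int(high_s)
        else:
            low = high = int(octet)
    except ValueError:
        raise PatternError(f"octet is neither a number nor a single N-M range: {octet!r}") from None
    if not 0 <= low <= high <= 255:
        raise PatternError(f"octet range is out of order or outside 0-255: {octet!r}")
    return low, high


def compile_ipv4_pattern(pattern: str) -> Callable[[str], bool]:
    """Return a predicate over dotted IPv4 address strings, enforcing the page's rules."""
    if "/" in pattern:
        # CIDR and range/wildcard are mutually exclusive within one address.
        if "*" in pattern or "-" in pattern:
            raise PatternError(f"CIDR cannot be combined with a range or wildcard: {pattern!r}")
        network = ipaddress.IPv4Network(pattern, strict=False)
        return lambda addr: ipaddress.IPv4Address(addr) in network

    octets = pattern.split(".")
    if len(octets) != 4:
        raise PatternError(f"IPv4 pattern must be written as four dotted octets: {pattern!r}")
    ranges = [_octet_range(octet) for octet in octets]

    def predicate(addr: str) -> bool:
        packed = ipaddress.IPv4Address(addr).packed     # four bytes, compared octet by octet
        return all(low <= byte <= high for byte, (low, high) in zip(packed, ranges))

    return predicate


def is_valid_pattern(pattern: str) -> bool:
    """True if the pattern is one of the supported forms."""
    try:
        compile_ipv4_pattern(pattern)
        return True
    except PatternError:
        return False


def matches(pattern: str, addr: str) -> bool:
    """Convenience wrapper: does addr fall inside pattern?"""
    return compile_ipv4_pattern(pattern)(addr)


if __name__ == "__main__":
    # Constructed sample values taken from the rules on this page.
    for p in ("10.136-137.*.64-95", "10.130-139.*.64-95", "192.168.0.0/24",
              "10.13*.*.64-95", "192.168.0.1-127/24"):
        print(f"{p:22} valid={is_valid_pattern(p)}")
    print(matches("10.136-137.*.64-95", "10.137.200.70"))
```

The predicate compares the packed address octet by octet, which is why a wildcard can only stand for a whole octet: there is no byte-level representation of "13*".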



© Copyright 2022 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.