
Security Policies Template

Use this page to set up security policies, also known as zone-based firewalls.

CAUTION: If segmentation is enabled, do not use the Security Policies Template. Instead, configure Security Policies from the Routing Segmentation (VRF) tab.

  • Zones are created on the Orchestrator and applied to an Interface.

  • By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with different zones is dropped. Users can create exception rules (Security Policies) to allow traffic between interfaces with different zones.

  • When you create an interface, it is assigned the Default zone.

  • If you create a new zone and assign it to an interface, all traffic between that interface and the rest of the interfaces (which are still in the Default zone) is dropped. Zone creation and assignment to interfaces should therefore be performed during a planned network maintenance window.

  • You can also assign a zone label to an Overlay. On a new system, all overlays are assigned the Default zone.

  • Traffic between an Interface and an Overlay follows the same rules as traffic between two Interfaces or two Overlays: traffic is allowed between zones with the same label, and any traffic between different zones is dropped. Users can create Security Policies to allow traffic between different zones.

Implicit Drop Logging

Implicit Drop Logging enables you to configure the logging level for implicit zone-based firewall drops. By default, the zone-based firewall implicitly drops inter-zone traffic. For example, if all zone_x to zone_y traffic is left at the default Deny All (the red cells in the matrix), that traffic is dropped by the zone-based firewall engine.

Select one of the following levels for the Implicit Drop Logging from the list: None, Emergency, Alert, Critical, Error, Warning, Notice, Info, or Debug.

NOTE: The default logging level is Alert.

Template

Complete the following steps to create a Security Policies Template:

  1. Create zone names in Configuration > Overlays & Security > Security > Firewall Zones.

  2. Create security policies to define exceptions.

    To edit or add a rule, select the desired square in the matrix, and when the Edit Rules pop-up appears, make the desired changes.

  3. Select the edit icon in the Match Criteria column; the Match Criteria pop-up appears. Make the desired changes.

  4. You can select More Options to customize your rules. Select the check box next to the specific match criteria and select your desired changes from the list.

  5. Click Save.

Wildcard-based Prefix Matching Rules

  • Even when using a range or a wildcard, the IPv4 address must be specified in the four-octet dotted format, for example A.B.C.D.

  • Range is specified using a single dash. For example, 128-129.

  • Wildcard is specified as an asterisk (*).

  • Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For example, 10.136-137.*.64-95.

  • A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. Use 10.130-139.*.64-95 to specify this range.

  • The same rules apply to IPv6 addressing.

  • CIDR notation and a range or wildcard are mutually exclusive in the same address. For example, 192.168.0.1-127/24 is not supported; use either 192.168.0.0/24 or 192.168.0.1-127.

  • These prefix-matching rules apply to the following policies only: Route, QoS, Optimization, NAT, Security, and ACLs.
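The rules above describe a small match-address grammar. The following validator and matcher is an added example written for this page, not HPE Aruba Networking Orchestrator code; it covers the IPv4 form only and its sample addresses are constructed. It rejects partial-octet wildcards and CIDR mixed with a range or wildcard, exactly as the rules require.

```python
import ipaddress
import re

# One octet is a literal, a single-dash range, or a whole-octet wildcard.
_OCTET_RE = re.compile(r"^(?:\*|(\d{1,3})(?:-(\d{1,3}))?)$")


def parse_octet(spec):
    """Return the inclusive (lo, hi) bounds covered by one octet specifier."""
    m = _OCTET_RE.match(spec)
    if not m:
        # Catches partial wildcards such as "13*" and double dashes.
        raise ValueError(f"unsupported octet specifier {spec!r}")
    if spec == "*":
        return 0, 255
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) is not None else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad octet bounds in {spec!r}")
    return lo, hi


def parse_rule(rule):
    """Validate a match address and normalise it.

    Returns ("cidr", IPv4Network) or ("octets", [(lo, hi), ...] * 4).
    """
    if "/" in rule:
        base = rule.partition("/")[0]
        if "*" in base or "-" in base:
            raise ValueError("CIDR and range/wildcard are mutually exclusive")
        return "cidr", ipaddress.IPv4Network(rule, strict=False)
    parts = rule.split(".")
    if len(parts) != 4:
        raise ValueError("IPv4 match must use four dotted octets")
    return "octets", [parse_octet(p) for p in parts]


def is_valid_rule(rule):
    """True if the match address is accepted by the grammar."""
    try:
        parse_rule(rule)
        return True
    except ValueError:
        return False


def matches(rule, ip):
    """True if the concrete IPv4 address ip falls inside the match rule."""
    kind, spec = parse_rule(rule)
    addr = ipaddress.IPv4Address(ip)
    if kind == "cidr":
        return addr in spec
    return all(lo <= o <= hi for (lo, hi), o in zip(spec, addr.packed))
```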


© Copyright 2024 Hewlett Packard Enterprise Development LP.
