Security Policies Template
Use this page to set up security policies, also known as zone-based firewalls.
CAUTION: If segmentation is enabled, do not use the Security Policies Template. Instead, configure Security Policies from the Routing Segmentation (VRF) tab.
- Zones are created on the Orchestrator and applied to an Interface.
- By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with different zones is dropped. Users can create exception rules (Security Policies) to allow traffic between interfaces with different zones.
- When you create an interface, it is assigned the Default zone.
- If you create a new zone and assign it to an interface, all traffic between that interface and the rest of the interfaces (which are still in the Default zone) is dropped. This means that zone creation and assignment to interfaces should be performed during a planned network maintenance window.
- You can also assign a zone label to an Overlay. On a new system, all overlays are assigned the Default zone.
- Traffic between an Interface and an Overlay follows the same rules as traffic between two Interfaces or two Overlays: traffic is allowed between zones with the same label, and any traffic between different zones is dropped. Users can create Security Policies to allow traffic between different zones.
Implicit Drop Logging
Implicit Drop Logging enables you to configure the logging level for implicit zone-based firewall drops. An implicit zone-based firewall drop applies to inter-zone traffic by default. For example, if all zone_x to zone_y traffic is left at the default Deny All (all the red cells in the matrix), that traffic is dropped by the zone-based firewall engine.
Select one of the following levels for the Implicit Drop Logging from the list: None, Emergency, Alert, Critical, Error, Warning, Notice, Info, or Debug.
NOTE: The default logging level is Alert.
Template
Complete the following steps to create a Security Policies Template:
- Create zone names in Configuration > Overlays & Security > Security > Firewall Zones.
- Create security policies to define exceptions.
  To edit or add a rule, select the desired square in the matrix, and when the Edit Rules pop-up appears, make the desired changes.
  - Select the edit icon in the Match Criteria column and the Match Criteria pop-up appears. Make the desired changes.
  - You can select More Options to customize your rules. Select the check box next to the specific match criteria and select your desired changes from the list.
  - Click Save.
Wildcard-based Prefix Matching Rules
- Even when using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by dot notation. For example, A.B.C.D.
- A range is specified using a single dash. For example, 128-129.
- A wildcard is specified as an asterisk (*).
- A range and a wildcard can both be used in the same address, but an octet can only contain one or the other. For example, 10.136-137.*.64-95.
- A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. Use 10.130-139.*.64-95 to specify this range.
- The same rules apply to IPv6 addressing.
- CIDR notation and a range or wildcard are mutually exclusive in the same address. For example, 192.168.0.1-127/24 is not supported. Use either 192.168.0.0/24 or 192.168.0.1-127.
- These prefix-matching rules apply to the following policies only: Route, QoS, Optimization, NAT, Security, and ACLs.