Creating Firewall Policy Intents

Use this page to configure a firewall intent that controls transit traffic within a context (source zone to destination zone). The traffic is classified by matching its source and destination zones, the source and destination addresses, and the application that the traffic carries in its protocol headers with the policy database.

You can also enable protection against multiple threat types including spam and malware, and control access to unapproved websites and content by enabling the UTM option and selecting an appropriate UTM profile.

To configure a firewall policy intent:

Select Configuration > Firewall > Firewall Policy.
Click the add icon (+).
The Firewall Policy page appears.
Complete the configuration according to the guidelines provided in Table 1.Note
When you create a site specific firewall policy intent, the intent will be deployed on the respective site. However, when you create an address based firewall policy intent, the intent will be deployed to all the sites associated with a tenant.
Click Save to save the changes. If you want to discard your changes, click Cancel instead.

If you click Save, a new firewall policy intent with the provided configuration is created.

Table 1 provides guidelines on using the fields on the Create Firewall Policy page.

Table 1: Fields on the Create Firewall Policy Page

Field	Description
General Information
Name	Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 255 characters. If you do not enter a name, the intent is saved with a default name assigned by CSO.
Description	Enter a description for the policy intent; maximum length is 1024 characters. Comments entered in this field are sent to the device.
Identify the traffic that the intent applies to
Source	Click on the add icon (+) to select the source endpoints on which the firewall policy intent applies, from the displayed list of addresses, departments, sites, site groups, users, or the Internet. You can also select a source endpoint using the methods described in Selecting Firewall Source.
Destination	Click on the add icon (+) to select the destination endpoints on which the firewall policy intent applies, from the displayed list of addresses, departments, sites, site groups, or the Internet. You can also select a destination endpoint using the methods described in Selecting Firewall Destination.
Select Action	Click the add icon (+) to choose whether you want to permit, deny, or reject traffic between the source and destination. Allow—Device permits traffic using the type of firewall authentication you applied to the policy. Deny—Device silently drops all packets for the session and does not send any active control messages such as TCP Resets or ICMP unreachable. Reject—Device sends a TCP reset if the protocol is TCP, and device sends an ICMP reset if the protocols are UDP, ICMP, or any other IP protocol. This option is useful when dealing with trusted resources so that applications do not waste time waiting for timeouts and instead get the active message.
Options
Scheduling	Policy schedules enable you to define when a policy is active, and thus are an implicit match criterion. You can define the day of the week and the time of the day when the policy is active. For instance, you can define a security policy that opens or closes access based on business hours. Select a pre-saved schedule and the schedule options are populated with the selected schedule’s data. To add a schedule to a firewall policy: Click on Scheduling, to enable scheduling. Click the add icon (+), to add an existing schedule. If you want to view more results in the End Points pane, click View more results. Alternately, you can add a schedule from the End Points panel, by selecting the schedule and clicking on the check mark icon (√). The selected schedule is added to the firewall policy. You can also create new schedules and then associate the schedule to your firewall policy. To create a new schedule and then add it to a firewall policy: Click on Scheduling, to enable scheduling. Click the add icon (+), and then click Add new schedule. The Create Schedules page appears. Alternately, click the lesser-than icon (<) to open the End Points panel. Click on the add icon (+) on the top right of the panel and select Schedule. The Create Schedules page appears. Create a new schedule. See Creating Schedules. The new schedule appears in the list of schedules when you click on Scheduling and in the End Points tab, under Schedules. Select the schedule and click on the add icon (+) to add it to the firewall policy.
Logging	Enable logging by selecting the Logging option. You can see the logged firewall events in the Firewall Events page by using Monitor > Security Events > Firewall Events. For more information on the Firewall Events page, see About the Firewall Events Page.
UTM	Enable the UTM option for protection against multiple threat types including spam and malware, and control access to unapproved websites and content. Click Select UTM profile to select a UTM profile from the list of UTM profiles displayed. Click on View more results to see more UTM profile in the Endpoints panel on the right. Click Add new profile to create a new UTM profile. See Creating UTM Profiles for more information on creating a new UTM profile.
Create source and destination endpoints
End Points	To add an end point to the source or destination: Click on Source or Destination and then click the lesser-than icon on the right side of the page to open the End Points panel. The End Points panel displayed the end points relevant to the source or destination based on your selection. End points from addresses, departments, users, and sites are displayed for source. Note: If JIMS is not configured for CSO, users will not be listed in the Endpoints panel. Instead you will be provided with an option to import users through the Administration > Identity Management page. To import users, click Set Up and follow the steps provided in About the Identity Management Page. End points from addresses, applications, departments, services, and sites are displayed for destination. Note: You can also search for a specific end point using the search option. (Optional) Click on the edit icon (pencil symbol) to modify an end point. (Optional) Click on the details icon on the right of the endpoint, to view more information about a source or destination endpoint. Select the end point you want to add and click on the check mark icon (√) to add it the source or destination. The selected end point is added to the source or destination. To create new source and destination endpoints: Click the less-than icon (<) on the right side of the page, to open the End Points panel. Click on the add icon (+) on the top right of the End Points panel. A list of end points that you can create is displayed. Select the end point you want to create. You can create the following end points: Create an address. See Creating Addresses or Address Groups. Create a site group. See Creating Site Groups. Create a department. See Creating a Department. Create a service. See Creating Services and Service Groups. Create an application signature group. See Creating Application Signature Groups. Create a schedule. See Creating Schedules. Click Save to create the new end point. The created end point is listed in the End Points panel. Select the end point you want to add to the source or destination, and click on the check mark icon (√). The end point is added to the source or destination.

Creating Firewall Policy Intents

Related Documentation