Adding Firewall Policy Intents
Use this page to add a firewall intent that controls transit traffic within a context.
The traffic is classified by matching its source and destination zones, its source and destination addresses, and the application identified from its protocol headers against the policy database.
You can also enable advanced security protection by specifying one or more of the profiles (UTM, IPS, or SSL proxy) described under Advanced Security in Table 125.
Procedure
To configure a firewall policy intent:
- Select Configuration > Firewall > Firewall Policy.
The Firewall Policy page appears.
- Click the firewall policy to which you want to add the
intent.
The Firewall-Policy-Name page appears.
- Click the add icon (+).
The option to create firewall policy intent appears inline on
the Firewall-Policy-Name page.
- Complete the configuration according to the guidelines
provided in Table 125.
- Click Save to save the changes. If you want
to discard your changes, click Cancel instead.
If you click Save, a new firewall policy intent with
the provided configuration is saved and a confirmation message is
displayed. Based on the source and destination end points, the intents are categorized
as zone-based intents and enterprise-based intents.
Note After the policy intent is created, you must deploy the
policy to ensure that the changes take effect on the applicable sites,
departments, or applications. When a firewall policy intent is created,
the Undeployed field is incremented by one indicating that intents
are pending deployment.
Table 125: Fields on the <Firewall-Policy-Name> Page
Field | Description |
---|---|
General Information |
Name | Enter a unique string of alphanumeric characters, colons,
periods, dashes, and underscores. No spaces are allowed and the maximum
length is 255 characters. If you do not enter a name, the intent is
saved with a default name assigned by CSO. |
Description | Enter a description for the policy intent; maximum length
is 1024 characters. |
Select Schedule | Policy schedules define when a policy is active and are therefore an implicit match criterion: the intent matches traffic only while its schedule is active. You can define the day of the week and the time of day when the policy is active; for instance, you can define a security policy that opens or closes access based on business hours. Select a pre-saved schedule, and the schedule options are populated with the selected schedule's data. You can add a schedule from the End Points panel by selecting the schedule and clicking the check mark icon (√). You can also create a new schedule and then associate it with your firewall policy.
To create a new schedule and add it to a firewall policy:
- Click Select Schedule.
- Click Add new.
Alternatively, click the less-than icon (<) to open the End Points panel, click the add icon (+) at the top right of the panel, and select Schedule. The Create Schedules page appears.
- Create a new schedule. See Creating Schedules.
The new schedule appears in the End Points tab, under Schedules.
- Select the schedule and click the add icon (+) to add it to the firewall policy.
|
Logging | Click the toggle button to enable logging; by default, logging is disabled. Enable it on deny and reject intents as well as on permit intents, because a session dropped by an intent without logging leaves no record at all. You can see the logged firewall events on the Firewall Events page (Monitor > Security Events > Firewall Events). For more information, see About the Firewall Events Page. |
Identify the traffic that the intent applies to | |
Source | Click the add icon (+) to select the source end points to which the firewall policy intent applies, from the displayed list of addresses, departments, sites, site groups, users, zones, or the Internet. You can also select a source end point using the methods described in Selecting Firewall Source. |
Destination | Click the add icon (+) to select the destination end points to which the firewall policy intent applies, from the displayed list of addresses, departments, sites, site groups, zones, or the Internet. You can also select a destination end point using the methods described in Selecting Firewall Destination. |
Select Action | Click the add icon (+) to choose whether to permit, deny, or reject traffic between the source and destination. Allow—The device permits the traffic, subject to the type of firewall authentication you applied to the policy. Deny—The device silently drops all packets for the session and does not send any active control message such as a TCP reset or an ICMP unreachable. Reject—The device sends a TCP reset if the protocol is TCP, and an ICMP destination unreachable message if the protocol is UDP, ICMP, or any other IP protocol. Reject is useful for trusted resources, so that applications receive an active message immediately instead of waiting for a timeout; for untrusted sources, a silent Deny gives the sender no response to learn from.
|
Advanced Security | Note: This field is enabled only if you select Allow as the action, or if you select a zone as both the source and the destination. UTM Profile—When you set the action to Allow, you can specify a UTM profile by selecting one from the list (under UTM Profiles [UTM]). A UTM profile protects against multiple threat types, including spam and malware, and controls access to unapproved websites and content. You can add a new UTM profile by clicking + in the End Points pane and selecting UTM Profiles. See Creating UTM Profiles. IPS Profile—When you set the action to Allow, you can specify an IPS profile by selecting one from the list (under IPS Profiles [IPS]). An IPS profile monitors the permitted traffic for intrusions and prevents them. SSL Proxy Profile—When you configure a zone as both the source and the destination, you can specify an SSL proxy profile by selecting one from the list (under SSL Profiles [SSLP]). An SSL forward proxy profile lets the device terminate the client's TLS session and open its own session to the server, so that encrypted traffic can be inspected while privacy, authentication, confidentiality, and data integrity are preserved between the two ends. You can also add a new SSL proxy profile by clicking + in the End Points pane and selecting SSL Proxy Profile. See Creating SSL Forward Proxy Profiles.
|
Add source and destination end points | |
End Points | To add an end point to the source or destination:
- Click Source or Destination, and then click the less-than icon (<) on the right side of the page to open the End Points panel.
The End Points panel displays the end points relevant to the source or destination, based on your selection. For source, end points from addresses, departments, users, and sites are displayed. For destination, end points from addresses, applications, departments, services, and sites are displayed.
Note: If JIMS is not configured for CSO, users are not listed in the End Points panel. Instead, you are offered an option to import users through the Administration > Identity Management page. To import users, click Set Up and follow the steps in About the Identity Management Page.
Note: You can also search for a specific end point using the search option.
- (Optional) Click the edit icon (pencil symbol) to modify an end point.
- (Optional) Click the details icon on the right of the end point to view more information about it.
- Select the end point you want to add and click the check mark icon (√) to add it to the source or destination.
The selected end point is added to the source or destination.
To add new source and destination end points:
- Click the less-than icon (<) on the right side of the page to open the End Points panel.
- Click the add icon (+) at the top right of the End Points panel.
A list of end points that you can add is displayed.
- Select the end point you want to add.
You can add the following end points:
- Click Save to add the new end point.
The created end point is listed in the End Points panel.
- Select the end point you want to add to the source or destination, and click the check mark icon (√).
The end point is added to the source or destination.
|
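The fields in Table 125 (zones, addresses, application, schedule, action, logging, and the advanced-security profiles) map onto the objects of a Junos security policy on the device that the intent is eventually deployed to. The set commands below are an added illustration written for this page; they are not configuration generated or documented by CSO, and they assume a Junos-based device such as an SRX. The zone, address, profile and policy names (trust, untrust, branch-lan, hq-app-servers, web-protection, fwd-proxy, business-hours) are assumptions, and the objects CSO renders for a real intent will differ.

```junos
set schedulers scheduler business-hours daily start-time 09:00:00 stop-time 18:00:00
set schedulers scheduler business-hours saturday exclude
set schedulers scheduler business-hours sunday exclude

set security address-book global address branch-lan 10.20.0.0/16
set security address-book global address hq-app-servers 10.1.50.0/24

set security policies from-zone trust to-zone untrust policy permit-web-business-hours match source-address branch-lan
set security policies from-zone trust to-zone untrust policy permit-web-business-hours match destination-address any
set security policies from-zone trust to-zone untrust policy permit-web-business-hours match application [ junos-http junos-https ]
set security policies from-zone trust to-zone untrust policy permit-web-business-hours then permit application-services utm-policy web-protection
set security policies from-zone trust to-zone untrust policy permit-web-business-hours then permit application-services idp
set security policies from-zone trust to-zone untrust policy permit-web-business-hours then permit application-services ssl-proxy profile-name fwd-proxy
set security policies from-zone trust to-zone untrust policy permit-web-business-hours then log session-init
set security policies from-zone trust to-zone untrust policy permit-web-business-hours then log session-close
set security policies from-zone trust to-zone untrust policy permit-web-business-hours scheduler-name business-hours

set security policies from-zone trust to-zone untrust policy reject-telnet match source-address branch-lan
set security policies from-zone trust to-zone untrust policy reject-telnet match destination-address any
set security policies from-zone trust to-zone untrust policy reject-telnet match application junos-telnet
set security policies from-zone trust to-zone untrust policy reject-telnet then reject
set security policies from-zone trust to-zone untrust policy reject-telnet then log session-init

set security policies from-zone untrust to-zone trust policy deny-inbound match source-address any
set security policies from-zone untrust to-zone trust policy deny-inbound match destination-address hq-app-servers
set security policies from-zone untrust to-zone trust policy deny-inbound match application any
set security policies from-zone untrust to-zone trust policy deny-inbound then deny
set security policies from-zone untrust to-zone trust policy deny-inbound then log session-init
```

The first policy is the Allow case with the three advanced-security profiles attached (UTM, IPS via `idp`, and SSL forward proxy) and with the schedule applied through `scheduler-name`, which is what makes the schedule an implicit match criterion: outside business hours the policy is simply not evaluated. The second policy shows Reject (the Telnet client receives a TCP reset at once) and the third shows Deny (the inbound sender receives nothing). Both drop policies log `session-init`, since a denied session never closes and would otherwise leave no event. Within a from-zone/to-zone pair Junos evaluates policies in order and stops at the first match, so the relative order of permit and drop policies matters; the `idp` keyword is the assumed form, and some Junos releases express the IPS binding as `idp-policy <name>` instead.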