Adding Firewall Policy Intents
Use this page to add a firewall intent that controls transit traffic within a context. The traffic is classified by matching its source and destination zones, the source and destination addresses, and the application that the traffic carries in its protocol headers with the policy database.
You can also enable advanced security protection by specifying one or more of the following:
- Unified threat management (UTM) profile
- SSL proxy profile
- Intrusion prevention system (IPS) profile
To configure a firewall policy intent:
- Select Configuration > Firewall > Firewall Policy.
The Firewall Policy page appears.
- Click the firewall policy to which you want to add the
The Firewall-Policy-Name page appears.
- Click the add icon (+).
The option to create firewall policy intent appears inline on the Firewall-Policy-Name page.
- Complete the configuration according to the guidelines provided in Table 1.
- Click Save to save the changes. If you want to discard your changes, click Cancel instead.
If you click Save, a new firewall policy intent with the provided configuration is saved and a confirmation message is displayed. Based on the source and destination end points, the intents are categorized as zone-based intents and enterprise-based intents.
After the policy intent is created, you must deploy the policy so that the changes take effect on the applicable sites, departments, or applications. When a firewall policy intent is created, the Undeployed field is incremented by one, indicating that intents are pending deployment.
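As an added illustration (not CSO code or its API), the following Python model shows how an intent classifies a flow by source and destination zone, address and application, with a business-hours schedule acting as an implicit match criterion as Table 1 describes; the zone names, addresses, application names and schedule are constructed sample values.

```python
# Constructed model of intent matching as the page describes it (not CSO's data model
# or API): a flow is classified by source/destination zone, source/destination address
# and application, with the schedule as an implicit match criterion. First match wins.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass
class Schedule:
    days: frozenset          # weekday numbers, Monday = 0
    start_hour: int          # inclusive, 24-hour clock
    end_hour: int            # exclusive
    def is_active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour

@dataclass
class Intent:
    name: str
    src_zone: str
    dst_zone: str
    src_nets: tuple          # ip_network objects; empty means any source address
    dst_nets: tuple          # ip_network objects; empty means any destination address
    apps: frozenset          # application names; empty means any application
    action: str              # "permit", "deny" or "reject"
    schedule: "Schedule | None" = None
    log: bool = False
    def matches(self, flow: dict, when: datetime) -> bool:
        if (flow["src_zone"], flow["dst_zone"]) != (self.src_zone, self.dst_zone):
            return False
        if self.src_nets and not any(ip_address(flow["src_ip"]) in n for n in self.src_nets):
            return False
        if self.dst_nets and not any(ip_address(flow["dst_ip"]) in n for n in self.dst_nets):
            return False
        if self.apps and flow["app"] not in self.apps:
            return False
        # Outside its schedule the intent is skipped, exactly like a zone mismatch.
        return self.schedule is None or self.schedule.is_active(when)

def classify(intents: list, flow: dict, when_iso: str) -> tuple:
    """Return (action, intent_name, log) for the first intent matching the flow."""
    when = datetime.fromisoformat(when_iso)
    for intent in intents:
        if intent.matches(flow, when):
            return intent.action, intent.name, intent.log
    return "deny", "default-deny", True   # nothing matched: implicit deny, logged

# Constructed sample policy: web from the trust zone only during business hours.
BUSINESS_HOURS = Schedule(days=frozenset(range(5)), start_hour=9, end_hour=18)
POLICY = [Intent("permit-web-business-hours", "trust", "untrust", (ip_network("10.1.0.0/16"),),
                 (), frozenset({"junos-http", "junos-https"}), "permit", BUSINESS_HOURS, log=True)]
```

The same flow is permitted on a Wednesday morning and falls to the default deny on a Saturday, which is the effect the schedule field has on an otherwise matching intent.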
Table 1: Fields on the <Firewall-Policy-Name> Page
Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 255 characters. If you do not enter a name, the intent is saved with a default name assigned by CSO.
Enter a description for the policy intent; maximum length is 1024 characters.
Policy schedules enable you to define when a policy is active, and thus are an implicit match criterion. You can define the day of the week and the time of the day when the policy is active. For instance, you can define a security policy that opens or closes access based on business hours. Select a pre-saved schedule and the schedule options are populated with the selected schedule’s data.
You can add a schedule from the End Points panel by selecting the schedule and clicking the check mark icon (√).
You can also create new schedules and then associate a schedule with your firewall policy.
To create a new schedule and then add it to a firewall policy:
Click the toggle button to enable logging; by default, logging is disabled. You can view the logged firewall events on the Firewall Events page (Monitor > Security Events > Firewall Events).
For more information, see About the Firewall Events Page.
Identify the traffic that the intent applies to
Click the add icon (+) to select the source end points to which the firewall policy intent applies, from the displayed list of addresses, departments, sites, site groups, users, zones, or the Internet. You can also select a source end point using the methods described in Selecting Firewall Source.
Click the add icon (+) to select the destination end points to which the firewall policy intent applies, from the displayed list of addresses, applications, application groups, departments, services, sites, site groups, zones, or the Internet. You can also select a destination end point using the methods described in Selecting Firewall Destination.
Click the add icon (+) to choose whether you want to permit, deny, or reject traffic between the source and destination.
Note: This field is enabled only if you either select Allow for the action or if you select a zone as a source and destination.
Add source and destination end points
To add an end point to the source or destination:
To add new source and destination end points: