Adding Firewall Policy Intents

Use this page to add a firewall intent that controls transit traffic within a context. The traffic is classified by matching its source and destination zones, the source and destination addresses, and the application that the traffic carries in its protocol headers with the policy database.

You can also enable advanced security protection by specifying one or more of the advanced security options (a UTM profile, an IPS profile, or an SSL proxy profile) described in Table 111.

Procedure

To configure a firewall policy intent:

  1. Select Configuration > Firewall > Firewall Policy.

    The Firewall Policy page appears.

  2. Click the firewall policy to which you want to add the intent.

    The Firewall-Policy-Name page appears.

  3. Click the add icon (+).

    The option to create firewall policy intent appears inline on the Firewall-Policy-Name page.

  4. Complete the configuration according to the guidelines provided in Table 111.
  5. Click Save to save the changes. If you want to discard your changes, click Cancel instead.

If you click Save, a new firewall policy intent with the provided configuration is saved and a confirmation message is displayed. Based on the source and destination end points, the intents are categorized as zone-based intents and enterprise-based intents.

Note: After the policy intent is created, you must deploy the policy so that the changes take effect on the applicable sites, departments, or applications. When a firewall policy intent is created, the Undeployed field is incremented by one, indicating that intents are pending deployment.

Table 111: Fields on the <Firewall-Policy-Name> Page


Field

Description

General Information

Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 255 characters. If you do not enter a name, the intent is saved with a default name assigned by CSO.

Description

Enter a description for the policy intent; maximum length is 1024 characters.

Select Schedule

Policy schedules enable you to define when a policy is active, and thus are an implicit match criterion. You can define the day of the week and the time of the day when the policy is active. For instance, you can define a security policy that opens or closes access based on business hours. Select a pre-saved schedule and the schedule options are populated with the selected schedule’s data.

Procedure

You can add a schedule from the End Points panel by selecting the schedule and clicking the check mark icon.

You can also create new schedules and then associate the schedule to your firewall policy.

Procedure

To create a new schedule and then add it to a firewall policy:

  1. Click Select Schedule.
  2. Click Add schedule.

    The Create Schedules page appears.

  3. Create a new schedule. See Creating Schedules.

    The new schedule appears in the End Points tab, under Schedules.

  4. Select the schedule and click on the add icon (+) to add it to the firewall policy.

Logging

Click the toggle button to enable logging; by default, logging is disabled. You can view the logged firewall events on the Firewall Events page (Monitor > Security Events > Firewall Events).

For more information, see About the Firewall Events Page.

Identify the traffic that the intent applies to


Source

Click the add icon (+) to select the source end points to which the firewall policy intent applies, from the displayed list of addresses, departments, sites, site groups, users, zones, or the Internet. You can also select a source end point using the methods described in Selecting Firewall Source.

Destination

Click the add icon (+) to select the destination end points to which the firewall policy intent applies, from the displayed list of addresses, applications, application groups, departments, services, sites, site groups, zones, or the Internet. You can also select a destination end point using the methods described in Selecting Firewall Destination.

Select Action

Click the add icon (+) to choose whether you want to permit, deny, or reject traffic between the source and destination.

  • Allow—Device permits traffic using the type of firewall authentication you applied to the policy.

  • Deny—Device silently drops all packets for the session and does not send any active control messages such as TCP resets or ICMP unreachable messages.

  • Reject—Device sends a TCP reset if the protocol is TCP, and an ICMP reset if the protocol is UDP, ICMP, or any other IP protocol. This option is useful when dealing with trusted resources, so that applications do not waste time waiting for timeouts and instead receive an active message.
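As an added illustration (not code from this page or from CSO), the following Python models how an intent classifies a transit flow using the criteria described above: source and destination zones, addresses, application, the implicit schedule criterion, and the Allow, Deny and Reject actions. Intent ordering (first match wins) and the default action for an unmatched flow are assumptions, as are all intent and flow values.

```python
from collections import namedtuple
from datetime import datetime
from ipaddress import ip_address, ip_network

# A schedule is an implicit match criterion: days of week (Mon=0) and a
# daily "HH:MM" window; outside the window the intent simply does not match.
class Schedule:
    def __init__(self, days, start, end):
        self.days, self.start, self.end = frozenset(days), start, end

    def is_active(self, when: datetime) -> bool:
        hhmm = when.strftime("%H:%M")
        return when.weekday() in self.days and self.start <= hhmm < self.end

def at(text):  # constructed-timestamp helper: "YYYY-MM-DD HH:MM"
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Explicit criteria of an intent, mirroring the fields on the page.
# *_nets are CIDR strings or ("any",); apps is a set of names or {"any"}.
Intent = namedtuple("Intent", "name action src_zones dst_zones src_nets dst_nets apps schedule",
                    defaults=(None,))
# One transit flow (constructed); proto is "tcp", "udp", "icmp", ...
Flow = namedtuple("Flow", "src_zone dst_zone src_ip dst_ip app proto")

def _net_match(nets, ip):
    return "any" in nets or any(ip_address(ip) in ip_network(n) for n in nets)

def matches(intent, flow, when):
    """Every explicit criterion and the implicit schedule criterion must hold."""
    return (flow.src_zone in intent.src_zones and flow.dst_zone in intent.dst_zones
            and _net_match(intent.src_nets, flow.src_ip)
            and _net_match(intent.dst_nets, flow.dst_ip)
            and ("any" in intent.apps or flow.app in intent.apps)
            and (intent.schedule is None or intent.schedule.is_active(when)))

def verdict(intent, flow):
    """What the device does for each action, as the page describes it."""
    if intent.action == "allow":
        return "allow"
    if intent.action == "deny":
        return "deny: silent drop, no TCP RST or ICMP unreachable"
    return "reject: TCP RST" if flow.proto == "tcp" else "reject: ICMP error"

def evaluate(intents, flow, when):
    """Assumptions (not stated on the page): first matching intent wins and an
    unmatched flow is dropped as if by a deny intent."""
    for intent in intents:
        if matches(intent, flow, when):
            return intent.name, verdict(intent, flow)
    return None, "deny: silent drop (assumed default)"
```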

Advanced Security

Note: This field is enabled only if you select Allow as the action or if you select a zone as both the source and the destination.

  • UTM Profile—When you set the action to Allow, you can specify a UTM profile by selecting a profile from the list (under UTM Profiles [UTM]).

    You specify a UTM profile for protection against multiple threat types including spam and malware, and control access to unapproved websites and content.

    You can add a new UTM profile by clicking + in the End Points pane and selecting UTM Profiles. See Creating UTM Profiles.

  • IPS Profile—When you set the action to Allow, you can specify an IPS profile by selecting a profile from the list (under IPS Profiles [IPS]).

    You specify an IPS profile to monitor and prevent intrusions.

  • SSL Proxy Profile—When you configure a zone as part of the source and the destination, you can specify an SSL proxy profile by selecting a profile from the list (under SSL Profiles [SSLP]).

    You add an SSL proxy profile to ensure the secure transmission of data between a client and a server through a combination of privacy, authentication, confidentiality, and data integrity.

    You can also add a new SSL proxy profile by clicking + in the End Points pane and selecting SSL Proxy Profile. See Creating SSL Forward Proxy Profiles.

Add source and destination end points


End Points

Procedure

To add an end point to the source or destination:

  1. Click the Select Source or Select Destination text box, and then click the less-than icon (<) on the right side of the page to open the End Points panel.

    The End Points panel displays the end points relevant to the source or destination based on your selection.

    • End points from addresses, departments, users, zones, and sites are displayed for source.

      Note: If JIMS is not configured for CSO, users are not listed in the End Points panel. Instead, you are given the option to import users through the Administration > Identity Management page. To import users, click Set Up and follow the steps in About the Identity Management Page.

    • End points from addresses, applications, departments, services, zones, and sites are displayed for destination.

    Note: You can also search for a specific end point using the search option.

  2. (Optional) Click on the edit icon (pencil symbol) to modify an end point.
  3. (Optional) Click on the details icon on the right of the end point, to view more information about a source or destination end point.
  4. Select the end point you want to add and click the check mark icon to add it to the source or destination.

    The selected end point is added to the source or destination.

Procedure

To add new source and destination end points:

  1. Click the less-than icon (<) on the right side of the page, to open the End Points panel.

  2. Click on the add icon (+) on the top right of the End Points panel.

    A list of end points that you can add is displayed.

  3. Select the end point you want to add.

    You can add the following end points:

  4. Click Save to add the new end point.

    The created end point is listed in the End Points panel.

  5. Select the end point you want to add to the source or destination, and click the check mark icon.

    The end point is added to the source or destination.