
    Environment Variables and Conditions Overview

    You can use environment variables and conditions to configure dynamic policy actions for your firewall policy rules. With traditional firewall rules, if you want to block all outbound traffic, you must manually change the action of each affected rule from permit to deny; if you later want to allow that traffic again, you must change it back from deny to permit. When handling a critical event, walking through hundreds of firewall policy rules and editing them one by one is both time consuming and error prone, and when the event is over you must revert every rule to its previously configured value.

    To avoid such manual changes to the firewall rules and to keep tighter control over the configuration, you, as the network administrator, define environment variables and then write conditions that test those variables. Based on the conditions you define, preconfigured actions are applied to the firewall policy rules dynamically whenever a variable's value changes.

    Along with the firewall action, a condition can set advanced security properties (for example, which IPS profile applies). You can also disable a rule based on the condition and change its logging options.

    Table 1 and Table 2 show examples of the usage of custom-defined environment variables and rule actions based on variable values.

    Table 1: Example of Custom-Defined Environment Variables

    Environment Variable   Type     Possible Values     Default Value   Current Value
    Threat Level           String   Low, Medium, High   Low             High

    Table 2: Example of Rule Actions Based on Variable Values

    Rule #   Source     Destination      Service   Firewall                                 IPS
    m        Employee   Internet video   http      If (ThreatLevel=High) Deny Else Permit   None
    n        WebZone    DBZone           DB        Permit                                   If (ThreatLevel=High) Adv_profile Else Std_Profile

    Table 3 shows an example of how conditions are used. In the Environment Condition column, the condition is evaluated first to select the set of actions the system will take for that rule. For example, if the value of the ThreatLevel environment variable is Medium at any point in time, the system automatically applies the standard intrusion prevention system (IPS) profile to the traffic that rule 1000 matches; if the value changes to High, the same rule denies that traffic instead.

    Table 3: Example of Environment Condition

    Rule Number   Source Traffic Match Criteria   Destination Traffic Match Criteria   Environment Condition   Firewall Action   Other Actions
    1000          Any                             MyCriticalServers                    ThreatLevel=Low         PERMIT            LOG
                                                                                       ThreatLevel=Medium      PERMIT            LOG, IPS_STD_PROFILE
                                                                                       ThreatLevel=High        DENY              LOG
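    The following Python model reproduces the evaluation that Tables 1 through 3 describe: variable definitions with allowed and default values, rules whose branches are conditions on those variables, and a function that computes the effective action of every rule for the current variable values. It is an added illustration written for this page, not code from the product; the Rule, Condition and Actions classes, the rule identifiers, and the "Any" service on rule 1000 are assumptions. It also shows two checks a practitioner would want before flipping a variable: the current value is validated against the declared Possible Values (so a typo cannot silently select an Else branch), and a diff of the effective policy between two settings lists exactly which rules a change would touch.

```python
"""Evaluate dynamic firewall rule actions from environment variables (illustrative model)."""
from dataclasses import dataclass
from typing import Optional


class InvalidEnvironmentValue(ValueError):
    """Raised when a variable is set to a value outside its declared Possible Values."""


@dataclass(frozen=True)
class EnvironmentVariable:
    """A custom-defined variable as in Table 1."""
    name: str
    possible_values: tuple
    default_value: str

    def validate(self, value: str) -> str:
        if value not in self.possible_values:
            raise InvalidEnvironmentValue(
                f"{self.name}={value!r} is not one of {self.possible_values}")
        return value


@dataclass(frozen=True)
class Condition:
    """Equality test 'variable=value'. A Condition with no variable is the Else branch."""
    variable: Optional[str] = None
    value: Optional[str] = None

    def matches(self, env: dict) -> bool:
        return self.variable is None or env.get(self.variable) == self.value


@dataclass(frozen=True)
class Actions:
    firewall: str                      # "PERMIT" or "DENY"
    ips_profile: Optional[str] = None  # IPS profile to apply, if any
    log: bool = False


@dataclass(frozen=True)
class Rule:
    number: str
    source: str
    destination: str
    service: str
    branches: tuple  # ((Condition, Actions), ...) evaluated in order; first match wins

    def evaluate(self, env: dict) -> Actions:
        for condition, actions in self.branches:
            if condition.matches(env):
                return actions
        # No Else branch and nothing matched: fail closed rather than permit by accident.
        return Actions("DENY", log=True)


# Table 1 (assumed name "ThreatLevel", matching the rule conditions in Tables 2 and 3)
THREAT_LEVEL = EnvironmentVariable("ThreatLevel", ("Low", "Medium", "High"), "Low")

RULES = (
    Rule("m", "Employee", "Internet video", "http", (        # Table 2, rule m
        (Condition("ThreatLevel", "High"), Actions("DENY")),
        (Condition(), Actions("PERMIT")),
    )),
    Rule("n", "WebZone", "DBZone", "DB", (                   # Table 2, rule n
        (Condition("ThreatLevel", "High"), Actions("PERMIT", ips_profile="Adv_profile")),
        (Condition(), Actions("PERMIT", ips_profile="Std_Profile")),
    )),
    Rule("1000", "Any", "MyCriticalServers", "Any", (         # Table 3; service "Any" is assumed
        (Condition("ThreatLevel", "Low"), Actions("PERMIT", log=True)),
        (Condition("ThreatLevel", "Medium"), Actions("PERMIT", ips_profile="IPS_STD_PROFILE", log=True)),
        (Condition("ThreatLevel", "High"), Actions("DENY", log=True)),
    )),
)


def effective_policy(variables, rules, current_values: dict) -> dict:
    """Return {rule number: Actions} for the given variable values.
    Unset variables take their Default Value; every value is validated first."""
    env = {v.name: v.validate(current_values.get(v.name, v.default_value)) for v in variables}
    return {rule.number: rule.evaluate(env) for rule in rules}


def actions_changed_by(variables, rules, before: dict, after: dict) -> dict:
    """Rules whose effective actions differ between two variable settings (a pre-change review)."""
    old, new = effective_policy(variables, rules, before), effective_policy(variables, rules, after)
    return {n: (old[n], new[n]) for n in old if old[n] != new[n]}


if __name__ == "__main__":
    for level in THREAT_LEVEL.possible_values:
        print(level, effective_policy((THREAT_LEVEL,), RULES, {"ThreatLevel": level}))
    print("Low -> High changes:", sorted(actions_changed_by((THREAT_LEVEL,), RULES, {}, {"ThreatLevel": "High"})))
```

    Raising the variable from its default Low to Medium changes only rule 1000 (it gains IPS_STD_PROFILE), while raising it to High changes all three rules, which is the kind of blast-radius check worth running before a change is pushed during an incident.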

    Benefits of Environment Variables and Conditions

    • Simplifies the task of creating, in advance, different security actions that the security team can take to test the system’s behavior under different environmental conditions.
    • Reduces the time required to react to security threats or situations and take the required actions. During critical situations, security administrators must focus on identifying the attacks and, with environment variables configured, they do not have to spend too much time and effort in manipulating the rules table.
    • Reduces the probability of manual errors, especially during critical events when a large number of firewall policy rules need to be edited.
    • Helps reduce business risks by streamlining security operations for normal conditions as well as for other dynamic conditions.

    Modified: 2018-03-15