Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Firewall Policies Overview

 

Security Director provides you with four types of firewall policies:

  • Device Policy—Type of firewall policy that is created per device. This type of policy is used when you want to push a unique firewall policy configuration per device. You can create device rules for a device firewall policy.

    Security Director views a logical system like it does any other security device, and it takes ownership of the security configuration of the logical system. In Security Director, each logical system is managed as a unique security device.

    During a device assignment for a device policy, only devices from the current domain are listed.

    Note

    If Security Director discovers the root logical system, the root lsys discovers all other user lsys inside the device.

    Security Director allows a device to have a device-specify policy and to be part of multiple group policies. Rules for a device are updated in the following order:

    • Rules within Policies Applied Before 'Device Specific Policies'

    • Rules within Device-Specific Policies

    • Rules within Policies Applied After 'Device Specific Policies'

    Rules within Policies Applied Before 'Device Specific Policies' take priority and cannot be overridden. However, you can override rules within Policies Applied After 'Device Specific Policies' by adding an overriding rule in the Device-Specific Policies. In an enterprise scenario, “common-must-enforce” rules can be assigned to a device from the Policies Applied Before ‘Device Specific Policies’, and “common-nice-to-have” rules can be assigned to a device from the Policies Applied After ‘Device Specific Policies’.

    Note

    An exception can be added on a per device basis in “Device-Specific Policies” . For a complete list of rules applied to a device, select Configure > Firewall Policy > Devices. Select a device to view rules associated with that device.

    All devices policy enables rules to be enforced globally to all the devices managed by Security Director. All devices policy is part of the Global domain and is visible in all the child domains if the view parent is enabled.

  • Group—Type of firewall policy that is shared with multiple devices. This type of policy is used when you want to update a specific firewall policy configuration to a large set of devices. You can select the policy placement to be before device specific or after device specific. When a group firewall policy is updated on the devices, the rules are updated in the following order:

    • Rules within Policies Applied Before 'Device Specific Policies'

    • Rules within Device-Specific Policies

    • Rules within Policies Applied After 'Device Specific Policies'

    During a device assignment for a group policy, only devices from the current and child domains (with view parent enabled) are listed. Devices in the child domain with view parent disabled are not listed. Not all the group policies of the Global domain are visible in the child domain. Group policies of the Global domain (including All device policy) are not visible to the child domain, if the view parent of that child domain is disabled. Only the group policies of the Global domain, which has devices from the child domain assigned to it, are visible in the child domain. If there is a group policy in global domain with devices from both D1 and the Global domains assigned to it, only this group policy of the Global domain is visible in the D1 domain along with only the D1 domain devices. No other devices, that is the Device-Exception policy, of the Global domain is visible in the D1 domain.

    ou cannot edit a group policy of the Global domain from the child domain. This is true for All Devices policy as well. Modifying the policy, deletion of the policy, managing a snapshot, snapshot policy and acquiring the policy lock is also not allowed. Similarly, you cannot perform these actions on the Device-Exception policy of the D1 domain from the Global domain. You can prioritize group policies from the current domain. Group policies from the other domains are not listed.

The basic settings of a firewall policy are obtained from the policy profile. The basic settings include log options, firewall authentication schemes, and traffic redirection options.

Firewall policies are displayed in a tabular view. You can select a policy and apply rules either inline or using the + icon. For more information, see Creating Firewall Policy Rules.

Related Documentation