Configuring Infranet Enforcer Resource Access Policies (NSM Procedure)

An Infranet Enforcer resource access policy specifies which users are allowed or denied access to a set of protected resources.

To configure Infranet Enforcer resource access policies:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the Infranet Controller for which you want to configure Infranet Enforcer resource access policies.
  3. Click the Configuration tab. In the configuration tree, select UAC > Infranet Enforcer > Resource tab.
  4. Add or modify settings for resource access policies as specified in Table 27.
  5. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 27: Resource Access Policies Configuration Details

Option | Function | Your Action

Name

Specifies the resource access policy name.

Enter a name for the resource access policy.

Description

Describes the resource access policy.

Enter a brief description for the resource access policy.

Resources

Specifies the protocol, IP address, network mask, and port of each resource for which this Infranet Enforcer resource access policy applies.

Enter the protocol, IP address, network mask, and port of each resource (or range of addresses) for which this Infranet Enforcer resource access policy applies, one per line. Do not insert any spaces in your entries. If you insert spaces, the policy may not be applied correctly.

Applies to roles

Specifies the roles to which this policy is applicable.

  • Select Policy applies to ALL roles to apply this Infranet Enforcer resource access policy to all users.
  • Select Policy applies to SELECTED roles to apply this Infranet Enforcer resource access policy only to users who are mapped to roles in the Selected roles list.
  • Select Policy applies to all roles OTHER THAN those selected to apply this Infranet Enforcer resource access policy to all users except those who map to the roles in the Selected roles list.

Note: Select the policies from the Non-members list and click Add to move them to the Members list before applying the policies to the roles.

Action

Specifies whether this Infranet Enforcer resource access policy should allow or deny access to the specified resources.

  • Select Allow access to allow access to the specified resources.
  • Select Deny access to deny access to the specified resources.

Note: If you choose to deny access, a text box appears that allows you to customize the message for users.

If you want to record deny actions in the User Access Log, select the Enforcer Deny Messages check box on the Log/monitoring > User Access > Settings page. The log records the user, source IP, destination IP, protocol, and destination port.

Applies to Enforcer options

Specifies the Enforcer options to which the policy is applicable.

Select Enforcer Option to select the Enforcer policy options that you want to apply to selected roles.

Note: By default, all policy options are enabled on the Infranet Controller. To enforce the policies, you must create corresponding policies on the Infranet Enforcer. If the Infranet Controller is upgraded from a previous version, all enforcer options are enabled for all of the resource access policies that were available prior to the upgrade.

  • Select All Enforcer Options to apply the policy to all enforcer options in the Enforcer Option dialog box.
  • Select SELECTED Enforcer Options to apply the policy only to the enforcer options selected in the Enforcer Option dialog box.
  • Select Enforcer options OTHER THAN those selected to apply the policy to the enforcer options that are not selected in the Enforcer Option dialog box.

ScreenOS VSYS

Specifies the name of the VSYS created on the ScreenOS enforcer.

Enter the name of the VSYS, if you created a VSYS on a ScreenOS Enforcer.
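
The following is an added example, not part of the NSM documentation or product: a pre-entry review of planned policies that checks the Resources text for spaces and models the three "Applies to roles" choices together with the Action setting. The Policy record layout, the role names, and the sample resource entries are assumptions made for illustration; the code treats a user mapped to any selected role as matching the Selected roles list.

```python
from dataclasses import dataclass, field

ALL, SELECTED, OTHER_THAN = "ALL", "SELECTED", "OTHER_THAN"

@dataclass
class Policy:  # hypothetical record layout, not an NSM export format
    name: str
    resources: str   # text of the Resources box, one entry per line
    role_mode: str   # ALL, SELECTED or OTHER_THAN
    selected_roles: set = field(default_factory=set)
    action: str = "deny"   # "allow" or "deny"

def applies_to(policy, user_roles):
    """True if the 'Applies to roles' setting covers a user with user_roles."""
    mapped = bool(set(user_roles) & policy.selected_roles)
    if policy.role_mode == ALL:
        return True
    if policy.role_mode == SELECTED:
        return mapped
    if policy.role_mode == OTHER_THAN:
        return not mapped
    raise ValueError(f"unknown role mode: {policy.role_mode}")

def review(policy):
    """Return findings to resolve before entering the policy in NSM."""
    findings = []
    for n, entry in enumerate(policy.resources.splitlines(), start=1):
        if not entry:
            findings.append(f"{policy.name}: resource line {n} is empty")
        elif any(ch.isspace() for ch in entry):
            findings.append(f"{policy.name}: resource line {n} contains whitespace")
    no_selection = policy.role_mode != ALL and not policy.selected_roles
    if no_selection:
        scope = "no user" if policy.role_mode == SELECTED else "every user"
        findings.append(f"{policy.name}: Selected roles is empty, covers {scope}")
    everyone = policy.role_mode == ALL or (policy.role_mode == OTHER_THAN and no_selection)
    if policy.action == "allow" and everyone:
        findings.append(f"{policy.name}: Allow access applies to every user")
    return findings

# Constructed sample data; the resource entries are placeholders.
SAMPLE = [
    Policy("finance-web", "tcp://192.0.2.10:443", SELECTED, {"Finance"}, "allow"),
    Policy("lab-net", "tcp://198.51.100.0/24: 22\n", OTHER_THAN, set(), "allow"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.name, review(p) or "no findings")
```

The second sample policy produces three findings: a space inside a resource entry, an empty Selected roles list, and an Allow access action that reaches every user.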
