| Policy element | Description |
|---|---|
| Match Criteria | Source Address—Name of the source address or address set as entered in the source zone’s address book. Destination Address—Name of the destination address or address set as entered in the destination zone’s address book. Application—Name of a preconfigured or custom application or application set. |
| Policy Action | Permit—Allows the packet to pass through the firewall. Reject—Blocks the packet from traversing the firewall. The firewall drops the packet and sends a TCP reset (RST) segment to the source host for TCP traffic and an ICMP destination unreachable, port unreachable message (type 3, code 3) for UDP traffic. For any other traffic type, the firewall drops the packet without notifying the source host, which is the same behavior as the Deny action. Deny—Blocks and drops the packet from traversing the firewall, but doesn’t send notification back to the source. |
| IPSec-VPN Tunnel | Name of the IPSec-VPN tunnel. |
| Pair Policy | Name of the policy with the same IPSec-VPN in the reverse direction, used to create a pair policy. |
| Source NAT | Enable source Network Address Translation (NAT-src) and permit address and port translation on the permitted traffic. |
| Destination NAT | Enable destination Network Address Translation (NAT-dst) and permit address and port translation on the permitted traffic. |
| Firewall Authentication | Authenticate the client before forwarding the traffic. Two types of firewall authentication: Pass-through—Verifies traffic as it attempts to pass through the firewall. Web authentication—Verifies client authentication through a web login. |
| Additional Policy Actions | Count—If count is enabled, counters are collected for the number of packets, bytes, and sessions that enter the firewall for a given policy. For counts (only for packets and bytes), you can specify that alarms be generated whenever the traffic exceeds specified thresholds. Log (session-init and session-close)—Logs session creation and session close events. |
| Scheduler | Optionally, name a scheduler whose schedule determines when the policy is active. |
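The following configuration is an added example, not part of the original page, showing how the table's fields fit together in a Junos SRX security policy. The zone names (trust, untrust), address names (lan-hosts, dmz-web), the custom application tcp-8443, the scheduler business-hours, and the policy names are all assumed values chosen for illustration. It defines one permit policy that uses match criteria from the zone address books, logging and counting, and a scheduler; a reject policy for a single application so the source gets an RST or ICMP port unreachable; and a final deny policy that silently drops everything else.

```junos
/* Addresses referenced by the policies live in each zone's address book */
security {
    zones {
        security-zone trust {
            address-book {
                address lan-hosts 10.1.0.0/16;     /* assumed internal range */
            }
        }
        security-zone untrust {
            address-book {
                address dmz-web 203.0.113.10/32;   /* assumed web host (documentation prefix) */
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* Match on source address, destination address and application;
               permit, and log both session-init and session-close events,
               while counting packets, bytes and sessions for this policy. */
            policy allow-web {
                match {
                    source-address lan-hosts;
                    destination-address dmz-web;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
                /* Policy is active only while the named scheduler permits it */
                scheduler-name business-hours;
            }
            /* Reject: drop and tell the source (TCP RST or ICMP type 3, code 3) */
            policy reject-mgmt-port {
                match {
                    source-address lan-hosts;
                    destination-address any;
                    application tcp-8443;
                }
                then {
                    reject;
                    log {
                        session-init;
                    }
                }
            }
            /* Deny: silent drop, no notification to the source; placed last
               so it catches everything the policies above did not match */
            policy deny-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}
/* Custom application referenced by the reject policy (assumed port) */
applications {
    application tcp-8443 {
        protocol tcp;
        destination-port 8443;
    }
}
/* Scheduler referenced by the permit policy */
schedulers {
    scheduler business-hours {
        daily {
            start-time 08:00:00 stop-time 18:00:00;
        }
    }
}
```

Policies in a zone pair are evaluated top to bottom, so the order shown matters: the permit and reject policies must precede the catch-all deny. Logging session-init on the reject and deny policies is what makes blocked connection attempts visible to a SIEM; the permit policy logs both events so session duration and byte counts are recorded at close.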