Scheduling Security Policies
Scheduler is a security feature that allows a policy to be activated for a specified duration. You can define schedulers for a single (nonrecurrent) or recurrent time slot within which a policy is active. You can create schedulers irrespective of a policy, meaning that a scheduler cannot be used by any policies.
Security Policy Schedulers Overview
Schedulers are powerful features that allow a policy to be activated for a specified duration. You can define schedulers for a single (nonrecurrent) or recurrent time slot within which a policy is active. You can create schedulers irrespective of a policy, meaning that a scheduler cannot be used by any policies. However, if you want a policy to be active within a scheduled time, then you must first create a scheduler.
When a scheduler times out, the associated policy is deactivated. All sessions associated with the policy are subsequently timed out only if policy-rematch is used
If a policy contains a reference to a scheduler, the schedule determines when the policy is active, that is, when it can be used as a possible match for traffic. Schedulers allow you to restrict access to a resource for a period of time or remove a restriction.
The following guidelines apply to schedulers:
A scheduler can have multiple policies associated with it; however, a policy cannot be associated with multiple schedulers.
A policy is active during the time when the scheduler it refers to is also active.
When a scheduler is off, the policy is unavailable for policy lookup.
A scheduler can be configured as one of the following:
Scheduler can be active for a single time slot, as specified by a start date and time and a stop date and time.
Scheduler can be active forever (recurrent), but as specified by the daily schedule. The schedule on a specific day (time slot) takes priority over the daily schedule.
Scheduler can be active within a time slot as specified by the weekday schedule.
Scheduler can have a combination of two time slots (daily and timeslot).
Example: Configuring Schedulers for a Daily Schedule Excluding One Day
This example shows how to configure schedulers for packet match checks every day, from 8:00 AM to 5:00 PM, except Sunday.
Requirements
Before you begin:
Understand security policies schedulers. See Security Policies Overview.
Configure security zones before applying this configuration.
Overview
Schedulers are powerful features that allow a policy to be activated for a specified duration. You can define schedulers for a single (nonrecurrent) or recurrent time slot within which a policy is active. If you want a policy to be active within a scheduled time, then you must first create a scheduler.
To configure a scheduler, you enter a meaningful name and a start and stop time for the scheduler. You can also attach comments.
In this example, you:
Specify the scheduler, sch1, that allows a policy, which refers to it, to be used for packet match checks every day, from 8:00 AM to 5:00 PM, except Sunday.
Note:Use the 24-hour format (hh:mm) to specify the hours and minutes for the daily time.
Create a policy, abc, and specify the match conditions and action to be taken on traffic that matches the specified conditions. and bind the schedulers to the policy to allow access during the specified days.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set schedulers scheduler sch1 daily start-time 08:00 stop-time 17:00 set schedulers scheduler sch1 sunday exclude set security policies from-zone green to-zone red policy abc match source-address any set security policies from-zone green to-zone red policy abc match destination-address any set security policies from-zone green to-zone red policy abc match application any set security policies from-zone green to-zone red policy abc then permit set security policies from-zone green to-zone red policy abc scheduler-name sch1 set security policies default-policy permit-all
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure a scheduler:
Set a scheduler.
[edit schedulers ] user@host# set scheduler sch1 daily start-time 08:00 stop-time 17:00 user@host# set scheduler sch1 sunday exclude
Specify the match conditions for the policy.
[edit security policies from-zone green to-zone red policy abc] user@host# set match source-address any destination-address any application any
Specify the action.
[edit security policies from-zone green to-zone red policy abc] user@host# set then permit
Associate the scheduler to the policy.
[edit security policies from-zone green to-zone red policy abc ] user@host# set scheduler-name sch1
Results
From configuration mode, confirm your configuration
by entering the show schedulers command. If the output
does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit]
[user@host]show schedulers
scheduler sch1 {
daily {
start-time 08:00 stop-time 17:00;
sunday exclude;
}
[edit]
[user@host]show security policies
from-zone green to-zone red {
policy abc {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
scheduler-name sch1;
}
}
default-policy {
permit-all;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying Schedulers are Active
Purpose
Verify if schedulers are enabled or not.
Action
From operational mode, enter the show schedulers command.
Verifying Scheduled Policies
Purpose
Display information about scheduled security policies.
Action
Use the show schedulers CLI command to display
information about schedulers configured on the system. If a specific
scheduler is identified, detailed information is displayed for that
scheduler only.
user@host# show schedulers
scheduler sche1 {
/* This is sched1 */
start-date 2006-11-02.12:12 stop-date 2007-11-02.12:11;
}
scheduler sche2 {
daily {
all-day;
}
sunday {
start-time 16:00 stop-time 17:00;
}
friday {
exclude;
}
}
scheduler sche3 {
start-date 2006-11-02.12:12 stop-date 2007-11-02.12:11;
daily {
start-time 10:00 stop-time 17:00
}
sunday {
start-time 12:00 stop-time 14:00;
start-time 16:00 stop-time 17:00;
}
monday {
all-day;
}
friday {
exclude;
}
}
Meaning
The output displays information about schedulers configured on the system. Verify the following information:
Daily (recurrent) and one-time only (nonrecurrent) schedulers are configured correctly.
Schedulers are active if policies are associated.