
Security Policy

Security policy is the basic function of the device that controls traffic forwarding between security zones or segments. Without security policy rules, the device denies all traffic between zones or segments by default. Once security policy rules are configured, the device can identify which traffic between zones or segments is permitted; all other traffic is denied.

The basic elements of a policy rule are:

  • The source zone and address of the traffic
  • The destination zone and address of the traffic
  • The service type of the traffic
  • The action the device performs on traffic that matches the rule: Permit, Deny, Tunnel, From tunnel, WebAuth, or Portal server

Generally a security policy rule consists of two parts: filtering conditions and an action. You set the filtering conditions by specifying the traffic's source zone/address, destination zone/address, service type, and user. Each policy rule is labeled with a unique ID that is generated automatically when the rule is created; you can also specify an ID of your own choice. All policy rules in the system are arranged in a specific order. When traffic enters the device, the device queries the policy rules in turn and processes the traffic according to the first matched rule. Rule order therefore matters: a more specific rule placed after a broader rule that already matches the same traffic is never reached (see Rule Redundancy Check).

The maximum number of global security policy rules varies by model.

Security policy supports IPv4 and IPv6 addresses. If IPv6 is enabled, you can configure IPv6 address entries in a policy rule.
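The first-match lookup and the default action for unmatched traffic described above, together with the per-rule Hit Count column and the Hit Count Check (rules whose hit count is 0) described later on this page, modelled in Python. This is an added example and not code from the product or from this document: the Rule and Policy classes, the field formats, the zone names, the rule IDs and the sample flows are all constructed for illustration and do not reflect the device's internal data structures.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ANY = "any"  # wildcard for a zone, address or service field


@dataclass
class Rule:
    """One security policy rule (constructed model, not the device's schema)."""
    rule_id: int
    src_zone: str
    src_addr: str   # CIDR prefix (IPv4 or IPv6) or "any"
    dst_zone: str
    dst_addr: str   # CIDR prefix or "any"
    service: str    # "proto/port" such as "tcp/443", "tcp/any", or "any"
    action: str     # "permit" or "deny"
    enabled: bool = True


def _addr_match(pattern: str, ip: str) -> bool:
    if pattern == ANY:
        return True
    net = ipaddress.ip_network(pattern, strict=False)
    addr = ipaddress.ip_address(ip)
    return addr.version == net.version and addr in net   # IPv4 and IPv6 never match each other


def _service_match(pattern: str, proto: str, port: int) -> bool:
    if pattern == ANY:
        return True
    p_proto, p_port = pattern.split("/")
    return p_proto == proto and (p_port == ANY or int(p_port) == port)


@dataclass
class Policy:
    rules: List[Rule]                 # kept in evaluation order; the first match wins
    default_action: str = "deny"      # unmatched traffic is denied unless the default is changed
    hit_count: Dict[int, int] = field(default_factory=dict)

    def lookup(self, src_zone: str, src_ip: str, dst_zone: str, dst_ip: str,
               proto: str, port: int) -> Tuple[str, Optional[int]]:
        """Return (action, matched rule ID); the rule ID is None when the default action applies."""
        for r in self.rules:
            if not r.enabled:           # a disabled rule keeps its position but never matches
                continue
            if (r.src_zone in (ANY, src_zone) and r.dst_zone in (ANY, dst_zone)
                    and _addr_match(r.src_addr, src_ip)
                    and _addr_match(r.dst_addr, dst_ip)
                    and _service_match(r.service, proto, port)):
                self.hit_count[r.rule_id] = self.hit_count.get(r.rule_id, 0) + 1
                return r.action, r.rule_id
        return self.default_action, None

    def clear_hit_counts(self) -> None:
        self.hit_count.clear()

    def hit_count_check(self) -> List[int]:
        """Enabled rules with a hit count of 0: the rules the GUI check would highlight."""
        return [r.rule_id for r in self.rules
                if r.enabled and self.hit_count.get(r.rule_id, 0) == 0]


def build_sample_policy() -> Policy:
    # Constructed sample rule base: RFC 1918 / 5737 addresses, hypothetical zone names.
    return Policy(rules=[
        Rule(1, "trust", "10.1.0.0/16", "untrust", ANY, "tcp/443", "permit"),
        Rule(2, "trust", "10.1.5.0/24", "untrust", ANY, "tcp/443", "deny"),    # never reached: rule 1 matches first
        Rule(3, "untrust", ANY, "dmz", "203.0.113.10/32", "tcp/25", "permit"),
        Rule(4, "trust", ANY, "untrust", ANY, "tcp/22", "deny", enabled=False),
    ])


# Constructed sample flows: (src_zone, src_ip, dst_zone, dst_ip, proto, port)
SAMPLE_FLOWS = [
    ("trust", "10.1.5.7", "untrust", "198.51.100.1", "tcp", 443),   # rule 1 (rule 2 is shadowed)
    ("untrust", "192.0.2.9", "dmz", "203.0.113.10", "tcp", 25),     # rule 3
    ("trust", "10.1.5.7", "untrust", "198.51.100.1", "tcp", 22),    # rule 4 is disabled -> default deny
]


def run_sample():
    policy = build_sample_policy()
    decisions = [policy.lookup(*flow) for flow in SAMPLE_FLOWS]
    return decisions, dict(policy.hit_count), policy.hit_count_check()


if __name__ == "__main__":
    for flow, decision in zip(SAMPLE_FLOWS, run_sample()[0]):
        print(flow, "->", decision)
```

The third flow shows why disabling a rule is not the same as deleting it: the rule keeps its position and can be re-enabled, but while disabled the traffic falls through to whatever the default action is. The hit count check reports rule 2 as unused because rule 1 always matches first, which is exactly the situation the Rule Redundancy Check is meant to surface.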

This section contains the following contents:

  • Configure a security policy rule
  • Manage the security policy rules: enable/disable a policy rule, clone a policy rule, adjust security rule position, configure default action, view and clear policy hit count, hit count check, and rule redundancy check.
  • Configure a security policy group
  • View and search the security policy rules/ security policy groups

Configuring a Security Policy Rule

To configure a security policy rule, take the following steps:

  1. Select Policy > Security Policy.
  2. At the top-right corner of the list, click Policy.
  3. At the top-left corner, click New. The Policy Configuration dialog box appears. Configure the filtering conditions (source zone/address, destination zone/address, service, user) and the action.
  4. Click OK to save your settings.

Managing Security Policy Rules

Managing security policy rules includes the following tasks: enabling/disabling a policy rule, cloning a policy rule, adjusting the rule position, configuring the default action, viewing and clearing policy hit counts, the hit count check, and the rule redundancy check.

Enabling/Disabling a Policy Rule

By default a configured policy rule takes effect immediately. You can stop it from controlling traffic by disabling it; the rule keeps its position in the list and can be enabled again later.

To enable/disable a policy rule:

  1. Select Policy > Security Policy.
  2. At the top-right corner of list, click Policy.
  3. Select the security policy rule that you want to enable/disable.
  4. Click ..., and then select Enable or Disable.

Disabled rules are not shown in the list. Click ..., and then select Show Disabled Policies to show them.

Cloning a Policy Rule

To clone a policy rule, take the following steps:

  1. Select Policy > Security Policy.
  2. At the top-right corner of list, click Policy.
  3. Select the security policy rule that you want to clone and click Copy.
  4. Click Paste. In the pop-up, select the position at which the cloned rule should be inserted; the rule is then cloned to that position. Because rules are matched in order, check that the copy's position gives it the intended precedence.

Adjusting Security Policy Rule Position

To adjust the rule position, take the following steps:

  1. Select Policy > Security Policy.
  2. At the top-right corner of the list, click Policy.
  3. Select the check box of the security policy rule whose position you want to adjust.
  4. Click Move.
  5. In the pop-up menu, type the rule ID or name, and click Before ID, After ID, Before Name or After Name. The rule is moved before or after the specified ID or name.

Configuring Default Action

You can specify a default action for traffic that does not match any configured policy rule; the system processes such traffic according to that action. By default the system denies such traffic. Changing the default action to permit means that any traffic you have not explicitly denied is forwarded, so keep the default at deny unless you have a specific reason to change it.

To specify the default policy action, take the following steps:

  1. Select Policy > Security Policy.
  2. At the top-right corner of the list, click Policy.
  3. Click ... and select Default Policy Action, then choose the action.
  4. Click OK to save your changes.

Viewing and Clearing Policy Hit Count

The system keeps statistics on policy hit counts, i.e., on how often traffic matches each policy rule. Each time inbound traffic matches a policy rule, that rule's hit count increases by 1.

To view policy hit counts, select Policy > Security Policy and look at the Hit Count column in the policy rule list.

To clear a policy hit count, take the following steps:

  1. Select Policy > Security Policy.
  2. At the top-right corner of the list, click Policy.
  3. Click ... and select Clearing Policy Hit Count.
  4. Click OK to clear the hit count.

Hit Count Check

The system can check policy rule hit counts to find rules that are not being used.

To check hit counts, take the following steps:

  1. Select Policy > Security Policy.
  2. At the top-right corner of the list, click Policy.
  3. Click ... and select Hit Count Check. After the check, policy rules whose hit count is 0 are highlighted, meaning the rule has not matched any traffic.

A hit count of 0 only means that the rule has matched nothing since its counter was last cleared; confirm that a rule is really obsolete (for example, a rule that only applies during a schedule) before deleting it.

Rule Redundancy Check

To keep the rules in a policy effective, the system provides a check for conflicts among rules. With this check, administrators can find rules that overshadow each other: a later rule is overshadowed when an earlier rule already matches all of its traffic, so the later rule can never be the first match.

To start a rule redundancy check, take the following steps:

  1. Select Policy > Security Policy.
  2. At the top-right corner of the list, click Policy.
  3. Click ... and select Redundancy Check. After the check, the system highlights the policy rules that are overshadowed.

    The status is shown below the policy list while the redundancy check is running. Do not edit a policy rule during the check. You can also stop the check manually.
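A static version of the redundancy (overshadowing) check, written in Python as an added example. It is not the device's own algorithm, and the rule model, the field formats and the sample rules are constructed for illustration. A later rule is reported as overshadowed when a single earlier rule covers every flow the later rule could match, field by field; the result also records whether the two rules' actions differ, which is the case that changes what is enforced rather than merely wasting a rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = "any"


@dataclass
class Rule:
    """Constructed rule model; field formats are assumptions, not the device's schema."""
    rule_id: int
    src_zone: str
    src_addr: str   # CIDR prefix (IPv4 or IPv6) or "any"
    dst_zone: str
    dst_addr: str
    service: str    # "proto/port", "proto/any" or "any"
    action: str     # "permit" or "deny"


def _zone_covers(a: str, b: str) -> bool:
    return a == ANY or a == b


def _addr_covers(a: str, b: str) -> bool:
    """True if prefix a contains prefix b. IPv4 and IPv6 prefixes never cover each other."""
    if a == ANY:
        return True
    if b == ANY:
        return False
    net_a = ipaddress.ip_network(a, strict=False)
    net_b = ipaddress.ip_network(b, strict=False)
    if net_a.version != net_b.version:
        return False
    return net_b.subnet_of(net_a)


def _service_covers(a: str, b: str) -> bool:
    if a == ANY:
        return True
    if b == ANY:
        return False
    a_proto, a_port = a.split("/")
    b_proto, b_port = b.split("/")
    return a_proto == b_proto and (a_port == ANY or a_port == b_port)


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every flow that matches `later` also matches `earlier`."""
    return (_zone_covers(earlier.src_zone, later.src_zone)
            and _zone_covers(earlier.dst_zone, later.dst_zone)
            and _addr_covers(earlier.src_addr, later.src_addr)
            and _addr_covers(earlier.dst_addr, later.dst_addr)
            and _service_covers(earlier.service, later.service))


def redundancy_check(rules: List[Rule]) -> List[Tuple[int, int, bool]]:
    """Return (overshadowed_id, overshadowing_id, actions_differ) for rules that can never match first.

    Only single-rule overshadowing is detected: a rule covered only by the union of
    several earlier rules is not reported, so a clean result is necessary, not sufficient.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:          # only rules evaluated before `later` can overshadow it
            if covers(earlier, later):
                findings.append((later.rule_id, earlier.rule_id, earlier.action != later.action))
                break
    return findings


# Constructed sample rule base (RFC 1918 / 5737 / 3849 addresses, hypothetical zones)
SAMPLE_RULES = [
    Rule(1, "trust", "10.1.0.0/16", "untrust", ANY, "tcp/443", "permit"),
    Rule(2, "trust", "10.1.5.0/24", "untrust", ANY, "tcp/443", "deny"),       # overshadowed by 1, action conflict
    Rule(3, "trust", "10.1.5.0/24", "untrust", ANY, "tcp/any", "permit"),     # wider service than 1: not overshadowed
    Rule(4, "trust", "10.1.5.0/24", "untrust", "198.51.100.0/24", "tcp/80", "permit"),  # overshadowed by 3, same action
    Rule(5, "trust", "2001:db8::/32", "untrust", ANY, "tcp/443", "permit"),   # IPv6: not covered by IPv4 rule 1
]


def run_sample() -> List[Tuple[int, int, bool]]:
    return redundancy_check(SAMPLE_RULES)


if __name__ == "__main__":
    for shadowed, by, conflict in run_sample():
        print(f"rule {shadowed} is overshadowed by rule {by}"
              + (" (different action: enforcement changes)" if conflict else " (same action: redundant)"))
```

Rule 2 is the finding that matters: the administrator intended to deny 10.1.5.0/24, but rule 1 permits it first, so the deny never fires. Rule 4 is merely redundant and can be removed or merged. Moving rule 2 before rule 1 (Adjusting Security Policy Rule Position) fixes the conflict without deleting anything.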

Schedule Validity Check

To make sure that schedule-based policies are effective, the system can check their validity. After the check, invalid schedule-based policies are highlighted in yellow.

To check schedule validity:

  1. Select Policy > Security Policy.
  2. At the top-right corner of the list, click Policy to enter the Security Policy page.
  3. Click ... and select Schedule Validity Check. After the check, the system highlights invalid schedule-based policies in yellow. You can also view the validity status in the policy list.

Showing Disabled Policies

To show disabled policies:

  1. Select Policy > Security Policy .
  2. At the top-right corner of list, click Policy to enter the Security Policy page.
  3. Click ... and select Show Disabled Policies. Disabled policies are highlighted in green in the policy list.

  • By default (neither "Schedule Validity Check" nor "Show Disabled Policies" is selected), the policy list displays only enabled policies, with no highlighting.
  • When both "Schedule Validity Check" and "Show Disabled Policies" are selected, the list behaves as follows:
    • The policy list displays a "Validity" column showing the validity status of each policy.
    • A schedule-based policy that is invalid is highlighted in yellow, whether or not it is disabled.
    • A schedule-based policy that is valid but disabled is highlighted in green.

Configuring a Policy Group

You can organize policy rules into a policy group and then manage the group as a unit.

Configuring a security policy group includes the following tasks: creating a policy group, deleting a policy group, enabling/disabling a policy group, adding/deleting a policy rule member, editing a policy group, and showing disabled policy groups.

Creating a Policy Group

To create a policy group, take the following steps:

  1. Select Policy > Security Policy.
  2. At the top-right corner of the list, click Policy Group to enter the Security Policy Group page.
  3. Click New. The Policy Group Configuration dialog box appears. Enter the name and description of the group.
  4. Click OK to save your settings.

Deleting a Policy Group

To delete a policy group, take the following steps:

  1. Select Policy > Security Policy.
  2. At the top-right corner of the list, click Policy Group to enter the Security Policy Group page.
  3. Select the check box of the policy group that you want to delete, and click Delete.

Enabling/Disabling a Policy Group

By default a configured policy group takes effect immediately.

To enable/disable a policy group, take the following steps:

  1. Select Policy > Security Policy.
  2. At the top-right corner of the list, click Policy Group to enter the Security Policy Group page.
  3. Select the check box of the policy group that you want to enable or disable, and click the toggle under the Status column. The Status column shows whether the group is currently enabled or disabled.

Adding/Deleting a Policy Rule Member

To add a policy rule member to a policy group, take the following steps:

  1. Select Policy > Security Policy.
  2. At the top-right corner of the list, click Policy Group to enter the Security Policy Group page.
  3. In the policy group list, click the "+" in front of the policy group item to expand the group's member list.
  4. Click the Add Members button to open the Policy Group-Add policy dialog box, which lists the policy rules that are not yet in any policy group.
  5. Select the check boxes of the policy rules that you want to add to the policy group.
  6. Click OK to save your settings.

A policy rule can be added to only one policy group.

To delete a policy rule member from a policy group, take the following steps:

  1. Select Policy > Security Policy.
  2. At the top-right corner of the list, click Policy Group to enter the Security Policy Group page.
  3. In the policy group list, click the "+" in front of the policy group item to expand the group's member list.
  4. Select the check box of the policy rule member that you want to remove, and click Delete.

Editing a Policy Group

To modify the name or description of a policy group, take the following steps:

  1. Select Policy > Security Policy.
  2. At the top-right corner of the list, click Policy Group to enter the Security Policy Group page.
  3. Select the check box of the policy group that you want to edit, and click Edit.
  4. Modify the name or description of the policy group in the Policy Group Configuration dialog box, and click OK.

Showing Disabled Policy Group

To show disabled policy groups, take the following steps:

  1. Select Policy > Security Policy.
  2. At the top-right corner of the list, click Policy Group to enter the Security Policy Group page.
  3. Select the Show Disabled Policy Group check box. Disabled policy groups are then displayed in the policy group list; otherwise the list shows only enabled policy groups.

Viewing and Searching Security Policy Rules/ Policy Groups

You can view and search the policy rules or policy groups in the policy/ policy group list.

Viewing the Policy/ Policy Group

View the security policy rules in the policy rule list.

  • Each column displays the corresponding configuration.
  • Click the button under the Session column in the policy list to open the Session Detail dialog box, where you can view the current sessions matched by the selected policy.
  • Hover your mouse over the configuration in a column. Depending on the configuration type, the WebUI displays either an icon or the detailed configuration.
    • You can view the detailed configuration directly.
    • You can click the icon. Depending on the configuration type, the WebUI displays Filter or Detail.
      • Click Detail to see the detailed configuration.
      • Click Filter to add the configuration you are hovering over as a filter condition at the top of the list, and then filter the policies by that condition. For details on filtering policy rules, see Searching Security Policy Rules/ Policy Groups.

View the policy groups in the policy group list.

  • Each column displays the corresponding configuration.
  • The Status column shows whether each policy group is currently enabled or disabled.

Searching Security Policy Rules/ Policy Groups

Use the Filter to search for the policy rules or policy groups that match the filter conditions.

  1. Select Policy > Security Policy.
  2. At the top-right corner of the list, click Policy or Policy Group to enter the Security Policy or Security Policy Group page.
  3. At the top-right corner of the page, click Filter. A new row appears at the top of the list.
  4. Click +Filter to add a new filter condition, then select a filter condition from the drop-down menu and enter a value.
  5. Press Enter to search for the entries that match the filter conditions.
  6. Repeat the two steps above to add more filter conditions. The conditions are combined with AND, so an entry must satisfy all of them to be listed.
  7. To delete a filter condition, hover your mouse over that condition and click the icon that appears. To close the filter, click the icon on the right side of the row.

Save the filter conditions.

  1. After adding the filter conditions, click the arrow next to + Filter and, in the drop-down menu, click Save Filters.
  2. Specify a name for the saved filter. The name may be at most 32 characters long and may contain only Chinese and English characters and underscores.
  3. Click the Save button on the right side of the text box.
  4. To apply a saved filter, double-click its name.
  5. To delete a saved filter, click the icon on the right side of the filter.

  • You can add up to 20 filter conditions as needed.
  • Saved filters are cleared when the device is upgraded.