
Security Policy

The security policy is the basic function of the device that controls traffic forwarding between security zones/segments. Without security policy rules, the device denies all traffic between security zones/segments by default. After security policy rules are configured, the device can identify which traffic between security zones or segments is permitted; all other traffic is denied.

The basic elements of policy rules:

  • The source zone and address of the traffic
  • The destination zone and address of the traffic
  • The service type of the traffic
  • The action that the device performs when processing that type of traffic, including Permit, Deny, Tunnel, From tunnel, WebAuth, and Portal server.

Generally, a security policy rule consists of two parts: filtering conditions and actions. You set the filtering conditions by specifying the traffic's source zone/address, destination zone/address, service type, and user. Each policy rule is labeled with a unique ID, which is generated automatically when the rule is created; you can also specify a policy rule ID of your own choice. All policy rules in the system are arranged in a specific order. When traffic flows into the device, the device queries the policy rules in turn and processes the traffic according to the first matching rule.

The maximum number of global security policy rules varies by model.

Security policy supports IPv4 and IPv6 addresses. If IPv6 is enabled, you can configure IPv6 address entries for a policy rule.

This section covers the following topics:

  • Configure a security policy rule
  • Manage the security policy rules: enable/disable a policy rule, clone a policy rule, adjust security rule position, configure default action, view and clear policy hit count, hit count check, and rule redundancy check.
  • Configure a security policy group
  • View and search the security policy rules/security policy groups
  • Configure the policy assistant

Configuring a Security Policy Rule

To configure a security policy rule, take the following steps:

  1. Select Policy > Security Policy > Policy.
  2. At the top-left corner, click New to open the Policy Configuration page.
  3. Click OK to save your settings.

Managing Security Policy Rules

Managing security policy rules includes the following tasks: enabling/disabling a policy rule, cloning a policy rule, adjusting the security rule position, configuring the default action, viewing and clearing the policy hit count, hit count check, and rule redundancy check.

Enabling/Disabling a Policy Rule

By default, a configured policy rule takes effect immediately. You can end its control over the traffic by disabling the rule.

To enable/disable a policy rule:

  1. Select Policy > Security Policy > Policy.
  2. Select the security policy rule that you want to enable/disable.
  3. Click the icon, and then select Enable or Disable to enable or disable the rule.

Disabled rules are not displayed in the list. Click the icon, and then select Show Disabled Policies to show them.

Cloning a Policy Rule

When there are a large number of policy rules in the system, you can easily create a policy rule similar to an existing one by copying that rule and pasting it at the specified location.

To clone a policy rule, take the following steps:

  1. Select Policy > Security Policy > Policy.
  2. Select the security policy rule that you want to clone and click Copy.
  3. Click Paste. In the drop-down list, select the desired position. Then the rule will be cloned to the desired position.

Adjusting Security Policy Rule Position

To adjust the rule position, take the following steps:

  1. Select Policy > Security Policy > Policy.
  2. Select the check box of the security policy whose position will be adjusted.
  3. Click Move.
  4. In the drop-down list, type the rule ID or name, and click Top, Bottom, Before ID, After ID, Before Name, or After Name. The rule is then moved to the top, to the bottom, or before or after the specified ID or name.

Configuring Default Action

You can specify a default action for traffic that does not match any configured policy rule. The system processes such traffic according to the specified default action; by default, the system denies it.

To specify a default policy action, take the following steps:

  1. Select Policy > Security Policy > Policy.
  2. Click the icon and select Default Policy Action.
  3. Click OK to save your changes.

Schedule Validity Check

To make sure that schedule-based policies are effective, the system provides a check of policy validity. After the check, invalid schedule-based policies are highlighted in yellow.

To check schedule validity:

  1. Select Policy > Security Policy > Policy.
  2. Click the icon and select Schedule Validity Check. After the check, the system highlights invalid schedule-based policies in yellow. You can also view the validity status in the policy list.

Showing Disabled Policies

To show disabled policies:

  1. Select Policy > Security Policy > Policy.
  2. Click the icon and select Show Disabled Policies. The disabled policies are highlighted in gray in the policy list.

  • By default (when neither "Schedule Validity Check" nor "Show Disabled Policies" is selected), the policy list displays only the enabled policies, without highlighting.
  • When you select both "Schedule Validity Check" and "Show Disabled Policies", the policy list is handled as follows:
    • The policy list displays a "Validity" column, which shows the validity status of each policy.
    • An invalid schedule-based policy is highlighted in yellow whether or not it is disabled.
    • A valid schedule-based policy that is disabled is highlighted in gray.

Importing Policy Rule

You can import a local configuration file of policy rules into the device to avoid creating policy rules manually. Currently, only files in DAT format are supported.

To import the configuration file of policy rules, take the following steps:

  1. Click Policy > Security Policy > Policy.
  2. Click the Import button to open the Import page.
  3. Click Browse and select the local policy rule configuration file to upload.
  4. Click OK, and the imported policy rules are displayed in the list.
  • If an error occurs during import, the system stops importing immediately and rolls back the configuration automatically.
  • The imported policies are displayed at the bottom of the policy list.

Exporting Policy Rule

You can export the policy rules on the device to a local file in HTML or DAT format. Custom objects such as address book entries, service book entries, and applications can be exported at the same time.

To export the policy rules, take the following steps:

  1. Click Policy > Security Policy > Policy.
  2. Click Export to open the Export page.
  3. Click OK to download the exported files. There are four kinds of files: policyExport.html, "policy+exported time.zip", "book+exported time.zip", and the policy configuration in DAT format.
  4. Double-click policyExport.html, click Import File, and import "policy+exported time.zip" to view the table of exported policies.
  5. Double-click policyExport.html, click Import File, and import "book+exported time.zip" to view the table of object configurations.

Configuring an Aggregate Policy

Depending on the scenario, you can create an aggregate policy and add policy rules with the same effect or the same attributes to it. When the administrator adjusts the position of an aggregate policy, the positions of all its members are adjusted accordingly, which allows policy rules to be managed in bulk.

Configuring an aggregate policy includes: creating an aggregate policy, adding an aggregate policy member, removing an aggregate policy member, deleting an aggregate policy, adjusting the position of an aggregate policy, and enabling/disabling an aggregate policy.

Creating an Aggregate Policy

To create an aggregate policy, take the following steps:

  1. Click Policy > Security Policy > Policy.
  2. Click the New drop-down list, and select Aggregate Policy to open the Aggregate Policy Configuration page.

  3. Click OK to save your settings.

Adding an Aggregate Policy Member

After creating an aggregate policy, the administrator can add a policy rule to it as an aggregate policy member. There are two methods for adding an aggregate policy member.

  • Editing the policy configuration

    Take the following steps:

    1. Click Policy > Security Policy > Policy.
    2. Select the policy rule that you want to add to an aggregate policy from the list.
    3. Click Edit to open the Policy Configuration page.
    4. Click Options to expand the relevant configuration items.
    5. From the Aggregate Policy drop-down menu, select the aggregate policy to which you want to add the rule.
    6. Click OK.
  • Selecting a policy rule you want to add

    Take the following steps:

    1. Click Policy > Security Policy > Policy.
    2. Select the policy rule that you want to add to an aggregate policy from the list. You can select multiple policy rules at a time.
    3. Click the Add to aggregate policy drop-down list, and select the aggregate policy to which you want to add the rules.

Removing an Aggregate Policy Member

To remove a member from an aggregate policy, take the following steps:

  1. Click Policy > Security Policy > Policy.
  2. In the list, click the arrow before an aggregate policy to expand it.
  3. Select the aggregate policy member that you want to remove. You can select multiple policy rules at a time.
  4. Click the Move out from aggregate policy button.
  • If the member at the top position is removed from an aggregate policy, the removed member is placed before the aggregate policy.
  • If a member at a non-top position is removed from an aggregate policy, the removed member is placed after the aggregate policy.
  • If several consecutive aggregate policy members (including the member at the top position) are removed, they are placed together before the aggregate policy.

Deleting an Aggregate Policy

To delete an aggregate policy, take the following steps:

  1. Click Policy > Security Policy > Policy.
  2. Select the aggregate policy that you want to delete from the list.
  3. Click Delete.
  4. Select a deletion method from the drop-down list.
    • Delete aggregate policy and members: the members are deleted together with the aggregate policy.
    • Delete aggregate policy, unbind members: all members are removed from the aggregate policy when it is deleted.
  5. Click OK.

Adjusting Position of an Aggregate Policy

The administrator can adjust the position of an aggregate policy by either of the following two methods. After the adjustment, the positions of all its members are adjusted accordingly.

  • Editing the aggregate policy configuration:

    Take the following steps:

    1. Click Policy > Security Policy > Policy.
    2. Select from the list the aggregate policy whose position you want to adjust.
    3. Click Edit to open the Aggregate Policy Configuration page.
    4. From the Position drop-down list, select a position for the aggregate policy.
  • Adjusting directly in the policy list

    Take the following steps:

    1. Click Policy > Security Policy > Policy.
    2. Select from the list the aggregate policy whose position you want to adjust.
    3. Click Move.
    4. In the pop-up menu, click Top or Bottom, or type the rule ID/name and click Before ID, After ID, Before Name, or After Name. The aggregate policy is then moved to the top, to the bottom, or before or after the specified ID or name.
  • The method for adjusting the position of an aggregate policy member is the same as that for adjusting the position of an aggregate policy.
  • The position of an aggregate policy member can be adjusted only within the aggregate policy to which it belongs.
  • Adding a policy rule to, or removing it from, an aggregate policy by adjusting the rule's position is not supported.

Enabling/Disabling an Aggregate Policy

By default, a configured aggregate policy takes effect immediately. By disabling an aggregate policy, the administrator can end its control over the traffic.

To enable/disable an aggregate policy, take the following steps:

  1. Click Policy > Security Policy > Policy.
  2. Select the aggregate policy that you want to enable/disable from the list.
  3. Click the icon, and then select Enable or Disable to enable or disable the aggregate policy.

Disabled aggregate policies are not displayed in the list. Click the icon, and then select Show Disabled Policies to show them.

  • After an aggregate policy is disabled, its members are disabled too.
  • After an aggregate policy is enabled, the original status (enabled/disabled) of its members remains unchanged. For example, if a member was originally disabled, it remains disabled after the aggregate policy to which it belongs is enabled.

Configuring a Policy Group

You can organize policy rules into a policy group and configure the policy group directly.

Configuring a security policy group includes the following tasks: creating a policy group, deleting a policy group, enabling/disabling a policy group, adding/deleting a policy rule member, editing a policy group, and showing disabled policy groups.

Creating a Policy Group

To create a policy group, take the following steps:

  1. Select Policy > Security Policy > Policy Group.
  2. Click New to open the Policy Group Configuration page.

  3. Click OK to save your settings.

Deleting a Policy Group

To delete a policy group, take the following steps:

  1. Select Policy > Security Policy > Policy Group.
  2. Select the check box of the policy group that you want to delete, and click Delete.

Enabling/Disabling a Policy Group

By default, a configured policy group takes effect immediately.

To enable/disable a policy group, take the following steps:

  1. Select Policy > Security Policy > Policy Group.
  2. Select the check box of the policy group that you want to enable or disable, and click the enable button under the Status column. The Status column shows one icon for the enabled state and a different icon for the disabled state.

Adding/Deleting a Policy Rule Member

To add a policy rule member to the policy group, take the following steps:

  1. Select Policy > Security Policy > Policy Group.
  2. In the policy group list, click the "+" in front of the policy group item to expand the member list of the policy group.
  3. Click the Add Members button to open the Policy Group-Add policy page, which lists the policy rules that have not been added to any policy group.
  4. Select the check box of the policy rules that you want to add to the policy group.
  5. Click OK to save your settings.

A policy rule can be added to only one policy group.

To delete a policy rule member from a policy group, take the following steps:

  1. Select Policy > Security Policy.
  2. At the top-right corner of the list, click Policy Group to enter the Security Policy Group page.
  3. In the policy group list, click the "+" in front of the policy group item to expand the member list of the policy group.
  4. Select the check box of the policy group that needs to be deleted, and click Delete.

Editing a Policy Group

To modify the name or description of a policy group, take the following steps:

  1. Select Policy > Security Policy > Policy Group.
  2. Select the check box of the policy group that you want to edit, and click Edit.
  3. Modify the name or description of policy group in the Policy Group Configuration page.

Showing Disabled Policy Group

To show disabled policy groups, take the following steps:

  1. Select Policy > Security Policy > Policy Group.
  2. Select the Show Disabled Policy Group check box. Disabled policy groups are then displayed in the policy group list; otherwise, the list shows only the enabled policy groups.

Viewing and Searching Security Policy Rules/Policy Groups

You can view and search the policy rules or policy groups in the policy/policy group list.

Viewing the Policy/Policy Group

View the security policy rules in the policy rule list.

  • Each column displays the corresponding configurations.
  • Click the icon under the Session Detail column in the Policy list to open the Session Detail page, where you can view the current session status of the selected policy. You can also click the button to add filter conditions and search for the matching sessions.
  • Hover your mouse over the configuration in a column. Depending on the configuration type, the WebUI displays either an icon or the detailed configuration.
    • You can view the detailed configuration directly.
    • You can click the icon. Depending on the configuration type, the WebUI displays Add Filter or Details.
      • Click Details to see the detailed configuration.
      • Click Add Filter: the filter condition for the configuration you are hovering over appears at the top of the list, and you can then filter the policies by that condition. For details on filtering policy rules, see Searching Security Policy Rules/Policy Groups.

View the policy groups in the policy group list.

  • Each column displays the corresponding configurations.
  • You can view the current status of each policy group in the Status column, which shows one icon for the enabled state and a different icon for the disabled state.

Searching Security Policy Rules/Policy Groups

Use the Filter to search for the policy rules that match the filter conditions.

  1. Click Policy > Security Policy > Policy or Policy > Security Policy > Policy Group.
  2. At the top-right corner of the Security Policy/Security Policy Group page, click Filter. A new row then appears at the top.
  3. Click Filter to add a new filter condition. Then select a filter condition from the drop-down menu and enter a value.
  4. Press Enter to search for the policy rules that match the filter conditions.
  5. Repeat the above two steps to add more filter conditions. The relationship between filter conditions is AND.
  6. To delete a filter condition, hover your mouse over that condition and then click the icon. To close the filter, click the icon on the right side of the row.

To save the filter conditions:

  1. After adding the filter conditions, click the icon and then click Save Filters in the drop-down menu.
  2. Specify a name for the filter condition to save. The name can be at most 32 characters long and may contain only Chinese and English characters and underscores.
  3. Click the Save button on the right side of the text box.
  4. To use a saved filter condition, double-click its name.
  5. To delete a saved filter condition, click the icon on the right side of the filter condition.
  • You can add up to 20 filter conditions as needed.
  • After the device is upgraded, the saved filter conditions are cleared.

Policy Optimization

When you want to clean up rules that have not been used for a long time, it is hard to determine which policy rules should be deleted if there are a large number of policy rules on the device. To help with this, the system supports Policy Hit Analysis, Rule Redundancy Check, and the Policy Assistant.

Policy Hit Analysis

Policy Hit Analysis checks the policy rule hit counts: each time traffic matches a policy rule, that rule's hit count increases by 1 automatically. Using the statistics of the first hit time, the last hit time, and the days since the last hit, you can identify the policy rules that need to be cleaned up. You can view specific policy rules by setting up filters.

To check the hit counts, take the following steps:

  1. Select Policy > Security Policy > Policy Optimization, and select the Policy Hit Analysis tab.
  2. Select filter conditions from the Filter drop-down list, and configure filter conditions as needed.
  3. Click the Export button, and the analysis of the filtered policy rules will be exported in the format of CSV.
  4. Press Enter or click any blank space on the page to view the latest Policy Optimization result.
  5. Click the icon in front of the policy ID to view the details of the policy rule.
  6. Click the icon on the right side to save the selected filters: click Save Filters, type a name for the filters, and click Save. Once saved, the combined filters can be selected directly in the drop-down list.
  7. To delete a filter condition, hover your mouse over that condition and then click the icon. To delete all filter conditions, click the icon on the right side of the row.

To clear a policy hit count, take the following steps:

  1. Select Policy > Security Policy > Policy Optimization, and select the Policy Hit Analysis tab.
  2. Click Clear to open the Clear page.
  3. Click OK.

You can also perform other operations:

  • Click the icon to delete the policy rule.
  • Click the icon to disable the policy rule.

Rule Redundancy Check

To keep the rules in a policy effective, the system provides a way to check for conflicts among the rules in a policy. With this check, administrators can find out whether rules overshadow each other, that is, whether an earlier rule prevents a later one from ever being matched.

To start a rule redundancy check, take the following steps:

  1. Select Policy > Security Policy > Policy Optimization, and select the Redundancy Check tab.
  2. Select Redundancy Check. After the check, the system lists the policy rules that are overshadowed.
    The status is shown below the policy list while the redundancy check is running. Editing a policy rule during the redundancy check is not recommended. You can click the icon to stop the check manually.
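As an added illustration (not the product's own code) of how the ordered first-match lookup, the default action, the hit counts and the redundancy check's overshadowed rules fit together, the following Python models a small IPv4 rule base. The rule fields, zone names, sample rules and flow shape are constructed for the example, and the shadow check covers only the case where a single earlier rule fully covers a later one.

```python
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "any"

@dataclass(frozen=True)
class Rule:
    rid: int            # unique rule ID, as shown in the policy list
    src_zone: str       # zone name or "any"
    dst_zone: str
    src: str            # IPv4 CIDR or "any" (constructed model, no IPv6 here)
    dst: str
    service: tuple      # (proto, low port, high port); (ANY, 0, 65535) matches all
    action: str         # "permit" or "deny"
    enabled: bool = True

def service_covers(outer, inner):
    """True if every (proto, port) matched by `inner` is also matched by `outer`."""
    return outer[0] in (ANY, inner[0]) and outer[1] <= inner[1] and inner[2] <= outer[2]

def net_covers(outer, inner):
    """True if address object `outer` contains all of `inner`."""
    if outer == ANY or inner == ANY:
        return outer == ANY
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))

def rule_matches(rule, flow):
    """`flow` is a dict with src_zone, dst_zone, src_ip, dst_ip, proto and dport."""
    return (rule.enabled
            and rule.src_zone in (ANY, flow["src_zone"])
            and rule.dst_zone in (ANY, flow["dst_zone"])
            and net_covers(rule.src, flow["src_ip"] + "/32")
            and net_covers(rule.dst, flow["dst_ip"] + "/32")
            and service_covers(rule.service, (flow["proto"], flow["dport"], flow["dport"])))

def evaluate(rules, flow, default_action="deny"):
    """Rules are queried in list order and the first match decides; traffic that
    matches no rule gets the default action, which is deny unless reconfigured."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.rid, rule.action
    return None, default_action

def hit_counts(rules, flows, default_action="deny"):
    """Policy hit analysis: how often each rule was the first match; rules still at 0
    after a representative traffic sample are candidates for clean-up."""
    counts = {r.rid: 0 for r in rules}
    for flow in flows:
        rid, _ = evaluate(rules, flow, default_action)
        if rid is not None:
            counts[rid] += 1
    return counts

def shadowed_rules(rules):
    """Redundancy check, single-rule case: a later rule is overshadowed when one earlier
    enabled rule covers all of its fields. Returns (overshadowed ID, overshadowing ID)."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.enabled
                    and earlier.src_zone in (ANY, later.src_zone)
                    and earlier.dst_zone in (ANY, later.dst_zone)
                    and net_covers(earlier.src, later.src)
                    and net_covers(earlier.dst, later.dst)
                    and service_covers(earlier.service, later.service)):
                found.append((later.rid, earlier.rid))
                break
    return found

# Constructed sample rule base: rule 3 is fully covered by rule 2 and can never be hit.
RULES = [
    Rule(1, "trust", "untrust", "10.1.1.0/24", ANY, ("tcp", 443, 443), "permit"),
    Rule(2, "trust", "untrust", "10.1.0.0/16", ANY, ("tcp", 80, 80), "permit"),
    Rule(3, "trust", "untrust", "10.1.1.0/24", ANY, ("tcp", 80, 80), "permit"),
    Rule(4, "trust", "dmz", ANY, "192.168.5.10/32", ("udp", 53, 53), "permit"),
]
```

A rule that the product's check reports as overshadowed by several earlier rules together (each covering part of it) is not found by this single-rule model.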

Configuring the Policy Assistant

The policy assistant helps users generate targeted policies more quickly and accurately. With this function, the system analyzes the traffic of a specified policy ID, generates services on the basis of that traffic, optimizes the traffic by setting replacement conditions and aggregation conditions, and then generates the target policies.

Click Policy > Security Policy > Policy Optimization, and select the Policy Assistant tab. In the Policy Assistant tab, generate target policies by following the wizard:

Display Traffic -> Generate Service -> Replace Policy -> Aggregate Policy -> Generate Policy

Enabling the Policy Assistant

Before configuring policy assistant related functions, enable the function first.

  1. Select Policy > Security Policy > Policy.
  2. Create a rule, or select an existing rule for which the policy assistant function needs to be enabled, and click Edit to open the Policy Configuration page.
  3. Expand Options, and click the Policy Assistant button to enable the function.

For the root VSYS, at most 4 policies can have the policy assistant function enabled, while for a non-root VSYS, only 1 policy can enable the function.

Displaying Traffic

On the Display Traffic page, the source zone, source IP, destination zone, destination IP, and service of the traffic that hit the selected policy ID are displayed.

To display the traffic data, take the following steps:

  1. Click Policy > Security Policy > Policy Optimization, and select the Policy Assistant tab.
  2. Click Display Traffic on the configuration wizard.
  3. Click Next to proceed to the next configuration.

Generating Service

The searched traffic data shows the protocol and port. You can generate a corresponding service based on the protocol and port and add it to the service book, so that the generated policies are delivered more accurately.

To generate service, take the following steps:

  1. Click Generate Service on the configuration wizard. The Generate Service page displays all service items, including the protocol, destination/source port, and service status.

  2. Click Next to proceed to the next configuration.

Replacing Policy

You can set a condition on the source IP, destination IP, or service. When policy items meet the condition, those items are replaced with the condition.

Application Scenario Example

For example, suppose the admin gets traffic data originating from 172.16.1.47. After analyzing the traffic data, the source IP is judged to be normal, and all IP addresses in 172.16.1.0/24 are judged to be normal as well. To widen the source IP range to 172.16.1.0/24, the admin can set 172.16.1.0/24 as the replacement condition on the Replace Policy page; the source IP of every searched traffic item that falls within that range is then changed to 172.16.1.0/24.

Configuring Replacement Conditions

To configure replacement conditions for the policy items, take the following steps:

  1. Click Replace Policy on the configuration wizard.
  2. Click Next to proceed to the next configuration.

Aggregating Policy

You can aggregate policy items with the same source IP, destination IP, and service, so as to reduce redundant policies.

To aggregate policies, take the following steps:

  1. Click Aggregate Policy on the configuration wizard.
  2. Select the aggregation conditions (Source IP, Destination IP, or Service); the policy items in the list are aggregated by the selected conditions.
  3. Click Next to proceed to the next configuration.

Generating Policy

The Generate Policy page displays all policy items after the Generate Service, Replace Policy, and Aggregate Policy configurations. You can select policy items as needed to generate policies; the generated policies are displayed on the Security Policy > Policy page.

Note: For the generated security policies, the source IP, destination IP, and service are determined by the selected aggregation conditions, while the source zone, destination zone, and action stay the same as in the original policy items.

To generate policies, take the following steps:

  1. Click Generate Policy on the configuration wizard.
  2. Click Finish to complete the policy assistant configuration.
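The Replace Policy and Aggregate Policy steps of the wizard, modelled in Python as an added example (not the product's own code): the traffic items, zones and addresses are constructed, the 172.16.1.0/24 replacement condition follows the scenario above, and the grouping key keeps the source and destination zones since generated policies retain them.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed traffic items for one policy, in the shape the Display Traffic step
# lists them: source zone, source IP, destination zone, destination IP, service.
TRAFFIC = [
    {"src_zone": "trust", "src_ip": "172.16.1.47", "dst_zone": "untrust", "dst_ip": "203.0.113.10", "service": "tcp/443"},
    {"src_zone": "trust", "src_ip": "172.16.1.88", "dst_zone": "untrust", "dst_ip": "203.0.113.10", "service": "tcp/443"},
    {"src_zone": "trust", "src_ip": "172.16.1.47", "dst_zone": "untrust", "dst_ip": "203.0.113.11", "service": "tcp/80"},
    {"src_zone": "trust", "src_ip": "10.9.0.5", "dst_zone": "untrust", "dst_ip": "203.0.113.10", "service": "tcp/443"},
]

def replace_items(items, field, conditions):
    """Replace Policy step: when an item's `field` ("src_ip" or "dst_ip") lies inside
    one of the replacement conditions (CIDRs), the value becomes that CIDR; values
    outside every condition are left untouched. Works on host addresses and on CIDRs
    produced by an earlier replacement."""
    nets = [ip_network(c) for c in conditions]
    out = []
    for item in items:
        new = dict(item)
        for net in nets:
            if ip_network(item[field], strict=False).subnet_of(net):
                new[field] = str(net)
                break
        out.append(new)
    return out

def aggregate_items(items, by):
    """Aggregate Policy step: items with the same zones and the same values for the
    selected conditions (`by`: any of "src_ip", "dst_ip", "service") merge into one
    entry; fields that differ inside a group are collected as sorted lists."""
    groups = {}
    for item in items:
        key = (item["src_zone"], item["dst_zone"]) + tuple(item[f] for f in by)
        fields = groups.setdefault(key, defaultdict(set))
        for f, v in item.items():
            fields[f].add(v)
    merged = []
    for fields in groups.values():
        merged.append({f: sorted(v) if len(v) > 1 else next(iter(v)) for f, v in fields.items()})
    return merged

def assistant_run(items, replacements, aggregate_by):
    """Run the Replace Policy step for each field, then Aggregate Policy.
    `replacements` maps a field name to its list of replacement CIDRs."""
    for field, conditions in replacements.items():
        items = replace_items(items, field, conditions)
    return aggregate_items(items, aggregate_by)
```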