
Security Policy

Security policy is the basic function of the device for controlling traffic forwarded between security zones/segments. Without security policy rules, the device denies all traffic between security zones/segments by default. Once security policy rules are configured, the device can identify which traffic between security zones or segments is permitted; all other traffic is denied.

The basic elements of policy rules:

  • The source zone and address of the traffic
  • The destination zone and address of the traffic
  • The service type of the traffic
  • Actions that the device will perform when processing the specific type of traffic, including Permit, Deny, Tunnel, From tunnel, WebAuth, and Portal server.

Generally a security policy rule consists of two parts: filtering conditions and actions. You set the filtering conditions by specifying the traffic's source zone/address, destination zone/address, service type, and user. Each policy rule is labeled with a unique ID, which is generated automatically when the rule is created; you can also specify a policy rule ID of your own choice. All policy rules in the system are arranged in a specific order. When traffic flows into the device, the device queries the policy rules in turn and processes the traffic according to the first matched rule.

The maximum number of global security policy rules varies by model.

Security policy supports IPv4 and IPv6 addresses. If IPv6 is enabled, you can configure IPv6 address entries for the policy rule.

This section contains the following contents:

  • Configure a security policy rule
  • Manage the security policy rules: enable/disable a policy rule, clone a policy rule, adjust security rule position, configure default action, view and clear policy hit count, hit count check, and rule redundancy check.
  • Configure a security policy group
  • View and search the security policy rules/ security policy groups
  • Configure the policy assistant

Configuring a Security Policy Rule

To configure a security policy rule, take the following steps:

  1. Select Policy > Security Policy > Policy.
  2. At the top-left corner, click New. The Policy Configuration dialog box will appear.
  3. Click OK to save your settings.

Managing Security Policy Rules

Managing security policy rules includes the following tasks: enabling/disabling a policy rule, cloning a policy rule, adjusting security rule position, configuring the default action, viewing and clearing policy hit counts, hit count check, and rule redundancy check.

Enabling/Disabling a Policy Rule

By default the configured policy rule will take effect immediately. You can terminate its control over the traffic by disabling the rule.

To enable/disable a policy rule:

  1. Select Policy > Security Policy > Policy.
  2. Select the security policy rule that you want to enable/disable.
  3. Click ..., and then select Enable or Disable to enable or disable the rule.

Disabled rules are not displayed in the list. Click ..., and then select Show Disabled Policies to show them.

Cloning a Policy Rule

When there are a large number of policy rules in the system, you can create a rule similar to an existing one more easily by copying that rule and pasting it at the specified location.

To clone a policy rule, take the following steps:

  1. Select Policy > Security Policy > Policy.
  2. Select the security policy rule that you want to clone and click Copy.
  3. Click Paste. In the pop-up, select the desired position. Then the rule will be cloned to the desired position.

Adjusting Security Policy Rule Position

To adjust the rule position, take the following steps:

  1. Select Policy > Security Policy > Policy.
  2. Select the check box of the security policy whose position will be adjusted.
  3. Click Move.
  4. In the pop-up menu, type the rule ID or name, and click Before ID, After ID, Before Name or After Name. The rule is then moved before or after the specified ID or name.

Configuring Default Action

You can specify a default action for traffic that does not match any configured policy rule. The system processes such traffic according to the specified default action. By default, the system denies such traffic.

To specify a default policy action, take the following steps:

  1. Select Policy > Security Policy > Policy.
  2. Click ... and select Default Policy Action.
  3. Click OK to save your changes.

Rule Redundancy Check

To keep the rules in a policy effective, the system provides a method to check for conflicts among the rules in a policy. With this method, administrators can check whether rules overshadow each other.

To start a rule redundancy check, take the following steps:

  1. Select Policy > Security Policy > Policy.
  2. Click ... and select Redundancy Check. After the check, the system highlights the policy rules that are overshadowed.

Status is shown below the policy list while the redundancy check is running. It is not recommended to edit a policy rule during the redundancy check. You can click to stop the check manually.
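As an added illustration (not part of the product documentation) of the first-match, default-deny evaluation described in the overview and of what the redundancy check looks for, the following Python model walks an ordered rule list, counts hits, and reports rules that an earlier rule fully overshadows. The zones, addresses, services and rule IDs are constructed sample values.

```python
from dataclasses import dataclass
import ipaddress

DEFAULT_ACTION = "deny"  # unmatched traffic is denied unless the default action is changed

def _has(cidr, ip):  # "any" matches every address; an IP version mismatch simply does not match
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def _covers(outer, inner):  # True if every address in `inner` is also in `outer`
    if outer == "any" or inner == "any":
        return outer == "any"
    o, i = ipaddress.ip_network(outer), ipaddress.ip_network(inner)
    return o.version == i.version and i.subnet_of(o)

@dataclass
class Rule:  # one security policy rule: zones, addresses (CIDR or "any"), service, action
    rule_id: int
    src_zone: str
    src_addr: str
    dst_zone: str
    dst_addr: str
    service: str  # "proto/port" or "any"
    action: str   # "permit" or "deny"
    enabled: bool = True
    hits: int = 0  # incremented on every match, like the device's policy hit count
    def matches(self, src_zone, src_ip, dst_zone, dst_ip, service):
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and _has(self.src_addr, src_ip) and _has(self.dst_addr, dst_ip)
                and self.service in ("any", service))
    def covers(self, other):  # every packet that matches `other` also matches this rule
        return (self.src_zone == other.src_zone and self.dst_zone == other.dst_zone
                and _covers(self.src_addr, other.src_addr) and _covers(self.dst_addr, other.dst_addr)
                and self.service in ("any", other.service))

def first_match(rules, src_zone, src_ip, dst_zone, dst_ip, service):  # first enabled match decides
    for rule in rules:
        if rule.enabled and rule.matches(src_zone, src_ip, dst_zone, dst_ip, service):
            rule.hits += 1
            return rule.action
    return DEFAULT_ACTION

def redundancy_check(rules):  # IDs of rules fully covered by an earlier enabled rule: never hit
    return [r.rule_id for pos, r in enumerate(rules)
            if any(e.enabled and e.covers(r) for e in rules[:pos])]

RULES = [  # constructed sample list: rule 2's narrower deny sits below rule 1's broader permit
    Rule(1, "trust", "10.1.0.0/16", "untrust", "any", "any", "permit"),
    Rule(2, "trust", "10.1.5.0/24", "untrust", "any", "tcp/22", "deny"),
    Rule(3, "dmz", "any", "trust", "10.1.5.10/32", "tcp/443", "permit"),
]
```

With this list, SSH from 10.1.5.7 to the untrust zone is permitted by rule 1 and rule 2 is never reached, which is exactly the kind of overshadowed rule the redundancy check highlights; moving rule 2 above rule 1 would restore the intended deny.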

Schedule Validity Check

To make sure that schedule-based policies are effective, the system provides a method to check the validity of policies. After the check, invalid schedule-based policies are highlighted in yellow.

To check schedule validity:

  1. Select Policy > Security Policy > Policy.
  2. Click ... and select Schedule Validity Check. After the check, the system highlights invalid schedule-based policies in yellow. You can also view the validity status in the policy list.

Showing Disabled Policies

To show disabled policies:

  1. Select Policy > Security Policy > Policy.
  2. Click ... and select Show Disabled Policies. The disabled policies are highlighted in green in the policy list.

  • By default (neither "Schedule Validity Check" nor "Show Disabled Policies" is selected), the policy list only displays the enabled policies, without highlighting.
  • When you select both "Schedule Validity Check" and "Show Disabled Policies", the policy list is handled as follows:
    • The policy list displays the "Validity" column, which shows the validity status of policies.
    • An invalid schedule-based policy is highlighted in yellow whether or not it is disabled.
    • A valid schedule-based policy that is disabled is highlighted in green.

Importing Policy Rule

You can import a configuration file of local policy rules into the device to avoid creating the policy rules manually. Only the DAT file format is currently supported.

To import the configuration file of policy rules, take the following steps:

  1. Click Policy > Security Policy > Policy.
  2. Click the Import button, and the dialog pops up.
  3. In the Import dialog, click Browse and select the local configuration file of policy rule to upload.
  4. Click OK, and the imported policy rule will be displayed in the list.
  • If an error occurs during import, the system stops importing immediately and rolls back the configuration automatically.
  • The imported policy is displayed at the bottom of the policy list.

Exporting Policy Rule

You can export the policy rules on the device to a local file in HTML or DAT format. At the same time, all custom objects, such as address book, service book and application entries, can be exported.

To export the policy rules, take the following steps:

  1. Click Policy > Security Policy > Policy.
  2. Click Export, and the Export dialog pops up.
  3. Click OK to download the exported files. There are four kinds of files: policyExport.html, "policy+exported time.zip", "book+exported time.zip" and the policy configuration in DAT format.
  4. Double-click policyExport.html, click Import File and import "policy+exported time.zip" to view the table of exported policies.
  5. Double-click policyExport.html, click Import File and import "book+exported time.zip" to view the table of object configurations.

Configuring a Policy Group

You can organize some policy rules together to form a policy group, and configure the policy group directly.

Configuring a security policy group includes the following tasks: creating a policy group, deleting a policy group, enabling/disabling a policy group, adding/deleting a policy rule member, editing a policy group and showing disabled policy groups.

Creating a Policy Group

To create a policy group, take the following steps:

  1. Select Policy > Security Policy > Policy Group.
  2. Click New, and the Policy Group Configuration dialog box will appear.
  3. Click OK to save your settings.

Deleting a Policy Group

To delete a policy group, take the following steps:

  1. Select Policy > Security Policy > Policy Group.
  2. Select the check box of the policy group that you want to delete, and click Delete.

Enabling/Disabling a Policy Group

By default the configured policy group will take effect immediately.

To enable/disable a policy group, take the following steps:

  1. Select Policy > Security Policy > Policy Group.
  2. Select the check box of the policy group that you want to enable or disable, and click the enable button under the Status column. The enabled state is displayed as , and the disabled state is displayed as .

Adding/Deleting a Policy Rule Member

To add a policy rule member to the policy group, take the following steps:

  1. Select Policy > Security Policy > Policy Group.
  2. In the policy group list, click the "+" in front of the policy group item to expand the member list of the policy group.
  3. Click the Add Members button to open the Policy Group-Add policy dialog box, which lists the policy rules that have not been added to a policy group.
  4. Select the check box of the policy rules that you want to add to the policy group.
  5. Click OK to save your settings.

A policy rule can be added to only one policy group.

To delete a policy rule member from the policy group, take the following steps:

  1. Select Policy > Security Policy.
  2. At the top-right corner of the list, click Policy Group to enter the Security Policy Group page.
  3. In the policy group list, click the "+" in front of the policy group item to expand the member list of the policy group.
  4. Select the check box of the policy rule member to be deleted, and click Delete.

Editing a Policy Group

To modify the name or description of policy group, take the following steps:

  1. Select Policy > Security Policy > Policy Group.
  2. Select the check box of the policy group that you want to edit, and click Edit.
  3. Modify the name or description of policy group in the Policy Group Configuration dialog.

Showing Disabled Policy Group

To show disabled policy groups, take the following steps:

  1. Select Policy > Security Policy > Policy Group.
  2. Select the Show Disabled Policy Group check box. Disabled policy groups are then displayed in the policy group list; otherwise the list shows only the enabled policy groups.

Viewing and Searching Security Policy Rules/ Policy Groups

You can view and search the policy rules or policy groups in the policy/ policy group list.

Viewing the Policy/ Policy Group

View the security policy rules in the policy rule list.

  • Each column displays the corresponding configurations.
  • Click the button under the Session column in the policy list, and the Session Detail dialog box appears. You can view the current session status of the selected policy. You can also click "+Filter" to add filtering conditions and search for the filtered sessions.
  • Hover your mouse over the configuration in a column. Depending on the configuration type, the WebUI displays either an icon or the detailed configuration.
    • You can view the detailed configuration directly.
    • You can click the icon. Depending on the configuration type, the WebUI displays Filter or Detail.
      • Click Detail to see the detailed configuration.
      • Click Filter, and the filter condition for the configuration you are hovering over appears at the top of the list; you can then filter the policy according to that condition. For details on filtering policy rules, see Searching Security Policy Rules/ Policy Groups.

View the policy groups in the policy group list.

  • Each column displays the corresponding configurations.
  • You can view the current policy group status in Status column. The enabled state is displayed as , and the disabled state is displayed as .

Searching Security Policy Rules/ Policy Groups

Use the Filter to search for the policy rules that match the filter conditions.

  1. Click Policy > Security Policy > Policy or Policy > Security Policy > Policy Group.
  2. At the top-right corner of the Security Policy/ Security Policy Group page, click Filter. Then a new row appears at the top.
  3. Click +Filter to add a new filter condition. Then select a filter condition from the drop-down menu and enter a value.
  4. Press Enter to search for the policy rules that match the filter conditions.
  5. Repeat the above two steps to add more filter conditions. The filter conditions are combined with AND.
  6. To delete a filter condition, hover your mouse on that condition and then click the icon. To close the filter, click the icon on the right side of the row.

Save the filter conditions.

  1. After adding the filter conditions, click the arrow next to + Filter and, in the drop-down menu, click Save Filters.
  2. Specify the name of the filter condition to save. The maximum length of the name is 32 characters, and the name supports only Chinese and English characters and underscores.
  3. Click the Save button on the right side of the text box.
  4. To use a saved filter condition, double-click the name of the saved filter condition.
  5. To delete a saved filter condition, click the icon on the right side of the filter condition.
  • You can add up to 20 filter conditions as needed.
  • After the device has been upgraded, the saved filter conditions are cleared.

Policy Optimization

If you want to clean up rules that have not been used for a long time, it is hard to determine which policy rules should be deleted when there are a large number of them on the device. The system can check the policy rule hit counts: when traffic matches a certain policy rule, its hit count increases by 1 automatically. With the statistics of the first hit time, the last hit time, and the days since the last hit, you can identify the policy rules that need to be cleaned up. You can view specific policy rules by setting up filters.

To check the hit counts, take the following steps:

  1. Select Policy > Security Policy > Policy Optimization.
  2. Select filter conditions from the +Filter drop-down list, and configure filter conditions as needed.
  3. Click the Export button, and the analysis of the filtered policy rules will be exported in the format of CSV.
  4. Click Analyze button to view the latest result of Policy Optimization.
  5. Click the icon in front of the policy ID to view the details of the policy rule.
  6. Click the icon on the left side of +Filter to save the selected filters. Click Save Filters, type the name of the filters and click Save. After saving, the combined filters can be selected directly in the drop-down list.
  7. To delete a filter condition, hover your mouse on that condition and then click the icon. To delete all filter conditions, click the icon on the right side of the row.

To clear a policy hit count, take the following steps:

  1. Select Policy > Security Policy > Policy Optimization.
  2. Click Clear.
  3. Click OK.

You can also perform other operations:

  • Click the icon to delete the policy rule.
  • Click the icon to disable the policy rule.

Configuring the Policy Assistant

To improve the completeness, accuracy and speed of policy configuration, the system provides the policy assistant. The policy assistant analyzes the traffic data that hit the specified policy ID, aggregates the traffic list according to user-defined aggregation rules, and finally generates security policy rules that meet your expectations.

To configure the policy assistant, take the following steps:

  1. Select Policy > Security Policy > Policy, and click New or Edit to enter the Policy Configuration page. On the Options tab, enable Policy Assistant.
  2. Select Policy > Security Policy > Policy to enter the Policy Assistant page.
  3. After configuring the policy aggregation filter, click the Generate Policy button. The filtered traffic data is aggregated into security policy rules in order from top to bottom, and a dialog pops up.
    Tips: For the generated security policy, the source IP, destination IP and application depend on the configured policy aggregation condition; the source zone, destination zone, service and action are inherited from the original policy.
  4. Click Back to return to the Policy Assistant page.