Security Policies Tab
Configuration > Overlays & Security > Security > Firewall Zone Security Policies
This tab lists the security policies for your appliances. They manage traffic between firewall zones.
- Zones are created on the Orchestrator. A zone is applied to an interface.
- By default, traffic is allowed between interfaces labeled with the same zone, and traffic between interfaces in different zones is dropped. To permit traffic across zones, you create exception rules (security policies) that allow it between specific source and destination zones (and, when segmentation is enabled, between specific segments and zones).
- When Routing Segmentation (VRF) is enabled:
  - By default, traffic is allowed only between interfaces labeled with the same zone and the same segment. Any traffic between different zones or between different segments is dropped.
  - Define your security policies from the Routing Segmentation (VRF) tab.
  - Do not use templates. If a security policy template is applied while segmentation is enabled, it applies only within the default segment, and it overrides the default security policy defined on the Routing Segmentation (VRF) tab. This behavior is designed to prevent a traffic disruption when segmentation is enabled for the first time and during a migration to segments. After the migration finishes, remove the security policy template.
- If Routing Segmentation is disabled, define security policies by creating templates. You can then apply a template to interfaces and overlays.
- To view statistics on flows, packets, and bytes dropped or allowed by the zone-based firewall for a given time range, click Firewall Drops. For help troubleshooting flows that the firewall denied with the reason “outbound pkt new dst zone” or “Zone change detected on outbound packet,” see the troubleshooting video.
- To define policies on all appliances within your network, click Manage Security Policies with Templates. Use the matrix and table views to further specify your policies. If segmentation is enabled, do not use templates; manage policies from the Routing Segmentation (VRF) tab instead.
- Clicking the edit icon opens the Security Policies dialog box, which shows the applied security policy. Any changes you make from this dialog box are local to that appliance, so making changes here is not recommended.
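The zone and segment behavior described above can be modeled in a few lines. The following is an added example, not Orchestrator or appliance code: it assumes that enabled rules are consulted in ascending priority order and that the documented default (allow same zone, and same segment when segmentation is enabled, otherwise drop) applies when no rule matches. The names Interface, Rule and evaluate are hypothetical.

```python
"""Model of the zone-based firewall decision described on this page.

Added example, not Orchestrator or appliance code. The evaluation order
(enabled rules checked by ascending priority number, then the documented
default) and the names Interface, Rule and evaluate are assumptions made
for illustration.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str
    segment: str = "default"  # with segmentation disabled, every interface is in one segment


@dataclass(frozen=True)
class Rule:
    priority: int          # lower value is evaluated first (assumption)
    src_zone: str
    dst_zone: str
    action: str            # "allow", "deny" or "inspect", as in the rule editor
    src_segment: str = "default"
    dst_segment: str = "default"
    enabled: bool = True


def evaluate(src: Interface, dst: Interface, rules: Iterable[Rule],
             segmentation_enabled: bool) -> str:
    """Return the action applied to a flow from interface src to interface dst."""
    # 1. Exception rules (security policies). Rules are directional: a rule for
    #    LAN -> WAN says nothing about WAN -> LAN.
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.enabled:
            continue
        if (rule.src_zone, rule.dst_zone) != (src.zone, dst.zone):
            continue
        # Segment columns only matter when Routing Segmentation (VRF) is on.
        if segmentation_enabled and \
                (rule.src_segment, rule.dst_segment) != (src.segment, dst.segment):
            continue
        return rule.action

    # 2. Documented default: same zone (and same segment when segmentation is
    #    enabled) is allowed; anything else is dropped ("Deny All").
    same_zone = src.zone == dst.zone
    same_segment = (not segmentation_enabled) or src.segment == dst.segment
    return "allow" if same_zone and same_segment else "deny"


if __name__ == "__main__":
    # Constructed sample topology: one LAN interface, one WAN interface.
    lan = Interface("lan0", "LAN")
    wan = Interface("wan0", "WAN")
    rules = [Rule(priority=10, src_zone="LAN", dst_zone="WAN", action="allow")]
    print(evaluate(lan, wan, rules, segmentation_enabled=False))  # allow
    print(evaluate(wan, lan, rules, segmentation_enabled=False))  # deny (no reverse rule)
```

The model makes two points the prose only implies: a disabled rule is skipped entirely, and enabling segmentation turns a previously allowed same-zone flow into a drop as soon as the two interfaces sit in different segments, which is exactly the disruption the template note above warns about.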
Security Policies Dialog Box
Use the Security Policies dialog box to manage your security policies by adding or modifying rules.
- Select the default logging level to apply to all “Deny All” events.
- Select the Source and Destination Segment.
- Click the cell for the source and destination zone to open the rule editor.
- To create a new rule, click Add Rule.
- Modify the following fields for a new or existing rule:

  Field            Description
  Priority         Priority of the rule.
  Match Criteria   Click the edit icon to add or modify the match criteria for the rule.
  Action           Select the action to apply to traffic matching the rule:
                   Allow—Matching traffic is allowed.
                   Deny—Matching traffic is denied.
                   Inspect—Matching traffic is inspected by the Intrusion Detection System (IDS).
  Enabled          Select the check box to enable the rule. Clear the check box to disable the rule.
  Logging          Select the logging level to apply when logging matches for this rule. To not log matching traffic, select None.
  Tag              Specify a tag to be logged with matching events.
  Comment          Add comments about the rule.

- Click Save.
Wildcard-based Prefix Matching Rules
- Even when using a range or a wildcard, an IPv4 address must be specified in the 4-octet dotted format, A.B.C.D.
- A range is specified with a single dash. For example, 128-129.
- A wildcard is specified as an asterisk (*).
- A range and a wildcard can both be used in the same address, but a single octet can contain only one or the other. For example, 10.136-137.*.64-95.
- A wildcard can only stand for an entire octet. For example, 10.13*.*.64-95 is not supported; use 10.130-139.*.64-95 to specify that range.
- The same rules apply to IPv6 addressing.
- CIDR notation cannot be combined with a range or a wildcard in the same address. For example, 192.168.0.1-127/24 is not supported; use either 192.168.0.0/24 or 192.168.0.1-127.
- These prefix-matching rules apply only to the following policies: Route, QoS, Optimization, NAT, Security, and ACLs.
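The IPv4 rules above are precise enough to check mechanically before a pattern goes into a policy. The following validator and matcher is an added example, not Orchestrator or appliance code; it covers only the IPv4 rules listed on this page (not IPv6), and the names parse_ipv4_pattern, is_valid_pattern and matches are hypothetical. Treating a CIDR prefix with host bits set as its network (strict=False) is also an assumption, since the page does not say how such input is handled.

```python
"""Validator and matcher for the wildcard/range address syntax described above.

Added example, not Orchestrator or appliance code; it implements only the
IPv4 rules listed on this page. The names parse_ipv4_pattern, matches and
is_valid_pattern are hypothetical.
"""
import ipaddress
from typing import List, Tuple, Union

Octets = List[range]
Parsed = Tuple[str, Union[ipaddress.IPv4Network, Octets]]


class PatternError(ValueError):
    """Raised when a pattern violates one of the documented rules."""


def _parse_octet(octet: str) -> range:
    """Return the set of values one octet position may take."""
    if octet == "*":                       # wildcard covers the whole octet
        return range(0, 256)
    if "*" in octet:                       # 13* is not allowed; use 130-139 instead
        raise PatternError(f"wildcard must be an entire octet: {octet!r}")
    if "-" in octet:                       # range: exactly one dash, low-high
        low_s, _, high_s = octet.partition("-")
        if not (low_s.isdigit() and high_s.isdigit()):
            raise PatternError(f"range must be two decimal values split by one dash: {octet!r}")
        low, high = int(low_s), int(high_s)
        if not 0 <= low <= high <= 255:
            raise PatternError(f"range out of order or outside 0-255: {octet!r}")
        return range(low, high + 1)
    if not octet.isdigit() or not 0 <= int(octet) <= 255:
        raise PatternError(f"octet must be a decimal value 0-255: {octet!r}")
    return range(int(octet), int(octet) + 1)


def parse_ipv4_pattern(pattern: str) -> Parsed:
    """Validate a pattern and return ('cidr', network) or ('octets', [range, ...])."""
    if "/" in pattern:
        # CIDR is mutually exclusive with range and wildcard in the same address.
        if "*" in pattern or "-" in pattern:
            raise PatternError(f"CIDR cannot be combined with range or wildcard: {pattern!r}")
        try:
            # strict=False masks host bits (192.168.0.1/24 -> 192.168.0.0/24); assumption.
            return "cidr", ipaddress.IPv4Network(pattern, strict=False)
        except ValueError as exc:
            raise PatternError(f"bad CIDR prefix {pattern!r}: {exc}") from None
    parts = pattern.split(".")
    if len(parts) != 4:                    # A.B.C.D is required even with ranges or wildcards
        raise PatternError(f"IPv4 pattern needs exactly four octets: {pattern!r}")
    return "octets", [_parse_octet(p) for p in parts]


def is_valid_pattern(pattern: str) -> bool:
    """True if the pattern satisfies every documented rule."""
    try:
        parse_ipv4_pattern(pattern)
        return True
    except PatternError:
        return False


def matches(pattern: str, address: str) -> bool:
    """True if the IPv4 address falls inside the (validated) pattern."""
    kind, data = parse_ipv4_pattern(pattern)
    ip = ipaddress.IPv4Address(address)
    if kind == "cidr":
        return ip in data
    # ip.packed yields the four octets as ints; each must sit in its allowed range.
    return all(value in allowed for value, allowed in zip(ip.packed, data))


if __name__ == "__main__":
    # Constructed inputs taken from the examples on this page.
    for p in ("10.136-137.*.64-95", "10.13*.*.64-95", "192.168.0.1-127/24", "192.168.0.0/24"):
        print(f"{p:22} valid={is_valid_pattern(p)}")
    print(matches("10.136-137.*.64-95", "10.137.200.64"))  # True
```

Running a pattern through is_valid_pattern before saving a rule catches the two unsupported forms the page calls out (a partial-octet wildcard and CIDR mixed with a range) as well as malformed octets such as values above 255 or a range written low-high in the wrong order.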