Hillstone Networks

Security Policy

1. Security Policy Basis

Policy
Policy is designed to control the traffic forwarding between security zones/segments. By
default, Hillstone devices will deny all traffic between security zones/segments, while the
policy can identify which flow between security zones or segments will be permitted and
which will be denied based on the policy rules.

2. Policy Rule

Generally a policy rule consists of two parts: a filtering condition and an action.

Filtering condition - You set the filtering condition by specifying the traffic's source zone/address, destination zone/address, service/application type, role, and schedule.

Action - The actions for processing traffic include Permit, Deny, Tunnel, From tunnel and WebAuth.

Matching sequence of policy rules:

When traffic flows into a Hillstone device, the device queries the policy rules in the list in order (from top to bottom) and processes the traffic according to the first matched rule.

The default policy rule denies all the traffic.

3. Matching Sequence Example

4. Configuring a Policy (WebUI)

Policy > Security Policy, click New to configure a new policy.

5. Configuring an Address Book (WebUI)

Object > Address Entry, click New

6. Service Book

Object > Service Book > Service

CLI: show service predefined


7. Configuring a User-defined Service

Object > Service Book > Service, click New

CLI: service service-name

8. Application

Object > APP Book > Application

You can view or edit the predefined applications; the predefined applications are updated online automatically.

9. Configuring a Policy Rule (CLI)

To enter the policy configuration mode, in global configuration mode, use the following command:

policy-global

After entering the policy configuration mode, to create a policy rule, use the following command:

rule [id id] [top | before id | after id] [role {UNKNOWN | role-name} | user aaa-server-name username | user-group aaa-server-name user-group-name] from src-addr to dst-addr service service-name {permit | deny | tunnel tunnel-name | fromtunnel tunnel-name | webauth}

id id - Specifies the ID of the policy rule. If not specified, the system will automatically assign an ID to the policy rule.
top | before id | after id - Specifies the location of the policy rule. By default, the newly-created policy rule is located at the end of all the rules.
from src-addr - Specifies the source address of the policy rule.
to dst-addr - Specifies the destination address of the policy rule.
service service-name - Specifies the service name of the policy rule.
permit | deny | tunnel tunnel-name | fromtunnel tunnel-name | webauth - Specifies the action of the policy rule.

To view policy rules, use the following command:

show policy [id id] [from src-zone] [to dst-zone]

id id - Shows the detailed information of the specified policy rule.
from src-zone - Shows the detailed information of the policy rules whose source security zone is the specified zone.
to dst-zone - Shows the detailed information of the policy rules whose destination security zone is the specified zone.
10. Moving a Policy Rule

Policy > Security Policy

To move a policy rule, in the policy rule configuration mode, use the following command:

move id {top | bottom | before id | after id}
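As an added example (not Hillstone's own code or CLI), this Python model applies the top-to-bottom first-match evaluation and implicit default deny described in the Policy Rule section to rules written in the page's rule syntax, including id assignment, top | before id | after id placement and the move command. It assumes a subset of the grammar (from/to/service with permit or deny only) and treats the name any as a wildcard, which the page does not state.

```python
import re
from collections import namedtuple

# Subset of the page's grammar: rule [id N] [top | before N | after N] from A to B service S {permit | deny}
RULE_RE = re.compile(
    r"rule(?: id (\d+))?(?: (top|before \d+|after \d+))?"
    r" from (\S+) to (\S+) service (\S+) (permit|deny)$"
)
Rule = namedtuple("Rule", "id src dst service action")


class PolicyTable:
    def __init__(self):
        self.rules = []      # list order is the matching order (top to bottom)
        self._next_id = 1    # stands in for the device's automatic ID assignment

    def add(self, cmd):
        """Parse one 'rule ...' command and place it the way the page describes."""
        m = RULE_RE.match(cmd)
        if not m:
            raise ValueError(f"unsupported rule syntax: {cmd}")
        rid, pos, src, dst, svc, act = m.groups()
        rid = int(rid) if rid else self._next_id
        self._next_id = max(self._next_id, rid + 1)
        self.rules.append(Rule(rid, src, dst, svc, act))  # default: end of the list
        if pos:
            self.move(rid, pos)
        return rid

    def move(self, rid, where):
        """move id {top | bottom | before id | after id}"""
        rule = next(r for r in self.rules if r.id == rid)
        self.rules.remove(rule)
        if where == "top":
            self.rules.insert(0, rule)
        elif where == "bottom":
            self.rules.append(rule)
        else:
            kw, ref = where.split()
            idx = next(i for i, r in enumerate(self.rules) if r.id == int(ref))
            self.rules.insert(idx if kw == "before" else idx + 1, rule)

    def lookup(self, src, dst, service):
        """First matching rule wins; 'any' is an assumed wildcard, not from the page."""
        for r in self.rules:
            if r.src in (src, "any") and r.dst in (dst, "any") and r.service in (service, "any"):
                return r.action, r.id
        return "deny", None  # the default policy rule denies all traffic
```

Moving a broad deny rule above a narrower permit changes the lookup result for the same traffic, which is why rule order, not just rule content, must be reviewed.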

11. Schedule

Schedules control the effective time of some functional modules, for example allowing a policy rule to take effect only in a specified time range, or controlling the duration of the PPPoE interface connection.

There are two types of schedule: periodic schedule and absolute schedule. The periodic schedule specifies a time point or time range by periodic schedule entries, while the absolute schedule decides the time range in which the periodic schedule will take effect.

You can add up to 16 schedule entries to a periodic schedule.

12. Creating a Schedule

Click Object > Schedule. Click New to create a schedule.

13. Applying a Schedule to a Policy Rule

Click Security Policy. Click New to create a policy rule which allows traffic forwarding from the trust zone to the untrust zone within the period of the specified schedule. Click Option.

14. Viewing Schedule Info in a Policy Rule

Policy rules with a schedule can take effect only in the time period specified by the schedule.

CLI: show policy

Thank you
