Security Policy

Security Policy Basis

Policy
Policy is designed to control the traffic forwarding between security zones/segments. By
default, Hillstone devices will deny all traffic between security zones/segments, while the
policy can identify which flow between security zones or segments will be permitted and
which will be denied based on the policy rules.
Policy Rule
Generally a policy rule consists of two parts: a filtering condition and an action.
Filtering condition - You can set the filtering condition by specifying the traffic's source zone/address, destination zone/address,
Action - The actions for processing traffic include Permit, Deny, Tunnel, From tunnel and WebAuth.
When traffic flows into a Hillstone device, the device queries the policy rules in list order (from top
to bottom) and processes the traffic according to the first matched rule.
Matching Sequence Example

Configuring a Policy (WebUI)
Policy > Security Policy, click New to configure a new policy
Configuring an Address Book (WebUI)
Object > Address Entry, click New
Service Book
Object > Service Book > Service
Application
Object > APP Book > Application
You can view or edit the predefined applications; the predefined applications are
updated online automatically.
Configuring a Policy Rule (CLI)
To enter the policy configuration mode, in global configuration mode, use the following command:
policy-global
After entering the policy configuration mode, to create a policy rule, use the following command:
rule [id id] [top | before id | after id] [role {UNKNOWN | role-name} | user aaa-server-name username | user-group aaa-server-name user-group-name] from src-addr to dst-addr service service-name {permit | deny | tunnel tunnel-name | fromtunnel tunnel-name | webauth}
id id - Specifies the ID of the policy rule. If not specified, the system will automatically assign an ID to the policy rule.
top | before id | after id - Specifies the location of the policy rule. By default, the newly-created policy rule is located at the end of all the rules.
from src-addr - Specifies the source address of the policy rule.
to dst-addr - Specifies the destination address of the policy rule.
service service-name - Specifies the service name of the policy rule.
permit | deny | tunnel tunnel-name | fromtunnel tunnel-name | webauth - Specifies the action of the policy rule.
To view policy rules, use the following command:
show policy [id id] [from src-zone] [to dst-zone]
id id - Shows the detailed information of the specified policy rule.
from src-zone - Shows the detailed information of the policy rules whose source security zone is the specified zone.
to dst-zone - Shows the detailed information of the policy rules whose destination security zone is the specified zone.
Moving a Policy Rule
Policy > Security Policy
To move a policy rule, in the policy rule configuration mode, use the following command:
move id {top | bottom | before id | after id}
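The following Python model, added here as an illustration and not Hillstone code, shows why rule position matters under first-match evaluation with a default deny: a broad permit placed above a narrower deny shadows it until the deny is moved to the top. The rule list, positioning options (top / before / after, default at the end) and the move operation mirror the rule and move commands above; the zone names, addresses and service strings in the demo are constructed sample values.

```python
"""First-match policy evaluation with default deny (constructed model, not
Hillstone code). Rules are checked top to bottom; the first rule whose
filtering condition matches decides the action; no match means deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: int
    src_zone: str
    src_addr: str   # CIDR or "any"
    dst_zone: str
    dst_addr: str   # CIDR or "any"
    service: str    # e.g. "tcp/23" or "any"
    action: str     # "permit" or "deny"


@dataclass(frozen=True)
class Traffic:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    service: str


def _addr_match(pattern: str, ip: str) -> bool:
    return pattern == "any" or ip_address(ip) in ip_network(pattern)


class PolicyList:
    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self._next_id = 1

    def _index(self, rule_id: int) -> int:
        for i, r in enumerate(self.rules):
            if r.rule_id == rule_id:
                return i
        raise KeyError(f"no rule with id {rule_id}")

    def _place(self, rule: Rule, top=False, before=None, after=None) -> None:
        # Positioning semantics: top, before id, after id; default is the end.
        if top:
            self.rules.insert(0, rule)
        elif before is not None:
            self.rules.insert(self._index(before), rule)
        elif after is not None:
            self.rules.insert(self._index(after) + 1, rule)
        else:
            self.rules.append(rule)

    def add(self, fields: dict, *, rule_id: Optional[int] = None,
            top=False, before=None, after=None) -> int:
        """Create a rule; assign an id automatically when none is given."""
        if rule_id is None:
            rule_id = self._next_id
        self._next_id = max(self._next_id, rule_id + 1)
        self._place(Rule(rule_id, **fields), top, before, after)
        return rule_id

    def move(self, rule_id: int, *, top=False, bottom=False,
             before=None, after=None) -> None:
        """Reposition an existing rule (bottom is the default placement)."""
        rule = self.rules.pop(self._index(rule_id))
        self._place(rule, top, before, after)

    def evaluate(self, t: Traffic) -> Tuple[str, Optional[int]]:
        """Return (action, matched rule id); first match wins, else deny."""
        for r in self.rules:
            if (r.src_zone == t.src_zone and r.dst_zone == t.dst_zone
                    and _addr_match(r.src_addr, t.src_ip)
                    and _addr_match(r.dst_addr, t.dst_ip)
                    and r.service in ("any", t.service)):
                return r.action, r.rule_id
        return "deny", None


def demo():
    """Broad permit first, then a narrow deny appended at the end (shadowed)."""
    pl = PolicyList()
    pl.add(dict(src_zone="trust", src_addr="any", dst_zone="untrust",
                dst_addr="any", service="any", action="permit"))
    pl.add(dict(src_zone="trust", src_addr="10.1.1.0/24", dst_zone="untrust",
                dst_addr="any", service="tcp/23", action="deny"))
    telnet = Traffic("trust", "10.1.1.5", "untrust", "203.0.113.9", "tcp/23")
    before = pl.evaluate(telnet)            # ("permit", 1): rule 1 shadows rule 2
    pl.move(2, top=True)                    # equivalent of: move 2 top
    after = pl.evaluate(telnet)             # ("deny", 2)
    unmatched = pl.evaluate(Traffic("dmz", "192.0.2.1", "trust",
                                    "10.1.1.5", "tcp/22"))  # ("deny", None)
    return before, after, unmatched


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the telnet flow permitted by the first, broader rule until the deny is moved above it; a flow that matches no rule falls through to the default deny.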
Schedule
Schedules control the effective time of some functional modules, for example allowing a
policy rule to take effect only within a specified time, or controlling the duration of a PPPoE
interface connection.
There are two types of schedule: periodic schedule and absolute schedule. The periodic
schedule specifies a time point or time range by periodic schedule entries, while the
absolute schedule decides the time range in which the periodic schedule will take effect.
You can add up to 16 schedule entries to a periodic schedule.
Creating a Schedule
Click Object > Schedule. Click New to create a schedule.

Applying a Schedule to a Policy Rule
Click Security Policy. Click New to create a policy rule which allows the traffic
forwarding from the trust zone to the untrust zone within the period of the specified
schedule. Click Option
Viewing Schedule Info in a Policy Rule
Policy rules with a schedule can take effect only in the time period specified by
the schedule.
CLI: show policy
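To make the two schedule types and their interaction concrete, here is a small Python model, added as an example and not taken from Hillstone documentation or code. It treats the absolute schedule as an outer date range that gates the periodic entries (weekday plus time-of-day ranges), enforces the 16-entry limit stated above, and reports whether a rule bound to the schedule is in effect at a given moment. The "business hours" schedule and the timestamps are constructed sample values, and the behaviour when a schedule has no periodic entries (only the absolute range applies) is an assumption of this model.

```python
"""Schedule evaluation model (constructed example, not Hillstone code).
A rule bound to a schedule is in effect only when the timestamp falls inside
the absolute range (if any) AND matches at least one periodic entry."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple

MAX_PERIODIC_ENTRIES = 16  # limit stated on the page

# Weekday numbers follow datetime.weekday(): Monday=0 ... Sunday=6
WEEKDAYS = frozenset(range(0, 5))


@dataclass(frozen=True)
class PeriodicEntry:
    days: FrozenSet[int]
    start: time
    end: time

    def contains(self, t: datetime) -> bool:
        return t.weekday() in self.days and self.start <= t.time() <= self.end


@dataclass
class Schedule:
    name: str
    periodic: List[PeriodicEntry] = field(default_factory=list)
    absolute: Optional[Tuple[datetime, datetime]] = None

    def add_periodic(self, entry: PeriodicEntry) -> None:
        if len(self.periodic) >= MAX_PERIODIC_ENTRIES:
            raise ValueError(f"schedule {self.name!r}: at most "
                             f"{MAX_PERIODIC_ENTRIES} periodic entries")
        self.periodic.append(entry)

    def active_at(self, t: datetime) -> bool:
        """Absolute range gates the periodic entries; no periodic entries
        means the absolute range alone decides (assumption of this model)."""
        if self.absolute is not None:
            start, end = self.absolute
            if not (start <= t <= end):
                return False
        if not self.periodic:
            return True
        return any(e.contains(t) for e in self.periodic)


def rule_in_effect(schedule: Optional[Schedule], t: datetime) -> bool:
    """A rule without a schedule is always in effect; otherwise it is only
    considered during the schedule's active time (outside it the device
    continues matching against the following rules)."""
    return schedule is None or schedule.active_at(t)


def business_hours() -> Schedule:
    """Constructed sample: Mon-Fri 09:00-18:00, valid during calendar 2024."""
    s = Schedule("business-hours",
                 absolute=(datetime(2024, 1, 1), datetime(2024, 12, 31, 23, 59)))
    s.add_periodic(PeriodicEntry(WEEKDAYS, time(9, 0), time(18, 0)))
    return s


def demo() -> Tuple[bool, bool, bool]:
    s = business_hours()
    weekday_in_range = rule_in_effect(s, datetime(2024, 3, 6, 10, 0))   # Wed: True
    weekend = rule_in_effect(s, datetime(2024, 3, 9, 10, 0))            # Sat: False
    expired = rule_in_effect(s, datetime(2025, 3, 5, 10, 0))            # outside absolute: False
    return weekday_in_range, weekend, expired


def entry_limit_enforced() -> bool:
    """True if the 17th periodic entry is rejected."""
    s = Schedule("limit-test")
    for _ in range(MAX_PERIODIC_ENTRIES):
        s.add_periodic(PeriodicEntry(WEEKDAYS, time(0, 0), time(23, 59)))
    try:
        s.add_periodic(PeriodicEntry(WEEKDAYS, time(0, 0), time(23, 59)))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), entry_limit_enforced())
```

When reviewing a policy with show policy, the schedule attached to a rule is the reason a rule that looks like a match may still be skipped at a given time; the model above makes that gating explicit.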
Thank you