Set Access Rules for a Policy
In each policy, you configure access rules that determine whether the policy allows or denies connections, and define the source and destination of connections the policy applies to.
To configure access rules for a policy, from Policy Manager, select the Policy tab of the Edit Policy Properties dialog box.
Specify the Disposition
The disposition specifies what action the policy takes for connections that match the rules in the policy. The Connections are drop-down list contains the actions that specify whether the policy allows or denies connections that match the rules in the policy. To configure the disposition, select one of these settings:
Allowed
The Firebox allows traffic that uses this policy if it matches the rules you set in the policy. You can configure the policy to create a log message when network traffic matches the policy.
Denied
The Firebox silently drops all traffic that matches the rules in this policy and sends no reply to the device that sent the traffic, so the sender only sees a timeout. You can configure the policy to create a log message when a computer tries to use this policy. The policy can also automatically add a computer or network to the Blocked Sites list if it tries to start a connection with this policy.
For more information, go to Block Sites Temporarily with Policy Settings.
Denied (send reset)
The Firebox denies all traffic that matches the rules in this policy. You can configure it to create a log message when a computer tries to use this policy. The policy can also automatically add a computer or network to the Blocked Sites list if it tries to start a connection with this policy.
For more information, go to Block Sites Temporarily with Policy Settings.
With this option, the Firebox sends a packet to tell the device that sent the network traffic that the session is refused and the connection is closed. You can configure the policy to return a different error instead, which tells the device that the port, protocol, network, or host is unreachable. A reset or unreachable reply gives legitimate clients an immediate failure instead of a timeout, but it also gives a port scanner an immediate answer and can affect how other networks interact with yours. To make sure that your network operates correctly with other networks, use these options with caution.
Specify the Source and Destination
In each policy, you must specify the source and destination of connections the policy applies to. A connection must match both the source and destination specified in the policy for the policy to apply to that traffic.
In each policy, you configure:
- A From list (or source) that specifies the source of connections that this policy applies to.
- A To list (or destination) that specifies the destination of connections that this policy applies to.
For example, you could configure a ping packet filter policy to allow ping connections from all computers on the external network to one web server on your optional network. However, each host or network you add to the To list is exposed to every source in the From list over the port or ports that the policy controls, so a To list that names the whole optional network instead of the one web server opens every host on that network. To avoid unnecessary exposure, keep the source and destination lists as narrow as the service requires.
The members of the source and destination lists can be an IPv4 or IPv6 host IP address, host IP range, or network address, a host name, user name, alias, VPN tunnel, FQDN (includes wildcard domains), or any combination of those objects.
IPv6 is supported for proxy policies and subscription services. IPv6 is not supported for the SIP-ALG and H323-ALG policies.
For more information on how to use FQDN in policies, go to About Policies by Domain Name (FQDN).
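The two rules described above, the disposition from Specify the Disposition and the requirement in Specify the Source and Destination that a connection match both the From list and the To list, as a small Python model. This is an added example, not WatchGuard code, and it does not reproduce how a Firebox evaluates policies internally. The alias table, the Policy and Connection classes, the reset_reply and auto_block fields, and the sample addresses are all constructed for the example; in particular Any-External is approximated as 0.0.0.0/0 and ::/0, whereas on the Firebox it means traffic that arrived on an external interface.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Constructed alias table (hypothetical). Aliases may contain other aliases.
ALIASES = {
    "Any-External": ["0.0.0.0/0", "::/0"],   # approximation of the interface alias
    "Any-Optional": ["10.0.2.0/24"],
    "Web-Servers": ["10.0.2.5", "10.0.2.6"],
    "Optional-Servers": ["Web-Servers", "10.0.2.7"],
}

def expand_members(members, aliases=ALIASES, _seen=None):
    """Flatten alias names into the concrete members (hosts, ranges, networks, FQDNs) they contain."""
    if _seen is None:
        _seen = set()
    out = []
    for m in members:
        if m in aliases:
            if m in _seen:            # guard against a self-referential alias
                continue
            _seen.add(m)
            out.extend(expand_members(aliases[m], aliases, _seen))
        else:
            out.append(m)
    return out

def member_matches(member, ip, fqdn=None):
    """True if one concrete member covers an endpoint, given its IP and (if known) its FQDN."""
    addr = ipaddress.ip_address(ip)
    try:
        if "-" in member:             # host range, e.g. 10.0.1.10-10.0.1.20
            lo, hi = (ipaddress.ip_address(p.strip()) for p in member.split("-", 1))
            return lo.version == addr.version and lo <= addr <= hi
        net = ipaddress.ip_network(member, strict=False)   # single host or network, v4 or v6
        return net.version == addr.version and addr in net
    except ValueError:
        pass                          # not an address form, so treat it as an FQDN
    # Wildcard domains use '*', e.g. *.example.com; the member must match the resolved name.
    return fqdn is not None and fnmatchcase(fqdn.lower(), member.lower())

@dataclass
class Policy:
    name: str
    disposition: str                  # "Allowed", "Denied" or "Denied (send reset)"
    from_members: list
    to_members: list
    reset_reply: str = "tcp-reset"    # or icmp-port/protocol/network/host-unreachable (model field)
    auto_block: bool = False          # add the source to the Blocked Sites list on a deny

@dataclass
class Connection:
    src_ip: str
    dst_ip: str
    proto: str = "tcp"
    src_fqdn: Optional[str] = None
    dst_fqdn: Optional[str] = None

def policy_applies(policy, conn):
    """The policy applies only if BOTH the From list and the To list match the connection."""
    src_ok = any(member_matches(m, conn.src_ip, conn.src_fqdn)
                 for m in expand_members(policy.from_members))
    dst_ok = any(member_matches(m, conn.dst_ip, conn.dst_fqdn)
                 for m in expand_members(policy.to_members))
    return src_ok and dst_ok

def apply_policy(policy, conn, blocked_sites):
    """Return (action, reply) for a connection; blocked_sites is updated when auto_block fires."""
    if not policy_applies(policy, conn):
        return ("no-match", None)
    if policy.disposition == "Allowed":
        return ("forward", None)
    if policy.disposition not in ("Denied", "Denied (send reset)"):
        raise ValueError(f"unknown disposition {policy.disposition!r}")
    if policy.auto_block:
        blocked_sites.add(conn.src_ip)
    if policy.disposition == "Denied":
        return ("drop", None)         # silent drop: the sender only sees a timeout
    reply = policy.reset_reply
    if reply == "tcp-reset" and conn.proto != "tcp":   # model assumption: a RST only fits TCP
        reply = "icmp-port-unreachable"
    return ("drop", reply)

if __name__ == "__main__":
    blocked = set()
    # Ping from anywhere external to ONE optional-network web server, as in the text above.
    ping = Policy("Ping-to-web", "Allowed", ["Any-External"], ["10.0.2.5"])
    print(apply_policy(ping, Connection("198.51.100.7", "10.0.2.5", "icmp"), blocked))
    print(apply_policy(ping, Connection("198.51.100.7", "10.0.2.6", "icmp"), blocked))
    # Same source, but the To list names the whole optional network: every host is reachable.
    wide = Policy("Ping-to-optional", "Allowed", ["Any-External"], ["Any-Optional"])
    print(apply_policy(wide, Connection("198.51.100.7", "10.0.2.6", "icmp"), blocked))
    rst = Policy("Reject", "Denied (send reset)", ["203.0.113.0/24"], ["Optional-Servers"], auto_block=True)
    print(apply_policy(rst, Connection("203.0.113.4", "10.0.2.7"), blocked), sorted(blocked))
```

The second and third calls in the usage block show the point of the caveat in the text: with the To list limited to 10.0.2.5, a ping to 10.0.2.6 does not match the policy at all, while widening the To list to Any-Optional makes every host on that network reachable through the same policy.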
To add members to the From or To list in Fireware Web UI:
- On the Settings tab, below the From or To list, click Add.
The Add Member dialog box appears.
The members list contains the members you can add to the From or To lists. A member can be an alias, user, group, IP address, range of IP addresses, or FQDN (includes wildcard domains).
- From the Member Type drop-down list, select the type of member you want to add.
The member list updates to show only members of the type you selected.
- From the member list, select a member.
- Click OK.
The member appears in the member list on the Settings tab.
- To add other members to the From or To list, repeat the previous steps.
- Click Save.
To add members to the From or To list in Policy Manager:
- Adjacent to the From or To member list, click Add.
The Add Address dialog box appears.
The Available Members list contains the members you can add to the From or To lists. A member can be an alias, user, group, IP address, range of IP addresses, or FQDN (includes wildcard domains).
To add hosts, users, aliases, or tunnels to the policy that do not appear in the Available Members list, follow the steps in the topic Add New Members to a Policy.
- From the Available Members list, select a member and click Add, or double-click a member in the list.
The member you selected appears in the Selected Members and Addresses list.
- Click OK.
The member you selected appears in the From or To list.
- To add other members to the From or To list, repeat the previous steps.
- Click OK.
For more information on the aliases that appear in the From and To lists, go to About Aliases.
For more information about how to create a new alias or edit a user-defined alias, go to Create an Alias.