Managing Policies and Layers
What can I do here?
Use this window to view, edit, delete policies or create new ones.
|
Getting Here - Menu > Manage policies and layers
Or:
Security Policies > click (+) tab > Manage Policies > Manage policies and layers link
|
Working with Policy Packages
A policy package is a collection of different types of policies. After installation, the Security Gateway enforces all the policies in the package. A policy package can have one or more of these policy types:
- Access Control - consists of these types of rules:
- Firewall
- NAT
- Application and URL Filtering
- Content Awareness
- QoS - Quality of Service rules for bandwidth management
- Desktop Security - the Firewall policy for endpoint computers that have the Endpoint Security VPN remote access client installed as a standalone client.
- Threat Prevention - consists of:
- IPS - IPS protections continually updated by IPS Services
- Anti-Bot - Detects bot-infected machines, prevents bot damage by blocking bot commands and Control (C&C) communications
- Anti-Virus - Includes heuristic analysis, stops viruses, worms, and other malware at the gateway
- Threat Emulation - Detects zero-day and advanced polymorphic attacks by opening suspicious files in a sandbox
- Threat Extraction - Extracts potentially malicious content from e-mail attachments before they enter the corporate network
The installation process:
- Runs a heuristic verification on rules to make sure they are consistent and that there are no redundant rules.
If there are verification errors, the policy is not installed. If there are verification warnings (for example, if anti-spoofing is not enabled for a Security Gateway with multiple interfaces), the policy package is installed with a warning.
- Makes sure that each of the Security Gateways enforces at least one of the rules. If none of the rules are enforced, the default drop rule is enforced.
- Distributes the user database and object database to the selected installation targets.
You can create different policy packages for different types of sites in an organization.
Example:
An organization has four sites, each with its own requirements. Each site has a different set of Software Blades installed on the Security Gateways:
Item
|
Security Gateway
|
Installed Software Blades
|
1
|
Sales California
|
Firewall, VPN
|
2
|
Sales Alaska
|
Firewall, VPN, IPS, DLP
|
3
|
Executive management
|
Firewall, VPN, QoS, and Mobile Access
|
4
|
Server farm
|
Firewall
|
5
|
Internet
|
|
To manage these different types of sites efficiently, you need to create three different Policy Packages. Each Package includes a combination of policy types that correspond to the Software Blades installed on the site's gateway. For example:
- A policy package that includes the Access Control policy type. The Access Control policy type controls the firewall, NAT, Application and URL Filtering , and Content Awareness Software Blades. This package also determines the VPN configuration.
Install the Access Control policy package on all Security Gateways.
- A policy package that includes the QoS policy type for the QoS blade on gateway that manages bandwidth.
Install this policy package on the executive management Gateway.
- A policy package that includes the Desktop Security Policy type for the gateway that handles Mobile Access.
Install this policy package on the executive management Gateway.
