Creating an Access Control Policy

Multicast Access Control

Multicast IP transmits one copy of each datagram (IP packet) to a multicast address, where each recipient in the group takes their copy. The routers in the network forward the datagrams only to routers and hosts with access to receive the multicast packets.

To configure multicast access control:

1. Open a gateway object.
2. On the Network Management page, select an interface and click Edit.
3. On Interface > Advanced, click Drop Multicast packets by the following conditions.
4. Select a multicast policy for the interface:
   • Drop multicast packets whose destination is in the list
   • Drop all multicast packets except those whose destination is in the list

   When access is denied to a multicast group on an interface for outbound IGMP packets, inbound packets are also denied.

   If you do not define access restrictions for multicast packets, multicast datagrams to one interface of the gateway are allowed out of all other interfaces.

5. Click Add.

   The Add Object window opens, with the Multicast Address Ranges object selected.

6. Click New > Multicast Address Range.

   The Multicast Address Range Properties window opens.

7. Enter a name for this range.
8. Define an IP address Range or a Single IP Address in the range: 224.0.0.0 - 239.255.255.255.

   Class D IP addresses are reserved for multicast traffic and are allocated dynamically. The multicast address range 224.0.0.0 - 239.255.255.255 is used only for the destination address of IP multicast traffic.

   Every IP datagram whose destination address starts with 1110 is an IP multicast datagram. The remaining 28 bits of the multicast address range identify the group to which the datagram is sent.

   The 224.0.0.0 - 224.0.0.255 range is reserved for LAN applications that are never forwarded by a router. These addresses are permanent host groups. For example: an ICMP request to 224.0.0.1 is answered by all multicast capable hosts on the network, 224.0.0.2 is answered by all routers with multicast interfaces, and 224.0.0.13 is answered by all PIM routers. To learn more, see the IANA website.

   The source address for multicast datagrams is always the unicast source address.

9. Click OK.
10. In the Add Object window, click OK.
11. In the Interface Properties window, click OK.
12. In the gateway window, click OK.
13. In the Rule Base, add a rule that allows the multicast address range as the Destination.
14. In the Services of the rule, add the multicast protocols.
    • Multicast routing protocols - For example: Protocol-Independent Multicast (PIM), Distance Vector Multicast Routing Protocol (DVMRP), and Multicast Extensions to OSPF (MOSPF).
    • Dynamic registration - Hosts use the Internet Group Management Protocol (IGMP) to let the nearest multicast router know they want to belong to a specified multicast group. Hosts can leave or join the group at any time.
15. Install the policy.

Managing Pre-R80.10 Security Gateways

When you upgrade a pre-R80 Security Management Server that manages pre-R80.10 Security Gateways to R80 or higher, the existing Access Control policies are converted in this way:

• The pre-R80 Firewall policy is converted into the Network Policy Layer of the R80 Access Control Policy. The implicit cleanup rule for it is set to Drop all traffic that is not matched by any rule in this Layer.
• The pre-R80 Application & URL Filtering policy is converted into the Application Policy Layer, which is the second Layer of the R80 Access Control Policy. The implicit cleanup rule for it is set to Accept all traffic that is not matched by any rule in this Layer.

Important – After upgrade, do not change the Action of the implicit cleanup rules, or the order of the Policy Layers. If you do, the policy installation will fail.

New Access Control Policy for pre-R80 Security Gateways on an R80 Security Management Server must have this structure:

1. The first Policy Layer is the Network Layer (with the Firewall blade enabled on it).
2. The second Policy Layer is the Application & URL Filtering Layer (with the Application & URL Filtering blade enabled on it).
3. There are no other Policy Layers.

If the Access Control Policy has a different structure, the policy will fail to install.

You can change the names of the Layers, for example, to make them more descriptive.

Each new Policy Layer will have the explicit default rule, added automatically and set to Drop all the traffic that does not match any rule in that Policy Layer. We recommend that the Action is set to Drop for the Network Policy Layer and Accept for the Application Control Policy Layer.

If you remove the default rule, the Implicit Cleanup Rule will be enforced. The Implicit Cleanup Rule is configured in the Policy configuration window and is not visible in the Rule Base table. Make sure the Implicit Cleanup Rule is configured to Drop the unmatched traffic for the Network Policy Layer and to Accept the unmatched traffic for the Application Control Policy Layer.