In This Section: |
You configure Application Control and URL Filtering in the Security Policies view, in the Access Control Policy of R80 SmartConsole.
See the logs in the Logs tab of the Logs & Monitor view.
See real-time traffic statistics and analysis in the Access Control tab of the Logs & Monitor view, and in the SmartEvent GUI.
This chapter explains the Application Control and URL Filtering configuration and management that you do in the Access Control Policy section of R80 SmartConsole.
When you upgrade a pre-R80 Security Management Server that manages pre-R80 Security Gateways to R80, the existing Access Control policies are converted in this way:
Important – After upgrade, do not change the Action of the implicit cleanup rules, or the order of the Policy Layers. If you do, the policy installation will fail.
New Access Control Policy for pre-R80 Security Gateways on an R80 Security Management Server must have this structure:
If the Access Control Policy has a different structure, the policy will fail to install.
You can change the names of the Layers, for example, to make them more descriptive.
Each new Policy Layer will have the explicit default rule, added automatically and set to Drop all the traffic that does not match any rule in that Policy Layer. We recommend that the Action is set to Drop for the Network Policy Layer and Accept for the Application Control Policy Layer.
If you remove the default rule, the Implicit Cleanup Rule will be enforced. The Implicit Cleanup Rule is configured in the Policy configuration window and is not visible in the Rule Base table. Make sure the Implicit Cleanup Rule is configured to Drop the unmatched traffic for the Network Policy Layer and to Accept the unmatched traffic for the Application Control Policy Layer.
These are the fields of the rules in the Access Control policy. Not all of these are shown by default. To select a field that does not show, right-click on the Rule Base table header, and select it.
Field |
Description |
---|---|
No. |
Rule number in the Rule Base Layer. |
Hits |
Number of connections that match this rule. |
Name |
Name that the system administrator gives this rule. |
Source |
Network object that defines where the traffic starts. |
Destination |
Network object that defines the destination of the traffic. |
Services & Applications |
Services, Applications, Categories, and Sites. |
Action |
Action that is done when traffic matches the rule. Options include: Accept, Drop, Ask, Inform (UserCheck message), and Reject. |
Track |
Tracking and logging action that is done when traffic matches the rule. |
Install On |
Network objects that will get the rule(s) of the policy. |
Time |
Time period that this rule is enforced. |
Comment |
An optional field that lets you summarize the rule. |
There are three types of rules in the Rule Base - explicit, implied and implicit.
Explicit rules
The rules that the administrator configures explicitly, to allow or to block traffic based on specified criteria.
Important - The Cleanup rule is a default explicit rule and is added with every new layer. You can change or delete the default Cleanup rule. We recommend that you have an explicit cleanup rule as the last rule in each layer. |
Implied rules
The default rules that are available as part of the Global properties configuration and cannot be edited. You can only select the implied rules and configure their position in the Rule Base:
Implied rules are configured to allow connections for different services that the Security Gateway uses. For example, the Accept Control Connections rules allow packets that control these services:
Implicit cleanup rule
The default "catch-all" rule that deals with traffic that does not match any explicit or implied rules in the Policy Layers. For R77.30 or earlier versions Security Gateways, the action of the implicit rule depends on the Policy Layer:
Note - If you change the default values, the policy installation will fail.
The implicit rules do not show in the Rule Base.
In the Services & Applications column, define the Web applications, sites, services and protocols that are included in the rule. A rule can contain one or more:
Notes -
It is not supported to configure a service and application in the same rule.
Applications are matched on their Recommended services, where each service runs on a specific port. The recommended services for Facebook, for example, are the default Application Control Web browsing services: http
, https
, HTTP_proxy
, and HTTPS_proxy
. To change this see Changing Services for Applications and Categories.
To add an application or site to a rule:
The Application viewer window opens.
To create a new application or site:
The Application viewer window opens.
If you used a regular expression in the URL, click URLs are defined as Regular Expressions.
Note - If the application or site URL is defined as a regular expression you must use the correct syntax.
To create a custom category:
The Application viewer window opens.
By default, applications and categories are matched on their recommended services.
To change the services that are matched for an application or category:
The application or category is changed everywhere that it is used in the policy.
To override categorization for a URL:
The Override Categorization for URL window opens.
http:\\.
The selected categories are shown in the Additional Categories list.
Application traffic generates a very large amount of activity. To make sure that the amount of logs is manageable, by default, logs are consolidated by session. A session is a period that starts when a user first accesses an application or site. During a session, the Security Gateway records one log for each application or site that a user accesses. All activity that the user does within the session is included in the log.
You can add these options to a Log, Full Log, or Network Log:
Alert:
If an Alert is selected, Log is selected automatically.
You can add a Time object to a rule to make the rule active only during specified times. If you do not include a Time object in a rule, the rule is always active.
You can include one or more Time objects and Time Groups in a rule. A Time Group contains Time objects.
When you have multiple Time objects or a Time Group, each Time object works independently. For example, if a rule has two Time objects:
The rule is active each day from 9:00 - 17:00 and all day on Mondays. For the rule to be active from 9:00 - 17:00 on Mondays only, make one Time object that contains all of the criteria.
To add the Time Column to the Access Control Policy:
To create a new Time object:
To add Time objects to a rule:
Notes -
To add a Limit object to a rule:
The Limit is added to the rule.
Note - The Security Gateway implements the Limit action by dropping successive packets which exceed the allowed bandwidth. |
By default, Hit Count is globally enabled for all supported Security Gateways (from R75.40). The timeframe setting that defines the data collection time range is configured globally. If necessary, you can disable Hit Count for one or more Security Gateways.
After you enable or disable Hit Count you must install the Policy for the Security Gateway to start or stop collecting data.
To enable or disable Hit Count globally:
To enable or disable Hit Count on each Security Gateway:
These are the options you can configure for how matched connection data is shown in the Hits column:
The values are shown with these letter abbreviations:
For example, 259K represents 259 thousand connections and 2M represents 2 million connections.
The hit count range = Maximum hit value - Minimum hit value (does not include zero hits)
Hit Count Level |
Icon |
Range |
---|---|---|
Zero |
0 hits |
|
Low |
Less than 10 percent of the hit count range |
|
Medium |
Between 10 - 70 percent of the hit count range |
|
High |
Between 70 - 90 percent of the hit count range |
|
Very High |
Above 90 percent of the hit count range |
To show the Hit Count in the Rule Base:
Right-click the heading row of the Rule Base and select Hits.
To configure the Hit Count in a rule:
To update the Hit Count in a rule:
UserCheck Interaction Objects add flexibility and give the Security Gateway a mechanism to communicate with users. UserCheck objects are used in a Rule Base to:
If a UserCheck object is set as the action on a policy rule, the user browser redirects to the Gaia Administration web portal on port 443 or 80. The portal hosts UserCheck notifications.