Working with the Firewall Access Policy

In the Access Policy > Firewall Policy page you can manage the Firewall Access Policy Rule Base. You can create, edit, delete, enable or disable rules. In the Access Policy > Firewall Blade Control page you determine the basic firewall policy mode.

In Standard mode, this page shows you both automatically generated rules based on the configuration of your default policy and manually defined rules as exceptions to this default policy.

In Strict mode, all access is blocked by default and this page is the only way to configure access rules for your organization.

The Rule Base is divided into two sections. Each section represents a different security policy: how your organization browses to the Internet (the world outside your organization), and how your organization's resources are accessed (both from within and from outside your organization). At the top of the page there are three links that let you see both sections or only one of them.

  • Outgoing access to the Internet - For all outgoing traffic rules. In this Rule Base you determine the policy to access the Internet outside your organization. Commonly the policy here is to allow the basic traffic, but you can block applications and URLs at your company's discretion. In the Access Policy > Firewall Blade Control page you can configure the default policy to block applications and URLs. This page lets you add manual rules as exceptions to the default policy. You can also customize messages that are shown to users for specified websites when they are blocked or accepted by the Rule Base (see below). You can also use an Ask action for applications or URLs that lets the end user determine whether browsing is for work-related purposes or not. For example, we recommend you add a rule that asks the users before browsing to uncategorized URLs. Such a rule can disrupt possible bot attacks.

  • Incoming, internal and VPN traffic - For all incoming, internal and VPN traffic rules. In this Rule Base, you determine the policy to access your organization's resources. All internal networks, wireless networks, and external VPN sites are considered part of your organization and traffic to them is inspected in this Rule Base. Commonly the policy here is to block traffic from outside your organization into it and allow traffic within your organization.

    In Standard mode, you can configure a more granular default policy in various pages:

    • Traffic from specific sources into your organization can be blocked or accepted by default. This configuration can be found in each specific source's edit mode:

      • External VPN sites - Configure default access from/to external VPN sites in the VPN > Site to Site Blade Control page.

      • Remote Access VPN users - Configure default access in the VPN > Remote Access Blade Control page.

      • Wireless networks - Configure default access for each wireless network from the Access tab in each wireless network's edit window in the Device > Wireless Network page.

      • DMZ network - Configure default access from the DMZ object's edit window in the Device > Local Network page.

        Note - DMZ is not supported in 1550 appliances.

    • Traffic to defined server objects as configured in each server's edit window in the Access Policy > Firewall Servers page.

    This page lets you add manual rules as exceptions to the default policy. In Strict mode, the default policy blocks everything and you configure access only through manual rules.

Within each section there are these subsections:

  • Manual Rules - Rules that you manually create.

  • Auto Generated Rules - Rules that the system determines based on the initial Firewall Policy mode (Strict or Standard) as explained above. These rules are also influenced by other elements in the system. For example, when you add a server, a corresponding rule is added to the Incoming, internal and VPN traffic section.

These are the fields that manage the rules for the Firewall Access Policy.

  • No. - Rule number in the Firewall Rule Base.

  • Source - IP address, network object, or user group that initiates the connection.

  • Destination - IP address or network object that is the target of the connection.

  • Application - Applications or websites that are accepted or blocked. You can filter the list by common applications, categories, custom defined applications, URLs or groups. For more information, see Managing Applications & URLs. This field is only shown in the Outgoing access to the Internet section.

  • Service - Type of network service that is accepted or blocked.

  • Action - Firewall action that is done when traffic matches the rule. For outgoing traffic rules, you can use the Customize messages option to configure Ask or Inform actions in addition to the regular Block or Accept actions. Messages can be set for these action types: Accept and Inform, Block and Inform, or Ask. The Ask action lets the end user decide if the traffic is for work purposes or personal. Users are redirected to a portal that shows a message or question. See the Customize messages section below. If a time range is set for the rule, a clock icon is shown.

  • Log - The tracking and logging action that is done when traffic matches the rule.

  • Comment / Auto generated rule - Details shown immediately below the above fields for:

    • Comments you enter when you create a rule.

    • Rules that the system automatically generates. You can click the object name link in the comment to open its configuration tab.

The "Ask" action

The outgoing Rule Base gives the option to set an Ask action, instead of only Accept or Block, for browser-based applications. There are several commonly used cases where this is helpful:

  • This action can be used for traffic that is normally not allowed in your organization, but you do want it to be available for work-related purposes. End users are asked if they need to browse for work-related purposes and can continue without requiring the administrator to make changes to the access policy for this single event. For example, traffic to Facebook is generally blocked but you want your HR department to be able to access it for work-related purposes.

  • This action, applied to traffic to uncategorized URLs, can also help protect against malware that has been installed inside your organization. Such malware cannot answer the question, so it is blocked by the Ask action.

To create a new manually defined access rule:

  1. Click the arrow next to New. When the page shows both Rule Bases, click New in the appropriate table.

  2. Click one of the available positioning options for the rule: On Top, On Bottom, Above Selected, or Under Selected.

    The Add Rule window opens. It shows the rule fields in two ways:

    • A rule summary sentence with default values.

    • A table with the rule base fields.

  3. Click the links in the rule summary or the table cells to select network objects or options that fill out the rule base fields. See the descriptions above.

    Note - The Application field is relevant only for outgoing rules.

    In the Source field, you can choose between entering a manual IP address (network), a network object, or a user group (to configure a user based policy, make sure the User Awareness blade is activated). Users can be defined locally on the appliance or externally in an Active Directory. For more details, see the Access Policy > User Awareness Blade Control page.

  4. In the Write a comment field, enter optional text that describes the rule. This is shown as a comment below the rule in the Access Policy.

  5. To limit the rule to a certain time range, select Apply only during this time and select the start and end times.

  6. In outgoing rules, to limit the download traffic rate, select Limit download traffic of applications to and enter the Kbps rate.

  7. In outgoing rules, to limit the upload traffic rate, select Limit upload traffic of applications to and enter the Kbps rate.

  8. In incoming rules, to match only for encrypted VPN traffic, select Match only for encrypted traffic.

  9. Click Apply.

    The rule is added to the outgoing or incoming section of the Access Policy.

To clone a rule:

Clone a rule to add a rule that is almost the same as the one that already exists.

  1. Select a rule and click Clone.

  2. Edit the fields as necessary.

  3. Click Apply.

To edit a rule:

Note - For Access Policy rules, you can only edit the tracking options for automatically generated rules.

  1. Select a rule and click Edit.

  2. Edit the fields as necessary.

  3. Click Apply.

To delete a rule:

  1. Select a rule and click Delete.

  2. Click Yes in the confirmation message.

To enable or disable a rule:

  • To disable a manually defined rule that you have added to the rule base, select the rule and click Disable.

  • To enable a manually defined rule that you previously disabled, select the rule and click Enable.

To change the rule order:

  1. Select the rule to move.

  2. Drag and drop it to the necessary position.

    Note - You can only change the order of manually defined rules.

Customize messages

You can customize messages to let the Security Gateway communicate with users. This helps users understand that some websites are against the company's security policy. It also tells users about the changing Internet policy for websites and applications. When you configure such messages, the user's Internet browser shows the messages in a new window when traffic is matched on a rule using one of the message related actions.

These are the Action options and their related notifications:

  • Accept and Inform - Shows an informative message to users. Users can continue to the application or cancel the request.

  • Block and Inform - Shows a message to users and blocks the application request.

  • Ask - Shows a message to users and asks them if they want to continue with the request or not. See above for more details.

To customize messages:

  1. Click Customize messages in the Outgoing access to the Internet section.

  2. Configure the options in each of these tabs:

    • Accept and Inform

    • Block and Inform

    • Ask

  3. Configure the applicable fields for each of the notifications:

    • Title - Keep the default or enter a different title.

    • Subject - Keep the default or enter a different subject.

    • Body - Keep the default or enter different body text. You can click Optional keywords for a list of keywords that you can add in the body text to give the user more information.

    • Ignore text (only for Ask) - This is the confirmation message for the Ask user message. Keep the default text or enter different text.

    • User must enter a reason (only for Ask) - Select this checkbox if users must enter an explanation for their activity. The user message contains a text box for entering the reason.

    • Fallback action - Select an alternative action (Block or Accept) for when the notification cannot be shown in the browser or application that caused the notification, most notably in non-web applications. If it is determined that the notification cannot be shown in the browser or application, the behavior is:

      • If the Fallback action is Accept - The user can access the website or application.

      • If the Fallback action is Block - The Security Gateway tries to show the notification in the application that caused the notification. If it cannot, the website or application is blocked, and the user does not see a notification.

    • Frequency - You can set the number of times that users get notifications for accessing applications that are not permitted by the policy. The options are:

      • Once a day

      • Once a week

      • Once a month

        For example, in a rule whose Application field contains the Social Networking category, if you select Once a day as the frequency, a user who accesses Facebook multiple times gets one notification.

    • Redirect the user to URL - You can redirect the user to an external portal that is not on the gateway. In the URL field, enter the URL for the external portal. The specified URL can be an external system that gets authentication credentials from the user, such as a user name or password, and sends this information to the gateway. Only applicable for the Block and Inform notification.

  4. Click the Customize tab to customize a logo for all portals shown by the appliance (Hotspot and captive portal used by User Awareness). Click Upload, browse to the logo file and click Apply. If necessary, you can revert to the default logo by clicking Use Default.

  5. Click Apply.
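The following Python model, added here as an illustration and not part of the appliance or this guide, shows how the outgoing Rule Base semantics described above fit together: first-match rule order, the Apply only during this time range, the Ask action for browser users, the Fallback action when a message cannot be shown (for example to a bot or non-web application, which is also why an Ask rule for uncategorized URLs disrupts malware), and the Strict-mode default of Block. The Rule and Connection classes, the hour-based time range, and the assumption that a non-browser client can never be shown a notification are simplifications made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
# Constructed model of the outgoing Rule Base semantics this page describes:
# first-match order, time range, the Ask action, the Fallback action and the
# default policy. Illustration only, not the appliance's own code or API.
NOTIFY_ACTIONS = {"Ask", "Accept and Inform", "Block and Inform"}

@dataclass
class Rule:
    no: int                                  # position in the Rule Base
    source: str                              # network object name or "Any"
    application: str                         # application/URL category or "Any"
    action: str                              # Accept, Block or one of NOTIFY_ACTIONS
    fallback: str = "Block"                  # applied when the message cannot be shown
    hours: Optional[Tuple[int, int]] = None  # "Apply only during this time", in hours

@dataclass
class Connection:
    source: str
    application: str
    hour: int
    is_browser: bool              # False for bots and non-web applications
    answered_work: bool = False   # Ask: user confirmed work-related browsing

def rule_matches(rule: Rule, conn: Connection) -> bool:
    if rule.source not in ("Any", conn.source):
        return False
    if rule.application not in ("Any", conn.application):
        return False
    if rule.hours and not (rule.hours[0] <= conn.hour < rule.hours[1]):
        return False
    return True

def evaluate(rules, conn: Connection, default: str = "Block"):
    """Return (verdict, notification_shown, matched_rule_no).
    default="Block" models Strict mode; default="Accept" models a Standard-mode
    outgoing policy that allows basic traffic unless a rule says otherwise."""
    for rule in sorted(rules, key=lambda r: r.no):
        if not rule_matches(rule, conn):
            continue
        if rule.action not in NOTIFY_ACTIONS:
            return rule.action, False, rule.no
        if not conn.is_browser:
            # Message cannot be shown: the Fallback action decides, no notification
            return rule.fallback, False, rule.no
        if rule.action == "Ask":
            # Browser user sees the question; only a "for work" answer continues
            return ("Accept" if conn.answered_work else "Block"), True, rule.no
        return rule.action.split(" and ")[0], True, rule.no  # "... and Inform"
    return default, False, None
```

Rule 2 in the test below is the recommended "ask before uncategorized URLs" rule: a browser user who answers the question continues, while a bot on the same host hits the Fallback action and is blocked silently.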