Access Policy

SMP supports two types of Access Policy:

  • Legacy – Existing Access Policy

  • NextGen – New Access Policy with additional new features (see below)

Note - NextGen Access Policy is supported only on appliances running version R80.20.30 and higher. For older versions, use the Legacy Policy.

In the WebUI > Access Policy tab, you can navigate between Legacy and NextGen. The rule tables differ according to which features/values are available.

When a Legacy gateway pulls a NextGen policy, the policy is ignored and not applied.

When a NextGen gateway pulls a Legacy policy, the policy is applied.

Legacy Policy

On the Access Policy page, you can create firewall rules on the SMP for a specified plan or gateway. These rules set policy for:

  • Outgoing access to the internet

  • Incoming, internal and VPN traffic

Pre local rules are fetched before the local manual rules (created in the local settings of the Firewall Software Blades). A local administrator cannot create manual rules to override pre local rules configured by the SMP administrator.

Post local rules are fetched after the local manual rules. The SMP administrator gives recommended policy, but the local administrator can override it by creating manual rules.

Note - The gateway local administrator can edit only the manual rules. Pre/post local rules are locked.

Pre/post local rules are managed by Cloud Services. When you turn off Cloud Services, the pre/post local rules are deleted.

There is no repository for network objects and services. They are created and deleted with the rule.
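The precedence described above (pre local rules fetched before the local manual rules, post local rules after them) is what makes a pre local rule non-overridable and a post local rule only a recommendation. The following is an added illustration, not SMP's own code: a first-match model of the three rule tiers with a constructed sample policy, showing which tier decides for a given source and service.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    tier: str        # "pre" (SMP pre local), "manual" (local admin), "post" (SMP post local)
    source: str      # CIDR network, a single IPv4/IPv6 address, or "any"
    service: str     # e.g. "tcp/23", or "any"
    action: str      # "accept" or "drop"
    enabled: bool = True   # the Enabled checkbox in the Edit Firewall Rule window


def rule_matches(rule: Rule, src: str, service: str) -> bool:
    """A rule matches when both its source and its service match the connection."""
    src_ok = rule.source == "any" or ip_address(src) in ip_network(rule.source, strict=False)
    svc_ok = rule.service in ("any", service)
    return src_ok and svc_ok


def effective_rulebase(pre: list, manual: list, post: list) -> list:
    """Evaluation order on the gateway: pre local, then local manual, then post local."""
    return [*pre, *manual, *post]


def evaluate(rulebase: list, src: str, service: str) -> tuple:
    """First match wins; a disabled rule is skipped; no match means implicit drop."""
    for rule in rulebase:
        if rule.enabled and rule_matches(rule, src, service):
            return rule.action, rule.tier
    return "drop", "implicit"


# Constructed sample policy (assumed, not from the page): the SMP administrator
# forbids telnet as a pre local rule and recommends blocking RDP as a post local rule.
PRE_LOCAL = [Rule("pre", "any", "tcp/23", "drop")]
POST_LOCAL = [Rule("post", "any", "tcp/3389", "drop")]
# The local administrator adds manual rules allowing both from the internal network.
LOCAL_MANUAL = [
    Rule("manual", "10.0.0.0/8", "tcp/23", "accept"),
    Rule("manual", "10.0.0.0/8", "tcp/3389", "accept"),
]


def decide(src: str, service: str) -> tuple:
    return evaluate(effective_rulebase(PRE_LOCAL, LOCAL_MANUAL, POST_LOCAL), src, service)


if __name__ == "__main__":
    print(decide("10.1.2.3", "tcp/23"))     # ('drop', 'pre'): pre local rule cannot be overridden
    print(decide("10.1.2.3", "tcp/3389"))   # ('accept', 'manual'): manual rule overrides post local
    print(decide("192.0.2.7", "tcp/3389"))  # ('drop', 'post'): recommendation applies where no manual rule matches
```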

To create new pre or post local rules:

  1. Go to Home > Plans.

  2. Click the plan name.

    The Edit page opens.

  3. Click Security Software Blades > Access Policy.

  4. Select Manage in SMP.

  5. In the applicable rule table, click New.

    The Edit Firewall Rule window opens.

  6. Configure these fields:

    • Source

    • Destination

    • Service

    • Action

    • Log

  7. Optional - Enter the Description.

  8. To enable the rule, click Enabled.

  9. Click Finish.

Note - If you clear Manage in SMP and click Save, all pre/post local rules are deleted. To undo changes, click Revert.

To edit a rule:

  1. Click the rule number or click the Edit icon.

    The Edit Firewall Rule window opens.

  2. Edit the applicable fields.

  3. Click Finish.

To enable/disable a rule:

In the Edit Firewall Rule window, select or clear the Enabled checkbox.

To delete a rule:

  1. Click the checkbox next to the rule number.

  2. Click Delete.

To change the rule order in the table:

Drag and drop the rule or rule number up or down.

To override the settings set by a plan:

  1. Go to Home > Gateways.

  2. Click the gateway name.

    The Edit page opens.

  3. Click Security Software Blades > Access Policy.

  4. If the Access Policy settings are locked, click Unlock from plan.

NextGen

You can configure the NextGen Access Policy just like you configure the Legacy Policy. There are differences in the rule tables according to the values available/selected.

These are the NextGen new features:

  • New Zone values - Supports all zone options for destination on both incoming and outgoing rules.

    • Blocked_hosts

    • Blocked_infected_hosts

  • Application – Relevant only for outgoing rules.

    • Any

    • Custom URL

    • Known application (or category)

      When you select Predefined, you can select only one application or category.

  • Domain name in source and destination

  • With the exception of GEO Location, Updatable Objects in source and destination are supported only in appliances with version R80.20.35 and higher.

  • GEO Location under Updatable Objects - Geolocation is a list of countries and continents. You can select geolocation for source or destination.

  • IPv6 support

    • For a single IP address, you can specify an IPv6 or an IPv4 value.

    • IPv6 network

    • IPv6 address range