Chapter 8 - Security Policy
HCSA-NGFW 2022
Contents
1 Security Policy Basis
2 Object
• The policy identifies which flows between security zones or segments are permitted and which are denied, based on the policy rules.
www.hillstonenet.com
Basic Elements of Policy Rules
• Policy filtering conditions:
– Source Zone/Address - The source zone/address of the traffic.
– Destination Zone/Address – The destination zone/address of the traffic.
– Service – The service type of the traffic.
– *User
– *Application
• Action:
– Permit
– Deny
– WebAuth
– Tunnel, From tunnel
– Portal Server
Policy Filtering Condition and Action
Policy > Security Policy, click 『New』 to create a policy.
[Topology figure: Eth0/1 in the trust zone, Eth0/4 in the untrust zone connected to the Internet]
Policy Position
• Policy > Security Policy, edit a policy rule and click 『Options』 to change the position of this policy.
Matching Sequence of Policy Rules
• The first packet of a flow is matched against the policy rules in sequence.
Matching Sequence Example
According to the network topology below, can the PC access the FTP server? Which policy rule will be matched?
[Topology figure: PC2 (.2) and PC3 (.3) on 192.168.10.0/24 connected to E0/1 (.1, trust zone); E0/4 (untrust zone) connected to the Internet and the FTP Server]
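As an added example (not part of the Hillstone course material), the following Python models the first-match evaluation described above, with a per-rule hit count and a move operation that mirrors the 『move id {top | bottom | before id | after id}』 command. The rule set, the PC addresses and the FTP server address 203.0.113.21 are constructed, and the action when no rule matches is assumed to be deny for this model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    rule_id: int
    src_zone: str
    dst_zone: str
    src_addr: str   # network in CIDR notation, or "any"
    dst_addr: str
    service: str    # service name such as "FTP", or "any"
    action: str     # "permit" or "deny"
    hits: int = 0   # policy hit count, incremented on every first-packet match


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str


def _addr_matches(rule_addr: str, ip: str) -> bool:
    if rule_addr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_addr, strict=False)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (rule.src_zone == flow.src_zone
            and rule.dst_zone == flow.dst_zone
            and _addr_matches(rule.src_addr, flow.src_ip)
            and _addr_matches(rule.dst_addr, flow.dst_ip)
            and rule.service in ("any", flow.service))


def evaluate(policy: list, flow: Flow):
    """Walk the rule list from the top; the first matching rule decides.
    A flow that matches no rule is denied here (an assumption for this example)."""
    for rule in policy:
        if rule_matches(rule, flow):
            rule.hits += 1
            return rule.action, rule.rule_id
    return "deny", None


def move_rule(policy: list, rule_id: int, position: str, ref_id: int = None) -> None:
    """Re-order the list in place, mirroring 'move id {top | bottom | before id | after id}'."""
    idx = next(i for i, r in enumerate(policy) if r.rule_id == rule_id)
    rule = policy.pop(idx)
    if position == "top":
        policy.insert(0, rule)
    elif position == "bottom":
        policy.append(rule)
    elif position in ("before", "after"):
        ref = next(i for i, r in enumerate(policy) if r.rule_id == ref_id)
        policy.insert(ref if position == "before" else ref + 1, rule)
    else:
        raise ValueError(f"unknown position {position!r}")


def build_policy() -> list:
    # Constructed rule set for the trust -> untrust FTP question above.
    return [
        Rule(1, "trust", "untrust", "192.168.10.2/32", "any", "FTP", "deny"),
        Rule(2, "trust", "untrust", "192.168.10.0/24", "any", "FTP", "permit"),
    ]


# Constructed flows: PC2 (.2) and PC3 (.3) opening FTP to a server at 203.0.113.21.
PC2_FTP = Flow("trust", "untrust", "192.168.10.2", "203.0.113.21", "FTP")
PC3_FTP = Flow("trust", "untrust", "192.168.10.3", "203.0.113.21", "FTP")

if __name__ == "__main__":
    policy = build_policy()
    print("PC2 ->", evaluate(policy, PC2_FTP))   # ('deny', 1): rule 1 is hit first
    print("PC3 ->", evaluate(policy, PC3_FTP))   # ('permit', 2)
    move_rule(policy, 2, "top")                  # same rules, different order ...
    print("PC2 ->", evaluate(policy, PC2_FTP))   # ('permit', 2): rule 1 is now shadowed
    print("hits:", {r.rule_id: r.hits for r in policy})
```

The point the model makes visible is that moving the broad permit above the specific deny silently shadows the deny; the hit counter on rule 1 stops growing, which is exactly what the Policy Hit Count view is there to reveal.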
Object
• Object includes:
- Address Book
- Host Book
- Service Book
- APP Book
- Schedule
- AAA server, User and Role
- Track Object
Configure Address Book (WebUI)
Object > Address Book, click 『New』
Host Book
Object > Host Book, click 『New』. Regular expressions are also supported.
Service Book (WebUI)
Object > Service Book > Service
The predefined services can be viewed here.
User-defined Service Group(WebUI)
Application Book
• Object > APP Book > Application
You can view or edit the predefined applications; the predefined applications are updated online automatically.
Apply Schedule to a Policy Rule
Click Security > Security Policy, then click 『New』 to create a policy rule that blocks game applications from the trust zone to the untrust zone within the specified schedule.
Advanced Policy Configuration
Check / Move the Policy Position
Policy > Security Policy
To move a policy rule, in the policy rule configuration mode, use the following command:
move id {top | bottom | before id | after id}
Policy Hit Count
• Hit statistics for each policy rule, which can be used to judge whether the rule is effective.
Policy Import/Export
• Only the DAT format is supported.
Session Displayed in Policy
• Session details can be viewed from the policy.
Stateful Inspection Technology(Session)
SG-6000# show session
Device: max 100000, alloc 32, deny session 0, free 99968, tunnel 0, alloc failed 0
================================================================
session: id 6, proto 6, flag a, flag1 20000, created 28309, life 1641, policy 2,app 93(HTTPS) flag 0x0,
auth_user_id 0, reverse_auth_user_id 0
flow0(19(ethernet0/7)/40200810): 1.1.1.20:56606->40.100.2.98:443
flow1(16(ethernet0/4)/200810): 40.100.2.98:443->200.0.0.10:56606
• A session is the state of a connection between two parties as seen by the firewall; one session corresponds to one connection. The collection of all sessions on a firewall is called the session table.
• A session is created for the first packet of a connection; subsequent packets look up and match the existing session.
• Session includes:
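An added example, not from the course material: a small Python parser for the 『show session』 output shown above, using the slide's own sample output as input. The regular expressions assume the field layout seen in that sample (IPv4 addresses, the 『policy N,app M(NAME)』 spacing) and may need adjusting for other firmware versions; the NAT inference is the reviewer's reading of the two flow lines, not a documented field.

```python
import re

# The 'show session' output from the slide, embedded so the example runs offline.
SAMPLE = """\
Device: max 100000, alloc 32, deny session 0, free 99968, tunnel 0, alloc failed 0
================================================================
session: id 6, proto 6, flag a, flag1 20000, created 28309, life 1641, policy 2,app 93(HTTPS) flag 0x0,
auth_user_id 0, reverse_auth_user_id 0
flow0(19(ethernet0/7)/40200810): 1.1.1.20:56606->40.100.2.98:443
flow1(16(ethernet0/4)/200810): 40.100.2.98:443->200.0.0.10:56606
"""

# One session header line; the trailing "flag 0x0," is ignored.
SESSION_RE = re.compile(
    r"session: id (?P<id>\d+), proto (?P<proto>\d+), flag (?P<flag>\w+), flag1 (?P<flag1>\w+), "
    r"created (?P<created>\d+), life (?P<life>\d+), policy (?P<policy>\d+),\s*"
    r"app (?P<app_id>\d+)\((?P<app>[^)]+)\)")

# One flow line: flowN(ifindex(ifname)/flags): src:sport->dst:dport  (IPv4 assumed)
FLOW_RE = re.compile(
    r"flow(?P<n>\d)\((?P<ifindex>\d+)\((?P<ifname>[^)]+)\)/(?P<flags>[0-9a-fA-F]+)\): "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)")

_INT_FIELDS = ("id", "proto", "created", "life", "policy", "app_id")


def parse_show_session(text: str) -> list:
    """Return a list of session dicts, each with a 'flows' list, from 'show session' text."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            current = {k: (int(v) if k in _INT_FIELDS else v) for k, v in m.groupdict().items()}
            current["flows"] = []
            sessions.append(current)
            continue
        m = FLOW_RE.match(line)
        if m and current is not None:
            flow = m.groupdict()
            for k in ("n", "ifindex", "sport", "dport"):
                flow[k] = int(flow[k])
            current["flows"].append(flow)
    return sessions


def translated_source(session: dict):
    """Address the session's source was translated to, or None if untranslated.
    flow0 is the forward direction and flow1 the reverse; the reverse flow's
    destination is the address the peer replies to, so if it differs from
    flow0's source the firewall applied source NAT (inference, see lead-in)."""
    flows = {f["n"]: f for f in session["flows"]}
    if 0 not in flows or 1 not in flows:
        return None
    fwd, rev = flows[0], flows[1]
    return rev["dst"] if rev["dst"] != fwd["src"] else None


def sessions_for_policy(sessions: list, policy_id: int) -> list:
    """Session IDs created by a given policy rule: links the session table back to the rule."""
    return [s["id"] for s in sessions if s["policy"] == policy_id]


if __name__ == "__main__":
    for s in parse_show_session(SAMPLE):
        print(f"session {s['id']}: policy {s['policy']}, app {s['app']}, "
              f"life {s['life']}s, SNAT -> {translated_source(s)}")
        for f in s["flows"]:
            print(f"  flow{f['n']} on {f['ifname']}: {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}")
```

Reading the table this way is how an operator confirms that a rule behaves as intended: sessions_for_policy() answers "which live connections did rule 2 permit", and the flow pair shows the interfaces and any translation each connection passed through.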
Policy Configuration (CLI)
Configure Policy Rule (CLI)
• To enter the policy configuration mode, in global configuration mode, use the following command:
policy-global
• After entering the policy configuration mode, to create a policy rule, use the following command:
rule [id id] [top | before id | after id] [role {UNKNOWN | role-name} | user aaa-server-name user-name | user-group aaa-server-name user-group-name] from src-addr to dst-addr service service-name {permit | deny | tunnel tunnel-name | fromtunnel tunnel-name | webauth | portal-server}
• id id - Specifies the ID of the policy rule. If not specified, the system automatically assigns an ID to the policy rule.
• top | before id | after id - Specifies the position of the policy rule. By default, a newly created policy rule is placed at the end of all the rules.
• from src-addr - Specifies the source address of the policy rule.
• to dst-addr - Specifies the destination address of the policy rule.
• service service-name - Specifies the service name of the policy rule.
• permit | deny | tunnel tunnel-name | fromtunnel tunnel-name | webauth aaa-server | portal-server - Specifies the action of the policy rule.
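An added example (not part of the course material) that parses the 『rule』 command syntax above into a structure and flags over-broad rules before they are committed; the address-book names, AAA server name and tunnel name in the sample commands are constructed. The slide shows 『webauth』 both bare and with an aaa-server argument, so the parser accepts either form.

```python
_NO_ARG_ACTIONS = ("permit", "deny", "portal-server")
_NAMED_ACTIONS = ("tunnel", "fromtunnel")


def parse_rule_command(cmd: str) -> dict:
    """Parse one 'rule ...' line following the syntax on the slide.
    Raises ValueError on malformed input instead of guessing."""
    t = cmd.split()
    if not t or t[0] != "rule":
        raise ValueError("command must start with 'rule'")
    i = 1

    def take(n):
        # Consume n tokens or fail with the keyword that was left dangling.
        nonlocal i
        if i + n > len(t):
            raise ValueError(f"unexpected end of command after {t[i - 1]!r}")
        vals = t[i:i + n]
        i += n
        return vals

    rule = {"id": None, "position": None, "who": None, "src": None,
            "dst": None, "service": None, "action": None, "action_arg": None}

    if i < len(t) and t[i] == "id":                       # [id id]
        take(1)
        rule["id"] = int(take(1)[0])
    if i < len(t) and t[i] == "top":                      # [top | before id | after id]
        take(1)
        rule["position"] = ("top", None)
    elif i < len(t) and t[i] in ("before", "after"):
        pos = take(1)[0]
        rule["position"] = (pos, int(take(1)[0]))
    if i < len(t) and t[i] == "role":                     # [role ... | user ... | user-group ...]
        take(1)
        rule["who"] = ("role", take(1)[0])
    elif i < len(t) and t[i] in ("user", "user-group"):
        kind = take(1)[0]
        server, name = take(2)
        rule["who"] = (kind, server, name)
    for kw, key in (("from", "src"), ("to", "dst"), ("service", "service")):
        if take(1)[0] != kw:
            raise ValueError(f"expected '{kw}'")
        rule[key] = take(1)[0]
    action = take(1)[0]
    if action in _NO_ARG_ACTIONS:
        pass
    elif action in _NAMED_ACTIONS:
        rule["action_arg"] = take(1)[0]
    elif action == "webauth":
        if i < len(t):                                     # optional aaa-server name
            rule["action_arg"] = take(1)[0]
    else:
        raise ValueError(f"unknown action {action!r}")
    rule["action"] = action
    if i != len(t):
        raise ValueError(f"trailing tokens: {t[i:]}")
    return rule


def audit_rule(rule: dict) -> list:
    """Review findings for a parsed rule (constructed checks, not a vendor feature)."""
    findings = []
    if rule["action"] == "permit":
        if rule["src"] == "any" and rule["dst"] == "any" and rule["service"] == "any":
            findings.append("permit any->any on any service: rule allows all traffic")
        elif rule["service"] == "any":
            findings.append("permit on service 'any': restrict to the services actually required")
        if rule["position"] == ("top", None):
            findings.append("permit inserted at top: it is evaluated before every existing deny")
    return findings


if __name__ == "__main__":
    for cmd in ("rule id 10 top from any to any service any permit",
                "rule before 10 user-group ad-srv staff from lan-net to ftp-srv service FTP tunnel vpn1"):
        parsed = parse_rule_command(cmd)
        print(parsed)
        for finding in audit_rule(parsed) or ["no findings"]:
            print("  -", finding)
```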
Configure Policy Rule (Cont.)
• show policy [id id] [from src-zone] [to dst-zone]
• id id – Shows the detailed information of the specified policy rule.
• from src-zone – Shows the detailed information of the policy rule whose source
security zone is the specified zone.
• to dst-zone – Shows the detailed information of the policy rule whose destination
security zone is the specified zone.
Questions
1. What are the basic elements of a policy rule?
2. What actions does the policy rule support?
3. What is the matching sequence of policy rules?
4. What is the default policy for the interfaces within same security zone?
5. What is the supported file format for policy import?
LAB
[Lab topology figure: FW1, FW2 and FW3 with interfaces E0/1, E0/2 and E0/3 in L3-trust and L3-untrust zones; PC1 (192.168.1.1) and PC2 (192.168.2.21/24); addresses shown: 192.168.1.254/24, 192.168.13.1/24, 192.168.13.3/24, 192.168.2.254/24, 182.168.12.1/24, 182.168.12.2/24, 192.168.23.2/24, 192.168.23.3/24; one link marked X]
Thanks