
Chapter 8 – Security Policy

HCSA-NGFW 2022

Contents
1 Security Policy Basis
2 Object
3 Advanced Policy Configuration
4 Policy Configuration (CLI)

Security Policy Basis
Security Policy
• Security policy is the basic function of a network security appliance.

• A policy is designed to control traffic forwarding between security zones/segments.
– By default, Hillstone devices deny all traffic between security zones/segments.

• Based on its rules, the policy identifies which flows between security zones or segments are permitted and which are denied.

www.hillstonenet.com
Basic Elements of Policy Rules
• Policy filtering conditions:
– Source Zone/Address – The source zone/address of the traffic.
– Destination Zone/Address – The destination zone/address of the traffic.
– Service – The service type of the traffic.
– *User
– *Application

• Action:
– Permit
– Deny
– WebAuth
– Tunnel / From tunnel
– Portal Server

Policy Filtering Condition and Action
Policy > Security Policy, click 『New』 to create a policy.
[Topology: PC User (192.168.10.10) -> Eth0/1 (trust) | firewall | Eth0/4 (untrust) -> Internet -> Web server www.hillstonenet.com]

Policy Position
• Policy > Security Policy, edit a policy rule and click 『Options』 to change the position of this policy.

Matching Sequence of Policy Rules
• The first packet of a flow is matched against the policy rules.

• Matching sequence of policy rules:
- When traffic flows into a Hillstone device, the device queries the policy rules in list order (from top to bottom, not by policy ID) and processes the traffic according to the first matched rule.

• The default policy rule denies all the traffic.
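To make the matching sequence concrete, here is an added example (not Hillstone code or the device's algorithm) of a first-match lookup over a constructed rule list whose list order deliberately differs from its ID order, ending in the implicit default deny; the zones, addresses and services are constructed.

```python
"""First-match security-policy lookup modelled on the matching sequence above.
Added example, not Hillstone code: list position decides, not the policy ID."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    rid: int          # policy ID; does NOT decide precedence
    src_zone: str
    dst_zone: str
    src: str          # CIDR or "any"
    dst: str
    service: str      # e.g. "tcp/21", "icmp", or "any"
    action: str       # "permit" or "deny"

def _addr_ok(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern)

def _svc_ok(pattern: str, svc: str) -> bool:
    return pattern == "any" or pattern == svc

def matches(rule, src_zone, dst_zone, src, dst, svc) -> bool:
    return (rule.src_zone == src_zone and rule.dst_zone == dst_zone
            and _addr_ok(rule.src, src) and _addr_ok(rule.dst, dst)
            and _svc_ok(rule.service, svc))

def lookup(rules, src_zone, dst_zone, src, dst, svc):
    """Walk the list top to bottom; the first match wins, otherwise default deny.
    Returns (action, matched policy ID, list position)."""
    for position, rule in enumerate(rules, start=1):
        if matches(rule, src_zone, dst_zone, src, dst, svc):
            return rule.action, rule.rid, position
    return "deny", None, None   # implicit default policy rule

# Constructed rule list in list order. Note ID 4 sits ABOVE ID 2, so a deny
# on FTP from the /24 is evaluated before the permit-all for the PC .10.
RULES = [
    Rule(4, "trust", "untrust", "192.168.10.0/24", "any", "tcp/21", "deny"),
    Rule(2, "trust", "untrust", "192.168.10.10/32", "any", "any", "permit"),
    Rule(1, "trust", "untrust", "any", "any", "tcp/80", "permit"),
]

if __name__ == "__main__":
    # FTP from PC .10 hits ID 4 (deny) although ID 2 below would permit it
    print(lookup(RULES, "trust", "untrust", "192.168.10.10", "203.0.113.5", "tcp/21"))
    # HTTPS from PC .10 skips ID 4 (service differs) and hits ID 2
    print(lookup(RULES, "trust", "untrust", "192.168.10.10", "203.0.113.5", "tcp/443"))
    # Untrust -> trust matches nothing: default deny
    print(lookup(RULES, "untrust", "trust", "203.0.113.5", "192.168.10.10", "tcp/22"))
```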

Matching Sequence Example
According to the network topology below, can the PC access the FTP server? Which policy rule will be matched?
[Topology: PC2 (.2) and PC3 (.3) in 192.168.10.0/24 -> E0/1 (trust, .1) | firewall | E0/4 (untrust) -> Internet -> FTP Server]
Object
Object
• Objects include:
- Address Book
- Host Book
- Service Book
- APP Book
- Schedule
- AAA Server, User and Role
- Track Object

• We will introduce the top 5 objects here.

Configure Address Book (WebUI)
Object > Address Book, click 『New』

Host Book
Object > Host Book, click 『New』. Regular expressions are also supported.

Service Book (WebUI)
Object > Service Book > Service
The predefined services can be viewed here.

CLI: show service predefined


User-defined Service (WebUI)

User-defined Service Group (WebUI)

Application Book
• Object > APP Book > Application
You can view or edit the predefined applications; the predefined applications are updated online automatically.

CLI: show application predefined


Schedule
• A schedule includes: Days and Timeframe

• A schedule controls when certain functions take effect, for example allowing a policy rule to take effect only in a specified time window, controlling the duration of the connection between a PPPoE interface and the Internet, or being referenced by QoS.

• The system time must be set correctly before using schedules.
Create a Schedule
Object > Schedule. Click 『New』 to create a schedule.

Apply Schedule to a Policy Rule
Click Security > Security Policy. Click 『New』 to create a policy rule which blocks game applications from the trust zone to the untrust zone within the specified schedule.

Advanced Policy Configuration
Check / Move the Policy Position
Policy > Security Policy

To move a policy rule, in the policy rule configuration mode, use the following command:
move id {top | bottom | before id | after id}

Policy Hit Count
• Statistics of policy usage, which can be used to judge the validity of a policy.

SG-6000# show policy hit-count

Most hit policy rules:
====================================================================
No. Id Name Src-zone Dst-zone Src-addr Dst-addr Service Applica~ Action Hit-count
--------------------------------------------------------------------
1 2 vpn trust untrust vpn branch1 Any PERMIT 1053
2 3 office trust untrust prov .. dmz Any PERMIT 579
3 4 untrust trust dmz Any Any PERMIT 0
4 1 Any Any Any Any Any PERMIT 1012
5 dft Any Any 0
====================================================================
Policy Redundancy Check
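One way such a redundancy check can be implemented, as an added example that is not the device's own algorithm: a rule is reported as shadowed when an earlier rule in list order already covers every packet it could match, which is also why such a rule stays at 0 in show policy hit-count. The rule list is constructed.

```python
"""Static redundancy (shadowing) check over an ordered policy list. Added
example, not Hillstone's implementation: a rule is redundant when an earlier
rule already covers every packet it could match, so it is never hit."""
from ipaddress import ip_network
from typing import List, NamedTuple, Tuple

class Rule(NamedTuple):
    rid: int
    src_zone: str
    dst_zone: str
    src: str       # CIDR or "any"
    dst: str
    service: str   # e.g. "tcp/443" or "any"
    action: str

def _addr_covers(outer: str, inner: str) -> bool:
    # True if every address matched by `inner` is also matched by `outer`
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner).subnet_of(ip_network(outer))

def _svc_covers(outer: str, inner: str) -> bool:
    return outer == "any" or outer == inner

def covers(earlier: Rule, later: Rule) -> bool:
    return (earlier.src_zone == later.src_zone
            and earlier.dst_zone == later.dst_zone
            and _addr_covers(earlier.src, later.src)
            and _addr_covers(earlier.dst, later.dst)
            and _svc_covers(earlier.service, later.service))

def redundant_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (shadowed_id, shadowing_id) pairs, walking the list in order."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append((later.rid, earlier.rid))
                break                  # first shadowing rule is enough
    return findings

# Constructed list in list order (not ID order). The deny ID 4 can never be hit:
# ID 2 above it already permits all trust->untrust traffic from the /24.
RULES = [
    Rule(3, "trust", "untrust", "10.0.0.0/8", "any", "tcp/22", "deny"),
    Rule(2, "trust", "untrust", "192.168.10.0/24", "any", "any", "permit"),
    Rule(4, "trust", "untrust", "192.168.10.5/32", "any", "tcp/443", "deny"),
    Rule(1, "untrust", "trust", "any", "any", "tcp/443", "permit"),
]
```

Run redundant_rules(RULES) to obtain the shadowed/shadowing ID pairs; moving the deny above the permit with the move command from the previous slide clears the finding.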

Policy Import/Export
• Only the DAT format is supported.

Session Displayed in Policy
• Session details can be checked from the policy.

Stateful Inspection Technology (Session)
SG-6000# show session
Device: max 100000, alloc 32, deny session 0, free 99968, tunnel 0, alloc failed 0
================================================================
session: id 6, proto 6, flag a, flag1 20000, created 28309, life 1641, policy 2,app 93(HTTPS) flag 0x0,
auth_user_id 0, reverse_auth_user_id 0
flow0(19(ethernet0/7)/40200810): 1.1.1.20:56606->40.100.2.98:443
flow1(16(ethernet0/4)/200810): 40.100.2.98:443->200.0.0.10:56606

• A session is the state of a connection between two parties on the firewall; one session corresponds to one connection between two sides. The collection of all sessions on a firewall is called the session table.

• A session is created for the first packet; the following packets are looked up against and matched to the existing session.

• A session includes:
Source address, Source port, Destination address, Destination port, Protocol, Application, User
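As an added example (not Hillstone code), a minimal session table that behaves as described: the first packet consults policy and installs a session indexed in both directions, and every later packet of the connection matches the session without a policy lookup. The addresses are taken from the show session output above; that 1.1.1.20 was translated to 200.0.0.10 is inferred from flow1's destination, and the policy decision is a constructed stub.

```python
"""Session table for the stateful inspection described above (added example,
not Hillstone code): the first packet consults policy and installs a session;
later packets in either direction match the session directly."""
from typing import Callable, Dict, NamedTuple, Optional

class FlowKey(NamedTuple):
    proto: int
    src: str
    sport: int
    dst: str
    dport: int

class Session(NamedTuple):
    sid: int
    policy: int
    flow0: FlowKey   # client -> server
    flow1: FlowKey   # server -> (translated) client, the reverse direction

class SessionTable:
    def __init__(self, policy_lookup: Callable[[FlowKey], Optional[int]]):
        self._by_flow: Dict[FlowKey, Session] = {}
        self._policy_lookup = policy_lookup
        self._next_id = 1
        self.policy_lookups = 0   # how often policy was actually consulted

    def handle(self, pkt: FlowKey, snat_ip: Optional[str] = None):
        """Return (session, created); (None, False) when policy denies."""
        hit = self._by_flow.get(pkt)
        if hit is not None:                 # later packet: session match, no policy
            return hit, False
        self.policy_lookups += 1
        policy = self._policy_lookup(pkt)   # first packet: policy lookup
        if policy is None:
            return None, False              # denied, nothing installed
        # Reverse flow is keyed on the translated source if SNAT applied.
        reverse = FlowKey(pkt.proto, pkt.dst, pkt.dport, snat_ip or pkt.src, pkt.sport)
        sess = Session(self._next_id, policy, pkt, reverse)
        self._next_id += 1
        self._by_flow[pkt] = sess           # index both directions
        self._by_flow[reverse] = sess
        return sess, True

# Constructed policy: permit TCP/443 under policy id 2, deny everything else.
def demo_policy(pkt: FlowKey) -> Optional[int]:
    return 2 if pkt.proto == 6 and pkt.dport == 443 else None

# Addresses from this slide's `show session` output; SNAT 1.1.1.20 -> 200.0.0.10 inferred from flow1.
TABLE = SessionTable(demo_policy)
CLIENT_SYN = FlowKey(6, "1.1.1.20", 56606, "40.100.2.98", 443)
SERVER_REPLY = FlowKey(6, "40.100.2.98", 443, "200.0.0.10", 56606)
```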

Policy Configuration (CLI)
Configure Policy Rule (CLI)
• To enter the policy configuration mode, in global configuration mode, use the following command:
policy-global
• After entering the policy configuration mode, to create a policy rule, use the following command:
rule [id id] [top | before id | after id] [role {UNKNOWN | role-name} | user aaa-server-name user-name | user-group aaa-server-name user-group-name] from src-addr to dst-addr service service-name {permit | deny | tunnel tunnel-name | fromtunnel tunnel-name | webauth | portal-server}

• id id – Specifies the ID of the policy rule. If not specified, the system automatically assigns an ID to the policy rule.
• top | before id | after id – Specifies the position of the policy rule. By default, a newly created policy rule is placed at the end of all the rules.
• from src-addr – Specifies the source address of the policy rule.
• to dst-addr – Specifies the destination address of the policy rule.
• service service-name – Specifies the service name of the policy rule.
• permit | deny | tunnel tunnel-name | fromtunnel tunnel-name | webauth aaa-server | portal-server – Specifies the action of the policy rule.

Configure Policy Rule (Cont.)
• show policy [id id] [from src-zone] [to dst-zone]
• id id – Shows the detailed information of the specified policy rule.
• from src-zone – Shows the detailed information of the policy rule whose source security zone is the specified zone.
• to dst-zone – Shows the detailed information of the policy rule whose destination security zone is the specified zone.

• Another way to configure a policy rule:
rule from any to any from-zone trust to-zone untrust service any permit

Questions
1. What are the basic elements of a policy rule?
2. What actions does the policy rule support?
3. What is the matching sequence of policy rules?
4. What is the default policy for the interfaces within the same security zone?
5. What is the supported file format for policy import?

LAB
[Lab topology, recovered from the figure: FW1 E0/1 L3-trust 192.168.1.254/24 to PC1 192.168.1.1; FW1 E0/2 L3-untrust 192.168.13.1/24; FW1 E0/3 L3-untrust 182.168.12.1/24. FW2 E0/1 L3-untrust 182.168.12.2/24; FW2 E0/2 L3-untrust 192.168.23.2/24. FW3 E0/2 L3-untrust 192.168.13.3/24; FW3 E0/3 L3-untrust 192.168.23.3/24; FW3 E0/1 L3-trust 192.168.2.254/24 to PC2 192.168.2.21/24. An X mark appears beside FW2.]

• PC1 can ping PC2
• PC2 can RDP access PC1
• Log verify

Thanks
