SonicOS/X 7 About SonicOS and SonicOSX

Technical Documentation>  Features Specific to SonicOSX>  About Unified Policies in SonicOSX
Table of Contents

About Unified Policies in SonicOSX

SonicOSX 7 introduces a new, redesigned unified policy configuration workflow combining Layer 2 to Layer 7 policy enforcement for security policies and optimizing the workflow for other policy types. This unified policy workflow gathers many security settings into one place, which were previously configured on different pages of the SonicOSX management interface. The benefits of this new approach also include improved reporting, auditing and logging, better diagnostics, monitoring and debugging, and faster loading and searching of rules and objects in the management interface.

All rules are manually created by administrators, there are no automatic or system-added rules.

Priority characteristics of rules:

  • Rules are applied in the order of priority, as shown by the rule order in the policy table.
  • Rules are created at a certain priority.
  • No automatic priority of rules.

A policy is defined by a group of rules that are applied to do a certain job. SonicOSX provides six policy types based on their characteristics, of which four are introduced in SonicOSX 7 and the others are improved and enhanced over previous implementations.

The following new policy types consolidate and reorganize policy configuration for improved logic and efficiency:

  • Security Policy

    Security Policy configuration unifies elements that were configured independently in previous versions of SonicOS. A Security Policy consists of one or more rules that apply security services to traffic. Each security rule merges the following security settings:

    • Access Rules
    • App Rules
    • App Control
    • Content Filter
    • Botnet Filter
    • Geo-IP Filter
    • Intrusion Detection and Prevention
    • Anti-Virus
    • Anti-Spyware

    Adding a security rule, first screen

    Adding a security rule, second screen

  • Decryption Policy

    In SonicOSX, DPI-SSLand DPI-SSH settings are converted into decryption rules that define which SSL/TLS traffic should be decrypted. DPI-SSL and DPI-SSH settings are only configurable within decryption rules. You have granular control over what needs to be decrypted and how.

    Adding a decryption rule, first screen

    Adding a decryption rule, second screen

  • DoS Policy

    DoS rules define which traffic can cause Denial of Service and how to protect the system from such attacks. DoS rule configuration provides a unified workflow that includes connection limiting settings and all the settings to protect against Flood attacks (UDP/TCP-syn/ICMP floods), Smurf attacks, LAND (Local Area Network Denial) attacks and other denial of service attacks. These settings are no longer configured from various pages of the management interface as in versions prior to 7.0.

    Adding a DoS rule

  • Endpoint Policy

    Endpoint rules provide client security settings that apply to traffic on the specified zone. These rules combine settings for the zone, inclusion and exclusion addresses, and an enforcement profile that controls grace period and bypass settings for guest users. At least one client security service must be licensed before endpoint rules can be configured.

    Adding an Endpoint rule

The following two policy types are carried forward from earlier versions of SonicOS with minor enhancements:

  • NAT Policy

    NAT rules define which traffic needs to be translated and how.

  • Route Policy

    Routing rules define how traffic should be routed.

Traffic is defined by match criteria. Each policy type has its own set of match criteria. Each rule defines the specific criteria to match, and defines an associated action. Actions are defined in an Action Profile. Some policy types do not need an action profile, such as Decryption Policy.

In summary, a policy is a set of rules and each rule is defined by match criteria and has an action and/or action profile.

The SonicOSX unified policy redesign provides additional enhancements, including:

  • Enhanced rules and policy processing engine for Security, NAT, Route, Decryption, DoS, and Endpoint policies:

    SonicOSX Rules and Policies left nav

  • SonicOSX policy rules can scale up to 8KB (8192 bytes) in size to accommodate the additional configuration data.
  • Rule configuration is intuitive with a simplified view, even with all the merged settings.
  • Relevant objects and action profiles for individual components are selected within the workflow.
  • Policy cloning is available.
  • In-cell editing capability can be used from within the policies table.
  • Shadow policy views allow analysis for Security, NAT, Route, Decryption, and DoS policy sets.
  • Simplified and advanced policy views for policy management:
    • Policy grid column customizations for simple and advanced use cases
    • Rule grouping
  • Rule statistics:
    • Used vs unused rules
    • Active vs inactive rules
    • Hit counts and bandwidth consumption