Security Policy

To configure Security Policy rules, the service or service group that the policy applies to must first be defined. If it is not, you can define the service or service group and then create one or more rules for it.

The following procedure describes how to add, modify, reset to defaults, or delete Security Policy rules for firewalls running SonicOS. Paginated navigation and sorting by column header is supported on the Security Policy screen. In the Security Policy table, you can click the column header to use for sorting. An arrow is displayed to the right of the selected column header. You can click the arrow to reverse the sorting order of the entries in the table.

By hovering your mouse over icons on the Security Policy page, you can display information about criteria, such as an Source Port or Service.

IPv6 is supported for Security Policy. Search for IPv6 Security Policies in the Security Policy Search section. A list of results displays in a table.

From there you can click the Configure icon for the Security Policy you want to edit. The IPv6 configuration for Security Policy is almost identical to IPv4.

To configure a Security Policy

1. Navigate to POLICY | Rules and Policies > Security Policy. The Security Policy page displays. The POLICY | Rules and Policies > Security Policy page enables you to select multiple configuration screens for your security policies.

2. From the bottom of the Security Policy table, click +Add (Top or Bottom). The Adding Rule dialog displays.

3. Or, under the Configure column, click the Edit icon for the source and destination zones or interfaces for which you are configuring a rule. The Editing Rule page for that zone/interface pair displays.

   

   

4. In the top view, enter or edit the policy Name and any identifying Tags you would like to enter to help sort your policies.
5. Enter a Description of the policy and its intent.

6. Select an Action, whether to Allow, Deny, or Discard access.

   If a policy has a “No-Edit” policy action, the Action settings are not editable.

7. Specify the IP version in Type, IPv4 or IPv6.

8. Set your Security Policy's Priority.

   Higher numbers indicate lower priority. The lowest priority rule is the final/default rule applied to matching traffic (traffic matching the defined attributes) when no higher priority rules apply. Lower priority rules should be more general than rules with higher priorities.
   If a higher priority rule does not match all the attributes, then the next rule is evaluated to see if it applies, all the way down the list of rules. Rules with more specific matching attributes need to be set at a higher priority or else a more general rule could match before that specific rule is evaluated.
   

9. Specify when the rule is applied by selecting a schedule or Schedule Group from the Schedule drop-down menu. If the rule is always applied, select Always On. If the schedule does not exist, refer to Configuring Schedules.
10. Click Enable to activate the policy schedule and enable logging.
11. In the Source/Destination view, select the Source and Destination zones, and network address objects, and port/services for each from the drop-down menus.
• There are no default zones. Any is supported for both zone fields.
12. For the Port/Services object in the Port/Services drop-down menus, if the service does not exist, refer to Configuring Service Objects.
13. Under Users, specify if this rule applies to all users or to an individual user or group in the Include drop-down menu. You can exclude users as well using the Exclude drop-down menu.

14. Under GEO Country, indicate a (From/To) Country from the drop-down menu.

15. To validate the rule you have set up, click Validate and verify your settings before proceeding. You can click through the tabs to see details on duplicate firewalls, and any firewalls shadowed by this rule.

    

16. Click Add or Save, and continue with App/URL/Custom Match and Action Profile.