Configuring Access rules

Access rules filter traffic by defining matching criteria and an action that is applied to packets that match all criteria defined in the rule.

IPv4 Access rules are configured on the IPv4 Access tab, and IPv6 Access rules are configured on the IPv6 Access tab inside the following elements:
  • Firewall Policy
  • IPS Policy
  • Layer 2 Firewall Policy
  • Layer 2 Interface Policy
  • Template Policy
  • Sub-Policy
You can create new Access rules in the Policy Editing View. You can also create IPS and Layer 2 Firewall Access rules from one or more selected log entries in the Logs view (this is available for IPS and Layer 2 Firewall IPv6 Access rules, but not for Firewall IPv6 Access rules).

Before starting to build policies, make sure that you understand the network element types available and how you can use them efficiently to define the resources that you want to protect and control.

Configuring Firewall Access rules

Figure: Newly inserted Firewall IPv4 Access Rule - Main cells

  1. Mandatory cells for matching traffic
  2. Engine applies this Action when it finds a match

This illustration shows an Access rule that has just been inserted into the policy. The matching cells are set to <None> and the action is set to Discard. These defaults prevent the rule from having any effect if a rule is added to the policy accidentally. It is not necessary to edit all cells in each rule. However, the mandatory cells for traffic matching (Source, Destination, and Service) must be set to some value other than <None> for the rule to be valid. The Source VPN cell is also matched against traffic in the inspection process, but it can be left empty to match all traffic. The other editable cells specify further conditions and options, such as logging.

The following illustration shows the types of elements that you can use in IPv4 and IPv6 Access rules.

Figure: Elements in Firewall Access rules



Configuring IPS and Layer 2 Firewall Access rules

Figure: Newly inserted IPS or Layer 2 Firewall Access Rule - Main cells

  1. Mandatory cells for matching traffic
  2. Engine applies this Action when it finds a match

This illustration shows an Access rule that has just been inserted into the policy. The matching cells are set to <None> so that the rule does not affect traffic if a rule is added to the policy accidentally. It is not necessary to edit all cells in each rule, but the mandatory cells for traffic matching (Source, Destination, and Service) must be set to some value other than <None> for the rule to be valid. The Logical Interface cell is also matched against traffic, but you do not need to change its value if the rule is to apply regardless of the interface. The other editable cells specify further conditions and options for handling connections that match the cells used for traffic matching.
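To make the matching semantics described for both rule types concrete, here is an added Python model (example code written for this page, not part of this guide and not Forcepoint SMC code). It shows the three rules the text states: a rule whose mandatory cells are still <None> is invalid and never matches, so the Discard default is harmless; an empty Source VPN or Logical Interface cell matches all traffic, while a populated one must match; and the first valid rule whose cells all match supplies the action. The element names, address ranges, service names, the `Packet` fields and the implicit final Discard for unmatched traffic are constructed assumptions for illustration only.

```python
"""Model of Access rule cell matching: <None> cells, optional cells, first match.

Added example, not SMC code. ELEMENTS, the sample rules, the Packet shape and
the implicit final discard are constructed assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

NONE = None   # models the <None> cell value of a newly inserted rule
ANY = "ANY"   # models the ANY network / ANY service element

# Constructed element table: network element name -> address range it represents
ELEMENTS: Dict[str, ipaddress.IPv4Network] = {
    "Internal Network": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
    "Branch Office": ipaddress.ip_network("10.9.0.0/16"),
}


@dataclass(frozen=True)
class Packet:
    """Simplified view of a connection as the engine sees it (constructed)."""
    src: str
    dst: str
    service: str
    source_vpn: Optional[str] = None          # Firewall: VPN the connection arrived through
    logical_interface: Optional[str] = None   # IPS / Layer 2 Firewall: receiving logical interface


@dataclass(frozen=True)
class AccessRule:
    # Mandatory matching cells: must not stay <None> for the rule to be valid
    name: str
    source: Optional[FrozenSet[str]] = NONE
    destination: Optional[FrozenSet[str]] = NONE
    service: Optional[FrozenSet[str]] = NONE
    # Optional matching cells: <None> / empty means "applies regardless"
    source_vpn: Optional[FrozenSet[str]] = NONE
    logical_interface: Optional[FrozenSet[str]] = NONE
    action: str = "discard"   # default of a newly inserted rule

    def is_valid(self) -> bool:
        """Source, Destination and Service must be set to something other than <None>."""
        return all(cell is not NONE for cell in (self.source, self.destination, self.service))

    def matches(self, pkt: Packet) -> bool:
        """Every matching cell must match; an invalid rule never matches any traffic."""
        if not self.is_valid():
            return False
        return (_address_matches(self.source, pkt.src)
                and _address_matches(self.destination, pkt.dst)
                and _name_matches(self.service, pkt.service)
                and _optional_matches(self.source_vpn, pkt.source_vpn)
                and _optional_matches(self.logical_interface, pkt.logical_interface))


def _address_matches(cell: FrozenSet[str], ip: str) -> bool:
    """Resolve the network elements in the cell and test the address against them."""
    if ANY in cell:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ELEMENTS[name] for name in cell)


def _name_matches(cell: FrozenSet[str], value: str) -> bool:
    return ANY in cell or value in cell


def _optional_matches(cell: Optional[FrozenSet[str]], value: Optional[str]) -> bool:
    """Optional cell left at <None> or empty matches everything; otherwise exact match."""
    if cell is NONE or not cell:
        return True
    return value in cell


def evaluate(rules: List[AccessRule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins. Unmatched traffic hits an assumed implicit Discard."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, rule.action
    return "<implicit>", "discard"


# Constructed sample policy: an untouched new rule, a web rule, a VPN-restricted rule
NEW_RULE = AccessRule(name="New rule")   # all cells <None>, action Discard
ALLOW_WEB = AccessRule(
    name="Allow web", source=frozenset({"Internal Network"}), destination=frozenset({ANY}),
    service=frozenset({"HTTP", "HTTPS"}), action="allow")
BRANCH_TO_DMZ = AccessRule(
    name="Branch to DMZ", source=frozenset({"Branch Office"}), destination=frozenset({"DMZ"}),
    service=frozenset({"SSH"}), source_vpn=frozenset({"Branch VPN"}), action="allow")
POLICY = [NEW_RULE, ALLOW_WEB, BRANCH_TO_DMZ]

if __name__ == "__main__":
    print("new rule valid:", NEW_RULE.is_valid())
    print(evaluate(POLICY, Packet("10.1.5.5", "203.0.113.7", "HTTPS")))
    print(evaluate(POLICY, Packet("10.9.1.1", "192.0.2.10", "SSH", source_vpn="Branch VPN")))
    print(evaluate(POLICY, Packet("10.9.1.1", "192.0.2.10", "SSH")))   # same flow, not via VPN
```

The same `_optional_matches` helper covers the Logical Interface cell of IPS and Layer 2 Firewall rules: leave it at <None> and the rule applies on every interface; populate it and only connections on the listed interfaces match. Note that in this model the untouched new rule is skipped entirely because it is invalid, which is exactly why the <None> and Discard defaults are safe to leave in place while you finish editing a policy.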

The following illustration shows the types of elements that you can use in IPv4 and IPv6 Access rules.

Figure: Elements in IPS and Layer 2 Firewall Access rules