The different parts of the policy editing view

The tabs and options shown in the policy editing view depend on the type of policy you are editing.

Note: Only one administrator at a time can edit a policy. Save your changes and close the policy editing view when you are finished.

All policy editing views have by default the Resources pane on the left, the rule table on the right, and the policy toolbar at the top of the page. The available elements in the Resources pane can be used as matching criteria in different rule cells. There are tabs for the different rule types that are available for each type of policy.

Figure: Policy editing view (IPv4 Access tab)
  1. Policy toolbar
  2. Rule table
  3. History for selected rule
  4. Search tool

In the Inspection Policy Editing view, there are only two tabs: Exceptions and Inspection. Global Inspection rules are configured on the Inspection tab, and exceptions to global Inspection rules on the Exceptions tab.

Figure: Inspection Policy Editing view
  1. Detailed Exceptions to the main Inspection rules
  2. The main rules tree

The policy toolbar contains tools for managing the policy.

Figure: Policy toolbar
  1. Preview the policy in read-only mode
  2. Save
  3. Save changes and install policy on engines
  4. Undo or Redo
  5. Show Inherited rules passed down from higher-level templates
  6. Automatic validation finds rules that are clearly incorrect
  7. A Snapshot is made at each policy installation to allow change tracking
  8. Search tool for finding rules
  9. Display the number of hits for each rule
  10. Toggle between element names and IP addresses

Policy Editing view

Use this view to edit Firewall, IPS, Layer 2 Firewall, and Layer 2 Interface Policies.

Resources pane
Resources: Use this pane to create and add elements to a policy.
Filter: Opens a search field for the selected element list.
Up: Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.
New: Opens the associated dialog box to create an element.
Tools:
  • Show Deleted Elements — Shows elements that have been moved to the Trash.
  • Text Size — Changes the text size.
Policy Toolbar
Preview and Edit: Changes between the preview (read-only) and editing views.
Save: Saves the changes.
Save and Install: Saves the changes and installs the policy on the target engine.
Note: This option is not available for Layer 2 Interface Policies.
Undo operation: Undoes the last change made.
Redo operation: Redoes the last change that was undone.
Inherited Rules: Shows inherited rules passed down from higher-level templates.
Aborts the running rule counters query: Cancels a rule counters query. This option is only available when a rule counters query is running.
Tools
Validate: Validates the rules in the policy. Opens the Validate Policy dialog box, in which you can select which issues are checked in the rules.
Compare to Policy Snapshot: Compares the policy with a previously created snapshot of the policy.
Search Rules: When selected, the Search Rules pane is shown below the rule table.
Save As: Saves a copy of the policy as a new element.
Rule Counters: Displays the number of hits for each rule.
Expand All: If you have added Rule Sections or Sub-Policies, they are all expanded.
Collapse All: If you have added Rule Sections or Sub-Policies, and they are expanded, they are all collapsed.
Text Size: Changes the text size.
Target Engine Selector: Selects the target engine for the Validate, Network Details, and Rule Counters actions.
Network Details: Toggles between element names and IP addresses.
Ethernet tab (IPS, Layer 2 Firewall, and Layer 2 Interface Policies only)
ID (Not editable): Automatically assigned ID number that indicates the order of the rules in the policy. The rules are matched against traffic in the order of the ID numbers.
Logical Interface: For IPS engines, Layer 2 Firewalls, and Layer 2 Physical Interfaces on Firewalls, traffic matches the rule based on which interface the traffic is picked up from. The same logical interface can be assigned to one or several interfaces as configured in the properties of the NGFW Engine. This cell accepts only Logical Interface elements.
Source: Elements containing the MAC addresses that the rule matches. Both the Source and the Destination defined must match the source and destination of a packet for the packet to match the rule. The Source and Destination cells accept MAC Address elements.
Destination: Elements containing the MAC addresses that the rule matches. Both the Source and the Destination defined must match the source and destination of a packet for the packet to match the rule. The Source and Destination cells accept MAC Address elements.
Service: The Services match an Ethernet frame type. The Service cell accepts Ethernet Service elements.
Action: Command for the engine to carry out when a connection matches the rule.
Logging: The options for logging.
Comment: An optional free-form comment for this rule. You can also add separate comment rows in between rules.
Rule Name: Contains a rule tag and optionally a rule name.
  • Name (Optional) — Name or description for the rule. Displayed alongside the rule tag.
  • Tag (Not editable) — Automatically assigned unique identification for the rule. Works as a link between the log entries and the rule that has generated the log entries. The rule tag consists of two parts (for example, @20.1). The first part of the tag is permanent and belongs to only that rule. The second part changes when the rule is changed. The first part and the second part are separated by a period.
Hits (Not editable): Shows the number of connections that have matched the rule. This information is only shown if you have run a Rule Counter Analysis for the policy. The cell shows “N/A” if there is no information available about the rule.
Ethernet Insert Point (Before) and Ethernet Insert Point (After): Marks the positions where rules can be added.
IPv4 Access and IPv6 Access tabs
ID (Not editable): Automatically assigned ID number that indicates the order of the rules in the policy. The rules are matched against traffic in the order of the ID numbers.
Logical Interface: For IPS engines, Layer 2 Firewalls, and Layer 2 Physical Interfaces on Firewalls, traffic matches the rule based on which interface the traffic is picked up from. The same logical interface can be assigned to one or several interfaces as configured in the properties of the NGFW Engine. This cell accepts only Logical Interface elements.
Source and Destination: A set of matching criteria that defines the IP addresses and interfaces that the rule matches. Both the Source and the Destination defined must match the source and destination of a packet for the packet to match the rule. The Source and Destination cells accept any elements in the Network Elements category, as well as User and User Group elements.
Service: A set of matching criteria that defines the service or application the rule matches. Services match a certain port, but they often also reference a Protocol for more advanced, application-layer inspection and traffic handling. The Service cell accepts Service and Service Group elements, URL Situations, Network Applications, and TLS matches.
Action: Command for the engine to carry out when a connection matches the rule. Also allows you to set options for file filtering (IPv4 only, not supported on Virtual NGFW Engines), blacklisting, connection tracking, deep inspection, rate-based DoS protection, scan detection, user responses, and VPN connections (Firewall Policy only).
Authentication (Firewall Policy only, IPv4 only): Defines whether the rule requires end users to authenticate, which end users the rule applies to when the rule requires authentication, and which authentication methods are valid for the rule.
QoS Class: The QoS Class that the engine assigns to connections that match this rule. Used in traffic prioritization and bandwidth management. The QoS Class has effect only if you set up QoS Policies.
Logging: The options for logging.
Time: The time period when the rule is applied. If this cell is left empty, the rule always applies. Double-click the cell to edit. Enter the time in UTC.
Comment: An optional free-form comment for this rule. You can also add separate comment rows in between rules.
Rule Name: Contains a rule tag and optionally a rule name.
  • Name (Optional) — Name or description for the rule. Displayed alongside the rule tag.
  • Tag (Not editable) — Automatically assigned unique identification for the rule. Works as a link between the log entries and the rule that has generated the log entries. The rule tag consists of two parts (for example, @20.1). The first part of the tag is permanent and belongs to only that rule. The second part changes when the rule is changed. The first part and the second part are separated by a period.
Source VPN (Firewall Policy only): Makes the rule match traffic based on whether it is coming from a specific VPN. If this cell is left empty, the rule matches both VPN and non-VPN traffic.
Hits (Not editable): Shows the number of connections that have matched the rule. This information is only shown if you have run a Rule Counter Analysis for the policy. The cell shows “N/A” if there is no information available about the rule.
Automatic Rules Insert Point: Marks the position of automatic rules in the policy.
Insert Point: Marks the positions where rules can be added.
Inspection tab (Not available in Layer 2 Interface Policies)
Inspection Policy: Specifies the Inspection Policy. Click Select to select an element.
File Filtering Policy: Specifies the File Filtering policy. Click Select to select an element.
IPv4 NAT and IPv6 NAT tabs (Firewall Policy only)
ID (Not editable): Automatically assigned ID number that indicates the order of the rules in the policy. The rules are matched against traffic in the order of the ID numbers.
Source and Destination: A set of matching criteria that defines the IP addresses and interfaces that the rule matches. Both the Source and the Destination defined must match the source and destination of a packet for the packet to match the rule. The Source and Destination cells accept any elements in the Network Elements category, as well as User and User Group elements.
Service: A set of matching criteria that defines the service or application the rule matches. Services match a certain port, but they often also reference a Protocol for more advanced, application-layer inspection and traffic handling. The Service cell accepts Service and Service Group elements, URL Situations, Network Applications, and TLS matches.
NAT: Specifies the translation type and options for the translation operation.
Used on: Specifies the NGFW Engine to which the rule applies.
Comment: An optional free-form comment for this rule. You can also add separate comment rows in between rules.
Rule Name: Contains a rule tag and optionally a rule name.
  • Name (Optional) — Name or description for the rule. Displayed alongside the rule tag.
  • Tag (Not editable) — Automatically assigned unique identification for the rule. Works as a link between the log entries and the rule that has generated the log entries. The rule tag consists of two parts (for example, @20.1). The first part of the tag is permanent and belongs to only that rule. The second part changes when the rule is changed. The first part and the second part are separated by a period.
Hits (Not editable): Shows the number of connections that have matched the rule. This information is only shown if you have run a Rule Counter Analysis for the policy. The cell shows “N/A” if there is no information available about the rule.
NAT Insert Point: Marks the positions where rules can be added.
Search Rules pane
Options:
  • Match All Columns — Searches rules that match all defined criteria.
  • Match Any Columns — Searches rules that match any defined criterion.
  • Do not Match ANY — Does not find rules that have ANY in a cell that is used as a search criterion.
  • Show Only Matching Rules — Shows only rules that match the search criteria in the rule table.
Next: Moves to the next search result.
Previous: Moves to the previous search result.
Clear: Clears the search fields.
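The rule-matching semantics described for the Access tabs (rules tried in ID order, Source, Destination, Service and Time all having to match, an empty or ANY cell matching everything, the Time cell interpreted in UTC) and the Search Rules options above, modelled as an added, stand-alone illustration. This is not SMC code: the rule table is constructed sample data, the CIDR-based address cells and the "tcp/443" service strings stand in for the real elements, and two assumptions are mine: an ANY cell counts as satisfying a search criterion unless Do not Match ANY is selected, and a Time window lies within a single UTC day.

```python
"""Added illustration of first-match rule evaluation and the Search Rules
options described on this page.  Not SMC code; the rule table is constructed
sample data, and ANY/time-window handling is an assumption (see lead-in)."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = "ANY"  # an ANY cell imposes no restriction on that column


@dataclass
class Rule:
    rule_id: int        # ID cell: position in the table; lower IDs are tried first
    tag: str            # Rule tag, e.g. "@20.1": permanent part, period, revision part
    source: str = ANY   # CIDR network or ANY (stands in for Network elements)
    destination: str = ANY
    service: str = ANY  # e.g. "tcp/443" (stands in for Service elements)
    action: str = "Allow"
    # Time cell, in UTC; None means the rule always applies.
    # Assumption: the window lies within one day (start < end).
    time_window: Optional[Tuple[time, time]] = None


def tag_parts(tag: str) -> Tuple[int, int]:
    """Split a rule tag into its permanent part and its revision part."""
    permanent, revision = tag.lstrip("@").split(".")
    return int(permanent), int(revision)


def _address_matches(cell: str, address: str) -> bool:
    return cell == ANY or ip_address(address) in ip_network(cell)


def _time_matches(rule: Rule, when: datetime) -> bool:
    if rule.time_window is None:
        return True
    start, end = rule.time_window
    utc_time = when.astimezone(timezone.utc).time()  # the Time cell is read in UTC
    return start <= utc_time < end


def first_match(rules: List[Rule], src: str, dst: str, svc: str,
                when: datetime) -> Optional[Rule]:
    """Return the first rule, in ID order, whose Source, Destination, Service
    and Time all match; None if no rule matches."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if (_address_matches(rule.source, src)
                and _address_matches(rule.destination, dst)
                and rule.service in (ANY, svc)
                and _time_matches(rule, when)):
            return rule
    return None


def search_rules(rules: List[Rule], criteria: Dict[str, str],
                 match_all: bool = True, do_not_match_any: bool = False) -> List[Rule]:
    """Model of the Search Rules options: match_all=True is Match All Columns,
    False is Match Any Columns; do_not_match_any=True skips rules that have ANY
    in a searched column.  Assumption: otherwise an ANY cell satisfies a criterion."""
    hits = []
    for rule in rules:
        cells = {column: getattr(rule, column) for column in criteria}
        if do_not_match_any and ANY in cells.values():
            continue
        results = [cells[c] == ANY or cells[c] == v for c, v in criteria.items()]
        if all(results) if match_all else any(results):
            hits.append(rule)
    return hits


# Constructed sample rule table (not taken from any real policy).
SAMPLE_RULES = [
    Rule(1, "@1.1", "10.0.0.0/8", "192.0.2.10/32", "tcp/443", "Allow"),
    Rule(2, "@2.3", "10.0.0.0/8", ANY, "tcp/22", "Allow",
         time_window=(time(8, 0), time(17, 0))),   # office hours, UTC
    Rule(3, "@3.1", ANY, ANY, ANY, "Discard"),       # catch-all at the end
]


def demo() -> dict:
    utc = timezone.utc
    plus_two = timezone(timedelta(hours=2))
    dst_crit = {"destination": "192.0.2.10/32"}
    return {
        "https": first_match(SAMPLE_RULES, "10.1.2.3", "192.0.2.10", "tcp/443",
                             datetime(2024, 6, 3, 9, 0, tzinfo=utc)).rule_id,
        "ssh_in_hours": first_match(SAMPLE_RULES, "10.1.2.3", "198.51.100.5", "tcp/22",
                                    datetime(2024, 6, 3, 9, 0, tzinfo=utc)).rule_id,
        "ssh_after_hours": first_match(SAMPLE_RULES, "10.1.2.3", "198.51.100.5", "tcp/22",
                                       datetime(2024, 6, 3, 18, 0, tzinfo=utc)).rule_id,
        # 18:30 local time at UTC+2 is 16:30 UTC, still inside the window
        "ssh_local_clock": first_match(SAMPLE_RULES, "10.1.2.3", "198.51.100.5", "tcp/22",
                                       datetime(2024, 6, 3, 18, 30, tzinfo=plus_two)).rule_id,
        "src_outside": first_match(SAMPLE_RULES, "172.16.0.1", "192.0.2.10", "tcp/443",
                                   datetime(2024, 6, 3, 9, 0, tzinfo=utc)).rule_id,
        "search_dst": [r.rule_id for r in search_rules(SAMPLE_RULES, dst_crit)],
        "search_dst_no_any": [r.rule_id for r in
                              search_rules(SAMPLE_RULES, dst_crit, do_not_match_any=True)],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two search results show why Do not Match ANY matters when reviewing a policy: a destination search without it also returns every rule whose Destination cell is ANY, so a permissive rule higher in the table can hide behind the one you were looking for; the time cases show that a window entered as local office hours is shifted when the engine reads it as UTC.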
Info pane — Use this pane to view more information about the selected rule.
General tab:
  • Name — The name of the rule.
  • Rule Tag — The rule's tag.
  • Comment — Comment in the rule.
Rule Info tab: Shows the matching criteria and options for the rule.
History tab:
  • Creator — Shows the administrator who created the rule.
  • Created — Shows the time when the rule was created.
  • Modifier — Shows the administrator who modified the rule.
  • Modified — Shows the time when the rule was modified.
  • Audit History — Opens the Logs view and displays the audit log data for traffic that matches the rule.
Table 1. Drill-Down pane
Properties: Opens the Rule Properties dialog box.
Disable Rule and Enable Rule: If the rule is enabled, temporarily disables the rule without deleting it. If the rule is disabled, enables the rule.
Lock Rule: Prevents edits until the rule is explicitly unlocked.

Inspection Policy Editing view

Use this view to edit an Inspection Policy element.

Resources pane
Resources: Use this pane to create and add elements to a policy.
Filter: Opens a search field for the selected element list.
Up: Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.
New: Opens the associated dialog box to create an element.
Tools:
  • Show Deleted Elements — Shows elements that have been moved to the Trash.
  • Text Size — Changes the text size.
Policy Toolbar
Save: Saves the changes.
Undo operation: Undoes the last change made.
Redo operation: Redoes the last change that was undone.
Inherited Rules: Shows inherited rules passed down from higher-level templates.
Tools
Validate: Validates the rules in the policy. Opens the Validate Policy dialog box, in which you can select which issues are checked in the rules.
Compare to Policy Snapshot: Compares the policy with a previously created snapshot of the policy.
Search Rules: When selected, the Search Rules pane is shown below the rule table.
Save As: Saves a copy of the policy as a new element.
Expand All: If you have added Rule Sections or Sub-Policies, they are all expanded.
Collapse All: If you have added Rule Sections or Sub-Policies, and they are expanded, they are all collapsed.
Text Size: Changes the text size.
Show Only Overrides: When selected, only rules that override the default settings are shown.
Target Engine Selector: Selects the target engine for the Validate, Network Details, and Rule Counters actions.
Network Details: Toggles between element names and IP addresses.
Exceptions tab
ID (Not editable): Automatically assigned ID number that indicates the order of the rules in the policy. The rules are matched against traffic in the order of the ID numbers.
Situation: Defines the patterns of traffic that the rule matches. In addition to individual Situation elements, this cell can contain Situation Type and Situation Tag elements, which are shown as branches in the Situations tree and allow adding the whole branch of Situations at once to a rule.
Severity: Limits the rule to matching Situations that have a severity value within a range you define. This is most useful with rules that include Situation Tags in the Situation cell.
Logical Interface (IPS and Layer 2 Firewall only): Traffic matches the rule based on which interface the traffic is picked up from. The same logical interface can be assigned to one or several interfaces as configured in the properties of the NGFW Engine. This cell accepts only Logical Interface elements.
Source and Destination: A set of matching criteria that defines the IP addresses and interfaces that the rule matches. Both the Source and the Destination defined must match the source and destination of a packet for the packet to match the rule. The Source and Destination cells accept any elements in the Network Elements category, as well as User and User Group elements.
Protocol: Limits the Protocols that the rule matches. The protocol is set for traffic in the Access rules, in the Service cell of the rule that allows the traffic.
Action: Command for the engine to carry out when a connection matches the rule. The action-specific Action Options define settings for connection termination and user responses. The Continue action can be used to set options for the Exceptions.
Logging: The options for logging.
Time: The time period when the rule is applied. If this cell is left empty, the rule always applies. Double-click the cell to edit. Enter the time in UTC.
Comment: An optional free-form comment for this rule. You can also add separate comment rows in between rules.
Rule Name: Contains a rule tag and optionally a rule name.
  • Name (Optional) — Name or description for the rule. Displayed alongside the rule tag.
  • Tag (Not editable) — Automatically assigned unique identification for the rule. Works as a link between the log entries and the rule that has generated the log entries. The rule tag consists of two parts (for example, @20.1). The first part of the tag is permanent and belongs to only that rule. The second part changes when the rule is changed. The first part and the second part are separated by a period.
Inspection tab
Name: The name of the Situation or Situation Category.
Action: Command for the engine to carry out when a connection matches the rule.
Logging: The options for logging.
Comment (Optional): A comment for your own reference.
Overrides: Shows the number of overrides to the default settings.
Tag (Not editable): Shows the rule tag.
Info pane — Use this pane to view more information about the selected rule.
General tab:
  • Name — The name of the rule.
  • Rule Tag — The rule's tag.
  • Comment — Comment in the rule.
Elements tab: Shows information about the elements that are of the selected Situation Type.
  • Name — The name of the Situation Type.
  • Context — The Situation's context.
  • Severity — The Situation's severity.
  • Type — The Situation's type.
  • Last Update — The number of the dynamic update package in which the Situation element was last updated.
  • Category — The Situation's Category.
  • Comment — A comment for the Situation.
History tab:
  • Creator — Shows the administrator who created the rule.
  • Created — Shows the time when the rule was created.
  • Modifier — Shows the administrator who modified the rule.
  • Modified — Shows the time when the rule was modified.
  • Audit History — Opens the Logs view and displays the audit log data for traffic that matches the rule.
Tags tab:
  • Name — The name of the Tag element.
  • Comment — A comment for the Tag.
  • Type — The type of the Tag.
Table 2. Drill-Down pane
Properties: Opens the Properties dialog box for the selected element.
Where Used: Searches for references to the selected element.