Edit the Access policy

The Access policy defines which connections are allowed.

By default, the Access policy contains one rule for testing connectivity that allows HTTP, HTTPS, and ping traffic from all interfaces that belong to the internal zone to any destination. Log entries related to this traffic are stored on the NGFW Engine.

You can edit this rule and add other rules. By default, the NGFW Engine blocks all connections that have not been specifically allowed in the Access policy.

Table 1. Default rule in the Access policy

Name                  Source         Destination  Service            Logging  Action
Connectivity Testing  Internal Zone  ANY          HTTP, HTTPS, Ping  Stored   Allow

Steps

  1. Browse to NGFW > Policy > Access or NGFW > Policy > NAT.
  2. Add a rule in one of the following ways:
    • Click Add First Rule.
    • Click a rule, select > New, then select Rule Before or Rule After.
  3. Configure the settings, then click Save.
  4. Publish the changes.

Example

Fields marked with an asterisk in the user interface are mandatory.

Table 2. Access Policy
Option Definition
Source and Destination A set of matching criteria that defines the IP addresses and interfaces that the rule matches.
  • Type part of the name of an element or browse through the drop-down list to select an element.
  • Click Set to ANY to match any element.
Service A set of matching criteria that matches traffic based on the Network Application, or protocol and port.
  • Type part of the name of an element or browse through the drop-down list to select an element.
  • Click Set to ANY to match any element.
Logging Defines logging options for the rule.
  • Logging — When selected, enables logging for the rule.
  • Log Level — Defines the log level for matching connections.
    • None — Does not create any log entry.
    • Transient — Creates a log entry that is shown on the Logs tab, but is not stored.
    • Stored — Creates a log entry that is stored on the NGFW Engine.
    • Essential — Creates a log entry that is shown on the Logs tab and saved for further use.
    • Alert — Triggers an alert with the severity that you define.
    • Automatic — This option is not supported in the Access policy.
  • Severity — When the Log Level is set to Alert, defines the severity of the alert.
  • Advanced Options — Allows you to define advanced logging options.
Authentication
Action Command for the engine to carry out when a connection matches the rule.
  • Allow — Allows connections that match the rule.
  • Discard — Discards connections that match the rule.
  • Continue — Sets default options for traffic matching. The options are used for later rules that match the same criteria unless the later rules override the options.
  • Refuse — Refuses connections that match the rule.
  • Jump — The rule processing jumps to a Sub-Policy to continue processing rules.
  • Use VPN — Connections that match the rule are sent into the specified VPN.
  • Decryption — This option is not yet supported.
  • Advanced Options — Allows you to define advanced action options.
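The Action list above describes first-match processing with three non-terminal behaviours: Continue sets defaults for later rules, Jump enters a Sub-Policy, and a connection that matches no rule is discarded. The following model, added here as an illustration and not the NGFW Engine's own code, shows how those pieces interact. The rule names, zones, addresses and the "Log DMZ traffic" and "DMZ web sub-policy" rules are constructed; only the Connectivity Testing rule comes from the page.

```python
# Added example (not the NGFW Engine's own code): a minimal model of how the
# Access policy is evaluated top-down, with Continue rules setting defaults
# for later rules, Jump rules entering a sub-policy, and an implicit Discard
# when no rule matches. Rule names, zones and addresses are constructed.
from dataclasses import dataclass, field
from typing import Optional, Tuple

ANY = ("ANY",)


@dataclass
class Packet:
    src_zone: str
    dst: str
    service: str


def cell_matches(cell: Tuple[str, ...], value: str) -> bool:
    """A cell set to ANY matches everything; otherwise the value must be listed."""
    return "ANY" in cell or value in cell


@dataclass
class Rule:
    name: str
    source: Tuple[str, ...]
    destination: Tuple[str, ...]
    service: Tuple[str, ...]
    action: str                                   # Allow, Discard, Refuse, Continue or Jump
    options: dict = field(default_factory=dict)   # e.g. {"log_level": "Stored"}
    sub_policy: Optional[list] = None             # rules entered when action == "Jump"

    def matches(self, pkt: Packet) -> bool:
        return (cell_matches(self.source, pkt.src_zone)
                and cell_matches(self.destination, pkt.dst)
                and cell_matches(self.service, pkt.service))


def _first_match(rules, pkt, opts):
    """Walk rules in order; return (action, rule name, effective options) or None."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "Continue":
            opts.update(rule.options)            # defaults inherited by later rules
        elif rule.action == "Jump":
            hit = _first_match(rule.sub_policy or [], pkt, opts)
            if hit is not None:
                return hit                       # the sub-policy decided the connection
            # no match inside the sub-policy: fall through to the next rule here
        else:
            return rule.action, rule.name, {**opts, **rule.options}
    return None


def evaluate(rules, pkt):
    """Final verdict: first terminal match, or the implicit default Discard."""
    hit = _first_match(rules, pkt, {})
    return hit if hit is not None else ("Discard", "<implicit default>", {})


# Constructed sample policy. The last rule is the page's default Connectivity
# Testing rule; the two rules before it are invented for illustration.
SAMPLE_POLICY = [
    Rule("Log DMZ traffic", ("DMZ",), ANY, ANY, "Continue", {"log_level": "Stored"}),
    Rule("DMZ web sub-policy", ("DMZ",), ANY, ("HTTP", "HTTPS"), "Jump", sub_policy=[
        Rule("Refuse to admin host", ANY, ("10.0.0.5",), ANY, "Refuse"),
        Rule("Allow web", ANY, ANY, ("HTTP", "HTTPS"), "Allow", {"deep_inspection": "On"}),
    ]),
    Rule("Connectivity Testing", ("Internal Zone",), ANY, ("HTTP", "HTTPS", "Ping"),
         "Allow", {"log_level": "Stored"}),
]

if __name__ == "__main__":
    for pkt in (Packet("Internal Zone", "203.0.113.10", "HTTP"),
                Packet("DMZ", "10.0.0.5", "HTTP"),
                Packet("DMZ", "203.0.113.10", "HTTPS"),
                Packet("DMZ", "203.0.113.10", "SSH")):
        print(pkt, "->", evaluate(SAMPLE_POLICY, pkt))
```

Two points worth noticing when running it: the logging option set by the Continue rule reaches the Refuse rule inside the sub-policy without being repeated there, and DMZ traffic that matches neither the sub-policy's service nor the Connectivity Testing rule's source ends in the implicit Discard, which is the deny-by-default behaviour the text describes.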
Table 3. Advanced Logging options
Option Definition
Log Level Defines the log level for matching connections.
Severity When the Log Level is set to Alert, defines the severity of the alert.
Connection Closing Specifies how log entries are created when connections are closed.
  • None — No log entries are created.
  • Normal — Both connection opening and closing are logged, but no information about the volume of traffic is collected.
  • Accounting — Both connection opening and closing are logged and information about the volume of traffic is collected.
Log Compression

When enabled, once the limits defined in Max Log Rate or Max Burst Size are reached, generated entries are no longer logged and shown separately. Instead, the NGFW Engine creates a single log entry that contains the total number of log entries generated during that time. After the single log entry is created, logging returns to normal and all generated entries are again logged and shown separately.

Log compression settings in access rules override the default log compression settings defined for the interface and the default log compression settings defined for the NGFW Engine.

  • NOT SET — Settings inherited from earlier access rules with the Continue action are used.
  • No Compression — Log compression is disabled.
  • Access — Only logs generated by access rules are compressed.
  • Inspection — Logs generated by both access rules and inspection rules are compressed.

When log compression is enabled, the following additional options are available:

  • Max Log Rate — The maximum sustained number of log entries per second. The default value is 100 log entries per second.
  • Max Burst Size — The maximum number of log entries in a single burst. The default value is 1000 log entries.
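The two limits above define a rate (Max Log Rate) and a burst allowance (Max Burst Size), and the text describes what an operator sees when they are exceeded: individual entries stop, one summary entry appears, then normal logging resumes. The simulation below is an added example, not the NGFW Engine's code; the page does not say how the limits are implemented internally, so modelling them as a token bucket is an assumption, as is the wording of the summary line.

```python
# Added example (not the NGFW Engine's own code): a simulation of the log
# compression behaviour described above. The page gives the limits (Max Log
# Rate, Max Burst Size) and the observable behaviour (a single summary entry,
# then normal logging); modelling the limits as a token bucket is an assumption.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class LogCompressor:
    max_log_rate: float = 100.0    # sustained entries per second (page default)
    max_burst_size: int = 1000     # entries in a single burst (page default)
    tokens: float = field(init=False)
    last_time: float = field(init=False, default=0.0)
    suppressed: int = 0            # entries generated but not logged separately
    output: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.tokens = float(self.max_burst_size)   # a full burst is available at start

    def _refill(self, now: float) -> None:
        """Credit tokens at the sustained rate, never beyond the burst size."""
        elapsed = max(0.0, now - self.last_time)
        self.tokens = min(float(self.max_burst_size), self.tokens + elapsed * self.max_log_rate)
        self.last_time = now

    def _flush_summary(self) -> None:
        if self.suppressed:
            self.output.append(
                f"[compressed] {self.suppressed} log entries generated during rate limiting")
            self.suppressed = 0

    def log(self, now: float, entry: str) -> bool:
        """Return True if the entry was logged separately, False if it was only counted."""
        self._refill(now)
        if self.tokens >= 1.0:
            self._flush_summary()      # limits no longer exceeded: emit the single summary entry
            self.tokens -= 1.0
            self.output.append(entry)
            return True
        self.suppressed += 1           # over the limit: count it into the summary instead
        return False

    def close(self) -> None:
        """Emit a pending summary at the end of the simulation."""
        self._flush_summary()


def run_burst_scenario(burst: int = 1500, quiet_after: float = 1.0) -> Tuple[int, int, str]:
    """Constructed load: `burst` entries at t=0, then one entry `quiet_after` seconds later.
    Returns (entries logged separately, entries compressed, the summary line or '')."""
    lc = LogCompressor()
    logged = sum(lc.log(0.0, f"access rule hit #{i}") for i in range(burst))
    after = lc.log(quiet_after, "access rule hit after the burst")
    lc.close()
    summary = next((line for line in lc.output if line.startswith("[compressed]")), "")
    return logged + int(after), burst - logged, summary


if __name__ == "__main__":
    print(run_burst_scenario())        # with the defaults: 1001 logged, 500 compressed
```

With the page's defaults, a burst of 1500 entries at once produces 1000 individual entries, one summary entry covering the remaining 500, and then the next entry a second later is logged normally again, because the sustained rate has credited new capacity. A burst of exactly 1000 produces no summary at all.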
Log User Defines whether information about users is included in the log data.
  • Off — Information about users is not included in the log data.
  • Default — Information about users is included in the log data if information about the user is cached for the connection. Otherwise, only the IP address associated with the user at the time the log is created is included in the log data. Access control by user must be enabled.
  • Enforced — Information about users is always included in the log data if information about the user is available in the user database. If information about the user is not cached for the connection, the NGFW Engine resolves the user information from the IP address. Access control by user must be enabled.
Log Application Defines whether information about Application detection is included in the log data.
  • Off — Information about Application detection is not included in the log data.
  • Default — Information about Application detection is included in the log data if the information is available without additional inspection.
  • Enforced — Information about Application detection is always included in the log data if the Application can be identified.
Log URL Category Defines whether information about URL categorization is included in the log data.
  • Off — URL categories are not included in the log data.
  • Default — URL categories are included in the log data for matching traffic when URL Categories are used as matching criteria in the rule.
  • Enforced — URL categories are always included in the log data if the URL category can be identified.
Table 4. Advanced Action options
Option Definition
Decryption This option is not yet supported.
Deep Inspection Selects traffic that matches this rule for checking against the Inspection Policy.
  • On — The feature is enabled.
  • Off — The feature is disabled.
File Filtering This option is not yet supported.
Conntrack Mode
  • Off — The feature is disabled.
  • Default — The settings defined in the NGFW Engine properties are used.
  • Loose — Reply packets are allowed as part of the allowed connection without an explicit Access rule. The NGFW Engine allows some connection patterns and address translation operations that are not allowed in Normal mode.
  • Normal — Reply packets are allowed as part of the allowed connection without an explicit Access rule. The NGFW Engine drops ICMP error messages related to connections that are not currently active in connection tracking (unless explicitly allowed by a rule in the policy). A valid, complete TCP handshake is required for TCP traffic. The NGFW Engine checks the traffic direction and the port parameters of UDP traffic. If the Service cell in the rule contains a Service that uses a Protocol Agent, the NGFW Engine also validates TCP and UDP traffic on the application layer. If a protocol violation occurs, the packet that violates the protocol is dropped.
  • Strict — Reply packets are allowed as part of the allowed connection without an explicit Access rule. The NGFW Engine allows only TCP traffic that strictly adheres to the TCP standard as defined in RFC 793. The NGFW Engine also checks the sequence numbers of the packets in pre-connection establishment states and for RST and FIN packets, and drops packets that are out of sequence. If the Service cell in the rule contains a Service that uses a Protocol Agent, the NGFW Engine also validates the traffic on the application layer. If a protocol violation occurs, the packet that violates the protocol is dropped.
Idle Timeout

The timeout (in seconds) after which inactive connections are closed. This timeout concerns only idle connections. Connections are not cut because of timeouts while the hosts are still communicating.

If you enter a timeout, this value overrides the setting defined in the NGFW Engine properties.

Sync Connections This option is not yet supported.
TCP MSS When selected, TCP MSS is enforced. Headers are not included in the maximum segment size (MSS) value; MSS concerns only the payload of the packet. Usually, network equipment sends packets at the Ethernet-standard maximum transmission unit (MTU) size of 1500 (including both payload and headers).
  • Min — If a TCP packet has an MSS value smaller than the minimum you set here, the packet is dropped. The smaller the data content is, the less efficient the communications become due to the fixed-size headers. Limiting the minimum size can help alleviate certain types of network attacks. Typically, the value you enter is not larger than the default minimum TCP Maximum Segment Size (536).
  • Max — If a TCP packet has an MSS value larger than the maximum, the NGFW Engine overwrites the packet’s MSS with the maximum value you set here. Setting the maximum MSS size might be necessary to prevent fragmentation. Typically, the value you enter is lower than the standard Ethernet MTU (1500), taking the packet headers that are added to the MSS into account.
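The Min and Max options above amount to two checks on the MSS option carried in a TCP SYN: drop the segment when the advertised value is below the minimum, overwrite the value when it is above the maximum. The code below is an added example, not the NGFW Engine's code, that parses the TCP option list and applies both checks. The 536 minimum is the page's figure; the 1460 maximum (a 1500-byte MTU less 40 bytes of IPv4 and TCP headers), the sample segment, and the decision to pass a SYN that carries no MSS option are constructed assumptions. The checksum field is left at zero; a real device must recompute it after rewriting the option.

```python
# Added example (not the NGFW Engine's own code): TCP MSS enforcement on a SYN
# segment as described above: drop when the advertised MSS is below the minimum,
# rewrite it when above the maximum. 536 is the page's minimum; 1460 and the
# sample segment are constructed. The checksum is left at zero here.
import struct
from typing import Optional, Tuple

TCP_MIN_HEADER = 20
OPT_END, OPT_NOP, OPT_MSS = 0, 1, 2


def build_syn(mss: int, sport: int = 40000, dport: int = 443) -> bytes:
    """Constructed TCP SYN carrying a single MSS option (kind 2, length 4)."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss)
    data_offset = (TCP_MIN_HEADER + len(options)) // 4      # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)  # flags=SYN, checksum=0
    return header + options


def find_mss(segment: bytes) -> Optional[Tuple[int, int]]:
    """Walk the TCP options; return (byte offset of the MSS value, MSS) or None."""
    if len(segment) < TCP_MIN_HEADER:
        return None
    header_len = (segment[12] >> 4) * 4
    if header_len < TCP_MIN_HEADER or header_len > len(segment):
        return None                                    # malformed data offset
    i = TCP_MIN_HEADER
    while i < header_len:
        kind = segment[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= header_len:
            break                                      # truncated option
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            break                                      # malformed option length
        if kind == OPT_MSS and length == 4:
            return i + 2, struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += length
    return None


def enforce_mss(segment: bytes, min_mss: int = 536, max_mss: int = 1460):
    """Return ('pass', segment), ('drop', None) or ('rewrite', new_segment)."""
    found = find_mss(segment)
    if found is None:
        return "pass", segment               # no MSS option: nothing to enforce (assumption)
    offset, mss = found
    if mss < min_mss:
        return "drop", None                  # Min: undersized MSS, segment dropped
    if mss > max_mss:
        rewritten = bytearray(segment)
        rewritten[offset:offset + 2] = struct.pack("!H", max_mss)
        return "rewrite", bytes(rewritten)   # Max: MSS overwritten with the maximum
    return "pass", segment


if __name__ == "__main__":
    for advertised in (200, 1200, 9000):
        verdict, seg = enforce_mss(build_syn(advertised))
        print(advertised, verdict, find_mss(seg) if seg else None)
```

The option walker stops on an End-of-Options marker, skips NOP padding, and bails out on a length byte that would run past the header, so a malformed option list is treated as "no MSS option" rather than read out of bounds.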
Forward Traffic To
Forced Next Hop Destination

When enabled, allows you to define a forced next hop in the routing for traffic that matches the rule.

  • NOT SET — Settings inherited from earlier access rules with the Continue action are used.
  • Nexthop Zone — Traffic is routed through the specified zone before being sent to its destination.
  • IP Address — Traffic is routed through the specified IP address before being sent to its destination.
Zone

When Forced Next Hop Destination is Nexthop Zone

Select the Zone element through which traffic is routed before being sent to its destination. The traffic is sent out through the interface that is associated with the selected Zone element.

Note: The Zone element must be used on only one interface.
IPv4 Address

When Forced Next Hop Destination is IP Address

Enter the IP address to which traffic is routed. If the rule matches both IPv4 and IPv6 addresses, you can enter both an IPv4 and an IPv6 address.

IPv6 Address
Bypass NAT When selected, NAT is not applied to connections that match the rule.