Edit the Access policy
The Access policy defines which connections are allowed.
By default, the Access policy contains one rule for testing connectivity that allows HTTP, HTTPS, and ping traffic from all interfaces that belong to the internal zone to any destination. Log entries related to this traffic are stored on the NGFW Engine.
You can edit this rule and add other rules. By default, the NGFW Engine blocks all connections that have not been specifically allowed in the Access policy.
Name | Source | Destination | Service | Logging | Action |
---|---|---|---|---|---|
Connectivity Testing | Internal Zone | ANY | HTTP, HTTPS, Ping | Stored | Allow |
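As an added illustration (not code from the NGFW product or its documentation), the following Python model shows how the Access policy is evaluated: rules are checked top-down, the first match decides the action and logging, and a connection that no rule allows falls through to the implicit default deny. The default Connectivity Testing rule from the table is reproduced; the protocol/port pairs for HTTP, HTTPS and Ping, the zone names and the sample addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service definitions assumed for the example: the page names the services,
# the conventional protocol/port pairs are supplied here.
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "Ping": ("icmp", None)}


@dataclass
class Rule:
    name: str
    source: set        # zone names; {"ANY"} matches every source zone
    destination: set   # CIDR strings; {"ANY"} matches every address
    service: set       # names from SERVICES
    action: str        # "Allow" or "Discard"
    logging: str = "Stored"


@dataclass
class Connection:
    src_zone: str
    dst_ip: str
    proto: str
    dport: Optional[int] = None


def _dst_matches(rule: Rule, conn: Connection) -> bool:
    if "ANY" in rule.destination:
        return True
    addr = ipaddress.ip_address(conn.dst_ip)
    return any(addr in ipaddress.ip_network(n) for n in rule.destination)


def _svc_matches(rule: Rule, conn: Connection) -> bool:
    for name in rule.service:
        proto, port = SERVICES[name]
        if proto == conn.proto and (port is None or port == conn.dport):
            return True
    return False


def evaluate(policy: list, conn: Connection) -> tuple:
    """Top-down, first match wins. Anything not explicitly allowed is
    discarded: the implicit default deny described in the text."""
    for rule in policy:
        if ("ANY" in rule.source or conn.src_zone in rule.source) \
                and _dst_matches(rule, conn) and _svc_matches(rule, conn):
            return rule.action, rule.name, rule.logging
    return "Discard", "implicit default deny", None  # logging not stated on the page


# The default policy from the table above: a single Connectivity Testing rule.
DEFAULT_POLICY = [Rule("Connectivity Testing", {"Internal Zone"}, {"ANY"},
                       {"HTTP", "HTTPS", "Ping"}, "Allow")]
```

Inserting a more specific Discard rule ahead of the default one shows why rule order matters: the first matching rule wins, so a later, broader Allow never sees that traffic.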
Steps
- Browse to or .
- Add a rule in one of the following ways:
  - Click Add First Rule.
  - Click a rule, then select Rule Before or Rule After.
- Configure the settings, then click Save.
- Publish the changes.
Example
Fields marked with an asterisk in the user interface are mandatory.
Option | Definition |
---|---|
Source and Destination | A set of matching criteria that defines the IP addresses and interfaces that the rule matches. |
Service | A set of matching criteria that matches traffic based on the Network Application, or protocol and port. |
Logging | Defines logging options for the rule. |
Authentication | |
Action | Command for the engine to carry out when a connection matches the rule. |
Option | Definition |
---|---|
Log Level | Defines the log level for matching connections. |
Severity | When the Log Level is set to Alert, defines the severity of the alert. |
Connection Closing | Specifies how log entries are created when connections are closed. |
Log Compression | When enabled, generated entries are not logged and shown separately when the limits defined in the Max Log Rate or Max Burst Size are reached. Instead, the NGFW Engine creates a single log entry that contains information about the total number of the generated log entries. After the single log entry is created, logging returns to normal and all generated entries are logged and shown separately. Log compression settings in access rules override the default log compression settings defined for the interface and the default log compression settings defined for the NGFW Engine. When log compression is enabled, the following additional options are available: |
Log User | Defines whether information about users is included in the log data. |
Log Application | Defines whether information about Application detection is included in the log data. |
Log URL Category | Defines whether information about URL categorization is included in the log data. |
Option | Definition |
---|---|
Decryption | This option is not yet supported. |
Deep Inspection | Selects traffic that matches this rule for checking against the Inspection Policy. |
File Filtering | This option is not yet supported. |
Conntrack Mode | |
Idle Timeout | The timeout (in seconds) after which inactive connections are closed. This timeout concerns only idle connections. Connections are not cut because of timeouts while the hosts are still communicating. If you enter a timeout, this value overrides the setting defined in the NGFW Engine properties. |
Sync Connections | This option is not yet supported. |
TCP MSS | When selected, TCP MSS is enforced. Headers are not included in the maximum segment size (MSS) value; MSS concerns only the payload of the packet. Usually, network equipment sends packets at the Ethernet-standard maximum transmission unit (MTU) size of 1500 (including both payload and headers). |
Forward Traffic To | |
Forced Next Hop Destination | When enabled, allows you to define a forced next hop in the routing for traffic that matches the rule. |
Zone | When Forced Next Hop Destination is Nexthop Zone, select the Zone element through which traffic is routed before being sent to its destination. The traffic is sent out through the interface that is associated with the selected Zone element. Note: The Zone element must be used on only one interface. |
IPv4 Address | When Forced Next Hop Destination is IP Address, enter the IP address to which traffic is routed. If the rule matches both IPv4 and IPv6 addresses, you can enter both an IPv4 and an IPv6 address. |
IPv6 Address | |
Bypass NAT | When selected, NAT is not applied to connections that match the rule. |