Configure policy settings for the NGFW Engine

Policy settings specify which policies the NGFW Engine uses, as well as settings for element-based NAT, alias translation, and automatic rules.

Steps

  1. Browse to NGFW > Properties > Policies.
  2. Configure the settings, then click Save.
  3. Publish the changes.

Example

Fields marked with an asterisk in the user interface are mandatory.

Table 1. NGFW Engine Properties - Policies
Option Definition
Layer3 Policy The selected Layer 3 Policy for the NGFW Engine. We recommend that you do not change this setting.
Inspection Policy The selected Inspection Policy for the NGFW Engine.
File Filtering Policy This option is not yet supported.
NAT Definition When selected, enables options for element-based NAT.
Alias Resolving

Click to add the first row.

Click > New Row Before or > New Row After to add a row.

  • Alias — The Alias element. Type part of the name of an element or browse through the drop-down list to select an element.
  • Alias Value — The translated value of the Alias element. Type part of the name of an element or browse through the drop-down list to select an element.
Automatic Rules Settings When selected, enables options for automatic rules.
Table 2. NGFW Engine Properties - Policies - NAT Definition
Option Definition
NAT Element Array Click > Add to add definitions for element-based NAT.
NAT Type Select the translation type.
  • Static — Static network address translation is used. For each original address there is a single, predefined translated address.
  • Dynamic — Dynamic network address translation is used. Dynamic NAT uses ports to track connections using the same IP address.
NAT Address Private The element that represents the private IP address. Type part of the name of an element or browse through the drop-down list to select an element.
NAT Address Public

Select the source of the public IP address.

  • NAT Default — The default address is used as the public IP Address.
  • IP Address — Enter an IP address.
  • NAT Interface Addr — Click , then select an interface.
  • ElementType part of the name of an element or browse through the drop-down list to select an element.
NAT Port Filter To limit NAT only to traffic that goes to selected destination ports, select a Service or Service Group element to act as a port filter. The Service or Service Group element includes the destination port information (a single destination port or a range of ports). Type part of the name of an element or browse through the drop-down list to select an element.
NAT Default Enabled The NGFW Engine uses the default NAT address as the public IP address if there is not a more specific NAT definition that matches the traffic. When you select this option, a NAT rule is generated at the end of the NAT rules in the policy. If no NAT rule matches the traffic, no NAT is applied unless you enable the Default NAT Address.
Table 3. NGFW Engine Properties - Policies - Automatic Rules Settings
Option Definition
Logging When selected, enables the logging options.
Log Level The log level for traffic that matches automatic rules.
  • None — Does not create any log entry
  • Transient — Creates a log entry that is shown on the Logs tab, but is not stored.
  • Stored — Creates a log entry that is stored on the NGFW Engine.
  • Essential — Creates a log entry that is shown on the Logs tab and saved for further use.
  • Alert — Triggers an alert with the severity that you define.
  • Automatic — This option is not supported in the Access policy.
Severity When the Log Level is set to Alert, defines the severity of the alert.
Connection Closing Specifies how log entries are created when connections are closed.
  • None — No log entries are created.
  • Normal — Both connection opening and closing are logged, but no information about the volume of traffic is collected.
  • Accounting — Both connection opening and closing are logged and information about the volume of traffic is collected.
Log User Defines whether information about users is included in the log data.
  • Off — Information about users is not included in the log data.
  • Default — Information about users is included in the log data if information about the user is cached for the connection. Otherwise, only the IP address associated with the user at the time the log is created is included in the log data. Access control by user must be enabled.
  • Enforced — Information about users is always included in the log data if information about the user is available in the user database. If information about the user is not cached for the connection, the NGFW Engine resolves the user information from the IP address. Access control by user must be enabled.
Log URL Category Defines whether information about URL categorization is included in the log data.
  • Off — URL categories are not included in the log data.
  • Default — URL categories are included in the log data for matching traffic when URL Categories are used as matching criteria in the rule.
  • Enforced — URL categories are always included in the log data if the URL category can be identified.