Creating Company_A security policies
A security policy can include varying levels of security feature protection. This example only deals with web filtering. The following security policies use the custom strict and relaxed web filter profiles configured earlier. See “Configuring common items”.
For these security policies, we assume that all protocols will be on their standard ports, such as port 80 for http traffic. If the ports are changed, such as using port 8080 for http traffic, you will have to create custom services for protocols with non-standard ports, and assign them different names.
The security policies configured in this section are:
internal to external — always deny all
external to internal — always deny all
internal to external — always allow all, security features - web filtering: strict
internal to external — Lunch allow all, security features - web filtering: relaxed
Security policies allow packets to travel from the internal VLAN_100 interface to the external interface, subject to the restrictions of the protection profile. Entering the policies in this order means the last one configured is at the top of the policy list and will be checked first. This matters because the list is evaluated top-down: if one policy does not apply, the next is checked, until the end of the list is reached.
To configure Company_A security policies - web-based manager
1. Go to Policy > Policy.
2. Select Create New.
3. Enter the following information and select OK:
Source Interface/Zone: VLAN_100_int
Source Address: CompanyA
Destination Interface/Zone: VLAN_100_ext
Destination Address: all
Schedule: always
Service: all
Action: DENY
This policy is a catch-all for outgoing traffic: if traffic does not match any of the other policies, it will not be allowed. This is standard procedure.
4. Select Create New.
5. Enter the following information and select OK:
Source Interface/Zone: VLAN_100_ext
Source Address: all
Destination Interface/Zone: VLAN_100_int
Destination Address: CompanyA
Schedule: always
Service: all
Action: DENY
This policy is a catch-all for incoming traffic: if traffic does not match any of the other policies, it will not be allowed. This is standard procedure.
6. Select Create New.
7. Enter the following information and select OK:
Source Interface/Zone: VLAN_100_int
Source Address: CompanyA
Destination Interface/Zone: VLAN_100_ext
Destination Address: all
Schedule: always
Service: all
Action: ACCEPT
Security Features: Enable
Web Filtering: strict
This policy enforces strict scanning at all times, while allowing all traffic. It ensures company policies are met for network security.
8. Select Create New.
9. Enter the following information and select OK:
Source Interface/Zone: VLAN_100_int
Source Address: CompanyA
Destination Interface/Zone: VLAN_100_ext
Destination Address: all
Schedule: Lunch
Service: all
Action: ACCEPT
Security Features: Enable
Web Filtering: relaxed
This policy provides relaxed protection during lunch hours, going from strict down to scanning for protocol options and web filtering. AntiVirus and Email Filtering remain at strict for security: relaxing them would not give employees any additional access to the Internet, and it would make the company vulnerable.
10. Verify that the policies entered appear in the list with the last policy (lunch) at the top, and the first policy (deny all) at the bottom. Otherwise traffic will not flow as expected.
To configure Company_A security policies - CLI
config vdom
edit Company_A
config firewall policy
# Policies are listed in creation order: Lunch (relaxed) first, catch-all denies last.
edit 1
set srcintf VLAN_100_int
set dstintf VLAN_100_ext
set srcaddr CompanyA
set dstaddr all
set schedule Lunch
set service ALL
set action accept
set utm-status enable
set webfilter-profile relaxed
next
edit 2
set srcintf VLAN_100_int
set dstintf VLAN_100_ext
set srcaddr CompanyA
set dstaddr all
set schedule always
set service ALL
set action accept
set utm-status enable
set webfilter-profile strict
next
edit 3
set srcintf VLAN_100_int
set dstintf VLAN_100_ext
set srcaddr CompanyA
set dstaddr all
set schedule always
set service ALL
set action deny
next
edit 4
set srcintf VLAN_100_ext
set dstintf VLAN_100_int
set srcaddr all
set dstaddr CompanyA
set schedule always
set service ALL
set action deny
next
end
end
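As an added illustration of the top-down, first-match evaluation described above (this is not code from the Fortinet handbook), the following Python script models the four Company_A policies and shows which one an outbound flow hits at 09:00 versus 12:30, and that an inbound flow or a host outside CompanyA is denied. The CompanyA subnet (10.10.100.0/24) and the Lunch window (12:00-13:00) are assumed values.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str          # address object name; "all" matches any source
    schedule: str
    action: str           # "ACCEPT" or "DENY"
    webfilter: str = ""   # web filter profile applied on ACCEPT

# Constructed objects (assumed, not from the handbook): CompanyA is VLAN 100's subnet,
# Lunch is 12:00-13:00 and always covers the whole day. Destination address is "all"
# in every policy on the page, so it is not modelled.
ADDRESSES = {"CompanyA": ipaddress.ip_network("10.10.100.0/24")}
SCHEDULES = {"always": (time(0, 0), time(23, 59, 59)), "Lunch": (time(12, 0), time(13, 0))}

def _addr_ok(name, src_ip):
    return name == "all" or ipaddress.ip_address(src_ip) in ADDRESSES[name]

def _sched_ok(name, now):
    start, end = SCHEDULES[name]
    return start <= now <= end

def first_match(policies, srcintf, dstintf, src_ip, now):
    """Scan the list top-down and return the first matching policy, as the FortiGate
    does; None means nothing matched (the implicit deny at the end of the list)."""
    for p in policies:
        if ((p.srcintf, p.dstintf) == (srcintf, dstintf)
                and _addr_ok(p.srcaddr, src_ip) and _sched_ok(p.schedule, now)):
            return p
    return None

# The Company_A list in the order step 10 asks for: last-configured (Lunch) on top,
# the first-configured catch-all denies at the bottom.
COMPANY_A = [
    Policy("lunch-relaxed", "VLAN_100_int", "VLAN_100_ext", "CompanyA", "Lunch", "ACCEPT", "relaxed"),
    Policy("always-strict", "VLAN_100_int", "VLAN_100_ext", "CompanyA", "always", "ACCEPT", "strict"),
    Policy("deny-inbound", "VLAN_100_ext", "VLAN_100_int", "all", "always", "DENY"),
    Policy("deny-outbound", "VLAN_100_int", "VLAN_100_ext", "CompanyA", "always", "DENY"),
]

def decide(policies, srcintf, dstintf, src_ip, hhmm):
    """Return (policy name, action, web filter profile) for one flow at time hhmm."""
    p = first_match(policies, srcintf, dstintf, src_ip, time(*hhmm))
    return ("implicit", "DENY", "") if p is None else (p.name, p.action, p.webfilter)
```

Calling decide() with list(reversed(COMPANY_A)) shows why step 10 matters: with the catch-all deny on top, every outbound flow hits deny-outbound and the accept policies are never reached.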