Adding/Editing Policy Rules

Purpose: Add or edit policy rules by specifying gateways or gateway groups, interface objects or interface object groups, identity objects, services, content types, scheduling, and the appropriate action to take when policy violations occur. Also configure how Cloud Edge determines how security profiles are used with this policy rule.

Location: Policies > Policy Rules > Add / Edit

  1. Specify a rule name between 1 and 32 characters, consisting of letters, numbers, or underlines.
  2. Specify the Description.
  3. Enable or disable the rule.
  4. Configure Gateway Groups.
    • All Gateways: This rule applies to all registered gateways.
    • Selected Gateway Groups: Choose one or more gateway groups or selected gateways within one or more groups. Use the search box to narrow down the search results.

      • If you want to use interface objects as a source you must choose only a single Cloud Edge 50G2 gateway running Cloud Edge 6.0 or later.

      • Security profile settings in a policy rule are valid for Cloud Edge 50G2 gateways only. You can choose a single Cloud Edge 50G2 gateway or you can choose a gateway group that contains at least one Cloud Edge 50G2 gateway.

      For a matrix that describes this support, see Matrix: Policy Rules Settings by Gateway Model.

  5. Configure Interface Objects.

    Interface objects are physical and virtual interfaces (including wireless interfaces and VLANs) and Site–to–Site VPNs connections. You can create interface groups that contain one or more of the available interface objects.

    You can configure Interface Objects only if a single Cloud Edge 50G2 gateway running Cloud Edge 6.0 or later is chosen under Gateway Groups.

    • Any: This rule applies to all interface objects and interface groups available for the selected gateway groups.
    • Selected interface objects: Select which interface objects or interface groups to which the policy rule applies by moving selected objects from Select from to Select to.
  6. Configure Select From (previously known as source settings) under Identity Objects. See Policy Rules and IPv4/IPv6 Support and IP Address/FQDN Object Parameters.

    • Select Any for the policy rule to affect all identity objects, which includes all users and groups, IP addresses/FQDNs, MAC addresses, and geolocations.

    • Select Selected users / user groups for the policy rule to affect only specific users or groups.

    • Select Selected IP addresses/FQDNs for the policy rule to affect only specific IP addresses or specific FQDNs.

      Note:

      Using wildcard FQDNs as the source or destination is supported only in gateways running Cloud Edge 5.6 SP2 or later. Therefore, gateways running earlier versions ignore the wildcard FQDNs.

    • Select Selected MAC Addresses for the policy rule to affect only specific MAC addresses.

    • Select Selected geolocations for the policy rule to affect only specific geolocations or geolocation groups.

      Note:

      If you select Selected geolocations as the source for a policy rule, gateways older than version 5.5 SP2 will ignore this policy rule because earlier Cloud Edge versions do not support geolocation.

    • Select Selected device categories for the policy rule to affect only specific device categories.
  7. Configure Select To (previously known as destination settings) under Identity Objects. See Policy Rules and IPv4/IPv6 Support and IP Address/FQDN Object Parameters.

    • Select Any for the policy rule to affect all users and groups, addresses, and geolocations.

    • Select Selected IP addresses/FQDNs for the policy rule to affect only specific IP addresses or specific FQDNs.

      Note:

      Using wildcard FQDNs as the source or destination is supported only in gateways running Cloud Edge 5.6 SP2 or later. Therefore, gateways running earlier versions ignore the wildcard FQDNs.

    • Select Selected geolocations for the policy rule to affect only specific geolocations or geolocation groups.

      Note:

      If you select Selected geolocations as the destination for a policy rule, gateways older than version 5.5 SP2 will ignore this policy rule because earlier Cloud Edge versions do not support geolocation.

  8. Configure Services.

    • Select Any for the policy rule to include all services (default).

    • Select Selected services for the policy rule to include only specific services, then select the services to include.

  9. Configure Content Type.

    • Select Any for the rule to include all applications and URL categories.

      Note: You must select Any if you want to specify Bypass as the action to take when policy violations occur.

    • Select Selected content types for the rule to include only specific applications or URL categories, then under Applications and under URL categories select the applications or URL categories to include.

  10. Configure the Schedule.
    Option Description

    Always

    Includes all schedules. (Default)

    Schedule name

    Displays names of available schedule objects.

    Add New Schedule Object

    Access the Add/Edit schedule object creation dialog box.
  11. Select the Action.

    • Allow

    • Block

    • Bypass

      If the traffic matches the policy rule, allow the traffic while bypassing scanning.

    Note: You are unable to select Bypass if you selected Selected content types under Content Types.
  12. Select the desired option for each of the profiles listed in Security Profiles (IPS, Anti-Malware, Email Security, Web Reputation, HTTPS).
    • On: Turn on policy-specific settings
    • Off: Turn off policy-specific settings
    • Inherit: Inherit settings from the gateway's security profile (default)
    Important:

    The Security Profiles section is hidden if the action is Block or Bypass.

    The Security Profiles option is available only if you have selected at least one Cloud Edge 50G2 gateway running Cloud Edge 6.0 or later (either as a single gateway or as part of a selected group) in the Gateway Groups section.

  13. Click Save.
Parent topic: Policy Rules