Purpose: Add or edit policy rules by specifying gateways or gateway groups, interface objects or interface object groups, identity objects, services, content types, a schedule, and the action to take when traffic matches the rule. Also configure whether, and how, security profiles are applied by this policy rule.
Location: Policies > Policy Rules > Add / Edit
If you want to use interface objects as a source, you must choose a single Cloud Edge 50G2 gateway running Cloud Edge 6.0 or later under Gateway Groups.
Security profile settings in a policy rule are valid for Cloud Edge 50G2 gateways only. You can choose a single Cloud Edge 50G2 gateway or you can choose a gateway group that contains at least one Cloud Edge 50G2 gateway.
For a matrix that describes this support, see Matrix: Policy Rules Settings by Gateway Model.
Interface objects are physical and virtual interfaces (including wireless interfaces and VLANs) and Site-to-Site VPN connections. You can create interface groups that contain one or more of the available interface objects.
You can configure Interface Objects only if a single Cloud Edge 50G2 gateway running Cloud Edge 6.0 or later is chosen under Gateway Groups.
Source
Select Any for the policy rule to affect all identity objects, which includes all users and groups, IP addresses/FQDNs, MAC addresses, and geolocations.
Select Selected users / user groups for the policy rule to affect only specific users or groups.
Select Selected IP addresses/FQDNs for the policy rule to affect only specific IP addresses or specific FQDNs.
Using wildcard FQDNs as the source or destination is supported only in gateways running Cloud Edge 5.6 SP2 or later. Therefore, gateways running earlier versions ignore the wildcard FQDNs.
Select Selected MAC Addresses for the policy rule to affect only specific MAC addresses.
Select Selected geolocations for the policy rule to affect only specific geolocations or geolocation groups.
If you select Selected geolocations as the source for a policy rule, gateways older than version 5.5 SP2 will ignore this policy rule because earlier Cloud Edge versions do not support geolocation.
Destination
Select Any for the policy rule to affect all addresses and geolocations.
Select Selected IP addresses/FQDNs for the policy rule to affect only specific IP addresses or specific FQDNs.
Using wildcard FQDNs as the source or destination is supported only in gateways running Cloud Edge 5.6 SP2 or later. Therefore, gateways running earlier versions ignore the wildcard FQDNs.
Select Selected geolocations for the policy rule to affect only specific geolocations or geolocation groups.
If you select Selected geolocations as the destination for a policy rule, gateways older than version 5.5 SP2 will ignore this policy rule because earlier Cloud Edge versions do not support geolocation.
Services
Select Any for the policy rule to include all services (default).
Select Selected services for the policy rule to include only specific services, then select the services to include.
Content Types
Select Any for the rule to include all applications and URL categories.
Select Selected content types for the rule to include only specific applications or URL categories, then under Applications and under URL categories select the applications or URL categories to include.
Schedule

Option | Description
---|---
Always | Includes all schedules (default).
Schedule name | Displays the names of the available schedule objects.
Add New Schedule Object | Opens the Add/Edit schedule object dialog box.
Action
Choose Allow, Block, or Bypass.
Bypass: If the traffic matches the policy rule, allow the traffic while bypassing scanning.
The Security Profiles section is hidden if the action is Block or Bypass.
Security Profiles
The Security Profiles option is available only if you have selected at least one Cloud Edge 50G2 gateway running Cloud Edge 6.0 or later (either as a single gateway or as part of a selected group) in the Gateway Groups section.
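Several settings on this page are silently ignored by gateways that are too old or not a 50G2 (wildcard FQDNs before 5.6 SP2, geolocation before 5.5 SP2, interface objects and security profiles without a 50G2 on 6.0 or later), so a rule can look complete in the console yet not be enforced on part of a gateway group. The following added example (not Cloud Edge code; the gateway list, the feature names and the "other-model" label are constructed for illustration) audits a rule against the versions and models of the gateways it is assigned to and reports where it would not be enforced as written.

```python
import re
from dataclasses import dataclass

# Minimum Cloud Edge version that honours each selector, per the page:
# wildcard FQDNs need 5.6 SP2, geolocation needs 5.5 SP2, interface objects
# and security profiles need a 50G2 gateway on 6.0 or later.
MIN_VERSION = {
    "wildcard_fqdn": (5, 6, 2),
    "geolocation": (5, 5, 2),
    "interface_object": (6, 0, 0),
    "security_profile": (6, 0, 0),
}
NEEDS_50G2 = {"interface_object", "security_profile"}


def parse_version(text):
    """Turn '5.6 SP2', '5.5' or '6.0' into a comparable (major, minor, sp) tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\s*SP(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Cloud Edge version: {text!r}")
    major, minor, sp = m.groups()
    return (int(major), int(minor), int(sp or 0))


@dataclass(frozen=True)
class Gateway:
    name: str
    model: str    # "50G2" or another model (constructed label for the example)
    version: str  # version string as shown in the console, e.g. "5.6 SP2"


def audit_rule(features, gateways):
    """Report, per gateway, which parts of a rule would be silently ignored.

    `features` is the set of MIN_VERSION keys the rule relies on. A geolocation
    selector on a pre-5.5 SP2 gateway drops the entire rule; the other selectors
    are ignored individually. Gateways that honour everything are omitted.
    """
    findings = {}
    for gw in gateways:
        ver = parse_version(gw.version)
        ignored = sorted(
            f for f in features
            if ver < MIN_VERSION[f] or (f in NEEDS_50G2 and gw.model != "50G2")
        )
        if ignored:
            findings[gw.name] = {
                "rule_ignored": ver < MIN_VERSION["geolocation"] and "geolocation" in ignored,
                "ignored": ignored,
            }
    return findings
```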