End-of-Life (EoL)

Creating and Managing Policies

Select the Policies > Security page to add, modify, and manage security policies. The tasks available on this page are described below.
Add
To add a new policy rule, do one of the following:
  • Click Add at the bottom of the page.
  • Select a rule on which to base the new rule (click the white space of the rule; a selected rule displays with a yellow background) and click Clone Rule at the bottom of the page. The copied rule, “rulen”, is inserted below the selected rule, where n is the next available integer that makes the rule name unique. For details on cloning, see Move or Clone a Policy Rule.
Modify
To modify a rule, click the rule. If the rule is pushed from Panorama, it is read-only on the firewall and cannot be edited locally.
The Override and Revert actions pertain only to the default rules displayed at the bottom of the Security rulebase. These predefined rules (intrazone-default, which allows all intrazone traffic, and interzone-default, which denies all interzone traffic) instruct the firewall on how to handle traffic that does not match any other rule in the rulebase. Because they are part of the predefined configuration, you must Override them in order to edit select policy settings. A common reason to do so is that the default rules do not log by default: overriding interzone-default to enable logging at session end makes the traffic it denies visible in the Traffic log. If you are using Panorama, you can also Override the default rules and then push them to firewalls in a Device Group or Shared context. You can Revert the default rules, which restores the predefined settings or the settings pushed from Panorama. For details, see Overriding or Reverting a Security Policy Rule.
Move
Rules are evaluated top down, in the order enumerated on the Policies page, and the first rule that matches a session decides its action. A broad rule placed above a narrower one therefore shadows it, so check the order whenever rules overlap. To change the order in which the rules are evaluated against network traffic, select a rule and click Move Up, Move Down, Move Top, or Move Bottom. For details, see Move or Clone a Policy Rule.
Delete
Select a rule and click Delete to remove the existing rule.
Enable/Disable
To disable a rule, select the rule and click Disable. To enable a rule that is disabled, select the rule and click Enable.
View unused rules
To identify rules that have not matched any traffic since the last time the firewall was restarted, select Highlight Unused Rules. Rules not currently in use are displayed with a dotted yellow background. You can then decide whether to disable the rule or delete it.
Each firewall maintains a flag for each rule that has had a match. Because the flag is reset by the dataplane reset that occurs on a reboot or restart, a rule highlighted as unused may simply not have matched since the last restart. Monitor this list periodically and confirm that the rule has had no match since the last check before you delete or disable it; disabling first is the safer choice because it can be reverted.
Show/Hide columns
To show or hide the columns that display in the Policies pages, select this option next to the column name to toggle the display of each column.
Apply filters
To apply a filter to the list, select from the Filter Rules drop-down. To add a value to define a filter, click the drop-down for the item and choose Filter.
The default rules are not part of rulebase filtering and always show up in the list of filtered rules.
To view the network sessions that were logged as matches against the policy, click the drop-down for the rule name and choose Log Viewer.
To display the current value of an entry, click the drop-down for the entry and choose Value. You can also edit, filter, or remove certain items directly from the column menu. For example, to view the addresses included in an address group, hold your mouse over the object in the Address column, click the drop-down, and select Value. This lets you quickly view the members and the corresponding IP addresses for the address group without having to navigate to the Objects tab.
To find objects used within a policy based on their name or IP address, use the filter option. After you apply the filter, only the items that match the filter are shown. The filter also resolves embedded objects, such as the members of an address group. Example: when you filter on 10.1.4.8, only the policy rules that reference that address, directly or through a group, are displayed.
Preview rules (Panorama only)
Use Preview Rules to view the combined list of rules before you push them to the managed firewalls. Within each rulebase, the hierarchy of rules is visually demarcated for each device group (and managed firewall) to make it easier to scan through a large number of rules.
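The Move, Modify (default rules), View unused rules and Apply filters tasks above all rest on the same evaluation model: first match top down, the two predefined default rules consulted last, a per-rule hit flag that a restart clears, and a filter that looks inside address groups. The following Python model is an added example written for this page; it is not PAN-OS code and not Palo Alto Networks documentation. Every zone, rule name, address object, group and IP address in it is constructed for the example, and the rule_type field is a simplification of how the intrazone/interzone default rules are matched.

```python
"""Model of Security rulebase evaluation (constructed example, not PAN-OS code):
first match top-down, predefined default rules at the bottom, per-rule hit flags
that reset on restart, and a filter that resolves embedded address groups."""
from dataclasses import dataclass
import ipaddress

# Constructed address objects and one address group (stand-ins for the Objects tab).
ADDRESS_OBJECTS = {
    "db-server": "10.1.4.8/32",
    "web-server": "10.1.4.9/32",
    "corp-lan": "10.1.0.0/16",
}
ADDRESS_GROUPS = {"dmz-servers": ["db-server", "web-server"]}


def members(name):
    """Expand an address object or (possibly nested) group into networks."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if name in ADDRESS_GROUPS:
        return [n for m in ADDRESS_GROUPS[name] for n in members(m)]
    return [ipaddress.ip_network(ADDRESS_OBJECTS[name])]


def covers(name, ip):
    """True if the object or group `name` contains the address `ip`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in members(name))


@dataclass
class Rule:
    name: str
    from_zone: str        # zone name or "any"
    to_zone: str
    source: str           # address object/group name or "any"
    destination: str
    action: str           # "allow" or "deny"
    rule_type: str = "universal"   # "intrazone"/"interzone" for the defaults (assumption)
    disabled: bool = False
    hit: bool = False     # the per-firewall flag behind Highlight Unused Rules

    def matches(self, src_zone, dst_zone, src_ip, dst_ip):
        if self.disabled:
            return False
        if self.rule_type == "intrazone" and src_zone != dst_zone:
            return False
        if self.rule_type == "interzone" and src_zone == dst_zone:
            return False
        return (self.from_zone in ("any", src_zone)
                and self.to_zone in ("any", dst_zone)
                and covers(self.source, src_ip)
                and covers(self.destination, dst_ip))


# Predefined rules below every user rule: allow intrazone, deny interzone.
DEFAULT_RULES = [
    Rule("intrazone-default", "any", "any", "any", "any", "allow", "intrazone"),
    Rule("interzone-default", "any", "any", "any", "any", "deny", "interzone"),
]


def evaluate(rulebase, src_zone, dst_zone, src_ip, dst_ip):
    """The first matching rule, top-down, decides the action and gets its hit flag."""
    for rule in list(rulebase) + DEFAULT_RULES:
        if rule.matches(src_zone, dst_zone, src_ip, dst_ip):
            rule.hit = True
            return rule.name, rule.action
    raise AssertionError("unreachable: one default rule always matches")


def unused_rules(rulebase):
    """Rules with no match since the last dataplane restart."""
    return [r.name for r in rulebase if not r.hit]


def restart(rulebase):
    """A reboot or dataplane restart clears every hit flag."""
    for r in rulebase:
        r.hit = False


def filter_rules(rulebase, ip):
    """Rulebase filter on an IP that resolves embedded groups; the default
    rules are outside filtering and are always listed."""
    hits = [r.name for r in rulebase
            if (r.source != "any" and covers(r.source, ip))
            or (r.destination != "any" and covers(r.destination, ip))]
    return hits + [r.name for r in DEFAULT_RULES]


def move_top(rulebase, name):
    """Move Top: with overlapping rules, order decides which one wins."""
    rule = next(r for r in rulebase if r.name == name)
    rulebase.remove(rule)
    rulebase.insert(0, rule)


def demo():
    rulebase = [
        Rule("allow-lan-to-dmz", "trust", "dmz", "corp-lan", "dmz-servers", "allow"),
        Rule("block-db", "trust", "dmz", "any", "db-server", "deny"),
    ]
    # block-db is shadowed: the broader allow rule above it matches first.
    shadowed = evaluate(rulebase, "trust", "dmz", "10.1.20.5", "10.1.4.8")
    move_top(rulebase, "block-db")
    fixed = evaluate(rulebase, "trust", "dmz", "10.1.20.5", "10.1.4.8")
    # No user rule covers untrust -> dmz, so the interzone default denies it.
    default = evaluate(rulebase, "untrust", "dmz", "203.0.113.7", "10.1.4.9")
    return shadowed, fixed, default
```

Calling demo() returns the shadowed verdict ("allow-lan-to-dmz", "allow"), the verdict after Move Top ("block-db", "deny"), and the fall-through to ("interzone-default", "deny"); filter_rules(rulebase, "10.1.4.8") lists both user rules because the group dmz-servers contains db-server, which is what "the filter also works with embedded objects" means in practice.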