Use Device Groups to Push Policy Rules

Create device groups and assign the appropriate firewalls to each device group: see Add a Device Group.
In this example, create device groups named DG_BranchAndRegional and DG_DataCenter.
When configuring the DG_BranchAndRegional device group, you must assign a
Master
firewall. This is the only firewall in the device group that gathers user and group mapping information for policy evaluation.
Create a shared pre-rule to allow DNS and SNMP services.
Create a shared application group for the DNS and SNMP services.
Select
Objects
Application Group
and click
Add
.
Enter a
Name
and select the
Shared
check box to create a shared application group object.
Click
Add
, type
DNS
, and select
dns
from the list. Repeat for SNMP and select
snmp
,
snmp-trap
.
Click
OK
to create the application group.
Create the shared rule.
Select the
Policies
tab and, in the
Device Group
drop-down, select
Shared
.
Select the
Security
Pre-Rules
rulebase.
Click
Add
and enter a
Name
for the security rule.
In the
Source
and
Destination
tabs for the rule, click
Add
and enter a
Source Zone
and a
Destination Zone
for the traffic.
In the
Applications
tab, click
Add
, type the name of the applications group object you just created, and select it from the drop-down.
In the
Actions
tab, set the
Action
to
Allow
, and click
OK
.
Define the corporate acceptable use policy for all offices. In this example, create a shared rule that restricts access to some URL categories and denies access to peer-to-peer traffic that is of risk level 3, 4, or 5.
Select the
Policies
tab and, in the
Device Group
drop-down, select
Shared
.
Select
Security
Pre-Rules
and click
Add
.
In the
General
tab, enter a
Name
for the security rule.
In the
Source
and
Destination
tabs, click
Add
and select
any
for the traffic
Source Zone
and
Destination Zone
.
In the
Application
tab, define the application filter:
Click
Add
and click
New Application Filter
in the footer of the drop-down.
Enter a
Name
, and select the
Shared
check box.
In the Risk column, select levels
3
,
4
, and
5
.
In the Technology column, select
peer-to-peer
.
Click
OK
to save the new filter.
In the
Service/URL Category
tab, URL Category section, click
Add
and select the categories you want to block (for example,
streaming-media
,
dating
, and
online-personal-storage
).
You can also attach the default URL Filtering profile—In the
Actions
tab, Profile Setting section, select the
Profile Type
option
Profiles
, and select the
URL Filtering
option
default
.
Click
OK
to save the security pre-rule.
Allow Facebook for all users in the Marketing group in the regional offices only.
Enabling a security rule based on user and group has the following prerequisite tasks:
Set up User-ID on the firewalls.
Enable User-ID for each zone that contains the users you want to identify.
Define a master firewall for the DG_BranchAndRegional device group (see step 1).
Select the
Policies
tab and, in the
Device Group
drop-down, select DG_BranchAndRegional.
Select the
Security
Pre-Rules
rulebase.
Click
Add
and enter a
Name
for the security rule.
In the
Source
tab,
Add
the Source Zone that contains the Marketing group users.
In the
Destination
tab,
Add
the Destination Zone.
In the
User
tab,
Add
the Marketing user group to the Source User list.
In the
Application
tab, click
Add
, type
Facebook
, and then select it from the drop-down.
In the
Action
tab, set the
Action
to
Allow
.
In the
Target
tab, select the regional office firewalls and click
OK
.
Allow access to the Amazon cloud application for the specified hosts/servers in the data center.
Create an address object for the servers/hosts in the data center that need access to the Amazon cloud application.
Select
Objects
Addresses
and, in the
Device Group
drop-down, select DG_DataCenter.
Click
Add
and enter a
Name
for the address object.
Select the
Type
, and specify an IP address and netmask (
IP Netmask
), range of IP addresses (
IP Range
), or
FQDN
.
Click
OK
to save the object.
Create a security rule that allows access to the Amazon cloud application.
Select
Policies
Security
Pre-Rules
and, in the
Device Group
drop-down, select DG_DataCenter.
Click
Add
and enter a
Name
for the security rule.
Select the
Source
tab,
Add
the Source Zone for the data center, and
Add
the address object (Source Address) you just defined.
Select the
Destination
tab and
Add
the Destination Zone.
Select the
Application
tab, click
Add
, type
amazon
, and select the Amazon applications from the list.
Select the
Action
tab and set the
Action
to
Allow
.
Click
OK
to save the rule.
To enable logging for all internet-bound traffic on your network, create a rule that matches trust zone to untrust zone.
Select the
Policies
tab and, in the
Device Group
drop-down, select
Shared
.
Select the
Security
Pre-Rules
rulebase.
Click
Add
and enter a
Name
for the security rule.
In the
Source
and
Destination
tabs for the rule,
Add
trust_zone
as the Source Zone and
untrust_zone
as the Destination Zone.
In the
Action
tab, set the
Action
to
Deny
, set the
Log Setting
to
Log at Session end
, and click
OK
.