As mentioned above, a firewall controls traffic through rules, which are called security policies. Security policies are a basic concept and core function of firewalls. Firewalls provide security management and control capabilities through security policies.
As shown in Figure 1-4, a security policy consists of matching conditions, an action, and a content security profile. You can perform content security detection functions, such as antivirus and intrusion prevention, for allowed traffic.
Figure 1-4 Security policy composition and web UI
Each of the preceding matching conditions is optional in a security policy. The configured matching conditions are logically ANDed: traffic matches a security policy only when it matches every condition configured in that policy. If a matching condition contains multiple values, the values are logically ORed: traffic matches the condition as long as it matches any one of the values.
The more specific the matching conditions in a security policy, the more accurately it filters traffic. You can use just the 5-tuple (source and destination IP addresses, source and destination ports, and protocol) as matching conditions, but to filter traffic more precisely you add further conditions, such as application and user identification.
Firewall-based security policies and local security policies
The traffic passing through a firewall, traffic sent by a firewall, and traffic received by a firewall are controlled by security policies. As shown in Figure 1-5, an intranet PC needs to log in to and manage the firewall through Telnet and access the Internet through the firewall. In this case, you need to configure security policies for the two types of traffic.
Figure 1-5 Firewall-based security policy and local security policy
Table 1-1 Configurations of the firewall-based security policy and local security policy

| Policy type | Name | Source zone | Destination zone | Source address | Destination address | Service | Action |
|---|---|---|---|---|---|---|---|
| Firewall-based security policy | Allow PC to access Internet | trust | untrust | 10.1.1.2/24 | any | any | permit |
| Local security policy | Allow PC to telnet firewall | trust | local | 10.1.1.2/24 | 10.1.1.1/24 | telnet | permit |
In particular, this section describes local security policies, that is, security policies that involve the local zone. In the preceding example, the PC in the Trust zone logs in to the firewall, so a security policy from the Trust zone to the local zone is configured. If the firewall proactively accesses objects in other security zones, for example when it reports logs to a log server or connects to a security center to update signature databases, you need to configure security policies from the local zone to those security zones. To determine which zones the firewall and the external networks belong to, note that the firewall itself is always in the local zone; adding an interface to a security zone means only that the network connected to that interface belongs to the zone, not the firewall itself.
Default security policy and security policy list
The firewall has a default security policy named default, which blocks all interzone traffic by default. The default policy is always at the end of a policy list and cannot be deleted.
By default, user-created security policies are listed from top to bottom in ascending order of creation time, so the newest security policy sits just above the default security policy. After receiving traffic, the firewall matches it against the security policies from top to bottom. As soon as a security policy matches, the firewall stops matching and processes the traffic according to the action specified in that policy. If none of the manually created security policies matches, the default security policy is applied.
The order of the policy list therefore determines whether traffic is matched as intended. After creating a security policy, you need to adjust its position in the list manually if the default position is not the one you intend.
Suppose a server on the enterprise network has the IP address 10.1.1.1, and users in the office area on network segment 10.2.1.0/24 are allowed to access it; security policy policy1 is configured for this. After the network has been running for a period of time, two temporary office PCs (10.2.1.1 and 10.2.1.2) must be forbidden from accessing the server, so security policy policy2 is configured to deny them.
The newly configured security policy policy2 is placed below policy1. Because the address range of policy1 contains the address range of policy2, traffic from the two PCs matches policy1 first, and policy2 can never be matched.
| No. | Name | Source address | Destination address | Action |
|---|---|---|---|---|
| 1 | policy1 | 10.2.1.0/24 | 10.1.1.1 | Permit |
| 2 | policy2 | 10.2.1.1, 10.2.1.2 | 10.1.1.1 | Deny |
| 3 | default | any | any | Deny |
You need to manually move policy2 prior to policy1. After the adjustment, the security policies are as follows:
| No. | Name | Source address | Destination address | Action |
|---|---|---|---|---|
| 1 | policy2 | 10.2.1.1, 10.2.1.2 | 10.1.1.1 | Deny |
| 2 | policy1 | 10.2.1.0/24 | 10.1.1.1 | Permit |
| 3 | default | any | any | Deny |
Therefore, when configuring security policies, keep the specific-before-general order. When adding a new security policy, check how it relates to the existing ones, and if the resulting order is not as expected, adjust it.
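As an added example (not Huawei's code), the following Python model implements the matching rules described on this page, conditions ANDed, values within a condition ORed, top-down first match and a default deny, and adds a check that reports a policy hidden beneath a broader earlier one; it is applied to the policy1/policy2 example above. The dictionary layout, function names and the constructed traffic are assumptions.

```python
import ipaddress

# Constructed model of the page's matching rules (added example, not vendor
# code). Each policy is a dict of optional conditions plus name and action.
CONDITIONS = ("src_zone", "dst_zone", "src_addr", "dst_addr", "service")

def _as_net(value):
    """CIDR or host string -> IP network; zone/service names return None."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None

def _value_matches(configured, actual):
    """One configured value against one traffic attribute."""
    if configured == "any":
        return True
    net = _as_net(configured)
    if net is not None:
        return ipaddress.ip_address(actual) in net
    return configured == actual          # zone or service name

def _policy_matches(policy, traffic):
    """All configured conditions must hold (AND); an unset condition means any."""
    return all(policy.get(c) is None or any(_value_matches(v, traffic[c]) for v in policy[c])
               for c in CONDITIONS)

def evaluate(policies, traffic):
    """Top-down first match; the built-in default policy denies the rest."""
    for policy in policies:
        if _policy_matches(policy, traffic):
            return policy["name"], policy["action"]
    return "default", "deny"

def _covers(broad, narrow):
    """True if every value of the narrow condition lies inside the broad one."""
    if broad is None or "any" in broad:
        return True
    if narrow is None or "any" in narrow:
        return False
    def inside(n, b):
        nn, bn = _as_net(n), _as_net(b)
        return n == b if nn is None or bn is None else nn.subnet_of(bn)
    return all(any(inside(n, b) for b in broad) for n in narrow)

def shadowed(policies):
    """Names of policies fully covered by one earlier policy, so never matched."""
    return [p["name"] for i, p in enumerate(policies)
            if any(all(_covers(q.get(c), p.get(c)) for c in CONDITIONS) for q in policies[:i])]
# Constructed policies and traffic from the page's policy1/policy2 example.
POLICY1 = {"name": "policy1", "src_addr": ["10.2.1.0/24"], "dst_addr": ["10.1.1.1"], "action": "permit"}
POLICY2 = {"name": "policy2", "src_addr": ["10.2.1.1", "10.2.1.2"], "dst_addr": ["10.1.1.1"], "action": "deny"}
TEMP_PC = {"src_zone": "trust", "dst_zone": "dmz", "src_addr": "10.2.1.1", "dst_addr": "10.1.1.1", "service": "http"}
```

With policy1 listed first, `shadowed` reports policy2 and the temporary PC is permitted; with the order swapped, the PC is denied while the rest of 10.2.1.0/24 still matches policy1.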
For details about how to configure security policies, see Huawei Firewall Security Policy Essentials.