Security Policies Template
Use this page to set up security policies, also known as zone-based firewalls.
CAUTION: If segmentation is enabled, do not use the Security Policies Template. Instead, configure Security Policies from the Routing Segmentation (VRF) tab.
Zones are created on the Orchestrator and applied to an Interface.
By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with different zones is dropped. Users can create exception rules (Security Policies) to allow traffic between interfaces with different zones.
When you create an interface, it is assigned the Default zone.
If you create a new zone and assign it to an interface, all traffic between that interface and the rest of the interfaces (which are still in the Default zone) is dropped. For this reason, zone creation and assignment to interfaces should be performed during a planned network maintenance window.
You can also assign a zone label to an Overlay. On a new system, all overlays are assigned the Default zone.
Traffic between an Interface and an Overlay follows the same rules as traffic between two Interfaces or two Overlays: traffic is allowed between zones with the same label, and any traffic between different zones is dropped. Users can create Security Policies to allow traffic between different zones.
Implicit Drop Logging
Implicit Drop Logging lets you configure the logging level for implicit zone-based firewall drops. By default, implicit zone-based firewall drops apply to inter-zone traffic. For example, if all zone_x to zone_y traffic is left at the default Deny All (all the red cells in the matrix), that traffic is dropped by the zone-based firewall engine.
Select one of the following levels for the Implicit Drop Logging from the list: None, Emergency, Alert, Critical, Error, Warning, Notice, Info, or Debug.
NOTE: The default logging level is Alert.
Template
Complete the following steps to create a Security Policies Template:
Create zone names in Configuration > Overlays & Security > Security > Firewall Zones.
Create security policies to define exceptions.
To edit or add a rule, select the desired square in the matrix, and when the Edit Rules pop-up appears, make the desired changes.
Select the edit icon in the Match Criteria column and the Match Criteria pop-up appears. Make the desired changes.
You can select More Options to customize your rules. Select the check box next to the specific match criteria and select your desired changes from the list.
Click Save.
Wildcard-based Prefix Matching
When using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by the dot notation. For example, A.B.C.D.
Range is specified using a dash. For example, 128-129.
Wildcard is specified as an asterisk (*).
Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For example, 10.136-137.*.64-95.
A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. The correct way to specify this range is 10.130-139.*.64-94.
The same rules apply to IPv6 addressing.
CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either 192.168.0.0/24 or 192.168.0.1-127.
These prefix-matching rules only apply to the following policies: Router, QoS, Optimization, NAT, Security, and ACLs.
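The following is an added example, not the Orchestrator's own code, showing how the IPv4 range/wildcard rules above can be validated and applied: a pattern such as 10.136-137.*.64-95 is parsed into per-octet bounds, partial wildcards like 13* and mixed CIDR/range input are rejected, and an address can be tested against a pattern. It is restricted to IPv4 and enforces only the rules stated on this page.

```python
import ipaddress
import re

# Added example (not the Orchestrator's own code): validate and match the
# IPv4 range/wildcard address patterns described above, e.g. "10.136-137.*.64-95".
# Only the rules stated on this page are enforced.
_OCTET = re.compile(r"(\d{1,3})(?:-(\d{1,3}))?")

def parse_pattern(pattern: str):
    """Return an IPv4Network for CIDR input, or four (low, high) octet bounds
    for range/wildcard input; raise ValueError if the page's rules reject it."""
    if "/" in pattern:
        # CIDR and (range or wildcard) are mutually exclusive in one address.
        if "*" in pattern or "-" in pattern:
            raise ValueError("CIDR cannot be combined with a range or wildcard")
        return ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError("expected four dot-separated octets (A.B.C.D)")
    bounds = []
    for octet in octets:
        if octet == "*":  # a wildcard stands for the entire octet
            bounds.append((0, 255))
            continue
        if "*" in octet:  # "13*" or "64-*": partial wildcard, or range plus wildcard
            raise ValueError(f"wildcard must be a whole octet: {octet!r}")
        m = _OCTET.fullmatch(octet)
        if m is None:
            raise ValueError(f"malformed octet: {octet!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 0 <= low <= high <= 255:
            raise ValueError(f"octet bounds out of order or out of range: {octet!r}")
        bounds.append((low, high))
    return bounds

def is_valid(pattern: str) -> bool:
    try:
        parse_pattern(pattern)
        return True
    except ValueError:
        return False

def matches(pattern: str, address: str) -> bool:
    spec = parse_pattern(pattern)
    if not isinstance(spec, list):  # CIDR network
        return ipaddress.ip_address(address) in spec
    octets = [int(o) for o in address.split(".")]
    return all(low <= o <= high for o, (low, high) in zip(octets, spec))
```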