Set Up a Basic Security Policy
Now that you have defined some zones and attached them to interfaces, you are ready to begin creating your Security policy. The firewall does not allow traffic to flow from one zone to another unless a Security policy rule allows it: the predefined interzone-default rule denies traffic between zones, while the predefined intrazone-default rule allows traffic within a zone. When a packet enters a firewall interface, the firewall matches the attributes of the packet against the Security policy rules to determine whether to allow or block the session, based on attributes such as the source and destination security zone, the source and destination IP address, the application, the user, and the service. The firewall evaluates traffic against the Security policy rulebase from top to bottom and takes the action specified in the first rule that matches (for example, allow, deny, or drop); no later rule is consulted. You must therefore order the rules in your rulebase so that more specific rules sit above more general rules. A general rule placed above a more specific one shadows it, and the specific rule never matches, so the firewall will not enforce policy as you intended.
The following workflow shows how to set up a very basic Internet gateway security policy that enables access to the network infrastructure, to data center applications, and to the Internet. This will enable you to get the firewall up and running so that you can verify that you have successfully configured the firewall. This policy is not comprehensive enough to protect your network. After you verify that you have successfully configured the firewall and integrated it into your network, proceed to Policy to learn how to create a Best Practice Internet Gateway Security Policy that will safely enable application access while protecting your network from attack.
Define Basic Security Policy Rules
(Optional) Delete the default security policy rule. By default, the firewall includes a security rule named rule1 that allows all traffic from the Trust zone to the Untrust zone. Either delete the rule or modify it to reflect your zone naming conventions. If you keep it as an allow-any rule, make sure it does not sit above the more specific rules you create next, because it would shadow them.
Create the File Blocking profiles you will need to prevent upload/download of malicious files and for drive-by download protection. Configure a File Blocking profile for general use. You will attach this profile to most of your security profiles to block files known to carry threats or that have no real business use for upload/download. Configure a File Blocking profile for risky traffic. You will attach this profile to security policy rules that allow general web access to prevent users from unknowingly downloading malicious files from the Internet.
Allow access to your network infrastructure resources.
Select Policies > Security and click Add.
Enter a descriptive Name for the rule in the General tab.
In the Source tab, set the Source Zone to Users.
In the Destination tab, set the Destination Zone to IT Infrastructure. As a best practice, use address objects in the Destination Address field so that users can reach only specific servers or groups of servers, particularly for services such as DNS and SMTP that are commonly abused. Restricting users to known destination servers makes it harder for data exfiltration or command-and-control traffic to reach an attacker's server, for example through DNS tunneling.
In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select dns, ntp, ocsp, ping, and smtp.
In the Service/URL Category tab, keep the Service set to application-default, so that each application is allowed only on its standard ports.
In the Actions tab, set the Action Setting to Allow. Select Profiles as the Profile Type. Select the default profiles for Antivirus and URL Filtering, the strict profiles for Vulnerability Protection and Anti-Spyware, and the File Blocking profile you configured for general use.
Verify that Log at Session End is enabled. Only traffic that matches a security policy rule is logged, and the predefined interzone-default rule does not log by default; override that rule and enable Log at Session End on it as well if you want denied interzone traffic to appear in the Traffic log.
Click OK.
Enable access to general Internet applications. This is a temporary rule that allows you to gather information about the traffic on your network. After you have more insight into which applications your users need, you can make informed decisions about what to allow and create more granular application-based rules for each user group.
Select Policies > Security and click Add.
Enter a descriptive Name for the rule in the General tab.
In the Source tab, set the Source Zone to Users.
In the Destination tab, set the Destination Zone to Internet.
In the Applications tab, Add an Application Filter and enter a Name. To safely enable access to legitimate web-based applications, set the Category in the application filter to general-internet and then click OK. To enable access to encrypted sites, Add the ssl application.
In the Service/URL Category tab, keep the Service set to application-default.
In the Actions tab, set the Action Setting to Allow. Select Profiles as the Profile Type. Select the default profiles for Antivirus and URL Filtering, the strict profiles for Vulnerability Protection and Anti-Spyware, and the strict File Blocking profile you configured for risky traffic.
Verify that Log at Session End is enabled. Only traffic that matches a security policy rule is logged.
Click OK.
Enable access to data center applications.
Select Policies > Security and click Add.
Enter a descriptive Name for the rule in the General tab.
In the Source tab, set the Source Zone to Users.
In the Destination tab, set the Destination Zone to Data Center Applications.
In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select activesync, imap, kerberos, ldap, ms-exchange, and ms-lync.
In the Service/URL Category tab, keep the Service set to application-default.
In the Actions tab, set the Action Setting to Allow. Select Profiles as the Profile Type. Select the default profiles for Antivirus and URL Filtering, the strict profiles for Vulnerability Protection and Anti-Spyware, and the File Blocking profile you configured for general use.
Verify that Log at Session End is enabled. Only traffic that matches a security policy rule is logged.
Click OK.
Save your policies to the running configuration on the firewall. Click Commit. Until you commit, the new rules exist only in the candidate configuration and are not enforced.
To verify that you have set up your basic policies effectively, test whether your security policy rules are being evaluated and determine which security policy rule applies to a traffic flow. To verify the policy rule that matches a flow, use the following CLI command in operational mode:

    test security-policy-match source <IP_address> destination <IP_address> destination-port <port_number> application <application_name> protocol <protocol_number>

The protocol argument is the IP protocol number (6 for TCP, 17 for UDP), not the port; the port belongs in destination-port. The output displays the best rule that matches the attributes you specified. For example, to verify the policy rule that will be applied for a client in the Users zone with the IP address 10.35.14.150 when it sends a DNS query over UDP to the DNS server 10.43.2.2 in the data center:

    test security-policy-match source 10.35.14.150 destination 10.43.2.2 application dns protocol 17 destination-port 53

    "Network Infrastructure" {
        from Users;
        source any;
        source-region none;
        to Data_Center;
        destination any;
        destination-region none;
        user any;
        category any;
        application/service dns/any/any/any;
        action allow;
        icmp-unreachable: no
        terminal yes;
    }

The zone and rule names in the output come from your own configuration. If the command returns interzone-default or a rule you did not expect, check the rule order: a broader rule above the intended one is shadowing it. Adding show-all yes to the command lists every rule that would match the flow, not only the first, which makes shadowing easy to spot.
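The ordering rule described at the top of this page and the check that test security-policy-match performs can be illustrated offline. The following Python script is an added example, not PAN-OS code: it models the three rules from the workflow above as data, evaluates a flow top-down with first match winning (falling back to the predefined intrazone-default and interzone-default rules), honors application-default by only accepting an application on its standard ports, and flags rules that a broader rule above them shadows. The address object 10.43.2.0/24, the application-default port table, the explicit App-IDs standing in for the general-internet application filter, the allow-any "rule1" and the sample flows are all constructed for illustration and are not from the page.

```python
# Added example (not PAN-OS code): offline model of top-down, first-match
# Security policy evaluation plus a shadowed-rule check. The real check on the
# firewall is "test security-policy-match"; this only illustrates the logic.
# Address objects, the application-default port table and the flows below are
# constructed for illustration and are not taken from the page.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for App-ID's application-default ports: app -> {(proto, port)}
APP_DEFAULT_PORTS = {
    "dns": {(17, 53), (6, 53)}, "ntp": {(17, 123)}, "smtp": {(6, 25)},
    "ssl": {(6, 443)}, "web-browsing": {(6, 80)}, "ldap": {(6, 389), (17, 389)},
}

@dataclass
class Rule:
    name: str
    from_zone: set        # {"any"} or zone names
    to_zone: set
    destination: set      # {"any"} or CIDR strings (address objects)
    application: set      # {"any"} or App-IDs
    service: str = "application-default"   # or "any"
    action: str = "allow"

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    protocol: int
    dst_port: int
    application: str

def _zone_ok(rule_zones, zone):
    return "any" in rule_zones or zone in rule_zones

def _addr_ok(rule_addrs, ip):
    return "any" in rule_addrs or any(ip_address(ip) in ip_network(a) for a in rule_addrs)

def _service_ok(rule, flow):
    if rule.service == "any":
        return True
    # application-default: only the application's standard ports are accepted
    return (flow.protocol, flow.dst_port) in APP_DEFAULT_PORTS.get(flow.application, set())

def matches(rule, flow):
    return (_zone_ok(rule.from_zone, flow.src_zone)
            and _zone_ok(rule.to_zone, flow.dst_zone)
            and _addr_ok(rule.destination, flow.dst_ip)
            and ("any" in rule.application or flow.application in rule.application)
            and _service_ok(rule, flow))

def first_match(rules, flow):
    """Top-down evaluation; the first matching rule decides. With no match the
    predefined rules apply: intrazone-default allows, interzone-default denies."""
    for rule in rules:
        if matches(rule, flow):
            return rule.name, rule.action
    if flow.src_zone == flow.dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"

def _covers(earlier, later, nets=False):
    """True if every value the later rule accepts is also accepted by the earlier rule."""
    if "any" in earlier:
        return True
    if "any" in later:
        return False
    if not nets:
        return later <= earlier
    return all(any(ip_network(b).subnet_of(ip_network(a)) for a in earlier) for b in later)

def shadowed_rules(rules):
    """(rule, shadowing rule) pairs: rules that can never match because a rule
    above them already matches everything they would."""
    result = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.from_zone, later.from_zone)
                    and _covers(earlier.to_zone, later.to_zone)
                    and _covers(earlier.destination, later.destination, nets=True)
                    and _covers(earlier.application, later.application)
                    and earlier.service in ("any", later.service)):
                result.append((later.name, earlier.name))
                break
    return result

# The three rules from the workflow. Zone names follow the page; the address
# object 10.43.2.0/24 and the explicit App-IDs replacing the general-internet
# application filter are assumptions.
RULEBASE = [
    Rule("Network Infrastructure", {"Users"}, {"IT Infrastructure"},
         {"10.43.2.0/24"}, {"dns", "ntp", "ocsp", "ping", "smtp"}),
    Rule("General Internet", {"Users"}, {"Internet"}, {"any"}, {"web-browsing", "ssl"}),
    Rule("Data Center Applications", {"Users"}, {"Data Center Applications"},
         {"any"}, {"activesync", "imap", "kerberos", "ldap", "ms-exchange", "ms-lync"}),
]
# A leftover allow-any rule such as a modified rule1 (constructed).
CATCH_ALL = Rule("rule1", {"Users"}, {"any"}, {"any"}, {"any"}, service="any")

# The flow from the test security-policy-match example: a UDP DNS query.
DNS_QUERY = Flow("Users", "IT Infrastructure", "10.35.14.150", "10.43.2.2", 17, 53, "dns")
# The same query to a non-standard port: application-default rejects it.
DNS_ODD_PORT = Flow("Users", "IT Infrastructure", "10.35.14.150", "10.43.2.2", 17, 5353, "dns")

if __name__ == "__main__":
    print(first_match(RULEBASE, DNS_QUERY))        # ('Network Infrastructure', 'allow')
    print(first_match(RULEBASE, DNS_ODD_PORT))     # ('interzone-default', 'deny')
    print(shadowed_rules([CATCH_ALL] + RULEBASE))  # all three rules shadowed by rule1
    print(shadowed_rules(RULEBASE + [CATCH_ALL]))  # []
```

The last two calls show the point made in the introduction: the same allow-any rule is harmless at the bottom of the rulebase but, placed at the top, it shadows every rule beneath it, and the firewall would then apply that rule's action and profiles to all of the traffic you meant to control with the more specific rules.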