Some policy profiles come with preconfigured default rules. You can either customize the default profiles by adding or modifying policies, or create new profiles with explicit policies. Explicit policies have precedence over predefined ones. The matching algorithm works as follows: All policies (explicit and default) apply top down. That means the first policy in the list that matches applies. Policies below the first match will not apply. First, the explicit policies are searched for matches. If there is an explicit rule that matches, this explicit rule will be used. Otherwise, the default rules are searched, and if there is a rule that matches, this rule will be used. For general information on the different types of profiles, see Policy Profiles. Policy profiles can be applied to forwarding rules, for example, instead of introducing firewall objects (for general information, see Firewall Objects).
Policy Profiles - Configuration Functions
On the Firewall Control Center, the policy profiles configuration window offers the following functions, depending on the policy type:
Shared Policy Profiles – Displays the policy profiles in the upper window that contain default and/or explicit policies. Selecting a profile shows the policies under the corresponding tab in the lower window, where you can create and modify the policy entries. To create a new policy profile, click the green plus icon () in the top-right corner of the window. To remove a profile from the list, click the delete icon ().
Default / Explicit Policy Profile – The tabs in the lower window show all policies that are available by default or that have been explicitly created for a selected profile, depending on the policy type. Click the plus icon () at the top right of the lower window to create a new policy for a selected profile. Double-click an entry, or use the pen icon (), to edit the settings. This icon also becomes visible in the top-right corner for in-place editing when hovering over a field. To remove a policy, click the delete icon ().
To select applications, use the application filtering search bar.
References – Shows profile-specific dependencies, such as type, range, cluster, and firewall unit a selected policy object refers to.
On the CloudGen Firewall, you can access the policies via the forwarding rule set. To view the profiles configured for an instance, go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules. Depending on the configuration level of the policies you want to use, you can select global profiles or profiles that have been created on a specific range or cluster by expanding the selection menu on the top-right of the rules window.
Configuring Policy Profiles
You can either edit a policy profile and make your adjustments to the associated policies, or create explicit profiles with custom policies.
Before You Begin
When configuring policies on a CloudGen Firewall, enable policy profiles in the forwarding firewall rule set to switch from the application rule set to policies to be used in rules.
On the CloudGen Firewall, go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
In the left menu, expand Settings and select Setup. The Ruleset Setup window opens.
From the Application Control drop-down list, select Policy Profiles.
Click OK.
Customizing Policy Profiles
Edit a policy profile on the Firewall Control Center, or make your adjustments to the default policies according to the settings described in the individual steps for each profile type under the section Create Policy Profiles and Policies below.
On the Control Center, go to CONFIGURATION > Configuration Tree > Multi-Range > Global Settings > Global Firewall Objects.
Click Lock.
In the left menu, expand Policy Profiles and select the profile type you want to configure. The policy profile configuration window opens.
Select the profile you want to customize. If any policies are associated with a selected profile, they appear in the corresponding tab in the lower window. You can also select and customize a default policy in the lower window.
Edit the policy entries and configure the settings as described in the individual steps for each profile type.
Click OK.
Click Send Changes and Activate.
Creating Policy Profiles and Policies
Create new profiles and add explicit policies to match individual requirements. See the following articles for instructions on how to create and configure policy profiles:
Applying Policies to Access Rules
The policy profiles listed under Policies / Shared Profiles can be selected when defining policy handling in forwarding rules. To enable policy profiles in an access rule, expand the Policies drop-down menu in the configuration and select how the rule should process traffic associated with the rule.
Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
Create or edit the rule you wish to apply the profile to.
In the rule configuration window, expand the Policies drop-down menu and select one of the following options:
All Policy Profiles – Enable all policy profiles for the rule.
Policy Profiles (No SD-WAN Policies) – Enable all policy profiles except SD-WAN policies.
None – Do not use policy profiles.
When creating an access rule, you can also specify the connection method. For detailed information on the NAT Mode parameter, see How to Create SD-WAN Policies. For general information on forwarding rules, see instructions on how to create rules under Access Rules.