Each Access Control Service belongs to a so-called trustzone. To enforce security policies across multiple F-Series Firewalls, the Control Center provides Access Control Service Trustzones as global objects (see also: Configuring Access Control Objects). This advanced feature allows all Access Control services within the same trustzone to share the same set of security policies. In addition, they share a signing key, so that a mutual trust relationship can be established.
On stand-alone firewalls, configuration of the trustzone is located in the CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Access Control Service > Access Control Service Trustzones.
The Control Center provides Access Control Service Trustzones in the Global Settings, Range Settings, or Cluster Settings.
The predefined Access Control Service Trustzones can be referenced by navigating to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Access Control Service > Access Control Service Settings > System Health-Validator > Trustzone.
The NextGen Control Center automatically links the trustzone to the appropriate global / range / cluster object.
Each trustzone contains three policy rulesets. The local machine policy ruleset is used to determine a policy for a connecting machine when no user is logged in. As soon as the connecting client requests user authentication, the current user policy ruleset is used for policy matching.
If the connection attempt is mediated by an intermittent VPN service, the VPN policy ruleset is used instead.
Create an Access Control Server service within CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Access Control Service. Click Access Control Service Trustzone to open the configuration dialogue.
Identity Matching - Basic
The first step when processing a policy ruleset (either local machine, current user, or VPN) is to determine the client's identity.
Depending on the value of Basic Matching > Policy Matching, either all or one of the specified criteria must match to determine the client's identity. If the identity match fails, the next rule is considered.
Access Control Service Trustzone > Rules > Identity Matching Basic > Basic Identity Matching

| Parameter | Description |
| --- | --- |
| Policy Name | The name of the policy. This name is visible in the log file and in the access cache. |
| Deactivate Policy | Disables the configured policy. |
| External | When set, this policy rule is ignored for internal connections (connections to an IP address not defined in External IPs). |
Each policy rule can be assigned a date and time restriction. The date restriction consists of a Start Date and an End Date; outside that period the policy rule is ignored.
Click the respective icon to configure allowed and disallowed time intervals simultaneously.
Select Continue if mismatch to proceed with the health evaluation process within the policy ruleset of the next rule (default).
Access Control Service Trustzone > Rules > Identity Matching Basic > Basic Matching

Set this to All-of-following if all of the identity matching parameters (basic and advanced), except the empty ones, must match for a successful identity verification. If just one field does not match, the identity is not verified within this policy rule, and the health match process proceeds with the next policy rule in the policy ruleset.
Set this to One-of-following to let the identity verification succeed if just one field matches.
Empty fields will be ignored in both cases.
At least one of the user's groups must match at least one of the defined group patterns for successful identity verification.
For example, MSAD groups must be entered as follows:
| Parameter | Description |
| --- | --- |
| Net Bios Domain | A NetBIOS domain; only users belonging to that domain match. |
| User [Login Name] | Username patterns consist of the login name (without the leading DOMAIN\). |
| Networks | The user's peer address must be part of at least one of these networks. |
| Allowed OS Versions | Allowed or explicitly denied client OS versions. OS versions must be one of the listed Microsoft Windows versions. |
Possible values for Policy on OS are:
| Parameter | Description |
| --- | --- |
| Hostnames | Enter hostnames here. Patterns may be used. |
Identity Matching - Advanced
Access Control Service Trustzone > Rules > Identity Matching Advanced > Advanced Identity Matching

| Parameter | Description |
| --- | --- |
| MAC Addresses | Patterns may be used. |
| Microsoft Machine SIDs | A SID is a globally unique machine identifier generated by Microsoft operating systems. It is shown in the Access Control Server's access cache. Patterns may be used. |
Access Control Service Trustzone > Rules > Identity Matching Advanced > Certificate Conditions
The X.509 subject of the client's authentication certificate must match at least one of these patterns. For example: CN=name-*, O=my-company.
The subject of the issuer of the client's certificate must match at least one of these patterns. For example: CN=name-*, O=my-company.
The subject alternative name of the client's authentication certificate must match at least one of these patterns. For example: IP:10.0.10.*.
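The following Python is an added illustration, not code from the product or this page: it models how a policy ruleset is walked for identity matching as described above (Basic Matching with All-of-following or One-of-following, empty fields ignored, glob patterns on groups, names and certificate fields, CIDR membership for Networks, deactivated rules skipped) and the No Rule Exception outcome described later under Policy Assignments. The field names, the sample ruleset and the sample client are constructed for the example; the product's real data structures are not known here.

```python
import fnmatch
import ipaddress

def _glob_any(values, patterns):
    """True if any client value matches any pattern (case-insensitive glob)."""
    return any(fnmatch.fnmatch(v.lower(), p.lower()) for v in values for p in patterns)

def field_matches(field, patterns, client):
    """One criterion: Networks by CIDR membership of the peer address, all others by pattern."""
    if field == "networks":
        addr = ipaddress.ip_address(client["ip"])
        return any(addr in ipaddress.ip_network(n, strict=False) for n in patterns)
    values = client.get(field, [])
    return _glob_any([values] if isinstance(values, str) else values, patterns)

def identity_matches(rule, client):
    """Basic Matching: All-of-following needs every non-empty field to match,
    One-of-following needs just one; empty fields are ignored in both cases."""
    filled = {f: p for f, p in rule["criteria"].items() if p}
    if not filled:   # a rule with no criteria identifies nobody (assumption; not stated on the page)
        return False
    combine = all if rule["policy_matching"] == "All-of-following" else any
    return combine(field_matches(f, p, client) for f, p in filled.items())

def select_rule(ruleset, client):
    """Walk the ruleset in order. A rule whose identity match succeeds is selected
    unless Continue Match is set on it; if nothing is selected the client stays
    untrusted and gets the No Rule Exception attributes (returned as None here)."""
    for rule in ruleset:
        if rule.get("deactivated"):
            continue
        if identity_matches(rule, client) and not rule.get("continue_match"):
            return rule["name"]
    return None

# Constructed sample ruleset and client (field names are this example's own, not the product's).
RULESET = [
    {"name": "Admin workstations", "policy_matching": "All-of-following",
     "criteria": {"groups": ["*\\Domain Admins"], "networks": ["10.0.10.0/24"]}},
    {"name": "VPN audit rule", "policy_matching": "All-of-following", "continue_match": True,
     "criteria": {"groups": ["*\\VPN-Users"], "cert_san": ["IP:10.0.10.*"], "hostname": []}},
    {"name": "Office clients", "policy_matching": "One-of-following",
     "criteria": {"networks": ["10.0.10.0/24", "10.0.20.0/24"],
                  "cert_subject": ["CN=name-*, O=my-company"]}},
]
CLIENT = {"groups": ["MYCORP\\Domain Users", "MYCORP\\VPN-Users"], "domain": "MYCORP",
          "user": "jdoe", "ip": "10.0.10.42", "hostname": "ws-042",
          "cert_subject": "CN=ws-042, O=my-company", "cert_san": "IP:10.0.10.42"}

if __name__ == "__main__":
    print(select_rule(RULESET, CLIENT))   # Office clients: rule 2 matched but had Continue Match set
```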
Required Health State - Basic
After successful verification of the client’s identity, this configuration entity is used for determining the client’s health state. Some of the parameters provide the following options:
- Not required: The result of the health evaluation does not depend on this parameter.
- Required: If the parameter does not match, the user is notified and manual action is required. In addition, the client's health state changes to Probation.
- The third option notifies the client as well, but tries to automatically execute the necessary actions to fulfill the health requirements. During this period, the client's health state changes to Probation.
Access Control Service Trustzone > Rules > Required Health State Basic > Service Settings

- Personal Firewall On
- Antivirus Scanner On
- Antispyware Scanner On
Access Control Service Trustzone > Rules > Required Health State Basic > Miscellaneous

| Parameter | Description |
| --- | --- |
| Registry Check Rules | Select a registry check object. To be healthy, the client's registry entries must match those of the selected registry check object. |
Access Control Service Trustzone > Rules > Required Health State Basic

| Parameter | Description |
| --- | --- |
| Antivirus | Enable or disable the Antivirus settings parameters. For the parameter description, see the next list. Default: not selected. |
| Antispyware | Enable or disable the Antispyware settings parameters. For the parameter description, see the next list. Default: not selected. |
Access Control Service Trustzone > Rules > Required Health State Basic > Antivirus

- AV Real Time Protection
- Last AV Scan Not Older Than
- Last AV Scan Action
- AV Engine Required
- AV Patterns Not Older Than (h)
- AV Engine/Pattern Action

Choose one or more entries from the list of Virus Scanner vendors to enforce that a specific Virus Scanner product is installed on the client. Virus Scanner products not listed here are ignored in the health validation process, which makes this option especially useful for excluding certain Virus Scanner products from the validation. The list of available Virus Scanner vendors is created dynamically.
Access Control Service Trustzone > Rules > Required Health State Basic > Antispyware

- AS Real Time Protection
- Last AS Scan Action
- Last AS Scan Not Older Than
- AS Engine Required
- AS Pattern Definitions Required
- AS Patterns Not Older Than (h)
- AV Engine/Pattern Action

Choose one or more entries from the list of Spyware Scanner vendors to enforce that specific Spyware Scanner products are installed on the client. Spyware Scanner products not listed here are ignored during the health validation process, which makes this setting especially useful for excluding certain Spyware Scanner products from the validation.
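The Antivirus parameters above, evaluated in added example code that is not the product's own logic: each parameter carries Not required, Required, or the auto-remediating option, products from vendors not selected in the policy are ignored, and every failed required check notifies the user and puts the client into Probation. The field names, the label of the third option, an empty vendor list meaning "all vendors", and hours as the unit of Last AV Scan Not Older Than are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Option labels as on the page; the third option is described there but its label
# is not shown, so the name used here is this example's own.
NOT_REQUIRED, REQUIRED, REQUIRED_AUTO = "Not required", "Required", "Required (auto-remediation)"

def evaluate_antivirus(policy, report, now):
    """Evaluate the Antivirus section of one policy rule against a client health
    report. Returns (state, notifications, auto_actions)."""
    # Products from vendors not selected in the policy are ignored; an empty
    # vendor list means every reported product counts (assumption).
    allowed = policy["vendors"] or [s["vendor"] for s in report["scanners"]]
    scanners = [s for s in report["scanners"] if s["vendor"] in allowed]

    def fresh(key, max_hours):
        stamps = [s[key] for s in scanners if s.get(key)]
        return bool(stamps) and now - max(stamps) <= timedelta(hours=max_hours)

    checks = [  # (parameter name, configured requirement, does the client satisfy it?)
        ("AV Real Time Protection", policy["realtime"], any(s["realtime"] for s in scanners)),
        ("AV Engine Required", policy["engine"], bool(scanners)),
        ("Last AV Scan Not Older Than", policy["last_scan"], fresh("last_scan", policy["last_scan_max_h"])),
        ("AV Patterns Not Older Than (h)", policy["patterns"], fresh("patterns", policy["patterns_max_h"])),
    ]
    notifications, auto_actions = [], []
    for name, mode, ok in checks:
        if mode == NOT_REQUIRED or ok:
            continue                    # result does not depend on this parameter, or it holds
        notifications.append(name)      # every failed Required check notifies the user
        if mode == REQUIRED_AUTO:
            auto_actions.append(name)   # the client additionally tries to remediate on its own
    state = "Healthy" if not notifications else "Probation"
    return state, notifications, auto_actions

# Constructed sample policy and client report (field names are this example's own).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
POLICY = {"vendors": ["VendorA"], "realtime": REQUIRED, "engine": REQUIRED,
          "last_scan": REQUIRED_AUTO, "last_scan_max_h": 72,   # unit assumed to be hours
          "patterns": REQUIRED_AUTO, "patterns_max_h": 24}
REPORT = {"scanners": [
    {"vendor": "VendorA", "realtime": True, "last_scan": NOW - timedelta(hours=96),
     "patterns": NOW - timedelta(hours=5)},
    {"vendor": "VendorB", "realtime": False, "last_scan": NOW - timedelta(hours=1),
     "patterns": NOW - timedelta(hours=1)},   # ignored: VendorB is not in the policy's vendor list
]}

if __name__ == "__main__":
    print(evaluate_antivirus(POLICY, REPORT, NOW))
    # ('Probation', ['Last AV Scan Not Older Than'], ['Last AV Scan Not Older Than'])
```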
Required Health State > Advanced Health State
Select New from the context menu to create a new entry. The configuration dialog provides the following entries:
Access Control Service Trustzone > Rules > Required Health State > Advanced > Allowed Health Suite Versions

Specify a name.

| Parameter | Description |
| --- | --- |
| Major Release | The client's health suite major release version number must match Major Release. |
| Minor Release | The client's health suite minor release version number must match Minor Release. |
| Service Pack Number | The service pack number of the client's health suite must match Service Pack Number. |
| Policy on OS | |
It is also possible to include a validation of the currently installed Microsoft hotfixes on the client computer:
- Right-click in the Required Security Updates field
- Click New..., then enter the ID of the Microsoft hotfix. For example: KB936929.
Access Control Service Trustzone > Rules > Policy Assignments > Attributes

| Parameter | Description |
| --- | --- |
| Personal Firewall Settings | |
| Message of the Day | Select one of the created Welcome Message objects. If the client does not already have this message, it will be advised to get the message from the remediation server. |
Access Control Service Trustzone > Rules > Policy Assignments > Exceptions

- Software Update Required
- User Authentication Required
Access Control Service Trustzone > Rules > Policy Assignments > Radius Attributes

| Parameter | Description |
| --- | --- |
| Healthy Attribute Assignments | RADIUS attribute assignments passed to a RADIUS server as key-and-value pairs if the client meets the health requirements. |
| Unhealthy Attribute Assignments | RADIUS attribute assignments passed to a RADIUS server as key-and-value pairs if the client does not meet the health requirements. |
If no policy rule matched the client's identity, or one or more rules matched but had the Continue Match parameter set, the client's state is untrusted and it is assigned the No Rule Exception attributes.
Access Control Service Trustzone > Settings > Identity

| Parameter | Description |
| --- | --- |
| Health Passport Signing Key | The RSA key used to sign digital health passports. |
| Health Passport Verification Key | The RSA public key used to verify a digital passport signature. |
| Client Shutdown Passphrase | If a passphrase is set here, the Access Control service locks the Advanced Settings locally on the clients unless the local user enters the correct passphrase. In addition, the client can only be terminated on the workstation after the passphrase has been entered. |
Access Control Service Trustzone > Settings > No Rule Exception

| Parameter | Description |
| --- | --- |
| Bitmap | Select one of the Picture objects. The client will then be advised to get the respective bitmap from the remediation server. |
| Limited Access Ruleset Name | For more information on this parameter, see Limit Access. |
| Limited Access Message | For more information on this parameter, see Limit Access. |
Access Control Service Trustzone > Settings > Limited Access Defaults

| Parameter | Description |
| --- | --- |
| Client Emergency Quarantine Time (s) | If the Access Control Server is no longer reachable for the client, the client automatically switches to the Unhealthy restricted state. |
| Quarantine Ruleset Name | Select one of the Personal Firewall Rules objects. The client will be advised to get the respective ruleset from the remediation server. |

Select one of the Welcome Messages objects. The client will be advised to get the respective message from the remediation server.
Health Validation Mode
The Health Validation Mode parameter can also be configured on the client via the following registry key:
The Client Emergency Quarantine Time (s) parameter can also be configured on the client using the following registry key:
| Parameter | Description |
| --- | --- |
| Value | Default: 3600000 (= 1 hour in milliseconds) |
Access Control Service Trustzone > Settings > Radius Attribute Assignments

With this feature, it is possible to send additional attributes to the switch, depending on the health state of the client. VLAN Change attributes are already hardcoded.

| Parameter | Description |
| --- | --- |
| Healthy | For a description of these two parameters, see Policy Assignments > Radius Attributes above. |
This view provides information concerning the supported Virus Scanner and Spyware Scanner vendors and versions.
The Support Chart is automatically downloaded from the Barracuda Networks update service and distributed to Barracuda NextGen Admin upon connecting. Thus, the Support Chart reflects the current capabilities of the Access Control service.