NGFW policy mode 6.2.1
NGFW policy-based mode allows applications and URL categories to be used directly in security policies, without requiring web filter or application control profiles.
In policy-based mode:
- Central NAT is always enabled.
- Pre-match rules are defined separately from security policies, and define broader rules, such as SSL inspection and user authentication.
Security policies work with firewall (or consolidated) policies to inspect traffic. To allow traffic from a specific user or user group, both firewall and security policies must be configured. Traffic will match the firewall policy first. If the traffic is allowed, packets are sent to the IPS engine for application, URL category, user, and user group match, and then, if enabled, UTM inspection (antivirus, IPS, DLP, and email filter) is performed.
Firewall policies are used to pre-match traffic before sending the packets to the IPS engine.
- There are no schedule or action options; traffic matching the policy is always redirected to the IPS engine.
- SSL Inspection, formerly configured in the VDOM settings, is configured in a firewall policy.
- Users and user groups that require authentication must be configured in a firewall policy.
Security policies work with firewall policies to inspect traffic.
- Applications and URL categories can be configured directly in the policy.
- Users and user groups that require authentication must also be configured in a security policy.
- The available actions are Accept or Deny.
- The Service option can be used to enforce the standard port for the selected applications. See NGFW policy mode application default service 6.2.1 for details.
- UTM inspection is configured in a security policy.
To configure policies for Facebook and Gmail access in the CLI:
- Configure a firewall policy:
    config firewall consolidated policy
        edit 1
            set name "Policy-1"
            set uuid b740d418-8ed3-51e9-5a7b-114e99ab6370
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr4 "all"
            set dstaddr4 "all"
            set service "ALL"
            set ssl-ssh-profile "new-deep-inspection"
            set groups "Dev" "HR" "QA" "SYS"
        next
    end
- Configure security policies:
    config firewall security-policy
        edit 2
            set uuid 364594a2-8ef1-51e9-86f9-32db9c2634b6
            set name "allow-QA-Facebook"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr4 "all"
            set dstaddr4 "all"
            set action accept
            set schedule "always"
            set application 15832
            set groups "Dev" "QA"
        next
        edit 4
            set uuid a2035210-8ef1-51e9-8b28-5a87b2cabcfa
            set name "allow-QA-Email"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr4 "all"
            set dstaddr4 "all"
            set action accept
            set schedule "always"
            set url-category 23
            set groups "QA"
        next
    end
Logs
In the application control and web filter logs, securityid maps to the security policy ID.
Application control log:
date=2019-06-17 time=16:35:47 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vd1" eventtime=1560814547702405829 tz="-0700" appid=15832 user="Jack" group="QA" srcip=10.1.100.102 dstip=157.240.3.29 srcport=56572 dstport=443 srcintf="port18" srcintfrole="undefined" dstintf="port17" dstintfrole="undefined" proto=6 service="P2P" direction="incoming" policyid=1 sessionid=42445 appcat="Social.Media" app="Facebook" action="pass" hostname="external-sea1-1.xx.fbcdn.net" incidentserialno=1419629662 url="/" securityid=2 msg="Social.Media: Facebook," apprisk="medium" scertcname="*.facebook.com" scertissuer="DigiCert SHA2 High Assurance Server CA"
Web filter log:
date=2019-06-17 time=16:42:41 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="vd1" eventtime=1560814961418114836 tz="-0700" policyid=4 sessionid=43201 user="Jack" group="QA" srcip=10.1.100.102 srcport=56668 srcintf="port18" srcintfrole="undefined" dstip=172.217.3.165 dstport=443 dstintf="port17" dstintfrole="undefined" proto=6 service="HTTPS" hostname="mail.google.com" action="passthrough" reqtype="direct" url="/" sentbyte=709 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=23 catdesc="Web-based Email" securityid=4
Traffic logs:
date=2019-06-17 time=16:35:53 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" eventtime=1560814553778525154 tz="-0700" srcip=10.1.100.102 srcport=56572 srcintf="port18" srcintfrole="undefined" dstip=157.240.3.29 dstport=443 dstintf="port17" dstintfrole="undefined" poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" sessionid=42445 proto=6 action="server-rst" user="Jack" group="QA" policyid=1 policytype="consolidated" centralnatid=1 service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=56572 duration=6 sentbyte=276 rcvdbyte=745 sentpkt=5 rcvdpkt=11 appid=15832 app="Facebook" appcat="Social.Media" apprisk="medium" utmaction="allow" countapp=1 utmref=65531-294

date=2019-06-17 time=16:47:45 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" eventtime=1560815265058557636 tz="-0700" srcip=10.1.100.102 srcport=56668 srcintf="port18" srcintfrole="undefined" dstip=172.217.3.165 dstport=443 dstintf="port17" dstintfrole="undefined" poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" sessionid=43201 proto=6 action="timeout" user="Jack" group="QA" policyid=1 policytype="consolidated" centralnatid=1 service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=56668 duration=303 sentbyte=406 rcvdbyte=384 sentpkt=4 rcvdpkt=4 appcat="unscanned" utmaction="allow" countweb=1 utmref=65531-3486
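The following Python script is added here as a worked example; it is not part of the FortiOS documentation or of FortiOS itself. It parses the key=value log format shown above and joins each application control or web filter log to its traffic log on (vd, sessionid), so that securityid (the security policy that matched) can be read beside the traffic log's policyid and poluuid (the firewall policy that pre-matched the flow). The sample log lines are constructed by abbreviating the entries on this page, the SECURITY_POLICIES map is taken from the CLI example above, and the function names are the example's own.

```python
import re
from typing import Dict, List, Optional

# FortiOS log fields are "key=value" pairs separated by spaces. A value is either a
# double-quoted string (which may itself contain spaces, e.g. dstcountry="United States")
# or a run of non-space characters (e.g. sessionid=42445).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Security policy IDs and names taken from the CLI example on this page.
SECURITY_POLICIES = {2: "allow-QA-Facebook", 4: "allow-QA-Email"}

# Constructed sample lines, abbreviated from the log entries shown on this page.
APP_CTRL_LOG = (
    'date=2019-06-17 time=16:35:47 logid="1059028704" type="utm" subtype="app-ctrl" '
    'vd="vd1" appid=15832 user="Jack" group="QA" srcip=10.1.100.102 dstip=157.240.3.29 '
    'policyid=1 sessionid=42445 app="Facebook" action="pass" url="/" securityid=2 '
    'msg="Social.Media: Facebook," scertissuer="DigiCert SHA2 High Assurance Server CA"'
)
WEBFILTER_LOG = (
    'date=2019-06-17 time=16:42:41 logid="0317013312" type="utm" subtype="webfilter" '
    'vd="vd1" policyid=4 sessionid=43201 user="Jack" group="QA" srcip=10.1.100.102 '
    'dstip=172.217.3.165 hostname="mail.google.com" action="passthrough" cat=23 '
    'catdesc="Web-based Email" securityid=4'
)
TRAFFIC_LOGS = [
    'date=2019-06-17 time=16:35:53 logid="0000000013" type="traffic" subtype="forward" '
    'vd="vd1" srcip=10.1.100.102 dstip=157.240.3.29 poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" '
    'sessionid=42445 action="server-rst" user="Jack" group="QA" policyid=1 policytype="consolidated" '
    'dstcountry="United States" utmaction="allow" utmref=65531-294',
    'date=2019-06-17 time=16:47:45 logid="0000000013" type="traffic" subtype="forward" '
    'vd="vd1" srcip=10.1.100.102 dstip=172.217.3.165 poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" '
    'sessionid=43201 action="timeout" user="Jack" group="QA" policyid=1 policytype="consolidated" '
    'dstcountry="United States" utmaction="allow" utmref=65531-3486',
]


def parse_fortilog(line: str) -> Dict[str, str]:
    """Parse one FortiOS log line into a dict, stripping the quotes from quoted values."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def correlate(utm_lines: List[str], traffic_lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Join each UTM log (app-ctrl or webfilter) to its traffic log by (vd, sessionid).

    securityid in the UTM log identifies the security policy; policyid and poluuid in the
    traffic log identify the firewall (consolidated) policy that pre-matched the session.
    """
    traffic_by_session = {}
    for line in traffic_lines:
        rec = parse_fortilog(line)
        if rec.get("type") == "traffic":
            traffic_by_session[(rec.get("vd"), rec.get("sessionid"))] = rec

    rows = []
    for line in utm_lines:
        utm = parse_fortilog(line)
        if utm.get("type") != "utm":
            continue
        traffic = traffic_by_session.get((utm.get("vd"), utm.get("sessionid")))
        sec_id = int(utm["securityid"]) if utm.get("securityid", "").isdigit() else None
        rows.append({
            "sessionid": utm.get("sessionid"),
            "subtype": utm.get("subtype"),
            "user": utm.get("user"),
            "group": utm.get("group"),
            "security_policy_id": sec_id,
            # None when the securityid is not in the known policy table (e.g. a stale log)
            "security_policy_name": SECURITY_POLICIES.get(sec_id),
            "firewall_policy_id": traffic.get("policyid") if traffic else None,
            "firewall_policy_uuid": traffic.get("poluuid") if traffic else None,
            "utm_action": utm.get("action"),
            "session_end": traffic.get("action") if traffic else None,
        })
    return rows


if __name__ == "__main__":
    for row in correlate([APP_CTRL_LOG, WEBFILTER_LOG], TRAFFIC_LOGS):
        print(row)
```

The join key includes vd because session IDs are only unique within a VDOM; a UTM log whose session has no traffic log (for example, a session still open when the logs were collected) is kept with the firewall policy fields set to None rather than dropped.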