Chapter 7. Policies

7.0. Introduction

Policies are a fundamental building block of implementing a security configuration in ScreenOS. Policies are used by the stateful firewall/Network Address Translation (NAT) engine, the Content Security engine, authentication, and Quality of Service (QoS) configuration, and for building policy-based IP Security (IPSec) virtual private networks (VPNs).

ScreenOS policies contain various elements that help categorize a packet and take several actions on it. ScreenOS policy elements include zones, source and destination address objects, and services. Actions on a packet can include permit, tunnel (IPSec encrypt), deny, reject, authenticate, log, count, schedule, apply QoS, and perform deep inspection, web filtering, and antispam functions. A multitude of actions can be taken on a single policy.

Address Objects

Address objects are a key component of ScreenOS policies. An address object can define a single host or a classless inter-domain routing (CIDR) network address block that “resides” in a zone. An example of an address object that defines a single host, a workstation named Orion, in the Trust zone is as follows:

	Internal_fw-> set address Trust Orion 192.168.4.10/32 "Orion Wkstn"

The address object Orion can thus be referenced in any ScreenOS policy. The string Orion Wkstn is an optional description of the address object.

Here is an example of an address object that defines a CIDR network address block, 192.168.3.16/29, in the DMZ zone:

	Internal_fw-> ...
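A review helper, added here and not part of the cookbook, that parses `set address` lines in the syntax shown above out of a saved configuration and flags two things a config reviewer looks for: a block written with host bits set (so the object matches a different range than the one typed) and an object name defined twice in the same zone. The sample lines, the object and zone names other than Orion and Trust, and the function names are constructed for the example.

```python
import ipaddress
import re
import shlex
from dataclasses import dataclass

# Syntax from the chapter: [prompt-> ] set address <zone> <name> <ip>/<prefix> ["<description>"]
_SET_ADDRESS = re.compile(r"^\s*(?:\S+->\s*)?set\s+address\s+(.*)$")

@dataclass
class AddressObject:
    zone: str
    name: str
    address: ipaddress.IPv4Address   # the address exactly as typed
    network: ipaddress.IPv4Network   # the block after masking host bits
    description: str = ""

def parse_set_address(line):
    """Return an AddressObject for a 'set address' line, None for any other line."""
    m = _SET_ADDRESS.match(line)
    if not m:
        return None
    fields = shlex.split(m.group(1))  # shlex keeps "Orion Wkstn" as one field
    zone, name, cidr = fields[:3]     # raises ValueError on a truncated line
    typed = ipaddress.IPv4Address(cidr.split("/", 1)[0])
    return AddressObject(zone, name, typed, ipaddress.IPv4Network(cidr, strict=False),
                         fields[3] if len(fields) > 3 else "")

def parse_config(text):
    return [o for o in map(parse_set_address, text.splitlines()) if o]

def review_findings(objs):
    """Flag typed addresses with host bits set inside a block, and names reused in a zone."""
    findings, seen = [], set()
    for o in objs:
        if o.address != o.network.network_address:
            findings.append(f"{o.zone}/{o.name}: {o.address}/{o.network.prefixlen} has host "
                            f"bits set; the block that actually matches is {o.network}")
        if (o.zone, o.name) in seen:
            findings.append(f"{o.zone}/{o.name}: address object name defined twice")
        seen.add((o.zone, o.name))
    return findings

# Constructed sample lines (not from a real device); the last one is not an address object.
SAMPLE_CONFIG = """\
Internal_fw-> set address Trust Orion 192.168.4.10/32 "Orion Wkstn"
Internal_fw-> set address DMZ Web_Block 192.168.3.16/29 "DMZ web block"
Internal_fw-> set address DMZ Misaligned 192.168.3.17/29
Internal_fw-> set address Trust Orion 10.0.0.5/32
Internal_fw-> set zone Trust block
"""
```

Running `review_findings(parse_config(SAMPLE_CONFIG))` reports the Misaligned block and the repeated Orion definition; the Orion and Web_Block objects pass.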
