Verifying and Installing a Security Policy

None of your hard work in defining the security policy is of any use until you push it out to the enforcement points. Working this way also has the benefit of letting you make all your changes at once, activate them in a single action, and revert to a previous configuration if necessary.

If you want to check your policy for correctness, you can also verify it without installing it. Installing a policy also forces verification before the actual push. Verifying a policy checks for errors such as conflicting rules, shown in Table 3.4, and contradictory NAT rules (for example, a single static NAT defined for several hosts).

Table 3.4 Two Rules That Will Cause a Verification Failure

Source   Destination   Service   Action   Track   Install On       Time
Any      Any           HTTP      Drop     None    Policy Targets   Any
Any      Host1         HTTP      Accept   None    Policy Targets   Any


Here, the second rule can never be reached because all HTTP traffic is already dropped by the first rule. Verification fails with the message "Rule 1 Conflicts with Rule 2 for services http."
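The shadowing check behind that message can be modelled in a few lines. The following is an added example, not code from the book or from the firewall product: it represents each rule by the four fields that decide a match (the Track, Install On and Time columns are ignored), treats a field as matching only when it is "Any" or the identical object name (no groups, networks or service ranges, which are assumptions that simplify the real matcher), and reports a later rule as conflicting when an earlier rule covers everything it would match but takes a different action. Running it over Table 3.4 reproduces the error; reversing the two rules makes it pass.

```python
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    """One rule-base row, reduced to the fields that decide a match."""
    source: str
    destination: str
    service: str
    action: str


def covers(pattern: str, value: str) -> bool:
    """A field covers a value when it is Any or the same object name.
    Assumption: no groups, networks or service ranges are expanded."""
    return pattern == ANY or pattern == value


def shadowed_by(earlier: Rule, later: Rule) -> bool:
    """True when every packet the later rule could match is already
    decided by the earlier rule, so the later rule is never reached."""
    return (covers(earlier.source, later.source)
            and covers(earlier.destination, later.destination)
            and covers(earlier.service, later.service))


def verify(rules: list[Rule]) -> list[str]:
    """Return one verification message per unreachable rule whose action
    differs from the rule that shadows it. Rules are numbered from 1,
    as they are in the rule-base editor."""
    messages = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if shadowed_by(earlier, later) and earlier.action != later.action:
                messages.append(f"Rule {i + 1} Conflicts with Rule {j + 1} "
                                f"for services {later.service.lower()}")
                break  # report the first shadowing rule only
    return messages


# Constructed input: the two rows of Table 3.4 in their original order.
TABLE_3_4 = [
    Rule(ANY, ANY, "HTTP", "Drop"),
    Rule(ANY, "Host1", "HTTP", "Accept"),
]

if __name__ == "__main__":
    print(verify(TABLE_3_4))            # the Table 3.4 conflict
    print(verify(TABLE_3_4[::-1]))      # the corrected order passes
```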

The actual installation of the policy is done through the Policy, Install menu option. You are then prompted to specify which gateways receive the policy; by default, all are selected. After you click OK, the policy is verified and sent to the gateways. If there are any problems, you receive an error telling you what the problem is.

To verify the policy without installing it, select Policy, Verify. This runs the verification stage and gives you a report on any errors.

To remove the policy from the enforcement point, select Policy, Uninstall. This removes the policy, leaving the firewall with no policy loaded: it is open to the world, but it will not pass packets.
