SunScreen 3.1 Administration Guide

Working With Policies

Policies are collections of rules about common objects that together represent your security policy. You create and manage your security policy using the Policies List page. The Policies List page identifies the policies that have been stored for a Screen. From the Policies List page you can add a new policy; edit, copy, rename, delete, or back up a particular policy to a local file; restore a policy from a local file; and initialize HA configurations.

You reach the Policies List page either by choosing Manage Policies in the Select Task field on the Login page before you click the Login button, or by clicking the Policies button on the administration GUI's navigation bar.

To See a List of Policies

    Click the Policies button in the SunScreen banner.

    The Policies List page appears.

    Figure 5-1 Policies List Page

Editing Policies

You can edit any policy to which you have WRITE access, except the currently active policy. The currently active policy is a READ ONLY copy that lets you view the rules currently in use by the firewall. The editable version of the currently active policy is available through the list of policies on this page.

When you installed SunScreen, a policy named Initial was created that contains enough information for you to start administering the Screen. You can work with this policy or create another and set it to be the currently active policy.

To Edit a Policy

    Select the policy you want to edit by highlighting it in the Policies List page, then click the Edit button.

    The Policy Rules page appears (see the following figure).


    Note -

    The Edit (RO) button appears if the policy you chose can only be opened in read-only mode (for example, the Currently Active policy in the first row, and the policy versions in the Version column). See the SunScreen Reference Manual for more information on policy types.


    Figure 5-2 Policy Rules Page

To Unlock a Policy

A lock is automatically acquired and held by the first person to change a policy, and only by that person. The lock is held per system: while someone else holds the lock, you cannot make changes to a policy.

The lock does not affect the buttons in the SunScreen banner. Anyone, at any time, can request a search, view the Documentation page, and view the Information page. If the "Could not acquire the lock" message appears (indicating that someone else is making changes to the policy):

  1. Click the Cancel Changes button.

  2. Click the Policies button in the SunScreen banner.

    You can try to edit the policy later.


    Note -

    When you click the Save Changes button or log out, you give up the lock and others can work on the Screen. To forcefully clear the lock, type the following at the command line:

    # ssadm lock -c policy_name


To Add a New Policy
  1. Click the Add New... button in the Policies List page.

    The Add New Policy dialog window appears.

    Figure 5-3 Add New Policy Dialog Window

  2. Type the name of the new policy in the Add New Policy dialog window.

  3. Click the OK button.

To Copy a Policy
  1. Choose the policy you want to copy.

  2. Click the Copy... button in the Policies List page.

    The Copy... dialog window appears.

    Figure 5-4 Copy... Dialog Window

  3. Type the name of the new policy in the Copy... dialog window.

  4. Click the OK button.

To Rename a Policy
  1. Choose the policy you want to rename.

  2. Click the Rename... button in the Policies List page.

    The Rename... dialog window appears.

    Figure 5-5 Rename Dialog Window

  3. Type the name of the new policy in the Rename... dialog window.

  4. Click the OK button.

To Delete a Policy
  1. Choose the policy you want to delete.

  2. Click the Delete button in the Policies List page.

    The Delete Policy dialog window appears.

    Figure 5-6 Delete Policy Dialog Window

  3. Click the Yes button in the Delete Policy dialog window to delete the policy.

To Verify a Policy

Note -

Use Verify when you want to make sure that any changes you have made are valid and will compile.


    Click the Verify Policy button above the Common Objects area.

    Clicking the Verify Policy button verifies that all the rules are valid and should compile successfully when you activate this policy. The rules in the chosen policy file are checked for errors without activating the policy, so you can debug the policy before it takes effect.

    You can activate the policy when verification has succeeded.

To Save Changes

Use Save when you want to save your changes.

  1. Click the Save Changes button to save all changes made for all objects and rules in the policy.

    An Activate Policy dialog window appears.

  2. Choose Yes if you want to activate the policy.

To Revert Changes

    To revert a policy to the last saved version, click the Revert Changes button after making any change.

    Changes made before clicking the Revert Changes button are discarded, not saved.

To Activate a Policy

Use Activate when you want the rules you see to be the ones the Screen uses to filter traffic.

  1. Click and highlight the name of the policy in the Policies List page.

  2. Click the Activate button in the Policies List page to activate the policy.

    The Verifying/Activating window with the activation status appears.

To Cancel Changes

    Click the Cancel Changes button if you want to return to the previously saved version of a rule.

    Changes made before clicking the Cancel Changes button are discarded, not saved.

To Back Up All Policies

Backing up your policies is useful in case something should happen to the disk. You should back up your policies frequently. You also should back up the original policy after you install SunScreen, which makes it easier to restore earlier policies if necessary. Backing up from the administration GUI backs up only the current versions of all the policies.


Caution -

The backup medium contains copies of the local identities (the encryption keys and certificates) and must be stored securely and disposed of properly to avoid compromising your security.



Note -

This procedure requires a browser that can access local files. You can use the HotJava Browser, Netscape, or Internet Explorer with Sun's Java plug-in and the identitydb.obj file (copied to the correct location). See "To Install the Java Plugin" on page 35.


  1. Click the Backup All... button on the Policies List page to back up the current version of the policies.

    The Select a backup file dialog window appears.

    Figure 5-7 Select a backup file Dialog Window

  2. Type the path name of the directory in the Filter field and the name of the backup file in the Selection field.

To Restore All Policies

Note -

This procedure requires a browser that can access local files. You can use the HotJava Browser, Netscape, or Internet Explorer with Sun's Java plug-in and the identitydb.obj file (copied to the correct location).


The Restore operation overwrites all current policy information, including common objects, with the information from the backup file.

  1. Click the Restore All... button.

  2. The Select a backup file dialog window appears.

  3. Type the path name of the directory in the Filter field, and the file name for the saved logs in the Selection field.

  4. Click the OK button.


Note -

Before you change the administration address (le0, qe0, hme0, and the like), the administration certificate, the local certificate, or the administration-group certificate, be sure that you understand how each one affects your ability to connect to the SunScreen.

If you change these items, you risk losing connectivity from the Administration Station to the Screen. Reestablishing connectivity is difficult: it requires that you log into the Screen directly or use an Administration Station that is still working, and it also requires exchanging encryption information.