SunScreen 3.1 Administration Guide

Policy Rules

Defining New Rules


Note -

Policy Rules are ordered; that is, they are executed in the order in which they are listed. You can define them in the order in which you want them to take effect or you can reorder your policy rules after you have defined them.


To Create a Packet Filtering Rule
  1. Type the following to add a new rule at the end of a policy with the following attributes:

     • ping as the service

     • * as the Source Address

     • * as the Destination Address

     • SKIP Version 2 as the encryption, with these Encryption Details:

       • From Encryptor is cert-1

       • To Encryptor is cert-2

       • Key Algorithm is DES-CBC

       • Data Algorithm is RC2-40

       • MAC algorithm is MD5

       • NONE for the compression (This is the only possible value at present.)

     • ALLOW as the Action, with LOG SUMMARY as the Action Details


      edit> add Rule ping * * ALLOW SKIP_VERSION_2 cert-1 cert-2 DES-CBC RC2-40 MD5 NONE LOG SUMMARY
      


      Note -

      All other options assume default values unless specified (for example, SNMP is off).


  2. Type the following to add a new rule at a particular position, for example, at the beginning of the policy:


    edit> insert Rule 1 ping * * ALLOW SKIP_VERSION_2 cert-1 cert-2 DES-CBC RC2-40 MD5 NONE LOG SUMMARY
    

To Reorder the Rules
  1. Type the following to produce an ordered list of rules for the policy:


    edit> list rule
    

    An ordered list of policy rules is displayed, as shown in this example.


    1 "www" "*" "*" ALLOW
    2 "finger" "*" "*" ALLOW
    3 "ftp" "*" "localhost" USER "admin" ALLOW LOG DETAIL PROXY_FTP FTP_GET FTP_CHDIR FTP_RENAME FTP_DELETE
    4 "daytime" "localhost" "*" ALLOW
    5 "telnet" "*" "*" ALLOW
    6 "echo" "localhost" "*" ALLOW

  2. Type the following to move a policy rule to a new position:


    edit> move rule 4 5
    

To Delete a Rule
  1. Type the following to delete the policy rule 5:


    edit> del rule 5
    

  2. Type the following to list the edited ordered list of policy rules:


    edit> list rule
    

    The new list of policy rules is displayed.


    1 "www" "*" "*" ALLOW
    2 "finger" "*" "*" ALLOW
    3 "ftp" "*" "localhost" USER "admin" ALLOW LOG DETAIL PROXY_FTP FTP_GET FTP_CHDIR FTP_RENAME FTP_DELETE
    4 "daytime" "localhost" "*" ALLOW
    5 "telnet" "*" "*" ALLOW
    6 "echo" "localhost" "*" ALLOW

To Edit Any Part of a Rule

You can edit a component or the components of a policy rule by using the following procedure. The example shows how to modify the action.

  1. Type the following to list all the rules in the policy:


    edit> list rule
    

    An ordered list of policy rules is displayed.


    1 "www" "*" "*" ALLOW
    2 "finger" "*" "*" ALLOW
    3 "ftp-proxy" "*" "localhost" USER "admin" ALLOW LOG DETAIL PROXY_FTP FTP_GET FTP_CHDIR FTP_RENAME FTP_DELETE
    4 "daytime" "localhost" "*" ALLOW
    5 "telnet" "*" "*" ALLOW
    6 "echo" "localhost" "*" ALLOW

  2. Type the following to change the action of policy rule 5 from ALLOW to DENY by replacing it with a new policy rule that has the changed action:


    edit> replace rule 5 telnet * * DENY LOG DETAIL
    

  3. Type the following to remove the policy rule with the old action:

    • For local administration:


      edit> del rule 5
      

  4. Type the following to list the rules for the policy, for example:


    edit> list rule
    

    The list of policy rules is displayed, showing that the rule with the new values has replaced the old rule.


    1 "www" "*" "*" ALLOW 
    2 "finger" "*" "*" ALLOW
    3 "ftp-proxy" "*" "localhost" USER
    "admin" ALLOW LOG DETAIL PROXY_FTP FTP_GET FTP_CHDIR FTP_RENAME FTP_DELETE 
    4 "daytime" "localhost" "*" ALLOW 
    5 "telnet" "*" "*" DENY 
    6 "echo" "localhost" "*" ALLOW 

    To have the changes take effect, you must activate the policy whose rules you edited.
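    Because rules are matched in listed order, a DENY rule appended with add Rule behind an existing ALLOW rule for the same service, source and destination can never take effect; it has to be put in place with replace rule or with insert Rule at an earlier position, as in the procedure above. The following is an added example, not part of the guide or of SunScreen itself: it parses the list rule output format shown above and flags rules shadowed by an earlier, broader rule. The handling of wrapped lines and of USER-conditioned proxy rules is an assumption about the format, and the second listing is constructed.

```python
import shlex

def parse_list_rule(text):
    """Parse `edit> list rule` output into dicts. A long rule wraps onto a
    continuation line, which does not start with an index number (assumed)."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)  # strips the double quotes around each field
        if not tok:
            continue
        if tok[0].isdigit():
            rules.append({"n": int(tok[0]), "svc": tok[1], "src": tok[2],
                          "dst": tok[3], "rest": tok[4:]})
        elif rules:
            rules[-1]["rest"].extend(tok)
    for r in rules:  # the action is the first ALLOW/DENY; USER "x" may precede it
        r["action"] = next((t for t in r["rest"] if t in ("ALLOW", "DENY")), "")
    return rules

def covers(a, b):
    return a == "*" or a == b

def shadowed(rules):
    """(earlier, later) pairs where an earlier rule matches every packet the
    later one would, so the later rule never fires (first match wins)."""
    hits = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if "USER" in earlier["rest"]:  # proxy-user rule, not a blanket match
                continue
            if all(covers(earlier[k], later[k]) for k in ("svc", "src", "dst")):
                hits.append((earlier["n"], later["n"]))
                break
    return hits

# Listing from the guide after `replace rule 5 telnet * * DENY LOG DETAIL`.
AFTER_REPLACE = '''1 "www" "*" "*" ALLOW
2 "finger" "*" "*" ALLOW
3 "ftp-proxy" "*" "localhost" USER
"admin" ALLOW LOG DETAIL PROXY_FTP FTP_GET FTP_CHDIR FTP_RENAME FTP_DELETE
4 "daytime" "localhost" "*" ALLOW
5 "telnet" "*" "*" DENY
6 "echo" "localhost" "*" ALLOW
'''
# Constructed: the same DENY appended with `add Rule`, leaving the old ALLOW at 5.
AFTER_ADD = (AFTER_REPLACE.replace('"telnet" "*" "*" DENY', '"telnet" "*" "*" ALLOW')
             + '7 "telnet" "*" "*" DENY LOG DETAIL\n')
```

    shadowed(parse_list_rule(AFTER_ADD)) reports (5, 7): the appended DENY is dead, while the replaced listing reports nothing.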

To Add an Access Rule for GUI Local Administration

    Type the following to add an administrative access rule for local administration:


    edit> add accesslocal USER admin3 PERMISSION ALL
    

To Edit an Access Rule for GUI Local Administration
  1. Type the following to list the administrative access rules for local administration:


    edit> list AccessLocal
    

    By default, an Admin User is created during installation.

    The following approximates the output that is displayed:


    1 USER "admin" PERMISSION ALL
    2 USER "admin3" PERMISSION ALL

  2. Type the following to replace an administrative access rule with a new value for a particular user for local administration:


    edit> replace AccessLocal 2 USER "admin3" PERMISSION STATUS
    

To Delete an Access Rule for GUI Local Administration

Note -

Do not delete all the administrative access rules.


    Type the following to delete the administrative access rule for local administration:


    edit> del AccessLocal 2
    

    Where 2 is the number, in the ordered rules, that you want to delete.

To Add an Access Rule for Remote Administration

    Type the following to add an administrative access rule for remote administration:


    edit> add accessremote USER admin3 * SKIP_VERSION_2 admin-group DES-CBC DES-CBC MD5 NONE
    

    This administrative access rule allows the admin3 user, at a remote Administration Station on the Internet, the access level ALL to administer the Screen through the GUI and the command line.

To Edit an Access Rule for Remote Administration

Note -

Make a note of the encryption parameters if you change them because they have to match the encryption parameters on the remote Administration Station.


  1. Type the following to list the administrative access rules for remote administration, for example:


    edit> list accessremote
    

    The following approximates the output that is displayed:


    1 USER "admin" "*" SKIP_VERSION_2 "admin-group" "DES-CBC" "DES-CBC" "NONE" "NONE" PERMISSION ALL
    2 USER "admin3" "*" SKIP_VERSION_2 "admin-group" "DES-CBC" "DES-CBC" "NONE" "NONE" PERMISSION ALL

  2. Type the following to replace an administrative access rule for remote administration with new values for a particular user, in this example changing the access level to STATUS:


    edit> replace accessremote USER admin3 * SKIP_VERSION_2 admin-group DES-CBC DES-CBC NONE NONE PERMISSION STATUS

    This administrative access rule changes the access level for admin3 at a remote Administration Station on the Internet to STATUS.

To Delete an Access Rule for Remote Administration

Note -

Do not delete all the administrative access rules.


    Type the following to delete an administrative access rule for remote administration:


    edit> del accessremote 2
    

    Where 2 is the number, in the ordered rules, that you want to delete.