eSight V300R009C00 Operation Guide 10

Policy Principle

A policy is a rule configuration mode that defines traffic matching conditions and traffic processing actions.

Security Policy

The security policy controls traffic forwarding and performs integrated detection over the traffic content.

The integrated detection inspects the content carried by the traffic against the conditions defined in the referenced profiles and applies the appropriate action based on the result. When traffic passes through an NGFW, it is processed according to the security policies shown in Figure 12-31. If the traffic matches no security policy, the NGFW denies it by default.

Figure 12-31 Traffic detection by security policy
  • Security policy conditions in Note 1 include: source security zone, destination security zone, source IP address/region, destination IP address/region, user/security group, service (source port, destination port, and protocol type), application, and schedule.
  • Profiles in Note 2 include: antivirus, intrusion prevention system (IPS), uniform resource locator (URL) filtering, file filtering, data filtering, application behavior control, email filtering, and APT defense profiles.

NAT Policy

NAT translates the address in the IPv4 packet header into another address. Generally, NAT is used to translate private addresses in IPv4 headers to public addresses, so that users in a private network can share a few public addresses to access the Internet. In this manner, NAT alleviates the shortage of public IPv4 addresses.

The basic NAT working principle is as follows: When a host in a LAN sends packets to a host on the public network through an NGFW, the NGFW translates the source IP address and port number in the packets into a public IP address and a corresponding port number. When a host on the public network sends packets to a host in a LAN through an NGFW, the NGFW translates the destination IP address and port number in the packets back into the private IP address and its port number.

NOTE:

If the NAT address pool has sufficient public network addresses, only the addresses but not port numbers need to be translated.

Figure 12-32 shows the NAT working process of translating IP addresses and port numbers.

Figure 12-32 NAT working process

Host 192.168.1.2:1025 in a LAN sends an IP packet (dst IP=3.3.3.3, dst port=80; src IP=192.168.1.2, src port=1025) to host 3.3.3.3:80 on the public network. When the packet passes through the NGFW, the NGFW translates the source IP address and port number in the packet into a public IP address and a corresponding port number. As a result, the IP packet sent to the public network (dst IP=3.3.3.3, dst port=80; src IP=1.1.1.2, src port=2048) does not carry any LAN IP address. When the web server sends a response IP packet (dst IP=1.1.1.2, dst port=2048; src IP=3.3.3.3, src port=80) to the NGFW, the NGFW translates the destination IP address and port number in the packet back into the private IP address and port number. As a result, the packet forwarded to the LAN contains the following information: dst IP=192.168.1.2, dst port=1025; src IP=3.3.3.3, src port=80.
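The exchange in Figure 12-32, as an added walk-through in Python (this is illustrative code written for this page, not Huawei NGFW or eSight code). It keeps a minimal NAT session table, rewrites the source address and port on the way out, and uses the stored entry to rewrite the destination on the way back; the address-only mode from the NOTE above is included as an option. The addresses come from the figure, the allocated public port 2048 is the figure's value, and the second public address 1.1.1.3 in the address-only variant is a constructed value.

```python
"""Source NAT walk-through of Figure 12-32 (added example, not Huawei's code)."""
from dataclasses import dataclass

# Values from the figure's walk-through; 2048 is the first public port this
# example NGFW allocates.
PRIVATE_HOST = ("192.168.1.2", 1025)
WEB_SERVER = ("3.3.3.3", 80)
PUBLIC_ADDR = "1.1.1.2"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNat:
    """Minimal NAT table: maps (private ip, port) <-> (public ip, port)."""

    def __init__(self, public_ips, translate_ports=True, first_port=2048):
        self.public_ips = list(public_ips)
        self.translate_ports = translate_ports
        self.next_port = first_port
        self.outbound = {}   # (priv_ip, priv_port) -> (pub_ip, pub_port)
        self.inbound = {}    # (pub_ip, pub_port)  -> (priv_ip, priv_port)
        self.ip_map = {}     # priv_ip -> pub_ip, used in address-only mode

    def _allocate(self, priv_ip, priv_port):
        if self.translate_ports:
            # Port translation: many private hosts share one public address.
            pub = (self.public_ips[0], self.next_port)
            self.next_port += 1
        else:
            # Address pool large enough (NOTE on the page): translate the
            # address only and keep the original source port.
            pub_ip = self.ip_map.get(priv_ip)
            if pub_ip is None:
                free = [ip for ip in self.public_ips if ip not in self.ip_map.values()]
                if not free:
                    raise RuntimeError("NAT address pool exhausted")
                pub_ip = free[0]
                self.ip_map[priv_ip] = pub_ip
            pub = (pub_ip, priv_port)
        self.outbound[(priv_ip, priv_port)] = pub
        self.inbound[pub] = (priv_ip, priv_port)
        return pub

    def lan_to_internet(self, pkt):
        """Rewrite the private source; reuse the session entry if one exists."""
        key = (pkt.src_ip, pkt.src_port)
        pub_ip, pub_port = self.outbound.get(key) or self._allocate(*key)
        return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def internet_to_lan(self, pkt):
        """Rewrite the public destination back to the private host.

        Only packets that match an existing session entry are translated;
        anything else has no mapping and must not be forwarded into the LAN.
        """
        entry = self.inbound.get((pkt.dst_ip, pkt.dst_port))
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def figure_12_32_exchange():
    """Return (packet as seen on the Internet, reply as delivered to the LAN)."""
    nat = SourceNat([PUBLIC_ADDR])
    request = Packet(*PRIVATE_HOST, *WEB_SERVER)
    outbound = nat.lan_to_internet(request)
    reply = Packet(*WEB_SERVER, outbound.src_ip, outbound.src_port)
    delivered = nat.internet_to_lan(reply)
    return outbound, delivered


if __name__ == "__main__":
    out, back = figure_12_32_exchange()
    print("to Internet:", out)
    print("to LAN:     ", back)
```

The `internet_to_lan` path returning `None` for an unknown public port is the detail worth noticing: an inbound packet that matches no session entry has no private destination, so the NGFW has nothing to forward it to.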

Traffic Policy

Traffic policy is a feature that enables an NGFW to measure and control traffic based on parameters specified in the traffic policy. A traffic policy is based on the source security zone or inbound interface, destination security zone or outbound interface, source address or region, destination address or region, user or security group, application, service, schedule, DSCP value, and traffic profile.

Figure 12-33 shows the traffic policy process.

Figure 12-33 Traffic policy process

The traffic policy provides functions, such as bandwidth assurance, bandwidth limitation, and maximum number of connections, to improve bandwidth utilization and prevent bandwidth resources from being exhausted.

  • Bandwidth assurance

    When a link is busy, an NGFW can ensure the availability of sufficient bandwidth for key services transmitted over the link.

  • Bandwidth limitation

    A limit can be set on the amount of bandwidth that non-key services are allowed to use.

  • Connection limit (concurrent connection limit and new connection limit)

    The maximum number of service connections can be set to ensure efficient use of session resources and prevent a specific service from overusing bandwidth resources.

By configuring traffic policies on the NGFW, you can properly allocate bandwidth resources and improve network performance.
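The connection limit described above, as an added Python model (written for this page; it is not NGFW or eSight code). It enforces the two limits the list names, a cap on concurrent sessions and a cap on new sessions per second, over a constructed trace of session open/close events; the limit values and session names are constructed.

```python
"""Concurrent and new-connection limits (added example, not Huawei's code)."""
from collections import deque


class ConnectionLimiter:
    """Admission control for one matched service."""

    def __init__(self, max_concurrent, max_new_per_sec):
        self.max_concurrent = max_concurrent
        self.max_new_per_sec = max_new_per_sec
        self.active = set()      # session ids currently open
        self.recent = deque()    # admission times of new sessions in the last 1 s

    def _prune(self, now):
        # Drop admissions older than the one-second window.
        while self.recent and now - self.recent[0] >= 1.0:
            self.recent.popleft()

    def open(self, session_id, now):
        """Return True if the session is admitted, False if a limit blocks it."""
        self._prune(now)
        if session_id in self.active:
            return True                      # already tracked, not a new session
        if len(self.active) >= self.max_concurrent:
            return False                     # concurrent connection limit
        if len(self.recent) >= self.max_new_per_sec:
            return False                     # new connection limit
        self.active.add(session_id)
        self.recent.append(now)
        return True

    def close(self, session_id):
        self.active.discard(session_id)


def run_events(events, max_concurrent=3, max_new_per_sec=2):
    """Replay (time, "open"|"close", session_id) events.

    Returns one (session_id, admitted) tuple per open attempt.
    """
    limiter = ConnectionLimiter(max_concurrent, max_new_per_sec)
    results = []
    for now, action, sid in events:
        if action == "open":
            results.append((sid, limiter.open(sid, now)))
        else:
            limiter.close(sid)
    return results


# Constructed trace: a burst of sessions from one service matched by the policy.
SAMPLE_EVENTS = [
    (0.0, "open", "s1"),
    (0.1, "open", "s2"),
    (0.2, "open", "s3"),   # third new session within 1 s: new-connection limit
    (1.5, "open", "s3"),   # retried after the window: admitted, 3 concurrent
    (1.6, "open", "s4"),   # would be a 4th concurrent session: concurrent limit
    (2.0, "close", "s1"),
    (2.1, "open", "s4"),   # a slot was freed: admitted
]

if __name__ == "__main__":
    for sid, admitted in run_events(SAMPLE_EVENTS):
        print(sid, "admitted" if admitted else "blocked")
```

The concurrent check runs before the rate check, so a service that is already at its session ceiling is refused regardless of how slowly it opens new connections; that is the case that protects the session table from a single service that holds connections open.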

Authentication Policy

An authentication policy helps you identify data flows on which authentication exemption or redirected authentication is implemented. The NGFW identifies the users to be exempted from authentication based on their IP-MAC mappings. The NGFW pushes authentication web pages to users on whom redirected authentication is implemented. The authentication policy does not take effect when Single Sign-On (SSO) or user-initiated authentication is implemented.

  • Redirected authentication: When a user accesses an HTTP service and the data flow matches an authentication policy, the NGFW pushes an authentication page to the user.
  • User-initiated authentication: To access non-HTTP services, a user must proactively open the authentication page and authenticate. If an unauthenticated user accesses a non-HTTP service and the traffic matches the authentication policy, the NGFW blocks the traffic.
  • Authentication exemption: When a user's access traffic matches an authentication exemption policy, the user can access network resources without entering a user name and password. The NGFW identifies such users based on their IP/MAC address bindings.
  • SSO: The login of SSO users is not controlled by authentication policies. However, user-specific policy control can be applied only when the user's service traffic matches an authentication policy.
NOTE:

The following types of traffic do not trigger authentication even if they match the specified authentication policy:

  • Traffic destined for or originated by the NGFW
  • DHCP, BGP, OSPF, and LDP packets
  • DNS packets belonging to an HTTP data flow that triggers authentication; these are not controlled by the authentication policy until the user has authenticated and logged in, after which the DNS packets are controlled by the policy.
  • Policy contents

    An authentication policy is a set of authentication rules that determine whether to implement authentication on a data flow.

    An authentication rule consists of conditions and an action. Conditions used by an NGFW to match packets are as follows:

    • Source zone
    • Destination zone
    • Source address/region
    • Destination address/region

    An action indicates how an NGFW processes packets. Possible actions are as follows:

    • Portal authentication

      Portal authentication is implemented on data flows that meet conditions.

    • SMS authentication

      SMS authentication is implemented on data flows that meet conditions. Users need to enter the SMS verification code.

    • Authentication exemption

      Authentication exemption is implemented on data flows that meet conditions. The NGFW identifies user identities by other means. This action applies to the following scenarios:

      • For top executives, having to authenticate to obtain network access is undesirable. However, top executives have access to confidential data and therefore need stronger information security than common users. You can bidirectionally bind top executives to IP or MAC addresses and configure the NGFW not to authenticate their data flows when they access network resources from the specified IP or MAC addresses. The NGFW identifies the users behind the IP addresses in data flows based on the mappings between users and IP or MAC addresses.
      • In an AD/TSM/RADIUS SSO scenario, the NGFW has obtained user information from another authentication system and therefore exempts SSO users from authentication.
    • No authentication

      No authentication is implemented on data flows that meet conditions. This action applies to the following scenarios:

      • Data flows that do not need to be authenticated by the NGFW, such as data flows between intranets.
      • In an AD/TSM/RADIUS SSO scenario, an NGFW does not implement authentication on the data flows between users and the authentication server.
  • Matching sequence

    The NGFW matches packets against the authentication rules from top to bottom. If the attributes of a packet match all the conditions of a rule, that rule is matched and the NGFW does not evaluate the remaining rules. If no rule is matched, the NGFW applies the default authentication policy to the packet.

    The NGFW has a default authentication policy with all matching conditions set to any and the action set to No authentication.
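Both the security policy (Figure 12-31: rules evaluated in order, traffic denied if none matches) and the authentication policy (rules evaluated top to bottom, default policy with every condition set to any and the action set to No authentication) use the same first-match lookup. The Python below is an added example written for this page, not NGFW or eSight code; it implements that lookup over the condition fields the page lists (zones, addresses, and service as protocol plus destination port) and runs it against a constructed security policy and a constructed authentication policy. Zone names, addresses and rule names are constructed.

```python
"""First-match policy lookup with a default action (added example, not Huawei's code)."""
import ipaddress

ANY = "any"


def _match_field(cond, value):
    return cond == ANY or cond == value


def _match_addr(cond, ip):
    """cond is "any", a single address, or a CIDR block."""
    if cond == ANY:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cond, strict=False)


def _match_service(cond, pkt):
    """cond is "any" or (protocol, destination port); source port is treated as any."""
    if cond == ANY:
        return True
    proto, dport = cond
    return pkt["proto"] == proto and pkt["dst_port"] == dport


def rule_matches(rule, pkt):
    """A rule matches only when every one of its conditions matches."""
    return (_match_field(rule["src_zone"], pkt["src_zone"])
            and _match_field(rule["dst_zone"], pkt["dst_zone"])
            and _match_addr(rule["src_addr"], pkt["src_ip"])
            and _match_addr(rule["dst_addr"], pkt["dst_ip"])
            and _match_service(rule["service"], pkt))


def lookup(rules, pkt, default_action):
    """Top to bottom, first match wins; the default applies only when nothing matched."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["name"], rule["action"]
    return "default", default_action


def rule(name, action, src_zone=ANY, dst_zone=ANY, src_addr=ANY, dst_addr=ANY, service=ANY):
    return dict(name=name, action=action, src_zone=src_zone, dst_zone=dst_zone,
                src_addr=src_addr, dst_addr=dst_addr, service=service)


def packet(src_zone, dst_zone, src_ip, dst_ip, proto, dst_port):
    return dict(src_zone=src_zone, dst_zone=dst_zone, src_ip=src_ip,
                dst_ip=dst_ip, proto=proto, dst_port=dst_port)


# Constructed security policy: explicit permits only; the default is deny.
SECURITY_POLICY = [
    rule("allow-web", "permit", "trust", "untrust", "192.168.1.0/24", ANY, ("tcp", 80)),
    rule("allow-dns", "permit", "trust", "untrust", "192.168.1.0/24", "10.0.0.53", ("udp", 53)),
]
SECURITY_DEFAULT = "deny"

# Constructed authentication policy: the narrow exemption rule must sit above
# the broad portal rule, or the portal rule shadows it. The default mirrors the
# page: all conditions any, action No authentication.
AUTH_POLICY = [
    rule("exec-exempt", "exempt", "trust", "untrust", "192.168.1.10"),
    rule("portal", "portal", "trust", "untrust", "192.168.1.0/24"),
]
AUTH_DEFAULT = "no-authentication"

if __name__ == "__main__":
    web = packet("trust", "untrust", "192.168.1.2", "3.3.3.3", "tcp", 80)
    ssh = packet("trust", "untrust", "192.168.1.2", "3.3.3.3", "tcp", 22)
    print(lookup(SECURITY_POLICY, web, SECURITY_DEFAULT))   # allow-web, permit
    print(lookup(SECURITY_POLICY, ssh, SECURITY_DEFAULT))   # default, deny
    print(lookup(AUTH_POLICY, web, AUTH_DEFAULT))           # portal, portal
```

Because evaluation stops at the first match, rule order is part of the policy: reversing `AUTH_POLICY` makes the executive's traffic hit the portal rule before the exemption is ever considered, and a broad permit placed above a narrower deny in a security policy has the same shadowing effect.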

Updated: 2019-09-07

Document ID: EDOC1100011877