Local Security Policy and Interface-Specific Access Control
As a type of security product, a firewall determines which service traffic is allowed to pass. This includes traffic sent by the firewall itself and traffic destined to the firewall. In security policies for such traffic, the source or destination security zone is Local (representing the firewall itself), so these policies are also called local security policies.
As shown in Figure 2-2, the ping traffic from the management terminal to an interface address of the firewall is traffic accessing the firewall, and the ping traffic from the firewall to the server is traffic sent from the firewall. The security policies that permit this traffic are local security policies (101 and 102 in Table 2-4). Table 2-4 also provides a security policy (103) for the ping traffic from the management terminal to the server, which transits the firewall rather than terminating on it.
Table 2-4 Security policies for the ping traffic in Figure 2-2

| No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | User | Service | Action |
|---|---|---|---|---|---|---|---|---|
| 101 | Allow Mgt terminal ping firewall | Trust | Local | 10.1.1.10/24 | 10.1.1.1/24 | any | icmp | permit |
| 102 | Allow Firewall ping server | Local | Untrust | 10.1.2.1/24 | 10.1.2.10/24 | any | icmp | permit |
| 103 | Allow Mgt terminal ping server | Trust | Untrust | 10.1.1.10/24 | 10.1.2.10/24 | any | icmp | permit |
To use ping to locate network problems, you need to configure corresponding security policies on the firewall to permit ping traffic. Alternatively, ping access to an interface can be permitted directly on the interface with the interface-specific access control (service-manage) function:

```
interface GigabitEthernet 0/0/1
 ip address 10.1.1.1 255.255.255.0
 service-manage enable          //Enable the interface access control function.
 service-manage ping permit     //Ping to the interface is allowed.
```
By default, the access control function is enabled on the out-of-band management interface of the firewall, and access to the firewall through HTTP, HTTPS, ping, SSH, Telnet, NETCONF, and SNMP is allowed. The access control function is also enabled on the other interfaces, but no protocol is permitted on them, so management access through those interfaces is blocked until a protocol is explicitly permitted.
The interface-specific access control function takes precedence over security policies. For example, if the access control function is enabled on a firewall interface and ping to the interface is not permitted, the firewall cannot be pinged even if security policy 101 is configured. Conversely, if ping is permitted on the interface, the firewall can be pinged without security policy 101. Therefore, to access a firewall through any of the preceding protocols, use either of the following methods:
- Interface-specific access control: Enable the interface-specific access control function and allow firewall access through a specified protocol.
- Security policy: Disable the interface-specific access control function and configure a security policy to permit the traffic of the specified protocol.
In addition, the check is performed on the interface through which the traffic enters the firewall, not on the interface that owns the destination address. For example, to ping GE 0/0/2 of the firewall from the management terminal, you need to enable the access control function and permit ping on GE 0/0/1, because the traffic enters the firewall through GE 0/0/1.
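The following Python model, added here as an illustration and not code from the firewall vendor or this document, encodes the evaluation order described above: the inbound interface's access control setting is consulted first, and the local security policy is consulted only when that function is disabled. Interface names, addresses and policy 101 are taken from Table 2-4 and the configuration snippet; the `Interface`, `Policy`, `policy_decision` and `access_to_firewall` names are this example's own, and the "first matching policy wins, otherwise default deny" rule is an assumption about how the ordered policy list is evaluated.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added model of the precedence rule on this page (not vendor code).
# Names, addresses and policy 101 follow Table 2-4 and the config snippet.


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str
    service_manage: bool                 # "service-manage enable" / "disable"
    permitted: frozenset = frozenset()   # protocols permitted, e.g. {"ping"}


@dataclass(frozen=True)
class Policy:
    number: int
    src_zone: str
    dst_zone: str
    src_net: str      # address/region as written in the table
    dst_net: str
    service: str      # "icmp", "ssh", ... or "any"
    action: str       # "permit" or "deny"


# Management protocol -> service name used in a security policy.
SERVICE_OF = {"ping": "icmp", "ssh": "ssh", "http": "http", "https": "https",
              "telnet": "telnet", "netconf": "netconf", "snmp": "snmp"}


def policy_decision(policies, src_zone, dst_zone, src_ip, dst_ip, service):
    """Assumed evaluation: first matching policy wins; no match is the default deny."""
    for p in policies:
        if (p.src_zone == src_zone and p.dst_zone == dst_zone
                and ip_address(src_ip) in ip_network(p.src_net, strict=False)
                and ip_address(dst_ip) in ip_network(p.dst_net, strict=False)
                and p.service in ("any", service)):
            return p.action == "permit", f"policy {p.number} ({p.action})"
    return False, "no matching policy (default deny)"


def access_to_firewall(ingress, src_ip, dst_ip, protocol, policies):
    """Decide whether management traffic arriving at the firewall is accepted.

    ingress is the interface the packet enters on; the access control check is
    applied there even when dst_ip belongs to another interface of the firewall.
    Returns (allowed, reason).
    """
    # Step 1: interface-specific access control takes precedence over policies.
    if ingress.service_manage:
        if protocol in ingress.permitted:
            return True, f"service-manage on {ingress.name} permits {protocol}"
        return False, f"service-manage on {ingress.name} does not permit {protocol}"
    # Step 2: access control disabled, so the local security policy decides.
    return policy_decision(policies, ingress.zone, "Local",
                           src_ip, dst_ip, SERVICE_OF[protocol])


POLICY_101 = Policy(101, "Trust", "Local", "10.1.1.10/24", "10.1.1.1/24", "icmp", "permit")
MGT_TERMINAL = "10.1.1.10"   # management terminal in Figure 2-2
GE1_ADDR = "10.1.1.1"        # GE 0/0/1, Trust zone
GE2_ADDR = "10.1.2.1"        # GE 0/0/2, Untrust zone (from policy 102)


def demo():
    """Run the cases discussed in the text; returns the allowed/denied results."""
    ge1_ping = Interface("GE0/0/1", "Trust", True, frozenset({"ping"}))
    ge1_none = Interface("GE0/0/1", "Trust", True)           # enabled, nothing permitted
    ge1_off = Interface("GE0/0/1", "Trust", False)           # access control disabled
    return {
        # ping permitted on the interface: allowed without any policy
        "permit_no_policy": access_to_firewall(ge1_ping, MGT_TERMINAL, GE1_ADDR, "ping", [])[0],
        # ping not permitted on the interface: denied despite policy 101
        "blocked_despite_policy": access_to_firewall(ge1_none, MGT_TERMINAL, GE1_ADDR, "ping", [POLICY_101])[0],
        # access control disabled: policy 101 decides
        "policy_decides": access_to_firewall(ge1_off, MGT_TERMINAL, GE1_ADDR, "ping", [POLICY_101])[0],
        "default_deny": access_to_firewall(ge1_off, MGT_TERMINAL, GE1_ADDR, "ping", [])[0],
        # ping to GE 0/0/2's address entering via GE 0/0/1 is checked on GE 0/0/1
        "ge2_via_ge1_permitted": access_to_firewall(ge1_ping, MGT_TERMINAL, GE2_ADDR, "ping", [])[0],
        # policy 101 only covers GE 0/0/1's address, so GE 0/0/2 needs its own policy
        "ge2_via_ge1_policy101": access_to_firewall(ge1_off, MGT_TERMINAL, GE2_ADDR, "ping", [POLICY_101])[0],
        # a permitted protocol does not open others
        "ssh_not_permitted": access_to_firewall(ge1_ping, MGT_TERMINAL, GE1_ADDR, "ssh", [])[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:24s} {'permit' if allowed else 'deny'}")
```

When troubleshooting "ping to the firewall fails although a permit policy exists", walking through `access_to_firewall` in this order reproduces the two situations the text describes: a service-manage setting on the inbound interface that does not permit the protocol, or a policy whose destination address covers a different interface than the one being pinged.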