Composition of a Security Policy
A security policy defines a set of rules that contain specific matching conditions and actions. After receiving a packet, the firewall matches the packet attributes against the matching conditions of the security policy. If all conditions are matched, the packet successfully matches the security policy, and the firewall processes the packet and subsequent bidirectional traffic according to the action defined in the security policy. Therefore, the core elements of a security policy are matching conditions and actions.
Matching Conditions
The matching conditions of a security policy describe traffic characteristics to filter the traffic that meets the conditions. A security policy includes the following matching conditions:
- User who sends the traffic. In the Agile Controller SSO scenario, the user access mode and terminal type can also be specified as matching conditions.
- Source and destination of traffic, including the source and destination security zones, source and destination IP addresses, source and destination regions, and source and destination VLANs. A region is a geographic region mapped by an IP address.
- Services, applications, or categories of URLs to be accessed.
- Time range.
Each preceding matching condition is optional in a security policy. Configured matching conditions are in an AND relationship. That is, traffic is considered to match a security policy only when it matches all configured conditions of the security policy. If multiple values are configured in a single matching condition, the values are in an OR relationship. That is, traffic matches the condition as long as it matches any one of the values.
Specific matching conditions let a security policy describe traffic accurately. A security policy can use only the 5-tuple (source and destination IP addresses, source and destination ports, and protocol) as matching conditions, but to configure security policies more accurately, add matching conditions such as the application and user.
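The AND/OR semantics described above can be checked with a small model. The following is an added example written for this page; it is not Huawei code and does not reflect any firewall's internal implementation. Condition names (user, src_zone, dst_zone, src_ip, dst_ip, service, application, time_range), the ordered first-match evaluation and the default deny when no policy matches are assumptions of the example, and the policies and packets are constructed sample data. An unconfigured condition (None) matches anything, the values listed in one condition are OR'd, and all configured conditions are AND'd.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# A condition is either None (not configured: matches any value) or a set
# of acceptable values (OR relationship between the values in the set).
Condition = Optional[Set[str]]

# Condition names are assumed for this example, not taken from the page.
CONDITION_FIELDS = ("user", "src_zone", "dst_zone", "src_ip", "dst_ip",
                    "service", "application", "time_range")


@dataclass
class SecurityPolicy:
    name: str
    action: str                      # "permit" or "deny"
    user: Condition = None
    src_zone: Condition = None
    dst_zone: Condition = None
    src_ip: Condition = None
    dst_ip: Condition = None
    service: Condition = None
    application: Condition = None
    time_range: Condition = None

    def matches(self, packet: Dict[str, str]) -> bool:
        """AND across configured conditions, OR within each condition."""
        for attr in CONDITION_FIELDS:
            allowed = getattr(self, attr)
            if allowed is None:          # condition not configured: skip
                continue
            if packet.get(attr) not in allowed:
                return False             # one failed condition fails the policy
        return True


def evaluate(policies: List[SecurityPolicy], packet: Dict[str, str],
             default_action: str = "deny") -> Tuple[Optional[str], str]:
    """Return (policy name, action) of the first matching policy.
    Ordered first-match evaluation and default deny are assumptions here."""
    for policy in policies:
        if policy.matches(packet):
            return policy.name, policy.action
    return None, default_action


# Constructed sample policies (names use the SP_ prefix convention).
POLICIES = [
    SecurityPolicy(name="SP_finance_to_erp", action="permit",
                   src_zone={"trust"}, dst_zone={"dmz"},
                   user={"alice", "bob"},            # OR: either user
                   service={"https"}, time_range={"work_hours"}),
    SecurityPolicy(name="SP_block_high_risk_apps", action="deny",
                   application={"p2p", "proxy_tool"}),   # OR within condition
    SecurityPolicy(name="SP_trust_to_untrust", action="permit",
                   src_zone={"trust"}, dst_zone={"untrust"}),
]


def sample_results() -> Dict[str, Tuple[Optional[str], str]]:
    """Evaluate constructed sample traffic against POLICIES."""
    packets = {
        "alice_erp": {"user": "alice", "src_zone": "trust", "dst_zone": "dmz",
                      "service": "https", "application": "web",
                      "time_range": "work_hours"},
        # Same flow outside the time range: one AND condition fails.
        "alice_erp_after_hours": {"user": "alice", "src_zone": "trust",
                                  "dst_zone": "dmz", "service": "https",
                                  "application": "web", "time_range": "night"},
        "bob_p2p": {"user": "bob", "src_zone": "trust", "dst_zone": "untrust",
                    "service": "tcp_any", "application": "p2p",
                    "time_range": "work_hours"},
        "carol_web": {"user": "carol", "src_zone": "trust",
                      "dst_zone": "untrust", "service": "https",
                      "application": "web", "time_range": "work_hours"},
        "inbound": {"src_zone": "untrust", "dst_zone": "trust",
                    "service": "ssh", "application": "web",
                    "time_range": "night"},
    }
    return {label: evaluate(POLICIES, pkt) for label, pkt in packets.items()}


if __name__ == "__main__":
    for label, (name, action) in sample_results().items():
        print(f"{label:24s} -> {action:6s} ({name or 'no policy matched'})")
```

The after-hours case is the one worth noticing: the flow matches every condition of SP_finance_to_erp except the time range, and because conditions are AND'd, the policy does not apply and the flow falls through to the default action.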
Actions
A security policy has two basic actions: permit and deny, that is, allow or block the traffic.
- If the action is permit, you can perform further content security checks on the traffic that matches the policy. The content security check functions of Huawei firewalls include antivirus, intrusion prevention system (IPS), URL filtering, file blocking, data filtering, application behavior control, mail filtering, APT defense, and DNS filtering. Each content security check has its own application scenarios and actions. The combined result of all content security checks determines how the firewall processes the traffic.
- If the action is deny, you can choose to send feedback packets to the server or client so that sessions are terminated quickly and system resource consumption is reduced.
Matching conditions such as users, terminals, time ranges, addresses, regions, services, applications, and URL categories, as well as the profiles required for content security checks, exist as objects on the firewall. You can create an object once and reference it in multiple security policies.
Policy Identifiers
To facilitate management, the following security policy identifiers are provided:
- Name: uniquely identifies a security policy. Giving each security policy a meaningful name, for example one that indicates its purpose, improves maintenance efficiency.
- Description: records information about a security policy. For example, you can record in this field the number of the application process that triggered the security policy. In this way, you can quickly understand the background of the security policy during routine audits, for example, when the security policy was introduced, who submitted the application, and the validity period of the security policy.
- Policy group: Multiple security policies with the same purpose can be added to a policy group to simplify management. You can move, enable, or disable a policy group.
- Label: You can add multiple labels to a security policy to filter policies with the same characteristics. For example, you can add labels such as high-risk application and company application based on the type of applications to which a security policy applies. You are advised to set labels with a fixed prefix, for example, SP_, and use different colors to differentiate actions. This makes labels easy to understand.