Security Policy Add / Edit Security Policy

To create or edit a Security Policy.

Sample Configuration

Parameter | Mandatory | Default | Description |
---|---|---|---|
stickysession_id | No | Enter the session ID. confines to:
| |
Domains | Yes | Enter the domains the web server is responsible for as FQDN. Domains confines to:
According to the selected HTTPS certificate, some domains may be preselected. You can edit or delete these domains or add new ones. | |
ListenPort | Yes | 80 if 'HTTPS' is disabled or 443 if 'HTTPS' is enabled. | Enter a port number on which the hosted web server can be reached externally, over the Internet. ListenPort confines to:
|
skipcookie | No | Disable | Select this to 'Skip Cookie Signing'. Cookie signing protects a web server against manipulated cookies. confines to:
|
Action | No | Drop | Specify action for the rule traffic. Action confines to:
|
HTTPSCertificate | No | Select the HTTPS certificate to be used for scanning. HTTPSCertificate confines to:
| |
skipform_missingtoken | No | Disable | Select this to accept unhardened form data. confines to:
|
skipav | No | Disable | Click this to skip 'Anti-Virus'. Anti-Virus is used to protect a web server against viruses. confines to:
|
skipbadclients | No | Disable | Select this to skip 'Block Clients with bad reputation'. Based on GeoIP and RBL information you can block clients which have a bad reputation according to their classification. confines to:
|
RewriteCookies | No | Enable | Select this option to have the device rewrite cookies of the returned webpages. RewriteCookies confines to:
|
RedirectHTTP | No | Disable | Click to redirect HTTP requests. RedirectHTTP confines to:
|
DSCPMarking | No | NULL | Select DSCP Marking to classify flow of packets based on Traffic Shaping policy. DSCPMarking confines to:
|
ScanSMTP | No | OFF | Enable/Disable scanning of SMTP traffic. ScanSMTP confines to:
|
SNat Policy | Yes | Masquerade | Select the NAT policy to be applied from the list of available NAT policies. SNat Policy confines to:
Applicable only when 'Rewrite source address' is Enabled. |
HealthCheck | No | OFF | Click to enable health check for failover. HealthCheck confines to:
Applicable only if 'Load Balancing' is enabled. |
Member | No | Select the user(s) or group(s) from the list of available options. Member confines to:
| |
IntrusionPrevention | No | NULL | Select IPS policy for the rule. IntrusionPrevention confines to:
|
ScanPOP3 | No | OFF | Enable/Disable scanning of POP3 traffic. ScanPOP3 confines to:
|
Internet Scheme | No | 0 | Select internet scheme to apply user based Application Filter Policy for the rule. Internet Scheme confines to:
|
Port | Yes | Specify the Port number on which the server health is monitored. Port confines to:
Applicable only if 'TCP Probe' Health Check Method is selected. | |
ApplicationControl | No | NULL | Select Application Filter Policy for the rule. ApplicationControl confines to:
|
PrimaryGateway | No | Specify the Primary Gateway. PrimaryGateway confines to:
Applicable only in case of Multiple Gateways. | |
op | No | And | Select the operation among AND or OR for Path and Source. confines to:
|
Gateway Specific Nat | Yes | NULL | Specify 'gwwise_nat_object'. Gateway Specific Nat confines to:
|
TrafficShappingPolicy | No | NULL | Select Traffic Shaping policy for the rule. TrafficShappingPolicy confines to:
|
LogTraffic | No | Disable | Enable traffic logging for the policy. LogTraffic confines to:
|
websocket_passthrough | No | Specify 'websocket_passthrough' confines to:
| |
ScanHTTP | No | OFF | Select to enable virus and spam scanning for HTTP protocol. ScanHTTP confines to:
|
ProtectedZone | Yes | Select the zone to which the Web Server rule applies. ProtectedZone confines to:
| |
WebCategoryBaseQoSPolicy | No | Select to limit bandwidth for the URLs categorized under the Web category. WebCategoryBaseQoSPolicy confines to:
| |
MinimumDestinationHBPermitted | No | NoRestriction | Select a minimum health status that a device must have to conform to this policy. MinimumDestinationHBPermitted confines to:
|
Gateway Name | Yes | NULL | Gateway Name Gateway Name confines to:
|
Interval | Yes | 60 | Specify the time interval in seconds after which the health will be monitored. Interval confines to:
|
Zone | No | Select the destination zone(s) for the Rule. Zone confines to:
| |
stickysession_status | No | Select this option to ensure that each session will be bound to one web server. confines to:
| |
Service | No | Select Service/Service Groups to which the rule is to be applied. Service confines to:
| |
skipform | No | Disable | Click to skip 'Form Hardening'. Form hardening protects against web form rewriting. confines to:
|
WebFilter | No | NULL | Select Web Filter Policy for the rule. WebFilter confines to:
|
skip_threats_filter_categories | No | Disable | Select various parameters that you want to skip in section 'Skip these categories', options available are 'Protocol Violations', 'Protocol Anomalies', 'Request Limits', 'HTTP Policy', 'Bad Robots', 'Generic Attacks', 'SQL Injection Attacks', 'XSS Attacks', 'Tight Security', 'Trojans' and 'Outbound'. confines to:
|
skiphtmlrewrite | No | Disable | If selected, no data matching the defined exception settings will be modified by the WAF engine. confines to:
|
MappedPort | Yes | Specify mapped port number on the destination network to which the public port number is mapped. MappedPort confines to:
| |
EnableSandstorm | No | OFF | Select to enable sandstorm analysis. EnableSandstorm confines to:
|
ScanHTTPS | No | OFF | Select to enable virus and spam scanning for HTTPS protocol. ScanHTTPS confines to:
|
hot_standby | No | Select this option if you want to send all requests to the first selected web server, and use the other web servers only as a backup. confines to:
| |
BlockDestinationReqWithNOHB | No | OFF | Enable/Disable to require the sending of heartbeats. BlockDestinationReqWithNOHB confines to:
|
ShowCaptivePortal | No | OFF | Select to accept traffic from unknown users. The captive portal page is displayed to the user, where the user can log in to access the Internet. ShowCaptivePortal confines to:
|
Status | No | ON | Enable/Disable the policy. Status confines to:
|
Network | No | Specify Exception Host/Network Address to which rule is not to be applied. Network confines to:
| |
OutboundAddress | No | NULL | Select the NAT Policy to be applied. OutboundAddress confines to:
Applicable only if 'Override default NAT policy for specific gateway' is set to 'ON'. |
backend | Yes | Select the web servers which are to be used for the specified path. confines to:
| |
Retries | No | 3 | Specify the number of tries to probe the health of the server, after which the server will be declared unreachable. Retries confines to:
|
denied_networks | No | Select or add the denied networks that should be blocked on your hosted web server. confines to:
| |
HTTPS | Yes | Disable | Click to enable or disable scanning of HTTPS traffic. HTTPS confines to:
|
ScanPOP3S | No | OFF | Enable/Disable scanning of POP3S traffic. ScanPOP3S confines to:
|
Schedule | No | NULL | Select Schedule for the Rule. Schedule confines to:
|
ApplicationBaseQoSPolicy | No | Select to limit the bandwidth for the applications categorized under the Application Category. ApplicationBaseQoSPolicy confines to:
| |
Description | No | Specify description for the Security Policy. | |
Network | No | Select the allowed destination network(s). Network confines to:
| |
ExternalPort | Yes | Specify public port number for which you want to configure port forwarding. ExternalPort confines to:
| |
ProtectedServer | Yes | Select from the available options on which the Web Server is to be hosted. ProtectedServer confines to:
| |
RewriteHTML | No | Disable | Select this option to have the device rewrite links of the returned webpages in order for the links to stay valid. RewriteHTML confines to:
|
Name | No | Specify a name for the Security Policy when inserting after and before policy. Name confines to:
| |
IPFamily | No | IPv4 | Select the Internet Protocol version. IPFamily confines to:
|
skipurl | No | Disable | Select this to skip 'Static URL Hardening'. Static URL Hardening protects against URL rewriting. confines to:
|
ProbeMethod | Yes | Select the probe method to check the health of the server from the available options. ProbeMethod confines to:
| |
PolicyType | Yes | Select the type of policy. PolicyType confines to:
| |
Backup Gateway | No | NULL | Specify Backup Gateway. Backup Gateway confines to:
|
HostedAddress | Yes | Specify the address of the hosted server to which the rule applies. HostedAddress confines to:
| |
auth_profile | No | Select the Authentication Policy. Select Create new to create a new Authentication Policy. confines to:
| |
ScanIMAP | No | OFF | Enable/Disable scanning of IMAP traffic. ScanIMAP confines to:
|
SecurityHeartbeat | No | OFF | Enable/Disable to require the sending of heartbeats. SecurityHeartbeat confines to:
|
ScanFTP | No | OFF | Enable/Disable scanning of FTP traffic. ScanFTP confines to:
|
MinimumHeartbeatPermitted | No | NoRestriction | Select a minimum health status that a device must have to conform to this policy. MinimumHeartbeatPermitted confines to:
|
Internet Scheme | No | 0 | Select internet scheme to apply user based Web Filter Policy for the rule. Internet Scheme confines to:
|
ReflexiveRule | No | OFF | Enable to automatically create a reflexive rule for the protected host. ReflexiveRule confines to:
|
Name | Yes | Specify a name to identify the Security Policy. Name confines to:
| |
ScanIMAPS | No | OFF | Enable/Disable scanning of IMAPS traffic. ScanIMAPS confines to:
|
PassHostHeader | No | Disable | When you select this option, the host header as requested by the client will be preserved and forwarded along with the web request to the web server. Whether passing the host header is necessary in your environment depends on the configuration of your web server. PassHostHeader confines to:
|
path | Yes | Enter the path for which you want to create the site path route. Example: /products/. confines to:
| |
MatchIdentity | No | OFF | Enable to check whether the specified user/user group from the selected zone is allowed to access the selected service or not. MatchIdentity confines to:
|
ForwardPorts | No | OFF | Click slider to enable/disable the service of port forwarding. ForwardPorts confines to:
|
RewriteSourceAddress | No | OFF | Enable to apply NAT Policy. RewriteSourceAddress confines to:
|
Authentication | No | Select the Authentication Policy. Select Create new to create a new Authentication Policy. Authentication confines to:
| |
Protocol | No | TCP | Select the protocol TCP or UDP that you want the forwarded packets to use. Protocol confines to:
|
Zone | No | Select the source zone(s) allowed to the user. Zone confines to:
| |
CompressionSupport | No | Disable | Select this to not send content in compressed form to client on request. CompressionSupport confines to:
|
DataAccounting | No | OFF | Select to exclude user's network traffic from data accounting. DataAccounting confines to:
This option is available only if the parameter 'Match rule-based on user identity' is enabled. |
ScanSMTPS | No | OFF | Enable/Disable scanning of SMTPS traffic. ScanSMTPS confines to:
|
source | No | Specify the source networks where the client request comes from and which are to be exempted from the selected check(s). confines to:
| |
HostedAddress | Yes | Select the interface of the hosted server to which the rule applies. It is the public IP address through which Internet users access the internal server/host. HostedAddress confines to:
| |
Network | No | Select the allowed source network(s). Network confines to:
| |
Timeout | Yes | 2 | Specify the time interval in seconds within which the server must respond. Timeout confines to:
|

Operation | Status | Message |
---|---|---|
Edit Security Policy | 200 | |
Edit Security Policy | 202 | |
Edit Security Policy | 500 | |
Edit Security Policy | 502 | |
Edit Security Policy | 505 | |
Edit Security Policy | 541 | |
Edit Security Policy | 542 | |
Edit Security Policy | 543 | |
Edit Security Policy | 544 | |
Edit Security Policy | 545 | |
Edit Security Policy | 546 | |
Edit Security Policy | 547 | |
Edit Security Policy | 548 | |
Edit Security Policy | 549 | |
Edit Security Policy | 550 | |
Edit Security Policy | 551 | |
Edit Security Policy | 552 | |
Security Policy Add | 200 | |
Security Policy Add | 500 | |
Security Policy Add | 502 | |
Security Policy Add | 505 | |
Security Policy Add | 541 | |
Security Policy Add | 542 | |
Security Policy Add | 543 | |
Security Policy Add | 544 | |
Security Policy Add | 545 | |
Security Policy Add | 546 | |
Security Policy Add | 547 | |
Security Policy Add | 548 | |
Security Policy Add | 549 | |
Security Policy Add | 550 | |
Security Policy Add | 551 | |