Policy Configuration : Configuring Access Rules

Adding or Editing App Rules Policies
When you have created a match object, and optionally, an action or an email address object, you are ready to create a policy that uses them. Only a limited number of App Rules policies are allowed, depending on the SonicOS appliance model.
You can use App Control to create custom App Rules policies to control specific aspects of traffic on your network. A policy is a set of match objects, properties, and specific prevention actions.
To create a policy, complete the following tasks:
When you create a policy, you select a policy type. Each policy type specifies the values or value types that are valid for the source, destination, match object type, and action fields in the policy.
You can further define the policy to include or exclude specific users or groups, select a schedule, turn on logging, and specify the connection side as well as basic or advanced direction types. A basic direction type simply indicates inbound or outbound. An advanced direction type allows zone to zone direction configuration, such as from the LAN to the WAN.
To configure an App Rules policy, complete the following steps:
1.
2. Navigate to the Firewall > App Rules page on the Policies tab.
3. To edit an existing policy, click the pencil icon under Configure for it. To add a new policy, click Add New Policy.
   The App Control Policy Settings window displays.
4. In the App Control Policies Settings window, type a descriptive name into the Policy Name field.
5. Select a Policy Type from the pull-down list. Your selection here affects available options in the window. For information about available policy types, see Policy Type Reference.
6. Select a source and destination Address Group or Address Object from the Address pull-down lists. Only a single Address field is available for IPS Content, App Control Content, or CFS policy types.
7. Select the source or destination service from the Service pull-down lists. Some policy types do not provide a choice of service.
8. For Exclusion Address, optionally select an Address Group or Address Object from the pull-down list. This address is not affected by the policy.
9. For Match Object, select match objects to include and exclude from the drop-down menus. The menus contain the defined match objects that are applicable to the policy type.
10. For Action, select an action from the pull-down list. The list contains actions that are applicable to the policy type and the match object, and can include the predefined actions, plus any customized actions. For a log-only policy, select No Action.
11. For Users/Groups, select from the pull-down lists for both Included and Excluded. The selected users or groups under Excluded are not affected by the policy.
12. If the policy type is SMTP Client, select from the pull-down lists for MAIL FROM and RCPT TO, for both Included and Excluded. The selected users or groups under Excluded are not affected by the policy.
13. For Schedule, select from the pull-down list. The list provides a variety of schedules for the policy to be in effect.
14. Select Enable Flow Reporting to enable internal and external flow reporting based on data flows, connection related flows, non-connection related flows regarding applications, viruses, spyware, intrusions, and other information.
15.
16. To record more details in the log, select Log individual object content.
17. If the policy type is IPS Content, select Log using IPS message format to display the category in the log entry as “Intrusion Prevention” rather than “Application Control,” and to use a prefix such as “IPS Detection Alert” in the log message rather than “Application Control Alert.” This is useful if you want to use log filters to search for IPS alerts.
18. If the policy type is App Control Content, select Log using App Control message format to display the category in the log entry as “Application Control,” and to use a prefix such as “Application Control Detection Alert” in the log message. This is useful if you want to use log filters to search for Application Control alerts.
19. If the policy type is CFS, select Log using CFS message format to display the category in the log entry as “Network Access,” and to use a log message such as “Web site access denied” in the log message rather than no prefix. This is useful if you want to use log filters to search for content filtering alerts.
20. For Log Redundancy Filter, you can either select Global Settings to use the global value set on the Firewall > App Rules page, or you can enter a number of seconds to delay between each log entry for this policy. The local setting overrides the global setting only for this policy; other policies are not affected.
21. For Connection Side, select from the pull-down list. The available choices depend on the policy type and can include Client Side, Server Side, or Both, referring to the side where the traffic originates. IPS Content, App Control Content, or CFS policy types do not provide this configuration option.
22. For Direction, click either Basic or Advanced and select a direction from the pull-down list. Basic allows you to select Incoming, Outgoing, or Both. Advanced allows you to select between zones, such as LAN to WAN. IPS Content, App Control Content, or CFS policy types do not provide this configuration option.
23. If the policy type is IPS Content, App Control Content, or CFS, select a zone from the Zone pull-down list. The policy is applied to this zone.
24. If the policy type is CFS, select an entry from the CFS Allow List pull-down list. The list contains any defined CFS Allow/Forbidden List type of match objects, and also provides None as a selection. The domains in the selected entry are not affected by the policy.
25. If the policy type is CFS, select an entry from the CFS Forbidden List pull-down list. The list contains any defined CFS Allow/Forbidden List type of match objects, and also provides None as a selection. The domains in the selected entry are denied access to matching content, instead of having the defined action applied.
26. If the policy type is CFS, select Enable Safe Search Enforcement to prevent safe search enforcement from being disabled on search engines such as Google, Yahoo, Bing, and others.
27. Click OK. The Modify Task Description and Schedule window displays.
28. A description is automatically added in the Description field. Optionally change the description.
29. For Schedule, select one of the following radio buttons and set any associated fields:
    Default – Use the default schedule configured for the Agent that manages this unit
    Immediate – Activate this policy immediately
    At – Select the exact time to activate this policy using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
30. Click Accept to save the policy with this schedule. Click Cancel to exit without saving the policy.
At the unit level, you might need to refresh the Firewall > App Rules page to see your new policy in the list.
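
The per-type restrictions in the steps above can be checked on a planned policy before it is entered in the window. The following is an added example, not SonicWall code: the dictionary keys, the sample plans, and the custom action name are assumptions made for illustration, and each conditional step is read as applying only to the policy type it names.

```python
# Added example: the dict keys below are assumed names, not a SonicOS/GMS format.
ZONE_TYPES = {"IPS Content", "App Control Content", "CFS"}
# Keys that the steps tie to one policy type (conditional steps are read as
# applying only to the named type, which is an assumption of this sketch).
TYPE_ONLY = {
    "log_ips_format": "IPS Content",
    "log_app_control_format": "App Control Content",
    "log_cfs_format": "CFS",
    "cfs_allow_list": "CFS",
    "cfs_forbidden_list": "CFS",
    "safe_search": "CFS",
    "mail_from": "SMTP Client",
    "rcpt_to": "SMTP Client",
}
# Options the steps say are not provided for the zone-based types.
NOT_FOR_ZONE_TYPES = ("destination_address", "connection_side", "direction")


def lint_policy(policy):
    """Return a list of problems; an empty list means the plan fits the steps."""
    problems = []
    ptype = policy.get("policy_type")
    if not policy.get("name"):
        problems.append("policy name is empty")
    if ptype in ZONE_TYPES:
        if not policy.get("zone"):
            problems.append(f"{ptype}: select a zone")
        for key in NOT_FOR_ZONE_TYPES:
            if key in policy:
                problems.append(f"{ptype}: {key} is not available")
    for key, owner in TYPE_ONLY.items():
        if key in policy and ptype != owner:
            problems.append(f"{key} applies only to {owner} policies")
    if policy.get("log_only") and policy.get("action") != "No Action":
        problems.append("log-only policy must use No Action")
    return problems


def effective_log_redundancy(policy, global_seconds):
    """A per-policy value overrides the global setting for that policy only."""
    local = policy.get("log_redundancy", "Global Settings")
    return global_seconds if local == "Global Settings" else int(local)


# Constructed sample plans (not taken from a real appliance).
GOOD = {"name": "Log IPS hits", "policy_type": "IPS Content", "address": "Any",
        "zone": "WAN", "action": "No Action", "log_only": True,
        "log_ips_format": True, "log_redundancy": 30}
BAD = {"name": "Block uploads", "policy_type": "CFS", "address": "LAN Subnets",
       "direction": "Outgoing", "mail_from": "Any",
       "action": "custom-block-action", "log_only": True}
```

Running lint_policy on each planned policy returns the mismatches to resolve before the policy is saved; effective_log_redundancy shows which log interval will actually apply to it.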