Chapter 6 - Security Policy

HCSA-NGFW 2022
Contents
1 Security Policy Basis
2 Object
3 Advanced Policy Configuration
4 Policy Configuration (CLI)

Security Policy Basis
Security Policy
• Security policy is the basic function of a network security appliance.

• Policy is designed to control traffic forwarding between security zones/segments. By default, Hillstone devices deny all traffic between security zones/segments.

• Based on the policy rules, the policy identifies which flows between security zones or segments will be permitted and which will be denied.

www.hillstonenet.com
Basic Elements of Policy Rules
• Policy filtering conditions:
– Source Zone/Address – the source zone/address of the traffic.
– Destination Zone/Address – the destination zone/address of the traffic.
– Service – the service type of the traffic.
– *User
– *Application

• Action:
– Permit
– Deny
– WebAuth
– Tunnel, From tunnel
– Portal Server

Policy Filtering Condition and Action
Policy > Security Policy, click "New" to create a policy.
[Topology: PC user 192.168.10.10 on Eth0/1 (trust zone); web server www.hillstonenet.com reached through Eth0/4 (untrust zone) and the Internet]

Policy Position
• Policy > Security Policy, edit a policy rule and click "Options" to change the position of this policy.

Matching Sequence of Policy Rules
• The first packet of a flow is matched against the policy rules.

• Matching sequence of policy rules:
– When traffic flows into a Hillstone device, the device queries the policy rules in the list in turn (from top to bottom, not according to policy ID) and processes the traffic according to the first matched rule.

• The default policy rule denies all traffic.

Matching Sequence Example
According to the network topology below, can the PC access the FTP server? Which policy rule will be matched?
[Topology: PC2 (192.168.10.2) and PC3 (192.168.10.3) in 192.168.10.0/24 connect to E0/1 (.1, trust zone); the FTP server is reached through E0/4 (untrust zone) and the Internet]

Object
Object
• Object includes:
- Address Book
- Host Book
- Service Book
- APP Book
- Schedule
- AAA server, User and Role
- Track Object

• We will introduce the top 5 objects here.

Configure Address Book (WebUI)
Object > Address Book, click "New".

Host Book
Object > Host Book, click "New". Regular expressions are also supported.

Service Book (WebUI)
Object > Service Book > Service
Here you can see the predefined services.

CLI: show service predefined


User-defined Service (WebUI)

User-defined Service Group (WebUI)

Application Book
• Object > APP Book > Application
You can view or edit the predefined applications; the predefined application database is updated online automatically.

CLI: show application predefined


Schedule
• Schedule includes: Days and Timeframe

• Schedule controls when some functions take effect: for example, it allows a policy rule to take effect only in a specified time, controls the duration of the connection between a PPPoE interface and the Internet, and is referenced by QoS.

• The system time must be set correctly before using a schedule.

Create a Schedule
Object > Schedule. Click "New" to create a schedule.

Apply Schedule to a Policy Rule
Click Security > Security Policy. Click "New" to create a policy rule that blocks game applications from the trust zone to the untrust zone within the specified schedule.

Advanced Policy Configuration
Check / Move the Policy Position
Policy > Security Policy

To move a policy rule, in policy configuration mode, use the following command:
move id {top | bottom | before id | after id}

Policy Hit Count
• Statistics of how often each policy rule is hit; can be used to judge the validity of a policy rule.

SG-6000# show policy hit-count

Most hit policy rules:
===================================================================================================================
No. Id Name Src-zone Dst-zone Src-addr Dst-addr Service Applica~ Action Hit-count
-------------------------------------------------------------------------------------------------------------------
1 2 vpn trust untrust vpn branch1 Any PERMIT 1053
2 3 office trust untrust prov .. dmz Any PERMIT 579
3 4 untrust trust dmz Any Any PERMIT 0
4 1 Any Any Any Any Any PERMIT 1012
5 dft Any Any 0
Policy Redundancy Check
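The matching sequence, the FTP example topology, the move command and the hit-count and redundancy slides above all describe one mechanism: rules are tried in list order, the first match decides, and unmatched traffic falls to a deny-all default. The following added example (not Hillstone code, not StoneOS behaviour beyond what the slides state) models that mechanism in Python. The Rule fields, the packet dict keys, the two sample rules and the FTP-server address 203.0.113.21 are constructed for the example; the shadow check is a simplified field-by-field subset test, not the device's own redundancy algorithm.

```python
"""Added example (not Hillstone code): first-match policy evaluation with hit counts,
a `move` equivalent and a simple shadowed-rule (redundancy) check."""
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass
class Rule:
    id: int
    name: str
    src_zone: str
    dst_zone: str
    src_addr: str   # CIDR or "any"
    dst_addr: str   # CIDR or "any"
    service: str    # e.g. "tcp/21", or "any"
    action: str     # "permit" or "deny"
    hits: int = 0


def _covers(a, b, is_addr=False):
    """True if field value a (earlier rule) matches everything that value b (later rule) matches."""
    if a == ANY:
        return True
    if b == ANY:
        return False
    if is_addr:
        return ipaddress.ip_network(b, strict=False).subnet_of(ipaddress.ip_network(a, strict=False))
    return a == b


def _addr_match(cidr, ip):
    return cidr == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule, pkt):
    """pkt: dict with src_zone, dst_zone, src_ip, dst_ip, service (e.g. 'tcp/21')."""
    return ((rule.src_zone == ANY or rule.src_zone == pkt["src_zone"])
            and (rule.dst_zone == ANY or rule.dst_zone == pkt["dst_zone"])
            and _addr_match(rule.src_addr, pkt["src_ip"])
            and _addr_match(rule.dst_addr, pkt["dst_ip"])
            and (rule.service == ANY or rule.service == pkt["service"]))


class PolicyList:
    def __init__(self, rules):
        self.rules = list(rules)   # evaluation order is list position, never rule id

    def evaluate(self, pkt):
        """(action, rule_id) of the first matching rule; ('deny', None) means the default rule."""
        for rule in self.rules:
            if rule_matches(rule, pkt):
                rule.hits += 1
                return rule.action, rule.id
        return "deny", None

    def move(self, rule_id, where, ref_id=None):
        """Same semantics as `move id {top | bottom | before id | after id}`."""
        rule = next(r for r in self.rules if r.id == rule_id)
        self.rules.remove(rule)
        if where == "top":
            self.rules.insert(0, rule)
        elif where == "bottom":
            self.rules.append(rule)
        else:
            idx = [r.id for r in self.rules].index(ref_id)
            self.rules.insert(idx if where == "before" else idx + 1, rule)

    def hit_count(self):
        """Rows in list order, like `show policy hit-count`: (position, id, name, action, hits)."""
        return [(pos, r.id, r.name, r.action, r.hits) for pos, r in enumerate(self.rules, 1)]

    def shadowed(self):
        """(later_id, earlier_id) pairs where an earlier rule covers every field of a later one,
        so the later rule can never be hit. Simplified redundancy check, constructed here."""
        found = []
        for i, later in enumerate(self.rules):
            for earlier in self.rules[:i]:
                if (_covers(earlier.src_zone, later.src_zone)
                        and _covers(earlier.dst_zone, later.dst_zone)
                        and _covers(earlier.src_addr, later.src_addr, True)
                        and _covers(earlier.dst_addr, later.dst_addr, True)
                        and _covers(earlier.service, later.service)):
                    found.append((later.id, earlier.id))
                    break
        return found


def build_example():
    """Constructed rules for the trust -> untrust FTP scenario. Rule id 3 is listed above
    rule id 1 on purpose: list position, not id, decides which rule matches first."""
    return PolicyList([
        Rule(3, "block-pc3", "trust", "untrust", "192.168.10.3/32", ANY, "tcp/21", "deny"),
        Rule(1, "lan-ftp", "trust", "untrust", "192.168.10.0/24", ANY, "tcp/21", "permit"),
    ])


def ftp_from(src_ip, src_zone="trust", dst_zone="untrust"):
    # 203.0.113.21 is a constructed FTP-server address for this example
    return {"src_zone": src_zone, "dst_zone": dst_zone, "src_ip": src_ip,
            "dst_ip": "203.0.113.21", "service": "tcp/21"}


if __name__ == "__main__":
    pl = build_example()
    print(pl.evaluate(ftp_from("192.168.10.2")))   # ('permit', 1)
    print(pl.evaluate(ftp_from("192.168.10.3")))   # ('deny', 3)
    pl.move(1, "top")
    print(pl.evaluate(ftp_from("192.168.10.3")))   # ('permit', 1): the deny rule is now shadowed
    print(pl.shadowed())                            # [(3, 1)]
```

With the rules in their original order PC2 is permitted by rule 1 and PC3 is denied by rule 3, and traffic from untrust to trust hits the default deny. After `move(1, "top")` the broader permit rule is evaluated first, PC3 is permitted, and `shadowed()` reports rule 3 as unreachable, which is exactly the situation a zero hit count in `show policy hit-count` would hint at.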

Policy Import/Export
• Only the DAT format is supported.

Session Displayed in Policy
• Session details can be checked from the policy.

Stateful Inspection Technology (Session)
SG-6000# show session
Device: max 100000, alloc 32, deny session 0, free 99968, tunnel 0, alloc failed 0
================================================================
session: id 6, proto 6, flag a, flag1 20000, created 28309, life 1641, policy 2,app 93(HTTPS) flag 0x0,
auth_user_id 0, reverse_auth_user_id 0
flow0(19(ethernet0/7)/40200810): 1.1.1.20:56606->40.100.2.98:443
flow1(16(ethernet0/4)/200810): 40.100.2.98:443->200.0.0.10:56606

• A session is the state of a connection between two parties on a firewall; one session corresponds to one connection between the two sides. The collection of all sessions on a firewall is called the session table.

• A session is created for the first packet of a connection; the following packets are looked up in and matched against the existing session.

• A session includes: source address, source port, destination address, destination port, protocol, application and user.
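To make the first-packet-creates-session rule concrete, here is an added example (not Hillstone code) of a minimal stateful session table modelled on the flow0/flow1 layout in the `show session` output above. The first packet of a connection is checked against policy and, if permitted, creates a session that is indexed under both directions; later packets, including replies from the server, match the session and never consult policy again. The `trust_to_web_only` policy callback, the capacity figures and the use of the addresses from the sample output are constructed for the example; there is no NAT here, so flow1 is simply the reverse of flow0.

```python
"""Added example (not Hillstone code): a stateful session table with forward/reverse flow keys,
first-packet policy lookup, and counters in the spirit of the `Device:` line of `show session`."""
import ipaddress
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Flow:
    proto: int      # 6 = TCP, 17 = UDP
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class Session:
    id: int
    proto: int
    flow0: Flow      # original direction
    flow1: Flow      # reply direction (no NAT in this example)
    policy_id: int   # rule that admitted the first packet
    packets: int = 0


class SessionTable:
    def __init__(self, policy_lookup, max_sessions=100000):
        self.policy_lookup = policy_lookup   # callable(Flow) -> permitting policy id, or None to deny
        self.max_sessions = max_sessions
        self.sessions = {}     # session id -> Session
        self.by_flow = {}      # Flow -> Session, indexed in both directions
        self.deny_count = 0
        self.alloc_failed = 0
        self._ids = count(1)

    def handle_packet(self, flow):
        """('session', id) if the packet matches or creates a session, else ('deny', None)."""
        session = self.by_flow.get(flow)
        if session is None:
            policy_id = self.policy_lookup(flow)          # first packet only: policy decides
            if policy_id is None:
                self.deny_count += 1
                return "deny", None
            if len(self.sessions) >= self.max_sessions:   # table full: allocation fails
                self.alloc_failed += 1
                return "deny", None
            session = Session(next(self._ids), flow.proto, flow, flow.reverse(), policy_id)
            self.sessions[session.id] = session
            self.by_flow[session.flow0] = session
            self.by_flow[session.flow1] = session
        session.packets += 1
        return "session", session.id

    def close(self, session_id):
        """Remove a session (e.g. on FIN/RST or lifetime expiry) and free both flow keys."""
        s = self.sessions.pop(session_id)
        del self.by_flow[s.flow0]
        del self.by_flow[s.flow1]

    def summary(self):
        """Counters modelled on the `Device:` line of `show session`."""
        return {"max": self.max_sessions, "alloc": len(self.sessions),
                "deny": self.deny_count, "free": self.max_sessions - len(self.sessions),
                "alloc_failed": self.alloc_failed}


def trust_to_web_only(flow):
    """Constructed stand-in for a policy list: TCP/443 from 1.1.1.0/24 is permitted by 'rule 2'."""
    if flow.proto == 6 and flow.dst_port == 443 and \
            ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network("1.1.1.0/24"):
        return 2
    return None


if __name__ == "__main__":
    table = SessionTable(trust_to_web_only)
    syn = Flow(6, "1.1.1.20", 56606, "40.100.2.98", 443)   # addresses taken from the sample output
    print(table.handle_packet(syn))             # ('session', 1): created by policy rule 2
    print(table.handle_packet(syn.reverse()))   # ('session', 1): the reply hits the same session
    print(table.handle_packet(Flow(6, "1.1.1.20", 40001, "40.100.2.98", 23)))  # ('deny', None)
    print(table.summary())
```

Note that an unsolicited packet arriving in the reply direction (from 40.100.2.98:443 to the client) is not in the table, so it goes through policy and is denied; only a reply to an existing session is accepted without a policy lookup.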

Policy Configuration (CLI)
Configure Policy Rule (CLI)
• To enter the policy configuration mode, in global configuration mode, use the following command:
policy-global
• After entering the policy configuration mode, to create a policy rule, use the following command:
rule [id id] [top | before id | after id] [role {UNKNOWN | role-name} | user aaa-server-name user-name | user-group aaa-server-name user-group-name] from src-addr to dst-addr service service-name {permit | deny | tunnel tunnel-name | fromtunnel tunnel-name | webauth | portal-server}

• id id – Specifies the ID of the policy rule. If not specified, the system automatically assigns an ID to the policy rule.
• top | before id | after id – Specifies the location of the policy rule. By default, a newly created policy rule is placed at the end of all the rules.
• from src-addr – Specifies the source address of the policy rule.
• to dst-addr – Specifies the destination address of the policy rule.
• service service-name – Specifies the service name of the policy rule.
• permit | deny | tunnel tunnel-name | fromtunnel tunnel-name | webauth aaa-server | portal-server – Specifies the action of the policy rule.

Configure Policy Rule (Cont.)
• show policy [id id] [from src-zone] [to dst-zone]
• id id – Shows the detailed information of the specified policy rule.
• from src-zone – Shows the detailed information of the policy rules whose source security zone is the specified zone.
• to dst-zone – Shows the detailed information of the policy rules whose destination security zone is the specified zone.

• Another way to configure a policy rule:
rule from any to any from-zone trust to-zone untrust service any permit

Questions
1. What are the basic elements of a policy rule?
• Policy filtering conditions: ,,, Action:

2. What actions does the policy rule support?
Permit, Deny, WebAuth, Tunnel, From tunnel, Portal Server

3. What is the matching sequence of policy rules?
When traffic flows into a Hillstone device, the device queries the policy rules in the list in turn (from top to bottom, not according to the policy ID) and processes the traffic according to the first matching rule.

4. What is the default policy for the interfaces within the same security zone?
Policy is designed to control traffic forwarding between security zones/segments. By default, Hillstone devices deny all traffic between security zones/segments.

5. What is the supported file format for policy import?
• Only the DAT format is supported.

Thanks