General Information on Security Policy

The Security Policy window gives administrators a quick and easy way to set "blanket" policies for the Firewall. Most of the checkboxes in this window are a fast path to enabling certain Predefined Services that apply to all network traffic received by the firewall. The two exceptions are the Transparent Proxy checkboxes, which simply enable or disable Transparent Telnet and Transparent FTP.

For any checkbox that pertains to a Predefined Service, checking the box and clicking "OK" sets up a Connection Configuration and queues it for the next time the Connection Rules are regenerated and activated. These Security Policy Services generate connection rules that have 0.0.0.0 as both the source and destination address, meaning that the rules apply to any datagram regardless of where it comes from or where it is going. Note that these rules are placed at the top of the active Connection Rules file, so they are evaluated before every other connection rule: a blanket "permit" or "deny" set here takes precedence over the more specific rules below it.

Note: Any time you change a checkbox that pertains to a Predefined Service and click "OK", you must activate the change via the Connection Activation window before it takes effect. You do not need to activate after changing either of the Transparent Proxy checkboxes, because those two do not pertain to Predefined Services.

Further Information

Using the Configuration Client to Define a Security Policy

Permit DNS queries

Check this box to allow Domain Name Service resolution requests and replies to pass the firewall. This sets up the Predefined Service called "Permit DNS Queries" in your Connection Rules with a Source and Destination address of 0.0.0.0, so it applies regardless of which hosts are involved. To see exactly what this Service is composed of, go to the Navigation Tree, click on Traffic Control/Connection Templates/Services and open the "Permit DNS Queries" Service.

Note that if you change the value of this checkbox, you must save it (by pressing "OK") and then activate it via the "Connection Activation" window.


Permit DNS zone transfers

Check this box to allow Domain Name Service zone data to be transferred from nameserver to nameserver. This sets up the Predefined Service called "Permit DNS zone transfers" in your Connection Rules with a Source and Destination address of 0.0.0.0. Because a zone transfer hands over the complete contents of a zone, and this rule permits it between any pair of hosts, consider whether transfers across the non-secure interface are really needed; if only your own nameservers exchange zones, a Connection limited to those hosts is the safer choice. To see exactly what this Service is composed of, go to the Navigation Tree, click on Traffic Control/Connection Templates/Services and open the "Permit DNS zone transfers" Service.

Note that if you change the value of this checkbox, you must save it (by pressing "OK") and then activate it via the "Connection Activation" window.


Deny broadcast message to non-secure interfaces

Check this box to deny broadcast messages arriving at the non-secure interface. This sets up the Predefined Service called "Deny NonSecure Broadcasts" in your Connection Rules with a Source and Destination address of 0.0.0.0. If your firewall's non-secure interface is connected to the Internet, this service can be beneficial in reducing the amount of logging on the firewall, since broadcast noise from that side is then handled by a rule intended for it. To see exactly what this Service is composed of, go to the Navigation Tree, click on Traffic Control/Connection Templates/Services and open the "Deny NonSecure Broadcasts" Service.

Note that if you change the value of this checkbox, you must save it (by pressing "OK") and then activate it via the "Connection Activation" window.


Deny Socks to non-secure adapters

Check this box to block SOCKS traffic arriving at the Firewall from the non-secure network. This sets up the Predefined Service called "Deny NonSecure Socks" in your Connection Rules with a Source and Destination address of 0.0.0.0. Leaving this unchecked would let hosts on the non-secure side reach the firewall's SOCKS server, which could then be used as a relay; it should normally stay checked unless you have a specific reason to accept SOCKS clients from the non-secure network. To see exactly what this Service is composed of, go to the Navigation Tree, click on Traffic Control/Connection Templates/Services and open the "Deny NonSecure Socks" Service.

Note that if you change the value of this checkbox, you must save it (by pressing "OK") and then activate it via the "Connection Activation" window.


Shutdown secure interface (panic)

This item is intended for security emergencies. Check this box to block all traffic to and from the Firewall over the secure interfaces. This sets up the Predefined Service called "Deny All Secure" in your Connection Rules with a Source and Destination address of 0.0.0.0. Because it denies all traffic on the secure interfaces, including any administration sessions that arrive that way, make sure you can still reach the firewall (for example from its console) to clear the checkbox and reactivate afterwards. To see exactly what this Service is composed of, go to the Navigation Tree, click on Traffic Control/Connection Templates/Services and open the "Deny All Secure" Service.

Note that if you change the value of this checkbox, you must save it (by pressing "OK") and then activate it via the "Connection Activation" window.


Test IP Routing (debug only)

This item is intended for debugging only. Check this box to allow all traffic to and from the Firewall over any interface. This sets up the Predefined Service called "Permit All" in your Connection Rules with a Source and Destination address of 0.0.0.0; since it sits at the top of the rule set, it effectively switches off filtering on every interface while it is active. To see exactly what this Service is composed of, go to the Navigation Tree, click on Traffic Control/Connection Templates/Services and open the "Permit All" Service.

Note that if you change the value of this checkbox, you must save it (by pressing "OK") and then activate it via the "Connection Activation" window.

Warning: Use of this Service opens your Firewall to serious security exposures, because every datagram is permitted before any other rule is consulted. Use it with extreme caution, only on an isolated test network, and clear the checkbox and reactivate the Connection Rules as soon as the test is finished.
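The ordering point made above (Security Policy rules are any-to-any and sit at the top of the active rule set) and the warning about "Permit All" are easiest to see with a small first-match evaluator. The following is an added example written for this page, not IBM Firewall code and not its real rule format: it assumes first-match evaluation with an implicit final deny, assumes particular protocols and ports for the Predefined Services (UDP 53 for queries, TCP 53 for zone transfers, TCP 1080 for SOCKS), and constructs its own sample Connection Rules and datagrams.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"  # stands in for the 0.0.0.0 source/destination on the page


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "permit" or "deny"
    iface: str                   # "secure", "nonsecure" or "any"
    src: str                     # CIDR the datagram source must fall in
    dst: str                     # CIDR the datagram destination must fall in
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port, None means any

    def matches(self, pkt: dict) -> bool:
        return (
            self.iface in ("any", pkt["iface"])
            and self.proto in ("any", pkt["proto"])
            and (self.dport is None or self.dport == pkt.get("dport"))
            and ip_address(pkt["src"]) in ip_network(self.src)
            and ip_address(pkt["dst"]) in ip_network(self.dst)
        )


# Assumed contents of the Security Policy services.  The names are the
# page's; the protocol/port detail is this example's assumption.
POLICY_SERVICES = {
    "permit_dns_queries": [Rule("Permit DNS Queries", "permit", "any", ANY, ANY, "udp", 53)],
    "permit_dns_zone_transfers": [Rule("Permit DNS zone transfers", "permit", "any", ANY, ANY, "tcp", 53)],
    "deny_nonsecure_socks": [Rule("Deny NonSecure Socks", "deny", "nonsecure", ANY, ANY, "tcp", 1080)],
    "deny_all_secure": [Rule("Deny All Secure", "deny", "secure", ANY, ANY)],
    "permit_all": [Rule("Permit All", "permit", "any", ANY, ANY)],
}

# Constructed ordinary Connection Rules for a site whose secure network is 10.1.0.0/16.
CONNECTION_RULES = [
    Rule("Secure net to HTTPS", "permit", "secure", "10.1.0.0/16", ANY, "tcp", 443),
    Rule("No Telnet from outside", "deny", "nonsecure", ANY, "10.1.0.0/16", "tcp", 23),
]


def activate(policy: dict, connection_rules: list) -> list:
    """Build the active rule set: Security Policy rules first (the page says
    they are placed at the top), then the ordinary Connection Rules, then an
    assumed implicit deny-everything rule at the end."""
    top = [r for flag, on in policy.items() if on for r in POLICY_SERVICES[flag]]
    return top + list(connection_rules) + [Rule("Implicit Deny", "deny", "any", ANY, ANY)]


def evaluate(rules: list, pkt: dict) -> tuple:
    """First-match evaluation (assumed): the first rule that matches decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    raise RuntimeError("rule set must end with a catch-all rule")


# Constructed sample datagrams; outside addresses are RFC 5737 documentation ranges.
SAMPLES = {
    "web_out": {"iface": "secure", "src": "10.1.2.3", "dst": "203.0.113.10", "proto": "tcp", "dport": 443},
    "telnet_in": {"iface": "nonsecure", "src": "198.51.100.7", "dst": "10.1.2.3", "proto": "tcp", "dport": 23},
    "socks_in": {"iface": "nonsecure", "src": "198.51.100.7", "dst": "192.0.2.1", "proto": "tcp", "dport": 1080},
    "dns_out": {"iface": "secure", "src": "10.1.2.3", "dst": "203.0.113.53", "proto": "udp", "dport": 53},
}


def compare_policies() -> dict:
    """Evaluate every sample datagram under three checkbox settings and return
    {(setting, datagram): (action, deciding rule)}."""
    settings = {
        "normal": {"deny_nonsecure_socks": True, "permit_dns_queries": True},
        "panic": {"deny_all_secure": True},          # Shutdown secure interface
        "debug": {"permit_all": True},               # Test IP Routing
    }
    return {(mode, name): evaluate(activate(flags, CONNECTION_RULES), pkt)
            for mode, flags in settings.items() for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for (mode, name), (action, rule) in compare_policies().items():
        print(f"{mode:7} {name:10} -> {action:6} by '{rule}'")
```

Under "debug" every datagram, including the inbound Telnet that the site's own rule denies, is permitted by "Permit All" before that rule is ever reached; under "panic" the secure-side HTTPS and DNS datagrams are denied even though a later rule would permit them, while non-secure traffic still falls through to the ordinary rules. The relative order of two Security Policy rules checked at the same time is not stated on the page, so the example activates one policy rule per setting.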


Enable Telnet

Check this box to allow Transparent Proxy Telnet sessions. If you change the value of this checkbox, you do not need to activate it via the "Connection Activation" window; pressing "OK" saves the change and puts it into effect.

Enable FTP

Check this box to allow Transparent Proxy FTP sessions. If you change the value of this checkbox, you do not need to activate it via the "Connection Activation" window; pressing "OK" saves the change and puts it into effect.

OK

Press the "OK" button to save changes and close the window.

Cancel

Press the "Cancel" button to close the window without saving any changes.