Creating and Deploying Smart Policies: Example

In this procedure, you will create four firewall policies, one for each of the policy goals listed below.

Usage scenario: Endpoints consist of desktop computers and laptops, all running the CPM Firewall. Desktops have a single wired LAN connection. The laptops have both a LAN and a W-LAN connection. Being mobile, the laptops often travel to different corporate offices (London and New York) and are also used outside the corporate network (for example, at an airport).

Create one firewall policy for each of the following cases:

  • Policy 1: Prevent wireless FTP connections in London

  • Policy 2: Allow wired and wireless FTP connections in New York

  • Policy 3: Allow wired FTP connections in London and New York

  • Policy 4: Prevent all but HTTPS connections in unknown locations (wireless)

When targeting specific IP addresses in a firewall policy, be sure that the IP address ranges specified are mutually exclusive, that is, that the same IP address is not included in more than one related policy.

  • London = 10.10.0.0–10.10.255.255

  • New York = 192.168.0.0–192.168.255.255

  • Unknown = Not London or New York

Creating a Policy for Each Case

About this task

The steps for creating the first policy are provided below. Repeat steps 3 and 4, modifying as needed, to create the remaining three policies.

Procedure

  1. From the console menu, click Endpoint Protection on the bottom left pane.
  2. From the upper left navigation pane, go to Core Protection Module > Configuration > Common Firewall Settings > New Policy Task.... The Firewall Policy Settings Wizard appears.
  3. Click the Add button, and in the window that appears, give the policy a name that will make its function clear when it appears in the Policy List, for example, No FTP over W-LAN in London. The Firewall Policy Configuration screen opens.
  4. Configure the following settings. See Firewall Policy Configuration for configuration details.
    1. Select Firewall Enabled.
    2. Select Security Level = High to block all traffic to all ports.
    3. Select Apply to a Range of IP Addresses and enter the IP address range for London, From: 10.10.0.0 To: 10.10.255.255.
    4. From the Exception Rules, enable FTP-Data and FTP.
    • If a location spans multiple IP address ranges, create a parallel firewall policy for each range (differentiate the names by adding a number).

    • If you are using a subnet to represent the location, enter the subnet IP in both the From: and To: fields.

    Note: Subnet notations such as 172.16.0.0/16 and 172.16 are not supported.
  5. Click Save. The Firewall Policy List becomes active.
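The two checks a console operator would want before saving these policies are that the location ranges do not overlap (the mutual-exclusivity requirement above) and that a subnet written in CIDR form is expanded into the explicit From/To pair the policy form accepts, since the console does not take subnet notation. The following Python script is an added example and is not part of the CPM product or this guide; the location ranges are the ones given in the example, the `cidr_to_from_to` helper is an assumed convenience for filling in From: and To:, and the sample endpoint addresses are constructed.

```python
import ipaddress
from itertools import combinations

# Location ranges exactly as given in the example, in the From/To form
# the CPM console uses.
LOCATIONS = {
    "London": ("10.10.0.0", "10.10.255.255"),
    "New York": ("192.168.0.0", "192.168.255.255"),
}


def cidr_to_from_to(cidr):
    """Expand CIDR notation (not accepted by the console) into the explicit
    From/To pair that the policy form takes. Assumed helper, not a product API."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address)


def _as_ints(frm, to):
    """Convert a From/To pair to integers and reject a reversed range."""
    a, b = int(ipaddress.ip_address(frm)), int(ipaddress.ip_address(to))
    if a > b:
        raise ValueError(f"range {frm}-{to}: From address is above To address")
    return a, b


def overlapping_ranges(ranges):
    """Return the pairs of location names whose ranges share at least one
    address. An empty list means the ranges are mutually exclusive."""
    ints = {name: _as_ints(*r) for name, r in ranges.items()}
    clashes = []
    for (n1, (a1, b1)), (n2, (a2, b2)) in combinations(ints.items(), 2):
        # Two closed intervals overlap when each starts before the other ends.
        if a1 <= b2 and a2 <= b1:
            clashes.append((n1, n2))
    return clashes


def classify(ip, ranges=LOCATIONS):
    """Map an endpoint address to a named location, or 'Unknown' when it is
    in neither London nor New York."""
    x = int(ipaddress.ip_address(ip))
    for name, r in ranges.items():
        a, b = _as_ints(*r)
        if a <= x <= b:
            return name
    return "Unknown"


if __name__ == "__main__":
    # Constructed sample addresses: a London desktop, a New York laptop,
    # and a laptop on an airport network.
    for sample in ("10.10.4.7", "192.168.1.2", "172.16.5.1"):
        print(sample, "->", classify(sample))
    print("overlaps:", overlapping_ranges(LOCATIONS))
    print("172.16.0.0/16 as From/To:", cidr_to_from_to("172.16.0.0/16"))
```

Run this before creating the policies: a non-empty `overlapping_ranges` result names the policies whose ranges must be split, and `cidr_to_from_to` gives the two addresses to type into the From: and To: fields when a location is documented as a subnet.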

Creating Tasks for Different Locations

About this task

In this procedure, you will create different Tasks and include in them different combinations of the policies created above. The combinations you select for a Task are important, as they determine the policies a given endpoint will have available to use.

Procedure

  1. In the Firewall Policy Settings Wizard screen, do the following:
    1. Be sure the policies are ordered correctly, that is, put the policy with an IP address range above the one for all IP addresses.
    2. Select both London policies (Policies 1 and 3).
    3. For New York, use Policies 2 and 3.
    4. For Unknown, use Policies 1, 2, and 4.
  2. Click the Create Firewall Policy Task... button at the top of the screen. The Policy Deployment Description appears.
  3. In the Name field, give the Task a descriptive name, such as Firewall policy to prevent FTP over WLAN at London office.
  4. Below Description, edit the text to provide, for example, the rationale for the policy to other console operators.
  5. Use the default settings in the Actions sections.
  6. Click OK to close the windows. At the prompt, type your private key password and click OK. The Task Description window appears.
  7. Below Actions, click the hyperlink to open the Take Action window.
  8. Click Applicable Computers or whichever option will include all endpoints with the firewall installed.
  9. Click the Execution tab to make it active. Remove any Constraints that you do not want to apply (such as a Start and End date), and in the Behavior section, make sure only the following option is enabled: Reapply this action... whenever it becomes relevant again.

  10. Click OK. At the prompt, type your private key password and click OK.
  11. In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."
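Step 1 of the Task procedure requires the policy with an IP address range to sit above the policy for all IP addresses. The Python script below is an added illustration of why, and is not code from CPM or this guide. It assumes that the agent applies the first policy in the Task's order whose range contains the endpoint's address (the ordering rule above implies this; the exact matching logic is not stated on this page). Each constructed policy is modelled on Security Level = High (block everything) plus a set of port exceptions: a London-range policy that excepts FTP, and an all-addresses policy that excepts only HTTPS.

```python
import ipaddress

# Constructed policy table. "range" of None means the policy applies to all
# IP addresses; "exceptions" are the ports opened by the Exception Rules.
POLICIES = {
    "London FTP": {"range": ("10.10.0.0", "10.10.255.255"), "exceptions": {20, 21}},
    "Unknown HTTPS only": {"range": None, "exceptions": {443}},
}


def in_range(ip, rng):
    """True when ip falls inside the From/To pair, or when the policy has no range."""
    if rng is None:
        return True
    x = int(ipaddress.ip_address(ip))
    lo, hi = (int(ipaddress.ip_address(a)) for a in rng)
    return lo <= x <= hi


def evaluate(ip, port, order, policies=POLICIES):
    """First-match evaluation (assumption): walk the Task's policy order from
    the top and apply the first policy whose range contains ip. Returns the
    policy name and the decision for traffic on the given port."""
    for name in order:
        pol = policies[name]
        if in_range(ip, pol["range"]):
            return name, ("allow" if port in pol["exceptions"] else "block")
    return None, "block"  # no policy matched: treat as Security Level High


def shadowed(order, policies=POLICIES):
    """Return range-scoped policies listed below an all-addresses policy.
    Under first-match evaluation they can never apply and must be moved up."""
    seen_all = False
    hidden = []
    for name in order:
        if policies[name]["range"] is None:
            seen_all = True
        elif seen_all:
            hidden.append(name)
    return hidden


if __name__ == "__main__":
    london_laptop = "10.10.1.1"   # constructed address inside the London range
    airport_laptop = "172.16.1.1"  # constructed address in no known location
    good = ["London FTP", "Unknown HTTPS only"]
    bad = ["Unknown HTTPS only", "London FTP"]
    print("correct order, London FTP :", evaluate(london_laptop, 21, good))
    print("wrong order,   London FTP :", evaluate(london_laptop, 21, bad))
    print("correct order, airport 443:", evaluate(airport_laptop, 443, good))
    print("shadowed in wrong order   :", shadowed(bad))
```

With the range policy first, a London endpoint gets its FTP exception and an airport endpoint falls through to the HTTPS-only policy; with the order reversed, the all-addresses policy matches every endpoint and the London policy never applies. `shadowed` is the check to run on a Task's policy order before clicking Create Firewall Policy Task.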