D-Link NetDefendOS

912 pages
Creating IP Policies
An IP policy has the following basic properties:
Allow or Deny Action
An IP policy either allows a particular type of traffic or it denies it. The action Deny is
equivalent to the action Drop in IP rules.
Source/Destination Interface/Network Filter
This filter identifies the traffic of interest in the same way that an IP rule filter does.
Geolocation
This filter identifies a specific predefined region or an administrator-defined Geolocation Filter
object, which identifies a group of specific countries. The default value for geolocation is
Everywhere (no place is excluded).
Service
This identifies the type of protocol for the policy. When using an IP policy with certain
options, only services that have the Protocol property set can be used. These are listed below.
Policy Options
The traffic identified by the filter is subject to one or more of the following options:
i. Logging - This is enabled or disabled.
ii. Anti-Virus - An Anti-Virus policy can be selected. This requires a Service object with the
Protocol property set.
iii. Web Content Filtering - To enable this, a Web Profile object must be created and
associated with the policy. In addition, a Service object must be used that has the
Protocol property set to HTTP.
A Web Profile object can have one or more URL Filter objects defined as child objects.
Each URL Filter can specify a URL or set of URLs (wildcarding is allowed) that are on a
blacklist or whitelist.
iv. Application Control - Application control is enabled directly on an IP Policy. Any type of
Service object can be used with this.
v. File Control - This can block or allow specific filetypes. It is enabled by creating a new File
Control Profile object and associating it with the IP Policy object. File control is only
applicable to the HTTP, SMTP, POP3 and FTP protocols and requires using a Service object
with the Protocol property correctly set to the targeted protocol.
vi. Advanced Actions - It is possible to specify the Reject action for denied connections (no
acknowledgment is sent to the source host).
Some IP Policy Options Require a Service with Protocol Set
As mentioned above, certain IP policy options can be used only if the associated Service object
has its Protocol property set to the correct profile. This property indicates to NetDefendOS if an
ALG is to be used. Any newly created custom services must have the protocol set if they are to
be used with those options.
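The Service requirements above can be checked across a whole rule set before deployment. The following is an added example, not code from the manual or from D-Link: it audits policies held in a hypothetical dictionary model (the field names, service names and profile names are assumptions, not NetDefendOS syntax) and reports each option whose Service does not meet the stated Protocol requirement.

```python
# Added example: hypothetical dict model of IP policies, not NetDefendOS syntax.
# File Control applies only to these protocols, per the option list above.
FILE_CONTROL_PROTOCOLS = {"HTTP", "SMTP", "POP3", "FTP"}

def check_policy(policy, services):
    """Return a list of findings for one policy (empty list = consistent)."""
    name = policy["name"]
    service = services.get(policy["service"])
    if service is None:
        return [f"{name}: unknown service {policy['service']!r}"]
    protocol = service.get("protocol")  # None = Protocol property not set
    findings = []
    if policy.get("anti_virus") and protocol is None:
        findings.append(f"{name}: Anti-Virus needs a Service with Protocol set")
    if policy.get("web_profile") and protocol != "HTTP":
        findings.append(f"{name}: Web Content Filtering needs Protocol=HTTP, "
                        f"got {protocol}")
    if policy.get("file_control_profile") and protocol not in FILE_CONTROL_PROTOCOLS:
        findings.append(f"{name}: File Control needs Protocol in "
                        f"{sorted(FILE_CONTROL_PROTOCOLS)}, got {protocol}")
    # Logging and Application Control accept any Service object: nothing to check.
    return findings

def audit(policies, services):
    """Run check_policy over every policy and collect all findings."""
    return [f for p in policies for f in check_policy(p, services)]

# Constructed sample data. custom_tcp_8080 stands for a newly created custom
# service whose Protocol property was left unset.
SERVICES = {
    "http": {"protocol": "HTTP"},
    "smtp": {"protocol": "SMTP"},
    "custom_tcp_8080": {"protocol": None},
}
POLICIES = [
    {"name": "lan_to_web", "service": "http",
     "web_profile": "staff_web", "anti_virus": "av_default"},
    {"name": "proxy_out", "service": "custom_tcp_8080",
     "web_profile": "staff_web", "anti_virus": "av_default"},
    {"name": "mail_in", "service": "smtp",
     "file_control_profile": "block_exe", "web_profile": "staff_web"},
    {"name": "apps_only", "service": "custom_tcp_8080",
     "application_control": True},
]

if __name__ == "__main__":
    for finding in audit(POLICIES, SERVICES):
        print(finding)
```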
Chapter 3: Fundamentals
246
