Tips & Tricks: How to Enable, Disable and Clone Rules

Learn how to disable, enable, and clone rules on the Palo Alto Networks NGFW.

Not all policy rules look the same. You may have encountered a rulebase where the rules are color-coded, modified, or even disabled. Why do some policy rules look so different from others?

Let’s discuss differences in rulebases, and your ability to manipulate the ruleset.

I'm going to walk through part of a security policy under the tab Policies > Security.  When you look at this example rulebase, you'll immediately see some differences between the rules. Some are completely greyed out (rule 36), some are in yellow (rules 31, 37 and 38), some are blue (rule 32) and some are white/grey. 

Also notice the different options available to you at the bottom of the rulebase (Add, Delete, Clone, Override, Revert, Enable, Disable and Move).

Policies > Security

Let's discuss user-defined local rules first.  These are the ones that are configured on the firewall locally, not pushed down from Panorama. These rules are white/grey and the objects in the rules are active (as in not greyed out).  Rules 32 to 36 are local rules in the example above. Rule 32 is blue because I already selected it in this example. You'll notice some options become available at the bottom for the selected rule: 'Delete', 'Clone', 'Enable', 'Disable' and 'Move'.

Note: Without selecting any rule, the only option available to us is to Add a new rule!

Let's continue by disabling rule 32. When I click the Disable button you'll notice that all the objects in the rule will become greyed out. This also means that the other greyed out rule (rule 36) is a rule that was disabled previously.

Disabled Rules

You can manipulate several rules at once. Select rule 32 (1), then hold the ctrl key (cmd key on Mac) to also select rule 36 (2), and click Enable to re-enable them together (3).

Re-enable several rules together

Another option is to clone the selected rules.  With rules 32 and 36 still selected hit the Clone button. The clone window will pop up allowing you some options on where to put the rules you would like to clone.

Clone Rule Options

Notice that a copy or clone was created of the selected rules and they're placed at the location you specified in the clone menu (after rule 32 in this example).
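Cloning is convenient, but every clone starts life as an exact duplicate of its source, and a disabled rule silently drops out of the match order. As an added example that is not part of the original post, here is a small audit that reads a security rulebase in the XML layout of a PAN-OS config export (element names are an assumption; the sample document is constructed) and reports disabled rules and enabled rules that repeat an earlier rule's match criteria:

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a PAN-OS config export (element names assumed):
# "allow-web-1" is a clone of "allow-web"; "old-ftp" was disabled in the GUI.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="allow-web"><from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>web-browsing</member></application>
    <service><member>application-default</member></service><action>allow</action></entry>
  <entry name="allow-web-1"><from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>web-browsing</member></application>
    <service><member>application-default</member></service><action>allow</action></entry>
  <entry name="old-ftp"><disabled>yes</disabled><from><member>trust</member></from>
    <to><member>dmz</member></to><source><member>any</member></source>
    <destination><member>any</member></destination><application><member>ftp</member></application>
    <service><member>application-default</member></service><action>allow</action></entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>
"""

# Fields that decide which traffic a rule matches; Clone copies all of them.
MATCH_FIELDS = ("from", "to", "source", "destination", "application", "service")


def parse_rules(xml_text):
    """Return rules in rulebase order with name, disabled flag and match tuple."""
    rules = []
    for entry in ET.fromstring(xml_text).findall(".//rulebase/security/rules/entry"):
        match = tuple(tuple(sorted(m.text for m in entry.findall(f"{f}/member")))
                      for f in MATCH_FIELDS)
        rules.append({"name": entry.get("name"), "match": match,
                      "disabled": entry.findtext("disabled") == "yes"})
    return rules


def audit(rules):
    """Report disabled rules and enabled rules shadowed by an earlier identical rule."""
    disabled = [r["name"] for r in rules if r["disabled"]]
    first_seen, duplicates = {}, []
    for r in rules:
        if r["disabled"]:
            continue  # a disabled rule neither matches nor shadows anything
        if r["match"] in first_seen:  # first match wins, so this copy never sees traffic
            duplicates.append((r["name"], first_seen[r["match"]]))
        else:
            first_seen[r["match"]] = r["name"]
    return {"disabled": disabled, "duplicates": duplicates}


REPORT = audit(parse_rules(SAMPLE_CONFIG))
```

Run it against a real export only after confirming the element paths match your PAN-OS version; the report tells you which clones still need their match criteria narrowed and which disabled rules are candidates for deletion.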

Going back to the first screenshot you noticed a couple of yellow rules (rule 31 for example). Select it and notice the available options.  You cannot disable/enable or delete this rule. That's because this rule was pushed down onto the firewall from Panorama and it's a 'read-only' rule. You will see this when you open the rule.  

Read-Only Rule Pushed from Panorama

Note: It is possible to clone a Read-Only rule. This will create a local copy on the firewall.  One that you can disable/enable and delete.

For traffic that doesn’t match any user-defined rules, the default rules apply. The default rules—displayed at the bottom of the security rulebase—are predefined to allow all intrazone traffic (within the same zone) and deny all interzone traffic (between different zones). Although these rules are part of the pre-defined configuration and are read-only by default, you can override them by clicking the Override button at the bottom of the rulebase. You can change a limited number of settings, including the tags, action (allow or deny), log settings, and security profiles.

Predefined Rules at the Bottom of the Rulebase

All of the actions mentioned above are also available in the other policy rulebases (QoS, Decryption, NAT, etc.).

Please share your ideas or experience on how you've managed your rulebase!

Thank you for taking time to read this blog. Don't forget to hit the Like (thumbs up) button and to Subscribe to the LIVEcommunity Blog area.

As always, we welcome all questions, comments and feedback in the comments section below.

Kiwi out!