How to Schedule Policy Actions

Overview

Policies can be set to perform configured actions on session traffic at scheduled times and days.

 

Steps

  1. On the WebGUI, go to Objects > Schedules and click Add. Choose daily, weekly or non-recurring. To select multiple days during the week, choose weekly, then set the day of week, start time and end time, and click Add.

    On the CLI:
    > configure
    # set schedule schedule-block-youtube recurring daily 09:00-18:00

  2. On the WebGUI, go to Policies > Security > Security Policy Rule > Schedule > Actions.

    On the CLI:
    > configure
    # set rulebase security rules block-youtube from L3-Trust to L3-Untrust source any destination any application youtube schedule schedule-block-youtube service any log-end yes action deny

  3. Continue adding each day until the list is complete.
  4. Commit the change.

Note: Sessions begun before the scheduled start time are not affected by the policy if session rematch is not enabled (Device > Setup > Session) AND a manual commit is made.

The commit must be run manually, either via “commit force” from the CLI or by adding/modifying something in the policy so that the option to commit via the WebGUI becomes available.

 

See Also

How to Create a Schedule that Spans Two Days

 

owner: panagent

Comments

In the order of operation on a security ruleset from left-to-right flow, is the schedule section evaluated first, before evaluating the other sections in the ruleset?

@RamBista1,

The rulebase is evaluated from top to bottom.

Each rule is handled one at a time. 

If the rule matches completely, then the flow stops and that rule is used. 

 

Please explain your question more if this does not provide you the answer you are looking for.

@RamBista1 Security policy is evaluated top to bottom. If a security policy has a schedule set, the policy will not be considered when it is 'out of schedule', and evaluation will continue to the next policy below until a new match is found.

I am leaning towards @reaper's answer because I was thinking that the right-most section, 'schedule', will be the first to be evaluated when the packet flow is flowing from left to right within the sec-rule-set. Thanks @reaper
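
The evaluation behaviour described in the replies above (top to bottom, with an out-of-schedule rule skipped), as an added Python model for reasoning about a scheduled rule offline; it is not part of the original article or comments and is not PAN-OS code. The `allow-outbound` rule, the final default deny and the exclusive end time are assumptions of this model.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional


def parse_window(spec):
    """Parse a daily window such as '09:00-18:00' (the format used in step 1)."""
    start_s, end_s = spec.split("-")
    start, end = time.fromisoformat(start_s), time.fromisoformat(end_s)
    if end <= start:
        # Model restriction: only same-day windows are handled here.
        raise ValueError(f"window {spec!r} must start and end on the same day")
    return start, end


@dataclass
class Rule:
    name: str
    application: str                 # "any" matches every application
    action: str                      # "allow" or "deny"
    schedule: Optional[str] = None   # daily window; None means always active

    def active_at(self, now):
        if self.schedule is None:
            return True
        start, end = parse_window(self.schedule)
        return start <= now < end    # exclusive end is a modelling assumption


def evaluate(rulebase, application, now):
    """Return (rule name, action) of the first matching rule, top to bottom."""
    for rule in rulebase:
        if rule.application not in ("any", application):
            continue
        if not rule.active_at(now):
            continue                 # out of schedule: skip, keep evaluating below
        return rule.name, rule.action
    return "default", "deny"         # assumption: unmatched traffic is dropped


# Constructed rulebase: the article's scheduled deny above a hypothetical allow.
RULEBASE = [
    Rule("block-youtube", "youtube", "deny", schedule="09:00-18:00"),
    Rule("allow-outbound", "any", "allow"),
]

if __name__ == "__main__":
    for hhmm in ("08:30", "12:00", "20:00"):
        print(hhmm, evaluate(RULEBASE, "youtube", time.fromisoformat(hhmm)))
```

Running it shows the point a reviewer should check on the real rulebase: outside the window the scheduled deny is not a match, so whatever rule sits below it decides the traffic.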