Security Policy for Anti-virus blocks or allows all


Hello,

I've watched the video on how to set up a URL filter security policy. It shows the action selected to be allow. When I created an Anti-virus Profile I set it up to block anything on http.

I then went and created the Security policy selecting that anti-virus profile. If I leave the action set to allowed, this Policy is then shown as letting all traffic through in the logs. If I set the action to Block, then the logs show this Policy as blocking all http traffic.

Can anyone please tell me what step I'm missing?

Thanks,

Daniel

4 REPLIES

Hi Daniel,

There are a couple of actions that you can specify:

- If you set an action in the URL profile it will only take effect on the category you set the action on. So for example if you do not want people to search for another job you can set the action to block on the category job-search.

- If you set an action in the antivirus profile it will only take effect when we find a virus. If we find one we will take the action you have applied on the profile.

- If you set an action in the security policy it will take effect if the traffic matches the policy. So if you set up a policy that includes service 80 and set the action to block it will block all traffic on port 80.

- The different actions do not overrule each other. So the security policy action does not overrule the profile actions.

Hope this helps.

Marcel

Hi Marcel,

Thanks for the reply. I believe I understand most of what you said. I do have a few more questions.

If what you say is true, then why, if I have a rule that is for checking for viruses only and I set the security policy action to allow, does the log say that that rule is allowing traffic through instead of the rule following it?

I guess I'm coming from my old firewall's perspective. I want to create a rule for each profile I have created, have the traffic go through each rule, until it's reached the last rule and then allow the traffic to go to its final destination.

I hope I'm making sense.

Thanks,

Daniel

Daniel,

The key to understanding the rulebase is to understand that it is always "first match". If there is a rule that matches (i.e. all the columns to the left of the action column match the traffic) that is the rule that will be used to allow or deny the traffic. Once a match is found, the action is taken. If the action is allow, any profiles applied are then used to scan the traffic. If the application changes midstream, the rulebase is rescanned with the new application to be sure that application should also be allowed. The information in the profile is not used as part of the match criteria.

Mike
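To make Mike's "first match" explanation concrete, here is a small added simulation of a rulebase with a security profile attached. It is illustrative code written for this thread, not anything from Palo Alto Networks; the rule columns, the session fields and the substring "virus" check are simplified assumptions. It shows why Daniel's broad "antivirus-only" rule in position one swallows every session (the rule below it is never reached), why the profile only runs on traffic that rule has already allowed, and why setting that same rule to deny blocks everything before the profile ever looks at the payload.

```python
"""Toy first-match security rulebase with an antivirus profile attached.

Added example for this thread; not vendor code. Match columns, profile
behaviour and the signature check are deliberately simplified assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    app: str
    port: int
    payload: bytes = b""


@dataclass
class AntivirusProfile:
    # Constructed signature list for illustration only.
    signatures: tuple = (b"EICAR-TEST",)
    action: str = "block"  # taken only when the profile actually finds a virus

    def scan(self, payload: bytes) -> bool:
        return any(sig in payload for sig in self.signatures)


@dataclass
class Rule:
    name: str
    src_zone: str = "any"
    dst_zone: str = "any"
    apps: tuple = ("any",)
    ports: tuple = ("any",)
    action: str = "allow"
    av_profile: Optional[AntivirusProfile] = None

    def matches(self, s: Session) -> bool:
        # Only the columns to the left of the action column are match criteria.
        # The attached profile is not consulted here at all.
        return (self.src_zone in ("any", s.src_zone)
                and self.dst_zone in ("any", s.dst_zone)
                and ("any" in self.apps or s.app in self.apps)
                and ("any" in self.ports or s.port in self.ports))


def evaluate(rulebase, session: Session):
    """Return (matching rule name, verdict). Evaluation stops at the first match."""
    for rule in rulebase:
        if not rule.matches(session):
            continue
        if rule.action != "allow":
            # Denied by policy; profiles never run on denied traffic.
            return rule.name, "denied-by-policy"
        # Profiles scan only the traffic this rule has already allowed.
        if rule.av_profile and rule.av_profile.scan(session.payload):
            return rule.name, f"virus-{rule.av_profile.action}"
        return rule.name, "allowed"
    return "implicit-deny", "denied-by-policy"


def daniel_rulebase(av_rule_action: str = "allow"):
    """Daniel's layout: one broad rule per profile, expecting traffic to 'fall through'."""
    return [
        Rule("av-check", action=av_rule_action, av_profile=AntivirusProfile()),
        Rule("web-browsing", apps=("web-browsing",), ports=(80,), action="allow"),
        Rule("deny-rest", action="deny"),
    ]


# Constructed sample sessions.
CLEAN_WEB = Session("trust", "untrust", "web-browsing", 80, b"GET / HTTP/1.1")
INFECTED_WEB = Session("trust", "untrust", "web-browsing", 80, b"...EICAR-TEST...")
SSH = Session("trust", "untrust", "ssh", 22, b"SSH-2.0-OpenSSH")

if __name__ == "__main__":
    for label, s in (("clean web", CLEAN_WEB), ("infected web", INFECTED_WEB), ("ssh", SSH)):
        print(f"{label:13s} allow-rule -> {evaluate(daniel_rulebase('allow'), s)}")
        print(f"{label:13s} deny-rule  -> {evaluate(daniel_rulebase('deny'), s)}")
```

Running it shows every session, including SSH, logged against "av-check": with the action set to allow that rule matches first and lets clean traffic through (only the infected payload is stopped, and by the profile, not the policy); with the action set to deny it blocks everything and the profile is never consulted. The "web-browsing" rule is never hit in either case, which is exactly the log behaviour Daniel described.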

Hi Mike,

Your last sentence cleared it up for me.

The information in the profile is not used as part of the match criteria.

That is what was holding up my understanding of how to apply policies!

Thanks,

Daniel
