Configure prefilter policies

To perform custom prefiltering, configure prefilter policies and assign the policies to access control policies. It is through the access control policy that prefilter policies get assigned to managed devices.

Only one person should edit a policy at a time, using a single browser window. If multiple users save the same policy, the last saved changes are retained. For your convenience, the system displays information on who (if anyone) is currently editing each policy. To protect the privacy of your session, a warning appears after 30 minutes of inactivity on the policy editor. After 60 minutes, the system discards your changes.

Procedure


Step 1

Choose Policies > Security policies > Prefilter.

At the top of the page, there are convenient links to some related features: object management and access control.

You cannot tell from the prefilter page, or when editing a prefilter policy, whether it is used by an access control policy or which policies use it.

Step 2

Do any of the following:

  • Create—Click New Policy to create a custom prefilter policy. You are prompted for a name and an optional description. The new policy is opened for edit after you click Save. A new prefilter policy has no rules and a default action of Analyze all tunnel traffic.

  • Edit—Click Edit (edit icon) to open a policy so that you can add rules or otherwise modify it.

  • Copy—Click Copy (copy icon). You are prompted for a name. The copy is added to the list when you click OK, but it is not opened for edit.

  • Delete—Click Delete (delete icon) to remove a policy. You cannot delete a policy that is currently being used by an access control policy.

Step 3

When editing a prefilter policy, you can do the following:

  • Set the default action—Set the default action for tunnels at the bottom of the policy. See Configuring the default action.

  • Add prefilter rules—Click Add Prefilter Rule. The rule is added to the bottom of the policy. See Configuring prefilter rules.

  • Add tunnel rules—Click Add Tunnel Rule. The rule is added to the bottom of the policy. See Configuring tunnel rules.

  • Insert rules—Right-click the rule before where you want to add the new rule, and select either Insert New Prefilter Rule or Insert New Tunnel Rule, as appropriate.

  • Copy/cut and paste rules—To copy a rule, right-click the rule and select Copy. You can also cut the rule (remove it) by selecting Cut. Then, select where you want to insert the rule, right-click, and select either Paste Above or Paste Below. When copying, a number in parentheses is added to the rule name; you should edit the rule and change the name and other criteria as needed. Cut rules retain the original name.

  • Edit a rule—Click Edit (edit icon) to open the rule editor. You can also click on any element for the rule in the table. See Configuring prefilter rules and Configuring tunnel rules.

  • Delete rules—Click Delete (delete icon) to remove a rule.

  • Move a rule—Click a rule and drag and drop it to the right location. Alternatively, cut the rule and then paste it in the right location. You can also change the rule location while editing it.

    Properly creating and ordering rules is a complex task, but one that is essential to building an effective deployment. If you do not plan carefully, rules can preempt other rules or contain invalid configurations. For more information, see Prefilter policy rule order.

  • Move a prefilter rule to an associated access control policy—To move a prefilter rule from the prefilter policy to an associated access control policy, right-click the rule and select Move to another policy. You cannot move tunnel rules to an access control policy. See Moving prefilter rules to an access control policy.

  • View hit counts—To view statistics on how many connections matched each rule, click Analyze Hit Counts. See Viewing rule hit counts.

  • Search for rules—Use the Search Rules box to do a plain text search. Type the string and press Enter. The search box shows the number of hits and up/down buttons to move through them.

    Matches are highlighted in the table. Matches include partial hits, but only to explicitly set items. For example, entering “any” does not match the default network, but “any-ipv4” will match because it is a network object and not a passive default. Action and rule type do not match the search string.

  • View object details—To see the contents of an object used in a rule, right-click the object and select Object Details.

  • Change the policy description—To modify the description of a policy, click in the description text below the policy name at the top of the page. Click away from the description to save changes.

Be sure to click Save to save any changes you make.
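The preemption problem mentioned under Move a rule, as an added illustration that is not part of this guide or of the management center: a simplified Python check that flags prefilter rules which can never match because an earlier rule already covers everything they would match. The rule model (protocol, source and destination networks, destination ports) and the sample policy are assumptions, not the product's data format.

```python
"""Illustrative preempted-rule check for a top-down, first-match prefilter policy.
Assumed simplified rule model; not the management center's own format."""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class PrefilterRule:
    name: str
    action: str                                   # "fastpath", "analyze" or "block"
    protocol: str = "any"                         # "any", "tcp", "udp", ...
    src: list = field(default_factory=lambda: ["0.0.0.0/0"])
    dst: list = field(default_factory=lambda: ["0.0.0.0/0"])
    dst_ports: set = field(default_factory=set)   # empty set means any port


def _nets_covered(inner, outer):
    """True if every network in `inner` lies inside some network in `outer`."""
    return all(any(ip_network(i).version == ip_network(o).version
                   and ip_network(i).subnet_of(ip_network(o)) for o in outer)
               for i in inner)


def _ports_covered(inner, outer):
    if not outer:                 # earlier rule matches any port
        return True
    return bool(inner) and inner <= outer


def preempted_by(later, earlier):
    """True if `earlier` (evaluated first) matches all traffic `later` would match.
    Conservative: detects shadowing by a single earlier rule, not by a union of rules."""
    return (earlier.protocol in ("any", later.protocol)
            and _nets_covered(later.src, earlier.src)
            and _nets_covered(later.dst, earlier.dst)
            and _ports_covered(later.dst_ports, earlier.dst_ports))


def find_preempted(rules):
    """Return (preempted rule name, preempting rule name) pairs in policy order."""
    hits = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if preempted_by(rule, earlier):
                hits.append((rule.name, earlier.name))
                break
    return hits


# Constructed sample policy, not taken from any real deployment.
SAMPLE_POLICY = [
    PrefilterRule("fastpath-backup-any", "fastpath", src=["10.1.0.0/16"]),
    PrefilterRule("block-scanner", "block", src=["203.0.113.0/24"], dst_ports={22}),
    PrefilterRule("analyze-backup-ssh", "analyze", "tcp", ["10.1.5.0/24"], ["10.9.0.0/16"], {22}),
]

if __name__ == "__main__":
    for preempted, by in find_preempted(SAMPLE_POLICY):
        print(f"{preempted} never matches: preempted by {by}")
```

In the sample, the third rule is reported as preempted because the first rule fastpaths all traffic from 10.1.0.0/16 before the SSH rule is ever evaluated; moving the narrower rule above the broader one resolves it.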

Step 4

Use the prefilter policy in the appropriate access control policies.

For each access control policy that should use a custom prefilter policy:

  • Edit the access control policy and select the prefilter policy in the Prefilter Policy link or in the advanced settings. See Associating other policies with access control.

  • If you applied tunnel zone tags in any tunnel rules, create access control rules that use those tunnel zones as source interface criteria.


What to do next

You can now deploy changes.

If you will deploy time-based rules, specify the time zone of the device to which the policy is assigned. See Time Zone.