Create and Edit Access Control Rules

Use access control rules to apply actions to specific traffic classes. Rules allow you to selectively allow desirable traffic and drop unwanted traffic.

Before you begin

If you have enabled the Policy Analyzer & Optimizer tool, your edits are evaluated as you make them. If anomalies are detected, you are notified during the edit and prompted to make changes when you click Apply to save the rule. You can view the anomalies, such as redundant and shadowed rules, and choose to edit or delete the rule. You can also proceed with saving the rule as is, to deal with the issue later.

Procedure

Step 1

In the access control policy editor, you have the following options:

  • To add a new rule, click Add Rule.

  • To edit an existing rule, click Edit (edit icon).

  • To start with a copy of an existing rule, choose one of the following commands from the More (more icon) menu.

    • Copy Rule, to copy the rule to the clipboard, so you can use the Paste Above/Below commands to place it anywhere in the same policy.

    • Clone Rule, to create the copy immediately below the duplicated rule.

  • To edit multiple rules, use the checkboxes to select multiple rules, then select Edit or another action from the Select Action list next to the search box.

  • To do inline editing, where you change the configuration of an object in a rule condition, right-click the value and choose Edit. You can also use the right-click menu to remove a item, add it to the filter, or copy the text or value.

If View (View button) appears next to a rule instead, the rule belongs to an ancestor policy, or you do not have permission to modify the rule.

Step 2

If this is a new rule, enter a Name.

Step 3

Configure the rule components.

If you are bulk-editing multiple rules, only a subset of options are available.

  • Position—Specify the rule position; see Access Control Rule Order.

  • Action—Choose a rule Action; see Access Control Rule Actions.

  • Deep Inspection—(Optional.) For Allow and Interactive Block rules, select options for Intrusion Policy, Variable Set, and File Policy. You can apply intrusion and file policies independently; you do not need to configure both.

  • Time Range—(Optional.) For Firewall Threat Defense devices, choose the days and times when the rule is applicable. If you do not choose an option, the rule is always active. For details, see Creating Time Range Objects.

  • Logging—Click Logging to specify options for connection logging and SNMP traps. The same logging settings can be configured in the Default Action Configuration dialog box (navigation path: Edit access control policy. In the Default Action area, click the Default logging and inspection icon (Cog (cog icon)) ).

    .

  • Conditions—Select the objects you want to add or either source or destination, then click either Add to Sources or Add to Destinations and Applications to add matching conditions for connections. You can click a tab to restrict the list of available objects, for example, to Networks, Security Zones, Applications, and so forth. However, the sources and destination column always show all selected objects regardless of the tab you are on. See Access Control Rule Conditions for more information.

  • Comments—Open the comments list at the bottom of the dialog box, enter your comment, and click Post to add a comment.

Step 4

Click Add or Apply to save the rule.

Step 5

Click Save to save the policy.

What to do next

If you will deploy time-based rules, specify the time zone of the device to which the policy is assigned. See Time Zone.

Deploy configuration changes.