Editing an Access Control Policy

If View () appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Tip

You can operate on multiple rules at one time by selecting their checkboxes in the left column, then selecting the action you want to perform from the Select Action drop-down list next to the search box. Bulk editing is available for enabling and disabling, copying, cloning, moving, deleting, and editing rules, or viewing hit counts or related events. You can also remove object overlaps in the selected rules.

You can change the following settings or perform these actions:

• Name and Description—Click Edit () next to the name, make your changes, and click Save.

• Default Action—Choose a value from the Default Action drop-down list.

• Default Action Settings—Click Cog (), make your changes, and click OK. You can configure settings for logging, the location of an external syslog server or SNMP trap server, and the variable set associated with an intrusion prevention default action.

• Associated Policies—To edit or change policies in the packet flow, click the policy type in the packet flow representation below the policy name. You can select the Prefilter Rules, Decryption, Security Intelligence, and Identity policies. When necessary, click Access Control to return to the access control rules.

• Policy Assignment—To identify the managed devices targeted by this policy, or enforce this policy in a subdomain, click the Targeted: x devices link. You can assign the policy to devices or device templates.

• Rules—To manage access control rules, and to inspect and block malicious traffic using intrusion and file policies, click Add Rule, or right-click an existing rule and select Edit or another appropriate action. The actions are also available from the More () button for each rule. See Create and Edit Access Control Rules.

• Layout—Use the Grid/Table View icon above the list of rules to change the layout. Grid view provides color-coded objects in an easy-to-see layout. Table view provides a summary list so that you can see more rules at once. You can freely switch views without impacting the rules.

• Columns (Table view only)—Click the Show/Hide Columns icon above the list of rules to select which information to show in the table. Click Hide Empty Columns to quickly remove all columns that have no information, that is, you are not using those conditions in any rule. Click Revert to Default to undo all of your customizations.

• Analyze rule logic. You can select the following options from the Analyze menu to examine the logic of your rules:

  • Hit Count—To view statistics on how many connections matched each rule.

  • Enable/Disable Rule Conflicts—Select whether you want to see information on whether rules interfere with each other.

  • Show Rule Conflicts—See whether you have redundant or shadowed rules. These conflicts could prevent certain rules from ever being matched by connections, meaning either that you need to fix the match criteria, move the rule, or simply delete the rule.

  • Show Warnings—See whether there are rules with configuration issues that you need to address.

• Additional Settings—To change additional settings for the policy, select one of the following options from the More drop-down arrow at the end of the packet flow line.

  • Advanced Settings—To set preprocessing, SSL inspection, identity, performance, and other advanced options. See Access Control Policy Advanced Settings.

  • HTTP Responses—To specify what the user sees in a browser when the system blocks a website request. See Choosing HTTP Response Pages.

  • Inheritance Settings—To change the base access control policy for this policy, and to enforce this policy's settings in its descendant policies. See Choosing a Base Access Control Policy and Locking Settings in Descendant Access Control Policies .

  • Logging—To set the default logging options for the policy.