Overview

Policy objects are resources used to define the match criteria referenced inside a policy rule. Traffic entering a gateway instance is then evaluated against these match criteria. Rules are the individual entries inside the policy ruleset attached to a gateway or to a set of gateway instances front-ended by a load balancer. When traffic enters a gateway instance, each rule in the ruleset is evaluated against the incoming traffic in strict order until a match is found or the end of the ruleset is reached. For more information, see Rules.

Need for Policy Objects

Objects define the type of traffic a particular rule matches against and then takes a specified action on. If traffic matches every object definition referenced inside a particular rule (AND logic for the match), the matched traffic can be allowed or denied. If the traffic is allowed, additional advanced security profiles can be applied for further inspection. Each type of object defines match criteria at a different layer of the OSI model.

Types of Policy Objects

  • Address Objects: Address objects are used to define match criteria mapped to Layer 3 IP addresses. These objects are referenced inside a policy rule. Address objects can be defined using explicit IP addresses/CIDRs, FQDNs, or cloud-native resources discovered by the Multicloud Defense Controller through periodic asset discovery or real-time event tracking.

  • Service Objects: Service objects are used to define Layer 4 match criteria referenced inside a policy rule. They are also used to define how a gateway instance will process an incoming traffic flow. This is referred to as the connection type.

    Service objects are defined with a connection type of either Forwarding or Forward Proxy. When the connection type is set to Forwarding inside a Service object, the incoming traffic flow is passed through the gateway instance; no proxying or decryption occurs. In this case, you can use the Service object to define the set of destination ports and the associated protocol that incoming traffic will be evaluated against when a specific policy rule is processed.

    When the connection type is set to Forward Proxy inside a Service object, the incoming traffic flow is proxied through the gateway instance. Decryption will occur depending on the proxy type. In this case, you can use the Service object to define the proxy type as well as the destination port or set of ports the gateway instance will listen on for packets sent from the client. The gateway instance specifically listens for an HTTP request or a TLS Client Hello. Once it receives this packet, the gateway instance extracts the host information and uses it to establish a separate connection to the external host.

  • FQDN Match Objects: FQDN Match Objects are used to define a set of FQDNs for explicit whitelisting or blacklisting. The gateway instance extracts the host information from an HTTP request or TLS Client Hello and uses it to match against the FQDNs listed in the FQDN Match Object. FQDN Match Objects are evaluated against incoming traffic at Layer 5 and are particularly useful for matching HTTP or HTTPS traffic, where the host information is visible in the request packet.

Usage of Policy Objects

Once a policy object is defined, it is referenced inside a policy rule. It is important to note that although each of these objects can be referenced inside a policy rule, only Src/Dest Address Objects and Service Objects are mandatory objects when defining a rule. The FQDN Match Object is an optional parameter.

Matching traffic based on src/dest address objects, service objects, and/or FQDN match objects invokes the first two stages of the data path pipeline (L4 FW and FQDN Match) used to inspect traffic within each gateway instance. This is important to note because these stages are the first points of traffic inspection. The incoming traffic flow may be dropped at one of these stages, or it may be allowed to pass through and be inspected at stages further along the pipeline corresponding to the advanced security profiles referenced in the matched rule.
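The following is an added example, not code from the Multicloud Defense product or its API, that models the evaluation described in the Types and Usage sections above: address objects match at Layer 3, service objects at Layer 4, the optional FQDN Match Object at Layer 5 against the HTTP Host or TLS SNI, all referenced objects must match (AND), and the first matching rule in the ruleset wins. The class and field names, the wildcard FQDN syntax, the sample CIDRs and hostnames, and the implicit deny when the end of the ruleset is reached are all constructed assumptions; the page does not state the product's end-of-ruleset behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import NamedTuple, Optional, Sequence

# Constructed model of policy objects and first-match rule evaluation.
# Names and behaviour are illustrative assumptions, not the product's API.


@dataclass(frozen=True)
class AddressObject:
    """Layer 3 match criteria: a named set of IP prefixes (constructed)."""
    name: str
    cidrs: tuple

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(c, strict=False) for c in self.cidrs)


@dataclass(frozen=True)
class ServiceObject:
    """Layer 4 match criteria plus the connection type the gateway applies."""
    name: str
    protocol: str
    ports: tuple
    connection_type: str = "Forwarding"  # or "Forward Proxy"

    def matches(self, protocol: str, dst_port: int) -> bool:
        return protocol.lower() == self.protocol.lower() and dst_port in self.ports


@dataclass(frozen=True)
class FQDNMatchObject:
    """Layer 5 match criteria against the HTTP Host header or TLS SNI."""
    name: str
    fqdns: tuple

    def matches(self, host: Optional[str]) -> bool:
        # A flow with no visible host information (plain TCP) cannot match an FQDN.
        if host is None:
            return False
        host = host.lower().rstrip(".")
        for pattern in self.fqdns:
            pattern = pattern.lower()
            # Assumed wildcard form "*.example.net": matches the zone and its subdomains.
            if pattern.startswith("*."):
                if host == pattern[2:] or host.endswith(pattern[1:]):
                    return True
            elif host == pattern:
                return True
        return False


@dataclass(frozen=True)
class Rule:
    """Src/dst address and service objects are mandatory; the FQDN object is optional."""
    name: str
    src: AddressObject
    dst: AddressObject
    service: ServiceObject
    action: str  # "allow" or "deny"
    fqdn: Optional[FQDNMatchObject] = None
    profiles: tuple = ()  # advanced security profiles applied only to allowed traffic


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int
    host: Optional[str] = None  # HTTP Host or TLS SNI when visible to the gateway


class Verdict(NamedTuple):
    rule: Optional[str]   # None when no rule matched
    action: str
    profiles: tuple       # empty unless the traffic was allowed


def evaluate(ruleset: Sequence[Rule], flow: Flow, default_action: str = "deny") -> Verdict:
    """Walk the ruleset in order; the first rule whose objects all match decides the flow."""
    for rule in ruleset:
        # Stage 1 (L4 FW): Layer 3 address objects and the Layer 4 service object.
        l4_match = (rule.src.matches(flow.src_ip)
                    and rule.dst.matches(flow.dst_ip)
                    and rule.service.matches(flow.protocol, flow.dst_port))
        if not l4_match:
            continue
        # Stage 2 (FQDN Match): only consulted when the rule references an FQDN object.
        if rule.fqdn is not None and not rule.fqdn.matches(flow.host):
            continue
        profiles = rule.profiles if rule.action == "allow" else ()
        return Verdict(rule.name, rule.action, profiles)
    # End of ruleset reached: assumed implicit default (the page does not state it).
    return Verdict(None, default_action, ())


def build_sample_ruleset() -> list:
    """Constructed ruleset: allow HTTPS to listed FQDNs, deny other HTTPS, allow mgmt SSH."""
    app_subnet = AddressObject("app-subnet", ("10.10.0.0/16",))
    mgmt_subnet = AddressObject("mgmt-subnet", ("10.99.0.0/24",))
    any_addr = AddressObject("any", ("0.0.0.0/0",))
    https_proxy = ServiceObject("https-proxy", "tcp", (443,), "Forward Proxy")
    ssh = ServiceObject("ssh", "tcp", (22,))
    approved = FQDNMatchObject("approved-fqdns", ("updates.example.com", "*.example.net"))
    return [
        Rule("allow-updates", app_subnet, any_addr, https_proxy, "allow", approved, ("ips", "av")),
        Rule("deny-other-https", app_subnet, any_addr, https_proxy, "deny"),
        Rule("allow-ssh-mgmt", mgmt_subnet, app_subnet, ssh, "allow"),
    ]


if __name__ == "__main__":
    rs = build_sample_ruleset()
    for f in (Flow("10.10.1.5", "198.51.100.10", "tcp", 443, "pkg.example.net"),
              Flow("10.10.1.5", "198.51.100.10", "tcp", 443, "other.example.org"),
              Flow("10.99.0.7", "10.10.1.5", "tcp", 22),
              Flow("10.10.1.5", "10.10.1.6", "tcp", 22)):
        print(f, "->", evaluate(rs, f))
```

Because evaluation stops at the first match, the order of `allow-updates` and `deny-other-https` is what makes the FQDN allow-list effective: swapping them would let the broader deny rule catch every HTTPS flow before the FQDN object is ever consulted, which is the kind of ordering mistake a ruleset review should look for.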