Configuring a Security Policy

Policy > Security Policy

A security policy can allow or deny the traffic forwarding between security zones/segments.

In the Security Policy page, you can perform the following actions:

In the filtering bar, set the filtering conditions to search the matched security policies.
Click New to create a new security policy.
Edit security policies:
- Click Edit to edit the selected security policy.
- Quick editing: Click Show Object Panel at the top-right corner to display the object panel at the bottom. Select the desired object tab, hover your mouse over the name of the object, and then drag the desired object from the object panel into the corresponding column in the policy panel. The system will replace the object or add the object. Meanwhile, if the desired object is not in the object panel, you can create it conveniently in the tab. For detailed information, see Introduction to Objects.
Delete security policies
- Click Delete to delete the selected security policies.
- Quick deleting: Hover your mouse over the object in the policy list and then click the red cross icon () to delete the object.
Click Enable or Disable to determine whether the selected security policies take effect or not.
Click Clone to clone the selected security policy. The copy of the selected security policy is located at the bottom of the policy list.
Click Priority to adjust the priority of the selected security policy. The security policies located at the top have the high priority.
Click Clear Policy Hit Count to clear the hit count of the selected security policy.
Click Remove Protection Configuration button to remove the configured protection configurations.

Options in the Policy Rule Configuration dialog:

Option	Description
Basic
Source Information	Specify the source information of the traffic: Zone: Specify the source zone of the traffic. By default, Any is selected. To search zones, enter the keyword in the textbox in the drop-down list and then press the Enter key. To create a new zone, click New Zone in the drop-down list. For more information on zone, view Configuring a Security Zone Address Entry: Specify the source address of the traffic. By default, Any is selected. To search address entries, enter the keyword in the textbox in the drop-down list and then press the Enter key. To add more source addresses, click Multiple and then the Address Configuration dialog appears. In the dialog. Select the address type, enter the corresponding address, and then click Add to add the newly-specified addresses into the list. User: Specify the user or user group of the source traffic. To add more users or user groups, click Multiple. In the pop-up dialog, select the type and the AAA server, enter the username/user group name in the textbox or select the user/user group from the drop-down list, and then click Add to add the user/user group into the list.
Destination Information	Specify the destination information of the traffic: Zone: Specify the destination zone of the traffic. By default, Any is selected. To search zones, enter the keyword in the textbox in the drop-down list and then press the Enter key. To create a new zone, click New Zone in the drop-down list. For more information on zone, view Configuring a Security Zone Address Entry: Specify the destination address of the traffic. By default, Any is selected. To search address entries, enter the keyword in the textbox in the drop-down list and then press the Enter key. To add more destination addresses, click Multiple. In the pop-up dialog. Select the address type, enter the corresponding address, and then click Add to add the newly-specified addresses into the list.
Other Information	Specify other information of the traffic: Service Book: Specify the service of the traffic. By default, Any is selected. To add more services or service groups, click Multiple. In the pop-up dialog, add more services or service groups. To search services or service groups, enter the keyword in the textbox in the drop-down list and then press Enter key. To create a new service or service group, click New Service or New Group in the drop-down list. For more information, view Configuring a Service Book. Application Book: Specify the application of the traffic. By default, Any is selected. To add more applications or application groups, Click Multiple. To search applications or application groups, enter the keyword in the textbox in the drop-down list and then press Enter key. To create a new application group, click New Application Group in the drop-down list. For more information, view Configuring an Application Book. Schedule: Specifies the schedule of the traffic. To search schedules, enter the keyword in the textbox in the drop-down list and then press Enter key. To create a new schedule, click New Schedule in the drop-down list. To add more schedules, click Multiple. For more information, view Configuring a Schedule.
Action	Specifies the action for the traffic that matches the security policy: Permit: Select Permit to permit the traffic to pass through the device. Deny: Select Deny to deny the traffic. Security Connection: Perform the Web authentication action to the traffic. Select WebAuth from the Security Connection drop-down list, and then select an authentication server from the following drop-down list.
Advanced
Description	Enter the description for the security policy.
Record Log	You can log policy matching status for the following situations: the traffic that is matched to security policies starts and ends its session; traffic that is matched to security policies is denied.
Position	When the traffic flows into a Hillstone device, the device will query for security policies by turn and processes the traffic according to the first matched rule. The top security policies in the UI　are the first priority to be queried for and the bottom ones are the last priority. By default, newly-created security policy will be located at the bottom of the policy list in the UI. You can adjust the position of the security policy to the top, to the bottom, or between other security policies.
Protection Configuration	Configure the threat protection methods. For more information, view Configuring Threat Configuration.