SonicOS/X 7 About SonicOS and SonicOSX

About Unified Policies in SonicOSX

SonicOSX 7 introduces a redesigned unified policy configuration workflow that combines Layer 2 to Layer 7 policy enforcement for security policies and streamlines the workflow for the other policy types. The unified workflow gathers into one place many security settings that were previously configured on different pages of the SonicOSX management interface. The benefits also include improved reporting, auditing and logging, better diagnostics, monitoring and debugging, and faster loading and searching of rules and objects in the management interface.

All rules are created manually by administrators; there are no automatic or system-added rules.

Priority characteristics of rules:

  • Rules are evaluated in priority order, which is the order shown in the policy table.
  • Each rule is assigned a priority when it is created.
  • Priority is never assigned automatically; the administrator controls the order.

A policy is a group of rules that are applied to do a certain job. SonicOSX provides six policy types, distinguished by their characteristics: four are introduced in SonicOSX 7, and the other two are carried forward from previous implementations with improvements.

The following new policy types consolidate and reorganize policy configuration for improved logic and efficiency:

  • Security Policy

    Security Policy configuration unifies elements that were configured independently in previous versions of SonicOS. A Security Policy consists of one or more rules that apply security services to traffic. Each security rule merges the following security settings:

    • Access Rules
    • App Rules
    • App Control
    • Content Filter
    • Botnet Filter
    • Geo-IP Filter
    • Intrusion Detection and Prevention
    • Anti-Virus
    • Anti-Spyware

    Adding a security rule, first screen

    Adding a security rule, second screen

  • Decryption Policy

    In SonicOSX, DPI-SSL and DPI-SSH settings are converted into decryption rules that define which SSL/TLS and SSH traffic is decrypted for inspection. DPI-SSL and DPI-SSH settings are configurable only within decryption rules, which gives you granular control over what is decrypted and how.

    Adding a decryption rule, first screen

    Adding a decryption rule, second screen

  • DoS Policy

    DoS rules define which traffic can cause a denial of service and how to protect the system from such attacks. DoS rule configuration provides a unified workflow that includes connection-limiting settings and all the settings that protect against flood attacks (UDP, TCP SYN, and ICMP floods), Smurf attacks, LAND (Local Area Network Denial) attacks, and other denial-of-service attacks. These settings are no longer spread across several pages of the management interface, as they were in versions prior to 7.0.

    Adding a DoS rule

  • Endpoint Policy

    Endpoint rules provide client security settings that apply to traffic on the specified zone. These rules combine settings for the zone, inclusion and exclusion addresses, and an enforcement profile that controls grace period and bypass settings for guest users. At least one client security service must be licensed before endpoint rules can be configured.

    Adding an Endpoint rule

The following two policy types are carried forward from earlier versions of SonicOS with minor enhancements:

  • NAT Policy

    NAT rules define which traffic needs to be translated and how.

  • Route Policy

    Routing rules define how traffic should be routed.

Traffic is defined by match criteria, and each policy type has its own set of match criteria. Each rule specifies the criteria to match and an associated action. Actions are defined in an Action Profile; some policy types, such as Decryption Policy, do not need an action profile.

In summary, a policy is a set of rules and each rule is defined by match criteria and has an action and/or action profile.

The SonicOSX unified policy redesign provides additional enhancements, including:

  • Enhanced rules and policy processing engine for Security, NAT, Route, Decryption, DoS, and Endpoint policies:

    SonicOSX Rules and Policies left nav

  • SonicOSX policy rules can scale up to 8KB (8192 bytes) in size to accommodate the additional configuration data.
  • Rule configuration is intuitive with a simplified view, even with all the merged settings.
  • Relevant objects and action profiles for individual components are selected within the workflow.
  • Policy cloning is available.
  • In-cell editing capability can be used from within the policies table.
  • Shadow policy views allow analysis for Security, NAT, Route, Decryption, and DoS policy sets.
  • Simplified and advanced policy views for policy management:
    • Policy grid column customizations for simple and advanced use cases
    • Rule grouping
  • Rule statistics:
    • Used vs unused rules
    • Active vs inactive rules
    • Hit counts and bandwidth consumption
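The priority and shadow-view behaviour described above is easiest to see on a concrete ordered rule set. The following is an added example, not SonicOSX code or its API: it models a policy as an ordered list of rules with simplified match criteria (source zone, source and destination CIDR, service) and an action, evaluates a flow against the table in priority order, and flags rules that are shadowed because an earlier rule already matches everything they could match. The rule names, zones, addresses and services are constructed sample data.

```python
"""Ordered first-match evaluation and shadowed-rule detection.

Added example, not SonicOSX code: the Rule and Flow fields (zone, source and
destination CIDR, service, action) are a simplified stand-in for a security
policy's match criteria and action."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str          # "*" matches any zone
    src: IPv4Network
    dst: IPv4Network
    service: str           # e.g. "tcp/443"; "*" matches any service
    action: str            # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_ip: str
    dst_ip: str
    service: str


def make_rule(name: str, src_zone: str, src: str, dst: str,
              service: str, action: str) -> Rule:
    return Rule(name, src_zone, ip_network(src), ip_network(dst), service, action)


def matches(rule: Rule, flow: Flow) -> bool:
    """Every criterion of the rule must match the flow."""
    return (rule.src_zone in ("*", flow.src_zone)
            and ip_address(flow.src_ip) in rule.src
            and ip_address(flow.dst_ip) in rule.dst
            and rule.service in ("*", flow.service))


def first_match(policy: List[Rule], flow: Flow) -> Optional[Rule]:
    """Rules are evaluated in table (priority) order; the first hit decides."""
    for rule in policy:
        if matches(rule, flow):
            return rule
    return None


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every flow that 'later' could match is already matched by 'earlier'."""
    return (earlier.src_zone in ("*", later.src_zone)
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst)
            and earlier.service in ("*", later.service))


def shadowed_rules(policy: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowed, shadowing) name pairs for rules that can never be hit.

    Only single-rule shadowing is detected; a rule hidden by the union of
    several earlier rules is not reported."""
    found = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample policy: the finance deny sits below a broader allow,
# so it can never fire.
SAMPLE_POLICY = [
    make_rule("Allow-Web", "LAN", "10.0.0.0/8", "0.0.0.0/0", "tcp/443", "allow"),
    make_rule("Deny-Finance-Web", "LAN", "10.1.2.0/24", "0.0.0.0/0", "tcp/443", "deny"),
    make_rule("Allow-DNS", "*", "10.0.0.0/8", "10.0.0.53/32", "udp/53", "allow"),
    make_rule("Deny-All", "*", "0.0.0.0/0", "0.0.0.0/0", "*", "deny"),
]

if __name__ == "__main__":
    finance = Flow("LAN", "10.1.2.5", "93.184.216.34", "tcp/443")
    print("shadowed:", shadowed_rules(SAMPLE_POLICY))
    print("finance flow hits:", first_match(SAMPLE_POLICY, finance).name)
```

In the sample, the finance deny is shadowed by the broader allow above it, so HTTPS from 10.1.2.0/24 is allowed even though a deny rule exists; moving the deny above the allow removes the shadow and makes it effective. This is the failure mode a shadow policy view is meant to surface, and it is why rule order, not just rule content, has to be reviewed.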
