• SonicOSX 7 Rules and Policies
• Settings
  • Configuring App/Match/Malware
  • Configuring Content Filtering Service (CFS)
    • SonicWall CFS
    • CFS Custom Category
  • Geo-IP
    • Custom List
      • Editing a Custom List Entry
      • Deleting Custom List Entries
    • Using Geo-IP Diagnostics
  • Botnet
    • Configuring Botnet Settings
    • Creating Custom Botnet Lists
    • Viewing Dynamic Botnets Lists
    • Configuring a Dynamic Botnet List Server
    • Using Botnet Diagnostics
  • Decryption (DPI-SSL)
    • Certificate
    • Common Name
    • SSL Servers
  • Decryption (DPI-SSH)
  • Signature Update
• Security Policy
  • App/URL/Custom Match
  • Action Profile
• NAT Policy
  • About NAT in SonicOSX
  • About NAT Load Balancing
    • Determining the NAT LB Method to Use
    • Caveats
    • How Load Balancing Algorithms are Applied
    • Sticky IP Algorithm Examples
      • Example One - Mapping to a Network
      • Example Two - Mapping to an IP Address Range
  • About NAT64
    • Use of Pref64::/n
  • About FQDN-based NAT
  • About Source MAC Address Override
  • Viewing NAT Policy Entries
    • Changing the Display
    • Filtering the Display
  • Adding or Editing NAT or NAT64 Policies
  • Deleting NAT Policies
  • Creating NAT Rule Policies: Examples
    • Creating a One-to-One NAT Policy for Inbound Traffic
    • Creating a One-to-One NAT Policy for Outbound Traffic
    • Inbound Port Address Translation via One-to-One NAT Policy
    • Inbound Port Address Translation via WAN IP Address
    • Creating a Many-to-One NAT Policy
    • Creating a Many-to-Many NAT Policy
    • Creating a One-to-Many NAT Load Balancing Policy
    • Creating a NAT Load Balancing Policy for Two Web Servers
    • Creating a WAN-to-WAN Security Policy for a NAT64
    • DNS Doctoring
• Routing Rules
  • About Routing
    • About Metrics and Administrative Distance
      • About Metrics
      • About Administrative Distance
    • Route Advertisement
    • ECMP Routing
    • Policy-based Routing
    • Policy-based TOS Routing
    • PBR Metric-based Priority
    • Policy-based Routing and IPv6
    • OSPF and RIP Advanced Routing Services
      • About Routing Services
        • Protocol Type
        • Maximum Hops
        • Split-Horizon
        • Poison Reverse
        • Routing Table Updates
        • Subnet Sizes Supported
        • Autonomous System Topologies
      • OSPF Terms
    • Drop Tunnel Interface
    • App-based Routing
  • Rules and Policies > Routing Rules
    • Configuring Routing Rules
      • Adding Static Routes
      • Probe-Enabled Policy-based Routing Configuration
• Decryption Policy
  • Client-side SSL Rules
  • Server-side SSL Rules
  • SSH Rules
  • Setting up the Decryption Policy Table
    • Managing the Decryption Policy Toolbars
    • Changing the Policy Priority
    • Creating Decryption Policies
      • Adding Decryption Policies
      • Editing Decryption Policies
      • Deleting Decryption Policies
• DoS Policy
  • Setting up the DoS Policy Table
    • Managing the DoS Policy Toolbars
    • Changing the DoS Policy Priority
    • Creating DoS Policies
      • Adding DoS Policies
      • Editing DoS Policies
      • Deleting DoS Policies
• Endpoint Policy
• Shadow
• SonicWall Support
  • About This Document

Security Policy

To configure Security Policy rules, the service or service group that the policy applies to must first be defined. If it is not, you can define the service or service group and then create one or more rules for it.

The following procedure describes how to add, modify, reset to defaults, or delete Security Policy rules for firewalls running SonicOSX. Paginated navigation and sorting by column header is supported on the Security Policy screen. In the Security Policy table, you can click the column header to use for sorting. An arrow is displayed to the right of the selected column header. You can click the arrow to reverse the sorting order of the entries in the table.

By hovering your mouse over icons on the Security Policy page, you can display information about criteria, such as an Source Port or Service.

IPv6 is supported for Security Policy. Search for IPv6 Security Policies in the Security Policy Search section. A list of results displays in a table.

From there you can click the Configure icon for the Security Policy you want to edit. The IPv6 configuration for Security Policy is almost identical to IPv4.

To configure a Security Policy

1. Navigate to POLICY | Rules and Policies > Security Policy. The Security Policy page displays. The POLICY | Rules and Policies > Security Policy page enables you to select multiple configuration screens for your security policies.

2. From the bottom of the Security Policy table, click Add. The Adding Rule dialog displays.

3. Or, under the Configure column, click the Edit icon for the source and destination zones or interfaces for which you are configuring a rule. The Editing Rule page for that zone/interface pair displays.

   

4. In the top view, enter or edit the policy Name and any identifying Tags you would like to enter to help sort your policies.
5. Enter a Description of the policy and its intent.

6. Select an Action, whether to Allow, Deny, or Discard access.

   If a policy has a “No-Edit” policy action, the Action settings are not editable.

7. Specify the IP version in Type, IPv4 or IPv6.

8. Set your Security Policy's Priority.

   Higher numbers indicate lower priority. The lowest priority rule is the final/default rule applied to matching traffic (traffic matching the defined attributes) when no higher priority rules apply. Lower priority rules should be more general than rules with higher priorities.
   If a higher priority rule does not match all the attributes, then the next rule is evaluated to see if it applies, all the way down the list of rules. Rules with more specific matching attributes need to be set at a higher priority or else a more general rule could match before that specific rule is evaluated.
   

9. Specify when the rule is applied by selecting a schedule or Schedule Group from the Schedule drop-down menu. If the rule is always applied, select Always On. If the schedule does not exist, refer to Configuring Schedules.
10. Click Enable to activate the policy schedule and enable logging.
11. In the Source/Destination view, select the Source and Destination zones, and network address objects, and port/services for each from the drop-down menus.

• There are no default zones. Any is supported for both zone fields.

For the Port/Services object in the Port/Services drop-down menus, if the service does not exist, refer to Configuring Service Objects.

Under Users, specify if this rule applies to all users or to an individual user or group in the Include drop-down menu. You can exclude users as well using the Exclude drop-down menu.

Under GEO Country, indicate a (From/To) Country from the drop-down menu.

Click Save, and continue with App/URL/Custom Match and Action Profile.