The negate option can be used in both the WebUI and the CLI. You are effectively saying, “Allow any source address to FTP, except for 10.10.10.0/24.” This can save you time instead of making a policy to deny the 10.10.10.0/24 network to access FTP and then a second policy to allow access to FTP to any. For example, suppose you created a policy with the following configuration: Source: 10.10.10.0/24 Negated Destination: Any Service: FTP Action: Permit. Turning on the negate option will apply the following logic: everything except the selected objects. The option is turned on for either source or destination addresses, and can be turned on separately for each policy. The negate option is available for the source and destination addresses. This concept is used on several firewall products and can be quite useful depending on what you are attempting to accomplish. When creating policies and working with address book entries, you can enable an option called negate. If you wish to place this policy at the top of the list of policies with matching source and destination zones, enable the Position at Top checkbox. If you wish to turn on logging for this policy, enable the Logging checkbox. (VPN configuration is discussed in greater detail in Chapter 11.) 11. If you selected Tunnel in the Action drop-down list, use the Tunnel VPN drop-down list to specify the appropriate VPN tunnel. To select an antivirus object, select it from the Available AV Object Names list on the right, and then click the << button to place it in the Attached AV Object Names list on the left. The Antivirus Objects section allows you to specify which antivirus scanners will be applied to the policy. (Deep inspection is explained in more detail in Chapter 10.) 9.
To apply deep inspection groups to the policy, click the Deep Inspection button. If you select Tunnel, you must also select an option from the Tunnel drop-down list. Use the Action drop-down list to specify whether matching traffic will be permitted, denied, or tunneled. Use the Application drop-down list to map a custom-defined service to a specific application layer. Select a single service or group of services, or select ANY, or click Multiple if you wish to specify multiple (but not all) services. Use the Service drop-down list to specify the services you want to use in this policy.
You can select multiple address book entries by clicking the Multiple button.
If the address already exists in the address book, select the Address Book Entry option and enter the name of the entry. If it is a new address, select the New Address option and enter the IP address range. Use the Destination Address options to specify the source address for the policy. Use the Source Address options to specify the source address for the policy. This should be a descriptive name that will allow you to identify what the policy does.
0 kommentar(er)
