< Home

Policy

After the SACG function is enabled, you can configure an interworking policy and apply it to the interzone.

Applying the Policy to the Interzone

  1. Choose Network > SACG > Policy.
  2. On the Apply Policy to Interzone List page, select two different security zones and click Add to apply the interworking policy to the interzone.

Configuring a User-Defined Policy

A user-defined policy indicates that certain forwarding rules are defined manually in the interworking policy to process certain special packets before the SACG authentication function processes packets.

Applying a user-defined policy in the interzone is equivalent to applying a packet-filtering policy that has precedence over the SACG authentication function in the interzone. When forwarding packets, the device first adopts the user-defined policy for processing. If no user-defined policy corresponding to the traffic exists, the device adopts the SACG authentication function for authentication and authorization. Therefore, the user-defined policy can be configured for certain special users.

  1. Choose Network > SACG > Policy.
  2. On the User-Defined Policy List page, click Add and set parameters.

    Parameter

    Description

    Name

    Name of a user-defined interworking policy rule. The name must be unique.

    Description

    Description of the user-defined interworking policy rule. A clear description helps the administrator understand the function of the interworking policy rule.

    Tag

    The tag identifies and categorizes the policy. You can query policies based on tags and delete, move, enable, or disable policies in batches based on the query results. For the tag description and configuration, see Tag.

    Source Address

    Source IP address of a packet. A source address refers to one or multiple IP addresses, IP address ranges, or IP address groups.

    • The value is an IP address in dotted decimal notation and "/"and its positive mask or mask length ranging from 1 to 32. For example, 10.1.1.1/255.255.255.0 or 10.1.1.1/24.

    • The value is an IP address in dotted decimal notation and "\"and wildcard or 0. For example, 10.1.1.1\0.0.0.255 or 10.1.1.1\0.

    • The value is an IP address range in dotted decimal notation on the same network segment or across network segments. For example, 10.1.1.1 - 10.1.1.10 or 10.1.1.1 - 10.2.1.10.

    • The value can be the name of an existing address or address group, or a new address or address group.

    • If no option is selected or any is selected, the value can be any IP address.

    NOTE:

    To exclude an address or address group (source address or source addresses of traffic) from policy matching, select the address or address group from the available address area, select it in the selected address area and click Invert, and then click OK.

    Destination Address

    Destination IP address of a packet. A destination address refers to one or multiple IP addresses, IP address ranges, or IP address groups.

    • The value is an IP address in dotted decimal notation and "/"and its positive mask or mask length ranging from 1 to 32. For example, 10.1.1.1/255.255.255.0 or 10.1.1.1/24.

    • The value is an IP address in dotted decimal notation and "\"and wildcard or 0. For example, 10.1.1.1\0.0.0.255 or 10.1.1.1\0.

    • The value is an IP address range in dotted decimal notation on the same network segment or across network segments. For example, 10.1.1.1 - 10.1.1.10 or 10.1.1.1 - 10.2.1.10.

    • The value is the name of an existing address or address group, or a new address or address group.

    • If no option is selected or any is selected, the value can be any IP address.

    NOTE:

    To exclude an address or address group (destination address or destination addresses) from policy matching, select the address or address group from the available address area, select it in the selected address area and click Invert, and then click OK.

    Service

    Service types provided by the system.

    By default, the value is the IP service.

    NOTE:

    To exclude a service or service group (service or service group of traffic) from policy matching, select the service or service group from the available service area, select it in the selected service area and click Invert, and then click OK.

    Schedule

    Time range in which the policy is effective.

    all: indicates all time ranges.

    Action

    Action that the system takes to process the packets matching the policy.

    Permit: indicates that the packets meeting the conditions are allowed to pass through. Deny: implements authentication for users whose the traffic matches the rule.

  3. Click OK.

Clearing Interworking Policy Statistics

  1. Choose Network > SACG > Policy.
  2. On the User-Defined Policy List page, click Reset All Statistics. Policy Statistics are cleared. After that, the policy match count is collected again.

Changing the Match Sequence of a Policy

  1. Choose Network > SACG > Policy.
  2. Click of an existing policy to move the current policy in front of or behind the specified one.

Inserting a User-Defined Policy

  1. Choose Network > SACG > Policy.
  2. Click of an existing policy to insert a new one before it.
Parent Topic: Configuring SACG Interworking Using the Web UI
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >