
Configuring a User-defined Policy

User-defined policies are forwarding policies defined for privileged users to obtain network permissions without going through user authentication, security checks, or authorization.

Context

A user-defined policy indicates that certain forwarding rules are defined manually in the SACG authentication policy to process certain special packets before the Agile Controller processes packets.

Applying a user-defined policy to an interzone is equivalent to applying a packet-filtering policy that has precedence over the SACG authentication function in the interzone. When forwarding packets, the device first matches packets with user-defined policies. If the packets do not match any user-defined policy, the device uses the SACG authentication function for authentication and authorization. Therefore, the user-defined policy can be configured for certain privileged users.

Procedure

  1. Access the interworking policy view from the system view.

    rightm-policy

  2. Create an interworking policy and access its view.

    rule name rule-name

  3. Optional: Configure a description for the interworking policy.

    description description-information

  4. Optional: Configure a tag for the policy.

    add tag tag-name

    After policies reference tags, you can query policies based on tags and delete, move, enable, or disable policies in batches based on query results. For the tag description and configuration, see Tag.

  5. Configure match conditions of the interworking policy.

    • If multiple interworking policies are configured, they are matched based on their priorities. By default, policies configured earlier have higher priorities. You can use the rule move command to manually change the policy priorities. If the traffic matches an interworking policy, the remaining interworking policies are ignored. Therefore, you must place the policies from the most specific to the least specific.

    • The system has an implicit deny all policy. Interzone traffic that does not match any interworking policy is discarded. The default policy denies interzone traffic, including but not limited to the traffic sent and received by the FW and the traffic between security zones. Intrazone traffic is allowed by default. To control the forwarding of intrazone traffic, configure specific policies.
    • Each policy contains one or more match conditions, such as source and destination IP addresses and services. All conditions in a policy take effect on packets. This means that a packet must meet all conditions to match the policy. The default conditions of a policy are all any, which means that all traffic (including intrazone traffic) matches the policy.
    • A match condition may specify multiple traffic attributes. A packet that matches any of the traffic attributes in the match condition is considered to have matched the condition.

    Task: Specify a source IP address.
    Command:
    • source-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] | range { ipv4-start-address ipv4-end-address } [ description description ] | any }
    • source-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard | range { ipv4-start-address ipv4-end-address } } } [ description description ]

    Task: Specify a destination IP address.
    Command:
    • destination-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] | range { ipv4-start-address ipv4-end-address } [ description description ] | any }
    • destination-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard | range { ipv4-start-address ipv4-end-address } } } [ description description ]

    Task: Configure a service (reference a service or service group).

    Task: Specify the validity period.
    Command:
    time-range time-range-name

    You can create different policies in one policy view for different types of traffic. By default, the earliest configured policy has the highest priority and is preferentially matched. You can use commands to change the policy priorities. For details, see Follow-up Procedure.

  6. Set an action for the interworking policy.

    action { permit | deny }

    The specified action is taken for the traffic matching the interworking policy. permit: permits the traffic that matches the rule without SACG authentication. deny: forces authentication for users whose traffic matches the rule.

  7. Return to the system view.

    quit

  8. Optional: Access the interzone policy view and apply the interworking policy.

    You do not need to run the following command if an interworking policy has already been applied in Configuring the Connection Between the SACG and Service Controller. If no interworking policy has been applied, run the following commands:

    firewall interzone [ vpn-instance vpn-instance-name ] zone-name1 zone-name2

    apply packet-filter right-manager { inbound | outbound }

    User-defined policies take effect immediately after being created. Therefore, you do not need to apply interworking policies for them.
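    The following is an added, end-to-end example of the procedure above; it is not configuration taken from the original page. It creates one user-defined policy that lets a single administration host bypass SACG authentication, then applies the packet filter to an interzone and verifies the rule order. The rule name mgmt_bypass, the host address 10.1.1.10, the zone names trust and untrust, and the comment lines are assumptions; the service and time-range conditions are left out because the example is meant to match on the host address only.

```text
# Added example, not from the original page. Names and addresses are assumed.
# Start in the system view.
rightm-policy                                  # step 1: interworking policy view
 rule name mgmt_bypass                         # step 2: create the policy
  description admin-host-bypasses-SACG-auth    # step 3: optional description
  source-address 10.1.1.10 32                  # step 5: a single /32 host, not a subnet
  destination-address any                      # step 5: any destination
  action permit                                # step 6: permit = no authentication or security check
 quit                                          # step 7: back to the system view (quit again if the
                                               #         prompt shows the rightm-policy view)
firewall interzone trust untrust               # step 8: only if no interworking policy is applied yet
 apply packet-filter right-manager inbound
quit
display rightm-policy rule all                 # verify: the rule must be listed above default
```

    Because a permit rule skips user authentication, security checks and authorization, the match conditions should be as narrow as the page's own advice on rule ordering suggests: a single source host (mask length 32) rather than a range, and, where the destination is known, a specific destination-address rather than any. Use display rightm-policy rule all after the change to confirm the rule sits above the implicit default rule and that its HITS counter only grows for the expected host.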

Follow-up Procedure

You can make the following adjustments to configured user-defined policies:

  • Enable or disable a user-defined policy in the SACG interworking user-defined policy view.

    enable

  • Change the priority of an interworking policy.
    • Move policy rule-name1 to before policy rule-name2. Then the priority of rule-name1 is higher than that of rule-name2.

      rule move rule-name1 before rule-name2

    • Move policy rule-name1 to after policy rule-name2. Then the priority of rule-name1 is lower than that of rule-name2.

      rule move rule-name1 after rule-name2

    • Increase the priority of policy rule-name1 by one level.

      rule move rule-name1 up

    • Reduce the priority of policy rule-name1 by one level.

      rule move rule-name1 down

    • Increase the priority of policy rule-name1 to the highest level.

      rule move rule-name1 top

    • Reduce the priority of policy rule-name1 to the lowest level (higher only than the default policy).

      rule move rule-name1 bottom

To view the priority of each rule, run the display rightm-policy rule all command. The order in which rules are displayed is their matching order.

[sysname] display rightm-policy rule all
Total:3  
RULE ID RULE NAME                      STATE      ACTION       HITS           
------------------------------------------------------------------------------- 
2       aa                             enable     -            0                
1       1                              enable     -            0                 
0       default                        enable     -            0                 
------------------------------------------------------------------------------- 
Copyright © Huawei Technologies Co., Ltd.