
CLI: Example for Configuring User- and Application-Specific Security Policies

This section provides an example of configuring security policies that control Internet access by user group and by application.

Networking Requirements

As shown in Figure 1, the FW is deployed at the network border of an enterprise as a security gateway.

Based on their roles and functions, employees of the enterprise are divided into three user groups: senior executives, marketing employees, and R&D employees. The permissions granted to each group are as follows:

  • Senior executives have unrestricted Internet access.
  • Marketing employees can access the Internet but cannot play online games or watch online videos.
  • R&D employees can access only the TortoiseSVN application on the Internet.
Figure 1 Networking for configuring user- and application-based security policies

Data Planning

The users in this example have already been added to the FW, and user authentication has already been configured. This matters because a security policy that references a user group matches only traffic from users the FW has identified: traffic from a host whose user is not identified matches none of the policies below and falls to the default security policy, which denies it.

Item | Data | Description

Security policy for senior executives

  • Name: policy_sec_management
  • Source zone: trust
  • Destination zone: untrust
  • User: management
  • Action: permit

Security policy policy_sec_management grants senior executives unrestricted access to the Internet.

Security policy 1 for marketing employees

  • Name: policy_sec_marketing_1
  • Source zone: trust
  • Destination zone: untrust
  • User: marketing
  • Application: Game, Media_Sharing
  • Action: deny

Security policy policy_sec_marketing_1 denies marketing employees online games and online videos. It must be placed before policy_sec_marketing_2, because the FW matches security policies from top to bottom and stops at the first match.

Game and Media_Sharing are predefined application sub-categories under the Entertainment category of the FW's application signature database: Game covers online games and Media_Sharing covers online video.

Security policy 2 for marketing employees

  • Name: policy_sec_marketing_2
  • Source zone: trust
  • Destination zone: untrust
  • User: marketing
  • Action: permit

Security policy policy_sec_marketing_2 allows marketing employees to access all other Internet applications. It must come after policy_sec_marketing_1; placed before it, this permit rule would match game and video traffic first and the deny rule would never be hit.

Security policy 1 for R&D employees

  • Name: policy_sec_research_1
  • Source zone: trust
  • Destination zone: untrust
  • User: research
  • Application: TortoiseSVN
  • Action: permit

Security policy policy_sec_research_1 allows R&D employees to access the TortoiseSVN application for version control. It must come before policy_sec_research_2.

Security policy 2 for R&D employees

  • Name: policy_sec_research_2
  • Source zone: trust
  • Destination zone: untrust
  • User: research
  • Action: deny

Security policy policy_sec_research_2 denies R&D employees all other Internet traffic. Placed after policy_sec_research_1, it catches every R&D flow that rule does not match.

Procedure

  1. Set interface IP addresses and assign interfaces to security zones.
    1. Set an IP address for GigabitEthernet 0/0/1 and assign the interface to the untrust zone.

      <FW> system-view
      [FW] interface GigabitEthernet 0/0/1
      [FW-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [FW-GigabitEthernet0/0/1] quit
      [FW] firewall zone untrust
      [FW-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW-zone-untrust] quit

    2. Set an IP address for GigabitEthernet 0/0/3 and assign the interface to the trust zone.

      [FW] interface GigabitEthernet 0/0/3
      [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
      [FW-GigabitEthernet0/0/3] quit
      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet 0/0/3
      [FW-zone-trust] quit

  2. Configure a security policy for senior executives.

    [FW] security-policy
    [FW-policy-security] rule name policy_sec_management
    [FW-policy-security-rule-policy_sec_management] source-zone trust
    [FW-policy-security-rule-policy_sec_management] destination-zone untrust
    [FW-policy-security-rule-policy_sec_management] user user-group /default/management
    [FW-policy-security-rule-policy_sec_management] action permit
    [FW-policy-security-rule-policy_sec_management] quit

  3. Configure security policies for marketing employees.

    # Configure security policy 1 for marketing employees.

    [FW-policy-security] rule name policy_sec_marketing_1
    [FW-policy-security-rule-policy_sec_marketing_1] source-zone trust
    [FW-policy-security-rule-policy_sec_marketing_1] destination-zone untrust
    [FW-policy-security-rule-policy_sec_marketing_1] application category Entertainment sub-category Media_Sharing
    [FW-policy-security-rule-policy_sec_marketing_1] application category Entertainment sub-category Game
    [FW-policy-security-rule-policy_sec_marketing_1] user user-group /default/marketing
    [FW-policy-security-rule-policy_sec_marketing_1] action deny
    [FW-policy-security-rule-policy_sec_marketing_1] quit

    # Configure security policy 2 for marketing employees.

    [FW-policy-security] rule name policy_sec_marketing_2
    [FW-policy-security-rule-policy_sec_marketing_2] source-zone trust
    [FW-policy-security-rule-policy_sec_marketing_2] destination-zone untrust
    [FW-policy-security-rule-policy_sec_marketing_2] user user-group /default/marketing
    [FW-policy-security-rule-policy_sec_marketing_2] action permit
    [FW-policy-security-rule-policy_sec_marketing_2] quit

  4. Configure security policies for R&D employees.

    # Configure security policy 1 for R&D employees.

    [FW-policy-security] rule name policy_sec_research_1
    [FW-policy-security-rule-policy_sec_research_1] source-zone trust
    [FW-policy-security-rule-policy_sec_research_1] destination-zone untrust
    [FW-policy-security-rule-policy_sec_research_1] user user-group /default/research
    [FW-policy-security-rule-policy_sec_research_1] application app TortoiseSVN
    [FW-policy-security-rule-policy_sec_research_1] action permit
    [FW-policy-security-rule-policy_sec_research_1] quit

    # Configure security policy 2 for R&D employees.

    [FW-policy-security] rule name policy_sec_research_2
    [FW-policy-security-rule-policy_sec_research_2] source-zone trust
    [FW-policy-security-rule-policy_sec_research_2] destination-zone untrust
    [FW-policy-security-rule-policy_sec_research_2] user user-group /default/research
    [FW-policy-security-rule-policy_sec_research_2] action deny
    [FW-policy-security-rule-policy_sec_research_2] quit

Verification

  1. Check whether senior executives have unrestricted Internet access. If yes, the security policy for senior executives is successfully configured.
  2. Check whether marketing employees can access the Internet but not the applications in the Game and Media_Sharing sub-categories defined by the FW. If yes, the security policies for marketing employees are successfully configured.
  3. Check whether R&D employees can access only the TortoiseSVN application. If yes, the security policies for R&D employees are successfully configured. Because application-based rules depend on the FW identifying the application from the traffic itself, verify with real sessions of each application rather than with a single probe packet.
  4. Choose Monitor > Log > Policy Matching Log and check whether senior executives, marketing employees, and R&D employees match the desired security policies.

Configuration Scripts

#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
security-policy
 rule name policy_sec_management
  source-zone trust
  destination-zone untrust
  user user-group /default/management
  action permit
 rule name policy_sec_marketing_1
  source-zone trust
  destination-zone untrust
  user user-group /default/marketing
  application category Entertainment sub-category Game
  application category Entertainment sub-category Media_Sharing
  action deny
 rule name policy_sec_marketing_2
  source-zone trust
  destination-zone untrust
  user user-group /default/marketing
  action permit
 rule name policy_sec_research_1
  source-zone trust
  destination-zone untrust
  user user-group /default/research
  application app TortoiseSVN
  action permit
 rule name policy_sec_research_2
  source-zone trust
  destination-zone untrust
  user user-group /default/research
  action deny
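The correctness of the Procedure and of the configuration script above rests on rule order: each deny/permit pair for a user group only works because the narrower application-specific rule is evaluated first. The following is an added example, not Huawei's code or part of the original page: a small Python model that parses the security-policy rules into the order the device holds them, evaluates constructed flows the way the FW does (top-down, first match wins, no match falls to the default deny policy) and flags a rule that an earlier, broader rule for the same user group makes unreachable. The application names OnlineGame_X, OnlineVideo_Y and HTTPS, their sub-category mapping, and the flows are constructed for the example; the zone lines are omitted from the copied script because every rule is trust to untrust.

```python
"""Added example (not the page's or Huawei's code): a first-match model of the
security policies above. It parses the security-policy script, evaluates
constructed flows as the FW does (rules checked top-down, first match wins, no
match falls to the default deny policy) and reports rules that an earlier,
broader rule for the same user group makes unreachable."""

# Constructed copy of the page's security-policy script in device order; the
# zone lines are omitted since every rule is trust -> untrust.
CONFIG = """\
security-policy
 rule name policy_sec_management
  user user-group /default/management
  action permit
 rule name policy_sec_marketing_1
  user user-group /default/marketing
  application category Entertainment sub-category Game
  application category Entertainment sub-category Media_Sharing
  action deny
 rule name policy_sec_marketing_2
  user user-group /default/marketing
  action permit
 rule name policy_sec_research_1
  user user-group /default/research
  application app TortoiseSVN
  action permit
 rule name policy_sec_research_2
  user user-group /default/research
  action deny
"""

# Assumed application -> sub-category mapping for the constructed flows (on the
# device the signature database decides); only Game and Media_Sharing are the page's.
APP_SUBCATEGORY = {"OnlineGame_X": "Game", "OnlineVideo_Y": "Media_Sharing", "HTTPS": "Web"}

def parse_rules(text):
    """Split `rule name ...` blocks into dicts, keeping device order."""
    rules = []
    for p in (line.split() for line in text.splitlines()):
        if p[:2] == ["rule", "name"]:
            rules.append({"name": p[2], "user": None, "apps": set(),
                          "subcats": set(), "action": None})
        elif not rules or not p:
            continue  # the leading `security-policy` line or a blank line
        elif p[:2] == ["user", "user-group"]:
            rules[-1]["user"] = p[2]
        elif p[:2] == ["application", "app"]:
            rules[-1]["apps"].add(p[2])
        elif p[:2] == ["application", "category"]:
            rules[-1]["subcats"].add(p[4])  # "... sub-category <name>"
        elif p[0] == "action":
            rules[-1]["action"] = p[1]
    return rules

def matches(rule, user, app):
    """Every stated condition must match; an omitted one matches anything."""
    if rule["user"] is not None and rule["user"] != user:
        return False
    if rule["apps"] or rule["subcats"]:
        return app in rule["apps"] or APP_SUBCATEGORY.get(app) in rule["subcats"]
    return True

def evaluate(rules, user, app, default="deny"):
    """(action, rule) of the first match, else the default policy, which is
    where a host whose user the FW has not identified (user=None) lands."""
    for rule in rules:
        if matches(rule, user, app):
            return rule["action"], rule["name"]
    return default, "default"

def shadowed_rules(rules):
    """(rule, shadowing rule) pairs: same user group, and the earlier rule has
    no application condition or a superset of the later rule's."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier["user"] != later["user"]:
                continue
            covered = (bool(later["apps"] or later["subcats"])
                       and later["apps"] <= earlier["apps"]
                       and later["subcats"] <= earlier["subcats"])
            if not (earlier["apps"] or earlier["subcats"]) or covered:
                found.append((later["name"], earlier["name"]))
                break
    return found

# Constructed flows: name -> (user group, application the FW identified).
FLOWS = {
    "exec_game": ("/default/management", "OnlineGame_X"),
    "mkt_game": ("/default/marketing", "OnlineGame_X"),
    "mkt_video": ("/default/marketing", "OnlineVideo_Y"),
    "mkt_web": ("/default/marketing", "HTTPS"),
    "rnd_svn": ("/default/research", "TortoiseSVN"),
    "rnd_web": ("/default/research", "HTTPS"),
    "unauth_web": (None, "HTTPS"),
}

def check_page_config():
    """Action the page's rule set, in the page's order, gives each flow."""
    rules = parse_rules(CONFIG)
    return {name: evaluate(rules, u, a)[0] for name, (u, a) in FLOWS.items()}

def check_misordered():
    """Swap the two marketing rules: the permit now shadows the deny."""
    rules = parse_rules(CONFIG)
    i = [r["name"] for r in rules].index("policy_sec_marketing_1")
    rules[i], rules[i + 1] = rules[i + 1], rules[i]
    return shadowed_rules(rules), evaluate(rules, *FLOWS["mkt_game"])[0]
```

check_page_config() yields the intended outcome for every flow (executives permitted, marketing game and video traffic denied but web permitted, R&D permitted only TortoiseSVN, an unidentified user denied by the default policy) and shadowed_rules() reports nothing for the page's order. check_misordered() shows what happens when policy_sec_marketing_2 is entered before policy_sec_marketing_1: the deny rule is reported as shadowed and marketing game traffic is permitted, which is the mistake the rule ordering in the Procedure avoids.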
Copyright © Huawei Technologies Co., Ltd.