
Configuring an Audit Policy

The audit profile must be referenced in an audit policy for the profile to take effect. This section describes how to configure an audit policy.

Prerequisites

The audit profile configuration has been completed.

Context

Plan the policies as follows before an audit policy configuration:

  • Determine the traffic that must be audited according to the matching conditions in the policy.
  • Determine the audit profile to be referenced in the policy for the audit function.

Procedure

  1. Choose Policy > Audit Policy.
  2. Click Add.
  3. Set the name and description of the audit policy.

    Name
      Name of the audit policy. The name of the new policy cannot be the same as that of any existing policy.

    Description
      Description of the audit policy. The description should clearly indicate the function of the policy so that it is easy to find and maintain.

  4. Configure a tag for the policy.

    The tag identifies and categorizes the policy. You can query policies based on tags and delete, move, enable, or disable policies in batches based on the query results. For the tag description and configuration, see Tag.

  5. Configure the matching conditions in the audit policy.

    • Audit policies are processed from top to bottom. If the traffic matches a policy, the remaining policies are ignored. Therefore, policies must be ordered from the most specific to the least specific, or a general policy placed earlier will shadow the specific policies below it.

    • Each policy contains multiple matching conditions, such as security zones and interfaces. The traffic matches a policy only if the attributes of the traffic meet all the conditions defined in the policy. By default, all the conditions are set to any. In such a case, all traffic matches the policy.

    • Each condition in a policy has multiple values. If one of the values in a condition is met, the traffic meets the condition.

    Source Zone
      The security zone from which the traffic to be audited originates.

    Destination Zone
      The destination security zone of the traffic to be audited. If the source and destination security zones are the same, traffic that passes through that security zone is audited.

    Source Address/Region
      The source IP address or MAC address of the traffic to be audited.

      • Address and address group: You can specify an IP address, a MAC address, or a continuous IP segment. You can also incorporate MAC address sets, discontinuous IP addresses, and continuous IP addresses that cannot be represented by a network or subnet mask into an address group. For details, see Address Object and Address Group.

        NOTE:
        To exclude an address or address group (the source address or addresses of traffic) from policy matching, select the address or address group from the available address area, select it in the selected address area, click Invert, and then click OK.

      • Domain group: You can specify a domain group to use the IP addresses of specific domain names as policy matching conditions. For details, see Domain Group.

        NOTE:
        When an IP address corresponds to multiple domain names, the IP address can be used to search for a maximum of 16 domain names. If the domain name being searched for is not in the policy rule, the policy cannot be matched. You are advised to configure multiple domain names that share the same IP address in the same policy rule.

      • Region and region group: You can specify a region or region group as a matching condition of a policy. For details, see Region and Region Group.

      You can manually enter IP/MAC addresses or select an existing address object from the drop-down list.

      The icons in the drop-down list indicate the object type:

      • [address icon] represents an address.
      • [address group icon] represents an address group.
      • [region icon] or national flags represent a country or region. User-defined regions are displayed above predefined regions. A region is a group of addresses classified by region.
      • [region group icon] represents a region group.

      When there are many available options, you can select Address or Region from the drop-down list to narrow the list and speed up configuration. When only Address is selected, the drop-down list displays all available addresses, address groups, and domain groups. When only Region is selected, the drop-down list displays all available regions and region groups.

      NOTE:
      Matching on a MAC address configured in a policy relies on either the across-Layer-3 MAC identification function or the ARP entries learned by the firewall.
      • If the FW works at Layer 2 and directly connects to an intranet or connects to a Layer-2 switch, MAC addresses can serve as matching conditions.
      • If the FW works at Layer 3 and directly connects to an intranet or connects to a Layer-2 switch, MAC addresses can serve as matching conditions through ARP learning.
      • If the FW connects to an intranet through a Layer-3 network device, configure across-Layer-3 MAC identification on the FW before using MAC addresses as matching conditions. For the description of across-Layer-3 MAC identification, see Across-Layer-3 MAC Identification.

    Destination Address/Region
      The destination IP address or MAC address of the traffic to be audited. You can manually enter IP/MAC addresses or select an existing address object from the drop-down list.

      NOTE:
      When an IP address corresponds to multiple domain names, the IP address can be used to search for a maximum of 16 domain names. If the domain name being searched for is not in the policy rule, the policy cannot be matched. You are advised to configure multiple domain names that share the same IP address in the same policy rule.

      The destination configuration is similar to the source configuration.

      When there are many available options, you can select Address or Region from the drop-down list to narrow the list and speed up configuration. When only Address is selected, the drop-down list displays all available addresses, address groups, and domain groups. When only Region is selected, the drop-down list displays all available regions and region groups.

      NOTE:
      To exclude an address or address group (the destination address or addresses of traffic) from policy matching, select the address or address group from the available address area, select it in the selected address area, click Invert, and then click OK.

    User
      The user whose traffic is to be audited. The value can be a User, User Group, or Security Group.

      Users and user groups reflect the horizontal organizational structure. Users and security groups reflect the vertical organizational structure. You can configure users and user groups based on company departments, or add users from different departments to one security group for management.

    Service
      The protocol type of the traffic. Services can be predefined or user-defined.

      • Predefined services are well-known services, such as HTTP, FTP, and Telnet.

      • You can also define services as needed. User-defined services are configured by specifying information such as port numbers. User-defined services fall into three types, configured as follows:

        • For TCP/UDP packets, you must specify the source and destination ports.
        • For ICMP packets, you must specify the ICMP message type and code.
        • For IP packets, you must specify the protocol number in the IP header.

      You can also create a service group and add predefined and user-defined services to the group.

      For details, see Service and Service Group.

      NOTE:
      To exclude a service or service group (the service or service group of traffic) from policy matching, select the service or service group from the available service area, select it in the selected service area, click Invert, and then click OK.

    Schedule
      The time range during which the policy is applied. The schedule can be a repeating schedule (for example, 19:00 to 22:00 every Friday) or a one-time schedule (for example, 19:00 2012/5/1 to 19:00 2012/5/2). For details, see Schedule.

  6. Specify the action in the audit policy.

    The control actions for traffic that matches the audit policy include:

    • Audit: Audits all traffic that matches the policy.
    • Do not audit: Does not audit the traffic that matches the policy.

  7. Specify the audit profile to be referenced in the policy.

    You can select and edit existing profiles or create new profiles.

  8. Click OK.
  9. Optional: Click Commit in the upper-right corner. In the dialog box that is displayed, click OK.

    After creating, modifying, or deleting an audit profile, you need to click Commit to make the audit profile and the audit policy that references the audit profile take effect.
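As an added illustration of the matching semantics in steps 5 and 6 (this is example code written for this page, not Huawei's implementation or CLI), the following Python script models an ordered list of audit policies: conditions within a policy are ANDed, values within a condition are ORed, an empty condition is "any", Invert excludes the selected objects, user-defined services follow the three types above (TCP/UDP ports, ICMP type/code, IP protocol number), and policies are evaluated top to bottom with the first match deciding the action and the referenced audit profile. The zones, users, groups, addresses, service objects and flows are constructed for the example; the page does not state what happens when no policy matches, so the model returns None in that case.

```python
# Added example (not Huawei's code): a minimal model of audit-policy matching.
# All zone, user, group, address and service values below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    user: str
    ip_proto: int          # IP header protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    src_port: int = 0
    dst_port: int = 0
    icmp_type: int = -1
    icmp_code: int = -1


@dataclass(frozen=True)
class Service:
    """A predefined or user-defined service, following the page's three types."""
    ip_proto: int
    src_ports: Optional[range] = None   # TCP/UDP: source port range
    dst_ports: Optional[range] = None   # TCP/UDP: destination port range
    icmp_type: Optional[int] = None     # ICMP: message type
    icmp_code: Optional[int] = None     # ICMP: message code

    def matches(self, f: Flow) -> bool:
        if f.ip_proto != self.ip_proto:
            return False
        if self.ip_proto in (6, 17):
            return ((self.src_ports is None or f.src_port in self.src_ports)
                    and (self.dst_ports is None or f.dst_port in self.dst_ports))
        if self.ip_proto == 1:
            return ((self.icmp_type is None or f.icmp_type == self.icmp_type)
                    and (self.icmp_code is None or f.icmp_code == self.icmp_code))
        return True   # "IP" service type: protocol number only


# Constructed service objects standing in for predefined entries.
HTTP = Service(6, dst_ports=range(80, 81))
HTTPS = Service(6, dst_ports=range(443, 444))
# Constructed user groups; a condition value may name a user or a group.
USER_GROUPS = {"admins": {"alice"}, "finance": {"bob", "carol"}}


@dataclass(frozen=True)
class Cond:
    values: tuple = ()      # ORed; an empty tuple is the page's "any"
    invert: bool = False    # the Invert button: match everything except the values

    def test(self, attr, one: Callable) -> bool:
        if not self.values:
            return True
        hit = any(one(attr, v) for v in self.values)
        return (not hit) if self.invert else hit


def eq(a, v): return a == v
def in_net(ip, cidr): return ip_address(ip) in ip_network(cidr, strict=False)
def is_user(u, v): return u == v or u in USER_GROUPS.get(v, ())
def svc(f, s): return s.matches(f)


@dataclass(frozen=True)
class AuditPolicy:
    name: str
    action: str                     # "audit" or "no-audit"
    profile: Optional[str] = None   # audit profile referenced when auditing
    src_zone: Cond = Cond()
    dst_zone: Cond = Cond()
    src_addr: Cond = Cond()
    dst_addr: Cond = Cond()
    user: Cond = Cond()
    service: Cond = Cond()

    def conditions(self):
        return (self.src_zone, self.dst_zone, self.src_addr,
                self.dst_addr, self.user, self.service)

    def matches(self, f: Flow) -> bool:        # every condition must hold (AND)
        return (self.src_zone.test(f.src_zone, eq)
                and self.dst_zone.test(f.dst_zone, eq)
                and self.src_addr.test(f.src_ip, in_net)
                and self.dst_addr.test(f.dst_ip, in_net)
                and self.user.test(f.user, is_user)
                and self.service.test(f, svc))

    def is_catch_all(self) -> bool:            # every condition left at "any"
        return all(not c.values for c in self.conditions())


def evaluate(policies: List[AuditPolicy], f: Flow) -> Optional[Tuple[str, str, Optional[str]]]:
    """Top to bottom, first match wins; returns (policy name, action, profile)."""
    for p in policies:
        if p.matches(f):
            return (p.name, p.action, p.profile)
    return None   # the page does not define the no-match case


def shadowed_by_catch_all(policies: List[AuditPolicy]) -> List[str]:
    """Policies listed after an all-'any' policy can never be reached."""
    for i, p in enumerate(policies):
        if p.is_catch_all():
            return [q.name for q in policies[i + 1:]]
    return []


POLICIES = [   # most specific first, as step 5 requires
    AuditPolicy("no_audit_admins", "no-audit",
                src_zone=Cond(("trust",)), user=Cond(("admins",))),
    AuditPolicy("audit_web_to_internet", "audit", profile="web_audit",
                src_zone=Cond(("trust",)), dst_zone=Cond(("untrust",)),
                src_addr=Cond(("10.1.0.0/16",)), service=Cond((HTTP, HTTPS))),
    AuditPolicy("audit_all_except_dmz", "audit", profile="default_audit",
                dst_zone=Cond(("dmz",), invert=True)),
]

if __name__ == "__main__":
    for f in (Flow("trust", "untrust", "10.1.1.5", "203.0.113.10", "alice", 6, 51000, 443),
              Flow("trust", "untrust", "10.1.2.7", "203.0.113.10", "bob", 6, 51001, 80),
              Flow("trust", "dmz", "10.1.2.7", "192.0.2.20", "bob", 6, 51002, 22)):
        print(f.user, f.src_zone, "->", f.dst_zone, evaluate(POLICIES, f))
    catch_all = AuditPolicy("audit_everything", "audit", profile="default_audit")
    print("shadowed:", shadowed_by_catch_all([catch_all] + POLICIES))
```

Running the script shows the ordering rule in practice: the admin flow hits the specific no-audit policy first, the finance HTTP flow is audited with the web profile, traffic into the DMZ matches nothing because the last policy inverts that zone, and placing an all-"any" policy at the top reports every policy below it as shadowed.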

Copyright © Huawei Technologies Co., Ltd.