To configure access rules for a policy, select the Policy tab of the Policy Configuration dialog box.
The Connections are drop-down list defines whether traffic that matches the rules in the policy is allowed or denied. To configure how traffic is handled, select one of these settings:
Allowed
The XTM device allows traffic that uses this policy if it matches the rules you set in the policy. You can configure the policy to create a log message when network traffic matches the policy.
Denied
The XTM device denies all traffic that matches the rules in this policy and does not send a notification to the device that sent the traffic. You can configure the policy to create a log message when a computer tries to use this policy. The policy can also automatically add a computer or network to the Blocked Sites list if it tries to start a connection with this policy.
For more information, see Block Sites Temporarily with Policy Settings.
Denied (send reset)
The XTM device denies all traffic that matches the rules in this policy. You can configure it to create a log message when a computer tries to use this policy. The policy can also automatically add a computer or network to the Blocked Sites list if it tries to start a connection with this policy.
For more information, see Block Sites Temporarily with Policy Settings.
With this option, the XTM device sends a packet to tell the device that sent the network traffic that the session is refused and the connection is closed. You can set a policy to return other errors instead, which tell the device that the port, protocol, network, or host is unreachable. We recommend that you use these options with caution to ensure that your network operates correctly with other networks.
The Policy tab also includes:
For example, you could configure a ping packet filter to allow ping traffic from all computers on the external network to one web server on your optional network. However, when you open the destination network to connections over the port or ports that the policy controls, you can make the network vulnerable. Make sure you configure your policies carefully to avoid vulnerabilities.
To add members to your access specifications:
The list contains the members you can add to the From or To lists. A member can be an alias, user, group, IP address, or range of IP addresses.
The source and destination can be a host IP address, host range, host name, network address, user name, alias, VPN tunnel, or any combination of those objects.
For more information on the aliases that appear in the From and To list, see About Aliases.
For more information about how to create a new alias or edit a user-defined alias, see Create an Alias.
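As an added illustration of the Connections are settings and the From and To member lists described above (example code, not WatchGuard's own), the following Python model evaluates a connection against an ordered list of policies, applying Allowed, Denied, or Denied (send reset), with the optional log message and the optional addition of the source to the Blocked Sites list on a denial. Member types are limited to a host IP address, a host range, a network address, or "any"; ports and protocols are omitted for brevity.

```python
# Added example (not XTM code): a minimal model of access-rule evaluation.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Set


@dataclass
class Policy:
    name: str
    action: str               # "allowed", "denied", or "denied_reset"
    from_members: List[str]   # host IP, "lo-hi" range, CIDR network, or "any"
    to_members: List[str]
    log: bool = True          # write a log message when traffic matches
    auto_block: bool = False  # add the source to Blocked Sites on a denial


@dataclass
class Device:
    policies: List[Policy]                       # evaluated in order
    blocked_sites: Set[str] = field(default_factory=set)
    log_lines: List[str] = field(default_factory=list)

    @staticmethod
    def _member_matches(member: str, addr: str) -> bool:
        if member == "any":
            return True
        if "/" in member:                        # network address
            return ip_address(addr) in ip_network(member, strict=False)
        if "-" in member:                        # host range
            lo, hi = (ip_address(x) for x in member.split("-"))
            return lo <= ip_address(addr) <= hi
        return ip_address(addr) == ip_address(member)

    def decide(self, src: str, dst: str) -> str:
        # A source already on the Blocked Sites list is dropped outright.
        if src in self.blocked_sites:
            return "drop"
        for p in self.policies:
            if any(self._member_matches(m, src) for m in p.from_members) and \
               any(self._member_matches(m, dst) for m in p.to_members):
                if p.log:
                    self.log_lines.append(f"{p.name}: {src}->{dst} {p.action}")
                if p.action == "allowed":
                    return "allow"
                if p.auto_block:                 # temporary block on denial
                    self.blocked_sites.add(src)
                # "denied_reset" answers with a reset; "denied" is silent.
                return "reset" if p.action == "denied_reset" else "drop"
        return "drop"                            # no match: default deny
```

Note that an Allowed policy placed earlier in the list takes precedence over a later Denied policy for the same source and destination, which is why policy order matters as much as the rule contents.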