Configuring network access policy rules

You can protect your network with an ordered list of rules that match on five attributes of each packet.

Before you begin

Important: If your appliance is deployed on a VMware platform, you must perform special configuration tasks. For more information about configuring your virtual appliance, see Configuring the Network Security appliance for VMware.

About this task

Network Access policy rules use network objects to represent groups of network addresses or ranges, applications, URL categories, network users, and other objects that can be shared by multiple rules. You can define these network objects before you create a rule, or during the process of creating or editing the rule.

Navigating in the Local Management Interface: Click Secure, and then click Network Access Policy.

Navigating in the SiteProtector™ System:
  1. Select the Policy view.
  2. In the My Sites pane, expand the Locally Configured Agents menu item, and then select your Network Security agent.
  3. In the Local Policies pane, select Network Access, and then click Action > Open.

Procedure

  1. Perform one of the following actions:
    • Click New to create a new rule.
    • Select an existing rule and click Edit.
    • Right-click an existing rule, and then click Clone to create a new rule with the same attributes.
  2. On the General Configuration tab, select a position to put the rule in a specific order in your policy.
    Note: By default, a new rule is placed in the rule list next to the rule that you previously selected. If no rule is selected, the new rule is placed at the end of the rule list.
  3. Select Enable to enable this rule in the Network Access policy.
  4. Select the Action that you want the rule to trigger:
    Option: Description
    Reject: Drops the packet without any further inspection and sends an ICMP error or TCP reset to the originator of the packet. Network users that try to access HTTP content are redirected to a block page that explains that the site is blocked according to company policy. The block page includes the URL the user tried to access and the reason the page was blocked.
    Exception: When the system rejects a packet based on a rule for domain certificates, it sends only the TCP reset. The system does not redirect the user to a block page.
    Note: On networks that contain an extra network segment between the user segment and the appliance, you must configure static routes to the paired protection interfaces on your appliance so that network routers can redirect users to block pages or authentication pages. If you do not configure static routes, the appliance sends an HTML message that is not translated into the language that is selected in the LMI. For more information, see Block messages.
    Drop: Drops the packet without any further inspection and without any response to the originator of the packet.
    Accept: Allows the packet to pass through to be inspected by other security protection engines (such as IPS, Antivirus, or Application Protection).
    Authenticate (Reject): When a user attempts to access HTTP content, the appliance redirects the user to an authentication page and requires a login. Upon successful authentication, the user is redirected to the original destination. Non-HTTP traffic that triggers this rule is rejected. You can redirect traffic to management or protection interfaces on the appliance. To redirect to a protection interface, you must configure an IP alias on one or more of the interfaces. For more information about protection interfaces, see Configuring protection interfaces.
    Note: You must use the Unauthenticated Users object in a rule with the Authenticate (Reject) action to apply the rule only to users who have not successfully authenticated.
    Do Not Inspect: Allows the traffic to pass through without being inspected by additional security protection engines.
    Note: No inspection objects are associated with this action. If you select this action, traffic that matches this rule is not inspected by any other security protection engine.
  5. Type a comment to identify the expected behavior of the rule.
  6. Select the Response tab, and then select one or more response objects from the list to add the objects to the rule.
    Tip: You can also create or edit network objects when you configure a network access policy rule.
  7. Select the Source tab, and then complete one of the following actions:
    • In Available Objects, select the objects to add them to the rule.
    Note: The users and groups available in the Source tab are populated from your Network User Identity list. For more information about local users, see Managing Local Users. You can also use identity objects to add users and groups to multiple network access policy rules.
    XFF (X-Forwarded-For) configuration:
    The Network Security appliance uses the source IP address to match Network Access policy rules and to identify the user who is associated with the session. However, if the session is established through a proxy, the source IP address that the appliance sees belongs to the proxy and not to the originating client. If you want to match Network Access policy rules based on the originating IP address and to identify the originating user correctly, enable XFF processing. When enabled, the appliance extracts the originating client IP address from the X-Forwarded-For HTTP header and uses that IP address to match Network Access policy rules and to identify the originating user.
    Important: Events and flow data are still reported with the proxy server’s IP address, not the XFF IP address.
    XFF tuning parameters:
    Important: Change advanced tuning parameter values only under the supervision of IBM® Support.
    Use the following tuning parameters to configure XFF processing:
    Parameter: Description
    alpsd.xff.enabled:
      true: Enable XFF processing.
      false: Disable XFF processing. (default)
    alpsd.xff.proxy: Defines the list of trusted proxy servers (internal enterprise proxies) for which XFF processing is enabled.
      If you set alpsd.xff.enabled to true, XFF processing is still not enabled unless this tuning parameter is also set. If the connection is through an untrusted proxy, the information in the XFF header might not be trustworthy and should not be used. To enable XFF processing for all proxy servers, set this parameter to any.
      Options: comma-separated list of IPv4/IPv6 addresses, ranges, or subnets | any

    Note: Modifying or adding these tuning parameters restarts the analysis engine, but does not cause a change in link state.
  8. Select the Available Objects tab, and then select one or more network objects from the Address list to add the objects to the rule.
  9. Select the Application tab, and then select one or more network objects from the Applications list to add the objects to the rule.
  10. Select the Inspection tab, and then select a network object from the list to add the object to the rule.
  11. Select the Schedule tab, and then select one or more network objects from the list to add the objects to the rule.
    Tip: You can also add network objects to a Network Access Policy rule by clicking the object and dragging it to the rule.
  12. Click Save Configuration. The policy update can take several seconds. The deployment banner appears on the page after you change a policy or policy rule.
  13. In the deployment banner, click the following link to deploy the policy with your new or updated rules: Click here to review the changes or apply them to the system. The Deploy Pending Changes window is displayed.
  14. In the Deploy Pending Changes window, select one of the following options:
    • Click Cancel to keep the changes you made without deploying them.
    • Click Rollback to discard any edits you made or rules you added. The Rollback function erases all of your changes and reverts to the previously deployed policy.
    • Click Deploy to deploy the new or changed rules.
    Tip: The Deploy Pending Changes window displays a list of links to policies with undeployed changes. You can click the links to those policies to review your changes before you deploy them.
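The following Python script is an added illustration, not code from the appliance or from IBM, of the two behaviours this page describes: ordered, first-match evaluation of an enabled rule list against packet attributes (step 4), and XFF-aware selection of the source address that is matched against the rules (step 7). It assumes the left-most entry of the X-Forwarded-For header is the originating client, models only four of the five packet attributes (source, destination, protocol, destination port), and returns None when no rule matches, since the page does not state a default action. The proxy-list parser accepts the same shape of value as alpsd.xff.proxy (addresses, first-last ranges, CIDR subnets, or any). All addresses, rule names and headers below are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def parse_network_list(value: str):
    """Parse 'any' or a comma-separated list of addresses, CIDR subnets and
    'first-last' ranges (the value shape of alpsd.xff.proxy). Returns the
    string 'any' or a list of ip_network objects."""
    value = value.strip()
    if value.lower() == "any":
        return "any"
    networks = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            first, last = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            networks.extend(ipaddress.summarize_address_range(first, last))
        else:
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks

def _contains(networks, addr) -> bool:
    # ip_network membership returns False (never raises) for a mismatched IP version
    return any(addr in net for net in networks)

def resolve_source_ip(src_ip: str, xff_header: Optional[str],
                      xff_enabled: bool, trusted_proxies) -> str:
    """Address used for rule matching and user identification. The XFF header
    is honoured only when processing is enabled, a trusted proxy list is set,
    and the packet actually arrived from a trusted proxy; otherwise the header
    may be forged and the observed source address is used unchanged."""
    if not xff_enabled or not trusted_proxies or not xff_header:
        return src_ip
    addr = ipaddress.ip_address(src_ip)
    if trusted_proxies != "any" and not _contains(trusted_proxies, addr):
        return src_ip
    # Assumption: the originating client is the left-most header entry
    client = xff_header.split(",")[0].strip()
    try:
        ipaddress.ip_address(client)
    except ValueError:
        return src_ip          # unparsable header value: fall back to the proxy address
    return client

@dataclass
class Rule:
    name: str
    action: str                      # Reject, Drop, Accept, Authenticate (Reject), Do Not Inspect
    enabled: bool = True
    sources: Optional[list] = None   # list of ip_network; None matches any
    destinations: Optional[list] = None
    protocols: Optional[set] = None  # e.g. {"tcp"}; None matches any
    dst_ports: Optional[set] = None  # None matches any

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        if not self.enabled:         # disabled rules never match
            return False
        src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return ((self.sources is None or _contains(self.sources, src_a))
                and (self.destinations is None or _contains(self.destinations, dst_a))
                and (self.protocols is None or proto in self.protocols)
                and (self.dst_ports is None or dport in self.dst_ports))

def evaluate(rules, packet: dict, xff_enabled: bool, trusted_proxies) -> Optional[str]:
    """First enabled rule that matches wins (ordered list). packet carries
    src, dst, proto, dport and optionally the xff header seen in the session."""
    effective_src = resolve_source_ip(packet["src"], packet.get("xff"),
                                      xff_enabled, trusted_proxies)
    for rule in rules:
        if rule.matches(effective_src, packet["dst"], packet["proto"], packet["dport"]):
            return rule.action
    return None                      # no match: default behaviour not modelled here

# Constructed sample policy and trusted-proxy list (hypothetical addresses)
POLICY = [
    Rule("block-guest-web", "Reject", sources=parse_network_list("192.0.2.0/24"),
         protocols={"tcp"}, dst_ports={80, 443}),
    Rule("disabled-drop-all", "Drop", enabled=False),
    Rule("allow-rest", "Accept"),
]
TRUSTED = parse_network_list("10.1.1.5, 10.1.2.0-10.1.2.20")

def demo() -> dict:
    """Same session seen through a trusted proxy under four XFF settings."""
    via_proxy = {"src": "10.1.1.5", "dst": "198.51.100.7", "proto": "tcp",
                 "dport": 80, "xff": "192.0.2.10, 10.1.1.5"}
    return {
        "xff_on":    evaluate(POLICY, via_proxy, True, TRUSTED),
        "xff_off":   evaluate(POLICY, via_proxy, False, TRUSTED),
        "untrusted": evaluate(POLICY, dict(via_proxy, src="10.9.9.9"), True, TRUSTED),
        "any_proxy": evaluate(POLICY, dict(via_proxy, src="10.9.9.9"), True, "any"),
    }

if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:10s} -> {action}")
```

The demo shows why alpsd.xff.proxy matters: with XFF enabled and the proxy trusted, the guest client behind the proxy hits the Reject rule; with XFF disabled, or with the same header arriving from a proxy outside the trusted list, the proxy's own address is matched instead and the catch-all Accept rule applies. Setting the list to any restores the match for every proxy, at the cost of trusting headers from any source.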