Versa Networks

Configure SD-WAN Access Control Policies

For supported software information, see Supported Software Information, below.

You configure access control policies to filter traffic flowing through Versa Operating System (VOS) devices.

Note: In Concerto Releases 12.2.2 and earlier, access control policies are configured under subprofiles. For information about configuring access control in Releases 12.2.2 and earlier, see Configure SD-WAN Security Access Control Policies and Rules.

Access control policies consist of a set of rules for matching traffic, actions to take on traffic that matches the rule set, and a permissions list indicating which user roles can access or modify the policy.

Each rule consists of a set of match criteria, an action, and permissions for the rule.

You can configure match criteria in the following categories:

  • Applications
  • URL categories and reputations
  • User and user groups
  • Source/destination IP and zones
  • Traffic protocol, such as TCP, encapsulating security payload (ESP), or authentication header (AH)

You can configure the action to take on traffic that matches a rule: allow it, deny it (drop), reject it (drop and send a TCP reset or an ICMP port unreachable message), or apply one or more security enforcement profiles in the categories malware protection, URL filtering, IPS, IP filtering, file filtering, and DNS filtering.

This article describes how to configure access control policies.

Create an Access Control Policy

You can create an access control policy as part of a main template, or you can create it separately and then associate it with a main template. For more information about main templates, see Configure Main Templates.

  • To create an access control policy using the main template workflow:
    1. In Tenant view, select Configure > Secure SD-WAN > Main Templates.
    2. Click + Add, or select an existing main template for which you want to configure the policy.
    3. Select workflow step 7, Security, in the top menu bar.
    4. Select the Access Control tab, and then click Add New Access Control Policy. The Add Access Control Policy screen displays.
    5. Continue to Configure Access Control Rules, below.
  • To create an access control policy separately from a main template:
    1. In Tenant view, select Configure > Secure SD-WAN > Security > Policies.
    2. Select the Access Control tab, and then click + Add. The Add Access Control Policy screen displays.
    3. Continue to Configure Access Control Rules, below.

Configure Access Control Rules

  1. In the Add Access Control Policy screen, click Add Access Control Rule.

    The screen displays the workflow to create a rule, beginning with workflow step 1, Applications and URLs.

  2. By default, all applications, URLs, and reputations are included in the match criteria. You can include or exclude specific applications, application groups, application categories, URL categories and URL reputations. 

    To specify traffic for application groups, specific applications, application categories, and URL categories and reputations for the rule:
    1. Select the Applications > Application Groups tab.
    2. To select specific application groups to include or exclude in the rule, click User Defined Application Groups, Predefined Application Groups, or both. Then select the application groups for the rule to match. You can use the Search bar to find specific application groups.
      • To create an Application Group object, click + Add Application Group. See Add a User-Defined Application Group in Configure Reusable Objects.
    3. Select the Applications > Applications tab.
    4. To select specific applications, click User Defined Applications, Predefined Applications, or both. Then select the applications for the rule to match. You can use the Search bar to find specific applications.
    5. Select the Applications > Application Category tab.
    6. Select one or more user-defined and predefined application categories for the rule to match. You can use the Search bar to find specific application categories.
      • To create an Application Category object, click + Add Application Category. See Add Application Categories in Configure Reusable Objects.
    7. Select the URLs and Reputations tab. 
    8. In the URL Categories field, click the down arrow, and then select one or more URL categories for the rule to match.
      • To create a URL category, scroll to the end of the drop-down list and select + Add URL Category. See Add a URL Category in Configure Reusable Objects.
    9. In the Reputations field, click the down arrow, and then select one or more reputations to include in the rule:
      • High risk
      • Low risk
      • Moderate risk
      • Suspicious
      • Trustworthy
      • Undefined
  3. Click Next or select workflow step 2, Users & User Groups.
  4. By default, all users and user groups are included in the match criteria. To customize which traffic to include or exclude from users & user groups:
    1. Click to select the user type for which you want to apply the rule:
      • All Users—Apply rule for all matched users. This is the default.
      • Selected Users—Apply rule for selected users. 
      • Known Users—Apply rule for all known (authenticated) users. 
      • Unknown Users—Apply rule only for users that are not authenticated. 
    2. If you select Selected Users, fields display for choosing an authentication profile, user groups, and users.
    3. Click the User and Device Authentication Profile field to select a user authentication profile for the matched users and groups.
    4. On the User Groups tab, click the checkbox for each user group to include. You can search for specific user groups, or click Select All to include all user groups.
    5. Click the Users tab, and then click the checkbox for each user to include. You can search for specific users, or click Select All to include all users. 
  5. Click Next or select workflow step 3, Source & Destination Traffic.
  6. By default, traffic from all source and destination addresses, zones, and sites is included in the match criteria. You can include or exclude specific source and destination traffic in the match criteria.

    To match traffic from specific source and destination addresses, zones, and sites:
    1. Select the Source Addresses tab.
    2. Select a source address group or address object for the rule to match, or use the search box to find a source address group or object. To exclude the source address or addresses, click Negate Source Address.
      • To create an Address Group object, click the + icon. For more information, see Add an Address Group in Configure Reusable Objects.
      • To create an Address Object, click the + icon. For more information, see Add an Address Object in Configure Reusable Objects.
    3. To match on IP range, subnet, or wildcard, enter one or more values in the IP Range, Subnet, or Wildcard fields. 
    4. Select the Destination Addresses tab.
    5. Select a destination address group or object for the rule to match, or use the search box to find a destination address group or object. To exclude the destination address or addresses, click Negate Destination Address.
      • To create an Address Group object, click the + icon. For more information, see Add an Address Group in Configure Reusable Objects.
      • To create an Address Object, click the + icon. For more information, see Add an Address Object in Configure Reusable Objects.
    6. To match on IP range, subnet, or wildcard, enter one or more values in the IP Range, Subnet, or Wildcard fields.
    7. Click Enable Match Anycast Address to also match the anycast IP address, which is the shared default gateway IP address.
    8. Select the Source Zones & Sites tab to specify source zones to include in the match criteria. Select one or more source zones or source sites from the lists. You can also select an ingress routing instance.
    9. Select the Destination Zones & Sites tab to specify destination zones to include in the match criteria. Select one or more destination zones or destination sites from the lists. You can also select an egress routing instance.
  7. Click Next or select workflow step 4, Source and Destination Geolocation.
  8. Geolocation uses IP addresses to identify the location of connected devices. By default, source and destination traffic from all locations is included in the match criteria. You can include or exclude source and destination traffic in the match criteria based on geographic location.

    To specify the geographic locations to include or exclude:
    1. On the Source Geo Location tab, click the Country drop-down list to select a geographic category to search. 
    2. In the next field, type the name of the country, state, or city. When a match is found, it is added to the Selected list.
    3. To remove a country from the list, click the X next to the country name. To remove all selections, click Clear All.
    4. To exclude the selected geographic locations from the match criteria, click Negate Selection.
    5. Click the Destination Geo Location tab, and repeat steps 8a through 8d.
       
  9. Click Next or select workflow step 5, Services & DSCP.
  10. By default, all services, service groups, and DSCPs are included in the match criteria. You can specify the services, service groups, and Differentiated Services Code Points (DSCPs) for the rule to match.

    To specify services, service groups, and DSCP to include:
    1. Select the Services tab.
    2. Select the services to include in the match criteria. To filter the list, click All Types, and select Predefined or User Defined. You can also search by service name.
    3. Select the Service Groups tab.
    4. Select the service groups to include in the match criteria. You can search by service group name.
      • To create a service group object, click the + icon. For more information, see Add a Service Group in Configure Reusable Objects.
    5. Select the DSCP tab. By default, all DSCP decimal values are included in the match criteria. You can specify which DSCP decimal values to include.
    6. Select one or more DSCP decimal values. The value range is 0 to 63. You can use the search bar to locate values.
  11. Click Next or select workflow step 6, Security Enforcement.
    You can apply exactly one of the following security enforcements to traffic that matches the rule:
    • Allow—Allow all traffic that matches the rule to pass unfiltered.
    • Deny—Drop all traffic that matches the rule.
    • Reject—Drop the session and notify the sender: a TCP reset (RST) is sent for TCP traffic, and an ICMP port unreachable message for UDP traffic.
    • Profiles—Apply one or more security enforcement profiles to traffic that matches the rule. You can select from predefined or user-defined enforcement profiles in the following categories.
      • Malware protection—Scan web and email traffic for all types of malicious software (malware), which is a file or code that infects, explores, steals or otherwise damages servers and host devices.
      • URL filtering—Prevent access to specific URLs, controlling access to secure (HTTPS) and unsecure (HTTP) websites. This allows you to limit web-browsing activity and reduce risks from uncontrolled access to internet websites, including threat propagation, loss of data, and lack of compliance.
      • Intrusion protection system (IPS)—Identify malicious activity using signatures, which are rules for matching suspicious software or patterns in an application's traffic, and by monitoring for unusual events or trends in network traffic.
      • IP filtering—Identify network traffic based on the source or destination IP address or fully qualified domain name (FQDN), such as www.acme.com, and filter or block traffic based on that IP address or FQDN, on the reputation associated with it, and on its geographic location.
      • File filtering—Identify files by file type and by file hash, and block the transfer of potentially dangerous files: specific file types (that is, files associated with specific applications), files of specific sizes, files carried by specific protocols, and files traveling in a particular direction. You can configure file filtering to perform reputation-based file hash lookups on a cloud server.
      • DNS filtering—Identify traffic based on DNS requests and suspected DNS tunneling and block potentially detrimental sites. 
  12. To allow, deny, or reject all traffic that matches the rule, click Allow, Deny, or Reject.
  13. To apply one or more security enforcement profiles to traffic that matches the rule, click Profiles, and then follow the procedure below.
    1. To apply enforcement profiles to the rule, click the circle in the upper-right corner of the pane for each profile type. 
    2. In the drop-down list for each selected pane, select a user-defined or predefined profile. The pane refreshes to display details for the selected profile. 
      For example, when the predefined profile MalwareProfCheck is selected in the Malware Protection Profile pane, the details for that profile display in the lower portion of the pane.

      Note: To configure a user-defined enforcement profile, see the following documentation:
      • Malware protection: Configure SD-WAN Malware Protection Profiles
      • URL filtering: Configure SD-WAN URL-Filtering Profiles
      • Intrusion prevention system: Configure SD-WAN IPS Profiles
      • IP filtering: Configure SD-WAN IP-Filtering Profiles
      • File filtering: Configure SD-WAN File-Filtering Profiles
      • DNS filtering: Configure SD-WAN DNS-Filtering Profiles
  14. Click Next or select workflow step 7, Review and Submit.
  15. In the General section, enter information for the following fields.

    Name: Enter a name for the rule.
    Description: (Optional) Enter a description for the rule.
    Tags: (Optional) Enter one or more tags. A tag is an alphanumeric text descriptor with no spaces or special characters. You can add multiple tags to the same object. Tags are used for searching objects.
    Schedule: Select a schedule to set the time and frequency at which the rule is in effect.
    Rule Enabled: By default, the rule is enabled. Click the slider to disable the rule once it is saved.
    Logging Disabled: By default, logging is disabled. Click the slider to enable logging for the rule.
    Logging Profile (group of fields): If you enable logging, configure the logging profile:
      • Use Default: Use the default logging profile.
      • Custom: Use a custom logging profile, selected from the Logging Profile field. To add a custom logging profile, go to Configuration > Reusable Objects > Logging Profile; the profile is then automatically added to the Logging Profile drop-down list.
      • Events: Select when to log events: Start (start of traffic flows), End (end of traffic flows, that is, of sessions), or Start & End (both).

    For information about flow logs, see Flow Logs.


  16. Review the remaining sections. Click the Edit (pencil) icon in any section to make changes, as needed.
  17. Click Save Access Control Rule. The Add Access Control Policy screen displays the saved rule. 
  18. To add another rule, click + Add in the horizontal menu. You can also select an existing rule and perform the following operations: 
    • Clone—Creates a copy of the rule. You can change the default name of the cloned rule. The cloned rule then appears in the list of access control rules.
    • Reorder—Reorder the selected policy rule. 
    • Delete—Delete the selected policy rule. 
  19. Continue to Configure Permissions, Review, and Submit the Access Control Policy. 
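
The procedure above builds one rule at a time; what matters operationally is how the whole rule set evaluates a flow: how the match categories combine, what Negate does to a selection, how Known and Unknown users differ, that a disabled rule is skipped, and what Reject puts on the wire. The Python model below is an added example, not Versa code and not the VOS data model; its rule names, zones, subnets, users, applications and flows are constructed. Because the page does not state them, it also assumes that rules are evaluated top-down in policy order with the first enabled match winning (the reason the Reorder control exists), that a flow matching no rule is dropped, that the Wildcard field follows the Cisco convention in which mask bits set to 1 are ignored, and that Reject on a protocol other than TCP or UDP drops silently.

```python
"""Offline model of how an SD-WAN access control rule set evaluates a flow. Added example:
not Versa code and not the VOS data model; assumptions are marked in the comments."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = None  # a criterion left at its default ("all ...") matches everything


def ip_in_spec(ip: str, spec: dict) -> bool:
    """True if ip is in any Subnet, inclusive IP Range, or Wildcard entry. Wildcards are
    (address, mask) with mask bits set to 1 ignored (Cisco style; assumed, the page defines no format)."""
    a = ipaddress.ip_address(ip)
    all_ones = (1 << a.max_prefixlen) - 1
    for net in spec.get("subnets", ()):
        if a in ipaddress.ip_network(net, strict=False):
            return True
    for lo, hi in spec.get("ranges", ()):
        if ipaddress.ip_address(lo) <= a <= ipaddress.ip_address(hi):
            return True
    for base, mask in spec.get("wildcards", ()):
        care = ~int(ipaddress.ip_address(mask)) & all_ones
        if int(a) & care == int(ipaddress.ip_address(base)) & care:
            return True
    return False

def _sel_ok(value, selected: Optional[set], negate: bool = False) -> bool:
    # No selection matches everything; Negate inverts a selection that was made.
    return selected is ANY or (value in selected) != negate

def _addr_ok(ip: str, spec: Optional[dict], negate: bool) -> bool:
    return spec is ANY or ip_in_spec(ip, spec) != negate

def _user_ok(user: Optional[str], users) -> bool:
    # Known = any authenticated user, Unknown = no identity on the flow, else Selected Users.
    if users in ("all", "known", "unknown"):
        return users == "all" or (user is not None) == (users == "known")
    return user in users

@dataclass
class Rule:
    name: str
    action: str                        # "allow" | "deny" | "reject" | "profiles"
    apps: Optional[set] = ANY
    users: object = "all"              # "all" | "known" | "unknown" | set of user names
    src: Optional[dict] = ANY          # {"subnets": [...], "ranges": [...], "wildcards": [...]}
    negate_src: bool = False
    dst: Optional[dict] = ANY
    negate_dst: bool = False
    src_zones: Optional[set] = ANY
    dst_zones: Optional[set] = ANY
    src_countries: Optional[set] = ANY
    negate_src_geo: bool = False
    dscp: Optional[set] = ANY          # decimal DSCP values 0..63
    enabled: bool = True
    log_events: Optional[str] = None   # None = logging disabled | "start" | "end" | "start_end"

    def matches(self, f: dict) -> bool:
        return (_sel_ok(f["app"], self.apps)
                and _user_ok(f.get("user"), self.users)
                and _addr_ok(f["src_ip"], self.src, self.negate_src)
                and _addr_ok(f["dst_ip"], self.dst, self.negate_dst)
                and _sel_ok(f["src_zone"], self.src_zones)
                and _sel_ok(f["dst_zone"], self.dst_zones)
                and _sel_ok(f["src_country"], self.src_countries, self.negate_src_geo)
                and _sel_ok(f["dscp"], self.dscp))

def reject_response(proto: str) -> str:
    # Page: Reject sends a TCP RST for TCP and an ICMP port unreachable for UDP.
    # Assumption: other protocols (ESP, AH, ICMP) are dropped silently.
    return {"tcp": "TCP RST", "udp": "ICMP port unreachable"}.get(proto, "silent drop")

def evaluate(rules: list, f: dict) -> dict:
    """Assumptions: rules are evaluated top-down in policy order (why Reorder exists),
    the first enabled match wins, and a flow matching no rule is dropped."""
    for r in rules:
        if r.enabled and r.matches(f):
            resp = reject_response(f["proto"]) if r.action == "reject" else (
                "forward" if r.action in ("allow", "profiles") else "silent drop")
            return {"rule": r.name, "action": r.action, "response": resp}
    return {"rule": None, "action": "deny", "response": "silent drop"}

# Constructed policy: names, zones, subnets, users and apps are illustrative only.
POLICY = [
    Rule("reject-unauthenticated-to-dc", action="reject", users="unknown",
         src_zones={"LAN"}, dst={"subnets": ["10.50.0.0/16"]}, log_events="start"),
    Rule("guest-no-private-dst", action="deny", src={"subnets": ["192.168.100.0/24"]},
         dst={"subnets": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}),
    Rule("inspect-web-to-wan", action="profiles", apps={"http", "https"},
         src_zones={"LAN", "GUEST"}, dst_zones={"WAN"}, log_events="end"),
    Rule("allow-voice-ef", action="allow", dscp={46}, src_zones={"LAN"}),
    Rule("legacy-allow-all", action="allow", enabled=False),  # listed, never evaluated
]

def flow(src_ip, dst_ip, proto, app, src_zone, dst_zone, user=None, country="US", dscp=0):
    # Constructed flow record carrying the fields the rule criteria look at.
    return dict(src_ip=src_ip, dst_ip=dst_ip, proto=proto, app=app, src_zone=src_zone,
                dst_zone=dst_zone, user=user, src_country=country, dscp=dscp)

if __name__ == "__main__":
    # Unauthenticated LAN host to the data-centre subnet: rejected with a TCP RST.
    print(evaluate(POLICY, flow("10.1.1.5", "10.50.2.3", "tcp", "ssh", "LAN", "DC")))
```

Two caveats fall out of the model. First, a Negate toggle on a tab where nothing is selected still matches everything in this model, because the default "all addresses" has nothing to invert; confirm how your release treats that combination before relying on a negated rule. Second, the authenticated user "alice" reaching the data-centre subnet over UDP hits no rule at all and lands on the assumed implicit deny, which is exactly the kind of gap to look for when a rule set has been reordered or a rule disabled.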

Configure Permissions, Review, and Submit the Access Control Policy

  1. In the Add Access Control Policy screen, select workflow step 2, Permissions.
  2. To change the permissions for a role, select Edit, Hide, or Read in the Permissions column.
  3. Click Next or select workflow step 3, Review and Submit.
  4. In the General section, enter values for the following fields.

    Name: Enter a name for the access control policy.
    Description: Enter a text description.
    Tags: Enter a tag, and then press the Enter key. You can enter multiple tags. A tag is an alphanumeric text descriptor with no spaces or special characters. Tags are used for searching objects.
    Reuse Options (for policies added through the Main Templates workflow): Click Reusable on Other Templates to make the policy usable in other main templates. Otherwise, click Not Reusable. If you mark the policy as reusable, the policy is listed in the Access Control Policies table at Configure > SD-WAN > Security > Access Control.

  5. Review the settings you have selected. Click the Edit (pencil) icon to change a setting, as needed.
  6. Click Submit.

Manage SD-WAN Access Control Policies

You can perform the following actions on SD-WAN access control policies:

  • Edit
  • Clone
  • Delete
  • View references
  • Propagate
  • Compare versions
  • View the audit log
  • Enable and disable auto delete

For information about these actions, see Manage SD-WAN Policies and Profiles.

Supported Software Information 

Releases 13.1.1 and later support all content described in this article.