Security Policy
Policy combines one or more Security policy definitions to create a Policy based on use-case. These policies can then be attached to device templates.
Diagram
Classes
security_policies (sdwan)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| feature_policies | List | [feature_policies] | No |
feature_policies (sdwan.security_policies)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[A-Za-z0-9\-_]{1,32}$ | Yes | |
| description | String | Yes | ||
| use_case | Choice | custom, compliance, guest_access, direct_cloud_access, direct_internet_access, app_qoe | Yes | |
| firewall_policies | List | String[Regex: ^[A-Za-z0-9\-_]{1,32}$] | No | |
| intrusion_prevention_policy | String | Regex: ^[A-Za-z0-9\-_]{1,32}$ | No | |
| additional_settings | Class | [additional_settings] | No |
additional_settings (sdwan.security_policies.feature_policies)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| firewall | Class | [firewall] | No | |
| ips_url_amp | Class | [ips_url_amp] | No |
firewall (sdwan.security_policies.feature_policies.additional_settings)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| direct_internet_applications | Boolean | true, false | No | |
| tcp_syn_flood_limit | Integer | min: 1, max: 4294967295 | No | |
| high_speed_logging | Class | [high_speed_logging] | No | |
| audit_trail | Boolean | true, false | No | |
| match_stats_per_filter | Boolean | true, false | No |
ips_url_amp (sdwan.security_policies.feature_policies.additional_settings)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| external_syslog_server | Class | [external_syslog_server] | Yes | |
| failure_mode | Choice | open, close | Yes |
high_speed_logging (sdwan.security_policies.feature_policies.additional_settings.firewall)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| vpn_id | Integer | min: 0, max: 65530 | Yes | |
| server_ip | IP | Yes | ||
| server_port | Integer | min: 0, max: 65535 | Yes |
external_syslog_server (sdwan.security_policies.feature_policies.additional_settings.ips_url_amp)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| vpn_id | Integer | min: 0, max: 65530 | Yes | |
| server_ip | IP | Yes |
Examples
sdwan:
security_policies:
feature_policies:
- name: Security_policy_generic
description: Security Policy Generic
use_case: custom
firewall_policies:
- allow_http_internal
- allow_critical_apps
intrusion_prevention_policy: inspect_web_apps
additional_settings:
firewall:
direct_internet_applications: true
tcp_syn_flood_limit: 1239
high_speed_logging:
vpn_id: 1
server_ip: 1.1.1.1
server_port: 2055
audit_trail: true
match_stats_per_filter: true
ips_url_amp:
external_syslog_server:
vpn_id: 2
server_ip: 2.2.2.2
failure_mode: open