User Guide
OmniAccess SafeGuard OS Administration Guide
319
Chapter 7: Establishing a Security Policy
Configuring the Roles
Two system roles, authenticated and unauthenticated, are created by default for you. All
user-defined roles are assumed to be children of the authenticated role, unless the new
role is designated to be a child of another role.
Although roles can be configured in any order, it is usually easiest to configure them
from the least specific to the most specific. For example, Figure 11 on page 307 shows
a simple role hierarchy. In that example you would probably start by configuring the
Engineering role, and then continue down the tree to the Hardware Engineer and
Software Engineer roles.
After binding all the required user policies to a role, issue the “refresh policy role
<role-name>” command so that the policies bound to that role take effect. Likewise,
unbinding a policy from a user role also takes effect only after the role is refreshed;
until then the unbound policy is still enforced.
Some rules for configuring roles are:
■ Each user role can have up to eight policies bound to it.
■ The chain within a role hierarchy cannot be cyclical.
■ The default role of unauthenticated cannot be a parent of other user configured
roles.
■ Default roles cannot be deleted.
For more details on system roles, see System Generated Policies and Roles on page 325.
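The following is an added example, not code from the SafeGuard OS guide or from the product, that models the role rules listed above in Python: user-defined roles default to children of authenticated, unauthenticated can never be a parent, the hierarchy may not contain a cycle, at most eight policies bind to a role, default roles cannot be deleted, and a bind or unbind is enforced only after a refresh. Role and policy names are invented; the "still has child roles" and "system roles cannot be re-parented" checks are assumptions not stated in the guide.

```python
"""Added example, not code from the SafeGuard OS guide or product: a Python model
of the role rules listed above. Role and policy names are invented, and the
hierarchy mirrors the Engineering example in the text."""

from typing import Dict, List, Optional

MAX_POLICIES_PER_ROLE = 8                              # each role takes at most eight policies
SYSTEM_ROLES = ("authenticated", "unauthenticated")   # created by default, never deletable


class Role:
    def __init__(self, name: str, parent: Optional[str]):
        self.name = name
        self.parent = parent            # None only for the two system roles
        self.bound: List[str] = []      # policies bound on the CLI, pending "refresh policy role"
        self.enforced: List[str] = []   # policies actually applied, as of the last refresh


class RoleHierarchy:
    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {n: Role(n, None) for n in SYSTEM_ROLES}

    def _ancestors(self, name: str) -> List[str]:
        chain, cur = [], self.roles[name].parent
        while cur is not None:
            chain.append(cur)
            cur = self.roles[cur].parent
        return chain

    def _check_parent(self, name: str, parent: str) -> None:
        if parent not in self.roles:
            raise ValueError(f"unknown parent role {parent!r}")
        if parent == "unauthenticated":
            raise ValueError("the default unauthenticated role cannot be a parent")
        if parent == name or name in self._ancestors(parent):
            raise ValueError(f"making {parent!r} the parent of {name!r} would create a cycle")

    def add_role(self, name: str, parent: str = "authenticated") -> None:
        """User-defined roles hang off 'authenticated' unless another parent is named."""
        if name in self.roles:
            raise ValueError(f"role {name!r} already exists")
        self._check_parent(name, parent)
        self.roles[name] = Role(name, parent)

    def set_parent(self, name: str, parent: str) -> None:
        """Re-parent an existing role; the cycle check walks up from the new parent."""
        if name in SYSTEM_ROLES:
            raise ValueError("system roles keep their place in the hierarchy")  # assumption
        self._check_parent(name, parent)
        self.roles[name].parent = parent

    def delete_role(self, name: str) -> None:
        if name in SYSTEM_ROLES:
            raise ValueError("default roles cannot be deleted")
        if any(r.parent == name for r in self.roles.values()):
            raise ValueError(f"{name!r} still has child roles")  # assumption: re-parent them first
        del self.roles[name]

    def bind_policy(self, role: str, policy: str) -> None:
        r = self.roles[role]
        if policy in r.bound:
            raise ValueError(f"{policy!r} is already bound to {role!r}")
        if len(r.bound) >= MAX_POLICIES_PER_ROLE:
            raise ValueError(f"{role!r} already has {MAX_POLICIES_PER_ROLE} policies bound")
        r.bound.append(policy)

    def unbind_policy(self, role: str, policy: str) -> None:
        self.roles[role].bound.remove(policy)   # takes effect only after the next refresh

    def refresh(self, role: str) -> List[str]:
        """Models 'refresh policy role <role>': the bound set becomes the enforced set."""
        r = self.roles[role]
        r.enforced = list(r.bound)
        return r.enforced


def rejected(fn, *args) -> bool:
    """Demonstration helper: True if the operation is refused with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

The split between `bound` and `enforced` is the part worth keeping in mind operationally: a deny policy that has been bound but not refreshed protects nothing, and a policy that has been unbound but not refreshed is still applied, so a change window is not complete until the refresh has been issued for every role touched.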
action
  Specifies the action to be taken if the traffic matches the preceding patterns. If log
  is also specified, the match is sent to OmniVista SafeGuard Manager as part of
  Visualization. Action can be any of the following:
  ■ action deny – drop the packet
  ■ action deny RESET – drop the packet and reset the denied TCP connection (L7 only)
  ■ action permit – permit the packet

mirror
  Mirror the flow. For more details, see Configuring Policy-Based Mirroring on page 323.

log
  Log the event to OmniVista SafeGuard Manager.

precedence number
  Each policy filter has an associated precedence, which sorts the filters within the
  policy. Precedences have a valid range of 1 (highest) to 65535 (lowest). If a
  precedence number is not supplied, the system assigns one. For more details, see
  Displaying Policy Configurations on page 327.
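The following is an added example, not code from the SafeGuard OS guide or product, that models how filter precedence orders the filters within a policy and why the order matters. The guide states only the range (1 highest, 65535 lowest) and that an omitted precedence is system-assigned; the match fields (protocol and destination port), first-match evaluation, the way an omitted precedence is filled in, and the rejection of duplicate precedences are all simplifying assumptions, and the flows are constructed for the demonstration.

```python
"""Added example (not from the guide): a small model of filter precedence inside
one SafeGuard policy. The match fields, the first-match rule, the auto-assignment
of an omitted precedence and the duplicate check are assumptions; flows are
constructed for the demonstration."""

from dataclasses import dataclass
from typing import Dict, List, Optional

PRECEDENCE_MIN = 1       # highest priority, per the guide
PRECEDENCE_MAX = 65535   # lowest priority, per the guide
ACTIONS = {"permit", "deny", "deny RESET"}


@dataclass
class Filter:
    name: str
    action: str
    proto: Optional[str] = None       # None = match any protocol (simplified pattern, assumption)
    dst_port: Optional[int] = None    # None = match any destination port
    mirror: bool = False              # mirror the flow when matched
    log: bool = False                 # report the match to OmniVista SafeGuard Manager
    precedence: Optional[int] = None  # None = let the policy assign one

    def patterns(self):
        return (self.proto, self.dst_port)

    def matches(self, flow: Dict[str, object]) -> bool:
        return (self.proto is None or self.proto == flow.get("proto")) and \
               (self.dst_port is None or self.dst_port == flow.get("dst_port"))

    def covers(self, other: "Filter") -> bool:
        """True if every flow matched by `other` is also matched by this filter."""
        return all(a is None or a == b for a, b in zip(self.patterns(), other.patterns()))


class Policy:
    def __init__(self, name: str):
        self.name = name
        self.filters: List[Filter] = []

    def add_filter(self, f: Filter) -> Filter:
        if f.action not in ACTIONS:
            raise ValueError(f"unknown action {f.action!r}")
        used = {x.precedence for x in self.filters}
        if f.precedence is None:
            # Assumption: a system-assigned precedence goes after the lowest-priority
            # filter already in the policy, so it never pre-empts an explicit one.
            f.precedence = (max(used) + 1) if used else PRECEDENCE_MIN
        if not PRECEDENCE_MIN <= f.precedence <= PRECEDENCE_MAX:
            raise ValueError(f"precedence {f.precedence} outside {PRECEDENCE_MIN}..{PRECEDENCE_MAX}")
        if f.precedence in used:
            # Assumption: duplicates are rejected so the evaluation order is unambiguous.
            raise ValueError(f"precedence {f.precedence} already used in policy {self.name!r}")
        self.filters.append(f)
        return f

    def ordered(self) -> List[Filter]:
        """Filters in evaluation order: precedence 1 first, 65535 last."""
        return sorted(self.filters, key=lambda x: x.precedence)

    def evaluate(self, flow: Dict[str, object]) -> Optional[Dict[str, object]]:
        """The first matching filter in precedence order decides (assumption: first match
        wins). Returns None when nothing matches; the device default for that case is
        not described on this page and is not modelled."""
        for f in self.ordered():
            if f.matches(flow):
                return {"filter": f.name, "action": f.action, "mirror": f.mirror, "log": f.log}
        return None

    def shadowed(self) -> List[str]:
        """Names of filters that can never fire because a higher-precedence filter
        already matches everything they match. A broad permit with a low number
        silently disables every more specific deny behind it."""
        order = self.ordered()
        return [later.name for i, later in enumerate(order)
                if any(earlier.covers(later) for earlier in order[:i])]
```

`shadowed()` is the check worth running after editing a policy: because a lower number wins, a "permit everything" filter at precedence 1 makes every deny filter with a larger number unreachable, and the device will not warn about it.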