User Guide

OmniAccess SafeGuard OS Administration Guide
Chapter 7: Establishing a Security Policy
EPV System Policies
EPV also maintains a system-level policy to permit EPV processing for certain types of
packets.
Filter System_Redirect-epvhttp-tcp from any to host 69.233.160.203 tcp 31862 redirect-cpu precedence 7
EPV also has system-level bypass policies to bypass certain types of packets:
(SW108) #show policy epv system
policy epv "System-epv"
filter "bypass1" from host 255.255.255.255 to any any bypass precedence 1
filter "bypass2" from network 0.0.0.0 255.255.255.255 to any any bypass precedence 2
filter "bypass3" from network 224.0.0.0 240.0.0.0 to any any bypass precedence 3
filter "bypass4" from network 127.0.0.0 255.0.0.0 to any any bypass precedence 4
filter "bypass-dhcp1" from any to any udp 67 bypass precedence 5
filter "bypass-dhcp2" from any to any udp 68 bypass precedence 6
filter "bypass-dns-udp" from any to any udp 53 bypass precedence 7
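The following Python code is an added example, not part of the vendor guide. It parses the filter lines shown above and lists the bypass filters whose source and destination are both any, which are the entries that exempt traffic from EPV on protocol and port alone. The regular expression covers only the filter forms printed on this page, and the function names are hypothetical.

```python
import re

# Constructed sample: the `show policy epv system` output shown above, one filter per line.
SAMPLE = '''policy epv "System-epv"
filter "bypass1" from host 255.255.255.255 to any any bypass precedence 1
filter "bypass2" from network 0.0.0.0 255.255.255.255 to any any bypass precedence 2
filter "bypass3" from network 224.0.0.0 240.0.0.0 to any any bypass precedence 3
filter "bypass4" from network 127.0.0.0 255.0.0.0 to any any bypass precedence 4
filter "bypass-dhcp1" from any to any udp 67 bypass precedence 5
filter "bypass-dhcp2" from any to any udp 68 bypass precedence 6
filter "bypass-dns-udp" from any to any udp 53 bypass precedence 7
'''

# Grammar covers only the forms that appear on this page (an assumption, not the full CLI syntax).
ENDPOINT = r'(?:any|host \S+|network \S+ \S+|port \S+)'
FILTER_RE = re.compile(
    r'^filter "?(?P<name>[^"\s]+)"? from (?P<src>' + ENDPOINT + r') to (?P<dst>' + ENDPOINT + r')'
    r' (?P<proto>any|tcp|udp)(?: (?P<port>\d+))?'
    r' (?P<action>bypass|redirect-cpu)(?: precedence (?P<prec>\d+))?$')

def parse_filters(text):
    """Return one dict per filter line; raise on a filter line the grammar does not cover."""
    filters = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith('filter '):
            continue  # skips the policy header and blank lines
        m = FILTER_RE.match(line)
        if m is None:
            raise ValueError('unrecognised filter line: ' + line)
        f = m.groupdict()
        f['port'] = int(f['port']) if f['port'] else None
        f['prec'] = int(f['prec']) if f['prec'] else None
        filters.append(f)
    return filters

def unscoped_bypasses(filters):
    """Bypass filters with source and destination both 'any': only protocol/port limits them."""
    return [f['name'] for f in filters
            if f['action'] == 'bypass' and f['src'] == 'any' and f['dst'] == 'any']

if __name__ == '__main__':
    parsed = parse_filters(SAMPLE)
    for f in sorted(parsed, key=lambda f: f['prec'] or 0):
        print(f['prec'], f['name'], f['src'], '->', f['dst'], f['proto'], f['port'], f['action'])
    print('review:', unscoped_bypasses(parsed))
```
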
Default System Roles
SafeGuard OS creates two system roles, authenticated and unauthenticated, on which
all other user roles are based. These default roles are automatically applied to the
default system and EPV system policies. All customer-defined roles are assumed to be
children of the authenticated role, unless the new role is designated to be a child of
another role.
Dynamic System Policies
Dynamic system policies only apply to the unauthenticated role.
After Captive Portal is enabled using the aaa captive portal command, the system
automatically creates a policy to redirect web portal traffic. An example for port 6
follows:
system-policy System_6
filter System_6-1 from port 6 to any tcp 3128 redirect-cpu
filter System_6-2 from port 6 to any tcp 443 redirect-cpu
filter System_6-3 from port 6 to any tcp 80 redirect-cpu
Likewise, if you configure EPV bypass and trigger policies, the system automatically
creates system policies.