User Guide
OmniAccess SafeGuard OS Administration Guide
Chapter 9: End Point Validation
In addition to the standard L2-L4 policy rules, EPV bypass filters can be
configured based on the assigned user role. This may be useful, for example, if a
group of guest users authenticates via captive portal but should not be scanned. If
these guest users are placed in a role called GUEST_ROLE, the following bypass
filter can be used to keep these users from being scanned by EPV:
filter noGuestCheck from role GUEST_ROLE to any bypass
This type of role-based filter can also be used to keep unauthenticated users from
being scanned by EPV. This may be desirable in an environment where the
unauthenticated role is being used to provide some minimal guest access. In this
case, the following filter can be used:
filter noUnauthCheck from role unauthenticated to any bypass
Bypass Examples
In the following example, UDP traffic in the range 60000 to 65535 coming from the
conference center network zone (conf_ctr) and going to any destination is bypassed
from posture checking:
(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #policy epv bypass
(SafeGuardOS) (policy-epv) #description "This is our standard bypass policy."
(SafeGuardOS) (policy-epv) #filter stdBypass from network-zone conf_ctr to any UDP range 60000 65535 bypass
(SafeGuardOS) (policy-epv) #exit
(SafeGuardOS) (config) #exit
(SafeGuardOS) #
In the next example, users with the role of “guest” are bypassed from posture checking:
(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #policy epv bypass
(SafeGuardOS) (policy-epv) #description "Bypass policy for guests."
(SafeGuardOS) (policy-epv) #filter guestPolicy from role guest to any any bypass
(SafeGuardOS) (policy-epv) #exit
(SafeGuardOS) (config) #exit
(SafeGuardOS) #
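Because every bypass filter removes traffic from posture checking, it is worth reviewing them periodically. The following is an added example, not part of the SafeGuard OS guide: a small Python audit over captured CLI text. The filter grammar is inferred only from the filter lines on this page, and the function names are hypothetical.

```python
import re

# Grammar inferred only from the filter lines shown on this page (an assumption,
# not the full SafeGuard OS syntax):
#   filter <name> from (role|network-zone) <source> to <dest...> bypass
FILTER_RE = re.compile(
    r"filter\s+(?P<name>\S+)\s+from\s+(?P<kind>role|network-zone)\s+"
    r"(?P<source>\S+)\s+to\s+(?P<rest>.*?)\s*bypass\s*$"
)
RANGE_RE = re.compile(r"(?P<proto>\S+)\s+range\s+(?P<lo>\d+)\s+(?P<hi>\d+)$")

def parse_bypass_filters(text):
    """Return one dict per bypass filter found in CLI or config text."""
    filters = []
    for line in text.splitlines():
        m = FILTER_RE.search(line)
        if not m:
            continue
        f = {"name": m["name"], "kind": m["kind"], "source": m["source"],
             "proto": None, "ports": None}
        r = RANGE_RE.search(m["rest"])
        if r:  # filter is narrowed to a protocol and numeric range
            f["proto"] = r["proto"]
            f["ports"] = (int(r["lo"]), int(r["hi"]))
        filters.append(f)
    return filters

def review(filters):
    """Flag filters that exempt unauthenticated users or a whole role from EPV."""
    findings = []
    for f in filters:
        if f["kind"] == "role" and f["source"].lower() == "unauthenticated":
            findings.append((f["name"], "unauthenticated users skip posture checking"))
        elif f["kind"] == "role" and f["ports"] is None:
            findings.append((f["name"], f"all traffic from role {f['source']} skips posture checking"))
    return findings

# Constructed sample: filter lines from this page as they appear in a session.
SAMPLE = """\
(SafeGuardOS) (policy-epv) #filter stdBypass from network-zone conf_ctr to any UDP range 60000 65535 bypass
(SafeGuardOS) (policy-epv) #filter guestPolicy from role guest to any any bypass
(SafeGuardOS) (policy-epv) #filter noUnauthCheck from role unauthenticated to any bypass
"""

if __name__ == "__main__":
    for name, why in review(parse_bypass_filters(SAMPLE)):
        print(f"{name}: {why}")
```

A flagged filter is not necessarily wrong; it is a prompt to confirm that the role's access is restricted enough that skipping EPV is acceptable.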
Configuring a Trigger Policy
Trigger policies control which conversations the EPV feature will hijack.
To create a trigger policy:
1 Use the Global Configuration command, policy epv trigger, to enter the
Policy-epv submode. This command does not have any options or parameters.
For example,
(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #policy epv trigger
(SafeGuardOS) (policy-epv) #










