Organization-wide Group Policy User Guide
Configuration Overview
In this guide we will configure and manage Organization-wide Group Policies.
Definitions
- Enforcement Target: Defines the "who" or "what" the policy applies to (acting as the "source" in a typical firewall rule). This can be a specific VLAN(s) or an SGT from which traffic originates.
- Rulesets: A collection of firewall rules that can include both Layer 3 (IPv4) and Layer 7 (Application) criteria.
- Firewall Rule: Specifies the criteria (source, destination, port, protocol) and the action (allow or deny) to be taken on traffic.
Managing Policies
Navigate to Security > Group Policy. Here, you will find a comprehensive list of all configured policies. This page allows you to review each group policy in detail, including its enforcement targets, rulesets, and the last modified date. 
Creating a New Policy
- Navigate to Security > Group Policy.
- Click Add group policy in the upper-right corner of the table.
- Enter a name for the new policy.
- (Optional) Enter a description for the policy.
- Click Save.
Once a policy is created, be sure to add an Enforcement Target and attach a Ruleset.

Editing an existing Policy
- Navigate to Security > Group Policy.
- Click the name of the policy you want to edit.
Add Enforcement Target
For more information on Enforcement Targets, please see this guide.
- Inside the policy, click the Add enforcement button.
- A selector will appear showing all configured network VLANs or SGTs.
- Only MX VLANs meeting the firmware requirements will be selectable.
- A specific VLAN or SGT can only belong to a single Organization-wide Group Policy.
- If using SGT as an Enforcement Target, please refer to the troubleshooting guide for more information.
- Select your target and click Save. This action immediately commits the change.

Warning: Changes take effect immediately upon saving.
Attaching a Ruleset
- Inside the policy, click Attach rulesets.
- Select the desired ruleset(s).
- Note: In the initial release, only one ruleset can be selected per policy. Additional functionality will be added later.
- Click Save. This action immediately commits the change.
Warning: Changes take effect immediately upon saving.
Managing Rulesets
Creating a Ruleset
- Navigate to Security > Group Policy and click the Rulesets tab.
- Click Add ruleset in the top right corner.
- To edit an existing ruleset, click its name.
- To delete a ruleset, click Delete ruleset, then confirm by clicking "I understand" and "Delete ruleset" in the modal.
- Click Save. Once the rule profile is created it will appear with an empty rule list.

Adding Rules to a Ruleset
- Navigate to Security > Group Policy and select the Rulesets tab.
- Click on the name of a ruleset to edit it.
- Click the Add rule button.
- Configure the Rule criteria (more information below)
- Click Save to return to the ruleset view.
Rules can be configured with the following options:
- Name: Give the rule a descriptive name without using special characters: #, /, $, @, %, !, etc.
- Add description: (Optional) Add a description of the rule
- Priority: By default, new rules are added to the top. Enter a specific number to insert the rule at that priority level.
- Example: entering 2 in a list of 10 rules will place the new rule in the second position and shift the rest of the rules down.
- Example: entering 99 in a list of 10 rules will place the new rule at the bottom as rule 11.
- Rule Status: Enable or disable the rule. If the rule is disabled, it will not be enforced. (Default: Enabled).
- Action: Choose Allow or Deny.
- Source:
- Default: "Any" (The dashboard uses the Policy's Enforcement Target as the source).
- Specify Source: You can manually enter an IP/CIDR, select a Policy Object/Group, select a specific VLAN, or specify source ports.
- Destination: Choose from the following:
- Policy Objects / Groups: Reusable objects created under Organization > Policy Objects.
- Internet and SaaS Resources: Layer 7 application categories (NBAR). *See note below*
- IP Address/Subnet: Standard L3 IPv4 CIDR input.
- Ports and Protocols: TCP, UDP (with specific ports), or ICMP.
- VLANs: Select any VLAN within your organization.
Note: When you add Layer 7 rules to the policy, it is expected that a small number of packets may pass through the firewall before being classified. This occurs because NBAR (Network-Based Application Recognition) requires several initial packets to accurately identify the application traffic. For classification purposes, up to 7 packets or a total of 2000 bytes may be allowed before enforcement begins. Subsequent rules may also allow some packets for classification purposes. Please see the troubleshooting section Understanding Layer 7 Rules in your Ruleset.
Warning: Changes take effect immediately upon saving.
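Because every save commits immediately, a planned change can be checked offline against the constraints this guide states (one policy per VLAN or SGT, one ruleset per policy, no special characters in rule names, priority placement) before it is entered in the dashboard. The following is an added example, not part of the product or the original guide; the dictionary schema, the function names and the allowed-character set are assumptions.

```python
import re

# Assumption: the guide lists "#, /, $, @, %, !, etc" without a complete set,
# so this check conservatively allows only letters, digits, space, '-' and '_'.
SAFE_NAME = re.compile(r"^[A-Za-z0-9 _-]+$")

def insert_rule(rules, new_rule, priority=None):
    """Return the rule order after an insert, as the Priority option describes:
    no priority -> top; priority N -> position N; N past the end -> bottom."""
    if priority is None:
        return [new_rule] + rules
    if priority < 1:
        raise ValueError("priority must be 1 or greater")
    index = min(priority - 1, len(rules))
    return rules[:index] + [new_rule] + rules[index:]

def lint_plan(policies):
    """Check a planned configuration (hypothetical schema) and return findings."""
    findings = []
    owner = {}  # enforcement target -> first policy that claimed it
    for policy in policies:
        name = policy["name"]
        if not policy["targets"]:
            findings.append(f"policy {name!r} has no enforcement target")
        for target in policy["targets"]:
            if target in owner:
                findings.append(f"target {target} is in both {owner[target]!r} and {name!r}")
            owner.setdefault(target, name)
        if len(policy["rulesets"]) != 1:
            findings.append(f"policy {name!r} needs exactly one ruleset attached")
        for ruleset in policy["rulesets"]:
            for rule in ruleset["rules"]:
                if not SAFE_NAME.match(rule["name"]):
                    findings.append(f"rule name {rule['name']!r} has special characters")
    return findings

# Constructed sample plan (not taken from a real organization).
PLAN = [
    {"name": "Guest", "targets": ["VLAN 30"], "rulesets": [
        {"name": "guest-rules", "rules": [{"name": "Block RFC1918", "action": "deny"},
                                          {"name": "Web/HTTPS", "action": "allow"}]}]},
    {"name": "IoT", "targets": ["VLAN 30", "SGT 12"], "rulesets": []},
]

if __name__ == "__main__":
    for finding in lint_plan(PLAN):
        print(finding)
```
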

Disabling a Rule in a Ruleset
- Navigate to Security > Group Policy and select the Rulesets tab.
- Click on the Ruleset that you want to edit.
- To disable a specific rule, click the "..." icon in the right-most column of the rule table for that rule.
- Click Disable. The icon will change from a green star to a gray minus symbol.

Deleting a Rule in a Ruleset
- Navigate to Security > Group Policy and select the Rulesets tab.
- Click on the Ruleset that you want to edit.
- To delete a specific rule, click the "..." icon in the right-most column of the rule table for that rule.
- Click Delete rule
- A popup will appear. To confirm, click the checkbox for "I understand that this action cannot be undone".
- Click Delete rule. Please note that the rule is immediately deleted.

Deleting a Ruleset
- Navigate to Security > Group Policy and select the Rulesets tab.
- To delete a specific Ruleset, click the "..." icon in the right-most column of the table for that ruleset.
- Click Delete ruleset
- A popup will appear. To confirm, click the checkbox for "I understand that this action cannot be undone".
- Click Delete ruleset. Please note that the ruleset is immediately deleted.

Viewing your Policy Rules
- Navigate to Security > Group Policy
- Click on the Policy you would like to view
- Scroll to the Rulesets section, then click the Rules tab


