Editing an access control policy

When you edit an access control policy, you should lock it to ensure that your changes do not get overridden by another person who might edit it simultaneously.

You can only edit access control policies that were created in the current domain. Also, you cannot edit settings that are locked by an ancestor access control policy.

To protect the privacy of your session, a warning appears after 30 minutes of inactivity on the policy editor. After 60 minutes, the system discards your changes.

Note

When you edit a policy and do not lock it, a banner message might indicate that other users are currently editing the policy. When one of these users saves changes, you will be prompted to either merge or discard your changes. You should immediately decide what to do. For more information, see Concurrent editing and merging changes.

Procedure


Step 1

Choose Policies > Access Control heading > Access Control.

Step 2

Click Edit (edit icon) next to the access control policy you want to edit.

If View (View button) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Step 3

Edit your access control policy.

Tip

You can operate on multiple rules at one time by selecting their checkboxes in the left column, then selecting the action you want to perform from the Select Bulk Rule Actions drop-down list next to the search box. Bulk editing is available for enabling and disabling, copying, moving, deleting, and editing rules, or viewing hit counts or related events. You can also remove object overlaps in the selected rules.

You can change the following settings or perform these actions:

  • Name and description—Click Edit (edit icon) next to the name, make your changes, and click Save.

  • Default action and settings—Choose a value from the Default Action drop-down list, then click Cog (cog icon), make your changes to the settings, and click OK. For detailed information, see Setting the access control default action.

  • Associated policies—To edit or change policies in the packet flow, click the policy type in the packet flow representation below the policy name. You can select the Prefilter Rules, Decryption, Security Intelligence, and Identity policies. When necessary, click Access Control to return to the access control rules.

  • Policy assignment—To identify the managed devices targeted by this policy, or enforce this policy in a subdomain, click the Assigned: x devices link. You can assign the policy to devices or device templates.

  • Rules—To manage access control rules, and to inspect and block malicious traffic using intrusion and file policies, click Add Rule, or right-click an existing rule and select Edit or another appropriate action. The actions are also available from the More (more icon) button for each rule. See Create and Edit Access Control Rules.

  • Layout—Use the Grid/Table View icon above the list of rules to change the layout. Grid view provides color-coded objects in an easy-to-see layout. Table view provides a summary list so that you can see more rules at once. You can freely switch views without impacting the rules.

  • Columns (table view only)—Click the Show/Hide Columns icon above the list of rules to select which information to show in the table. Click Show/Hide Empty Columns to quickly add or remove all columns that have no information, that is, columns for conditions you are not using in any rule. Click Revert to Default to undo all of your customizations.

  • Analyze rule logic—You can select the following options from the Analyze menu to examine the logic of your rules:

    • Manage Rule Hit Counts—To view statistics on how many connections matched each rule. See Viewing rule hit counts.

    • Enable/Disable Rule Conflicts—Select whether you want to see information on whether rules interfere with each other. You can then view the results using the following commands. See Analyzing rule conflicts and warnings.

      • Show Warnings and Errors—See whether there are rules with configuration issues that you need to address.

      • Show Policy Warnings—See whether there are configuration issues with the policy.

      • Show Rule Conflicts—See whether you have redundant or shadowed rules. A rule with these conflicts can never be matched by any connection, which means that you need to fix its match criteria, move the rule, or simply delete the rule.

  • Additional settings—To change additional settings for the policy, select one of the following options from the More drop-down arrow at the end of the packet flow line.
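The rule conflict check described under Analyze rule logic above flags rules that can never match because an earlier rule already matches every connection they would. The following is an added example that is not part of this documentation or of the product's own analysis engine; it uses a hypothetical `Rule` type with only source, destination, protocol and destination port conditions, and the sample rules are constructed. A later rule fully covered by an earlier rule with the same action is reported as redundant; one covered by an earlier rule with a different action is reported as shadowed.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    """Hypothetical simplified access control rule (constructed for this example)."""
    name: str
    action: str            # "allow" or "block"
    src: str = "0.0.0.0/0"  # source network, 0.0.0.0/0 means any
    dst: str = "0.0.0.0/0"  # destination network, 0.0.0.0/0 means any
    proto: str = "any"      # "any", "tcp" or "udp"
    dport: tuple = ANY_PORT  # inclusive destination port range


def _net_covers(outer: str, inner: str) -> bool:
    """True if every address in `inner` lies within `outer`."""
    o, i = ipaddress.ip_network(outer), ipaddress.ip_network(inner)
    if o.version != i.version:
        return False  # subnet_of() raises on mixed IP versions
    return i.subnet_of(o)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every connection that matches `inner` also matches `outer`."""
    src_ok = _net_covers(outer.src, inner.src)
    dst_ok = _net_covers(outer.dst, inner.dst)
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    port_ok = outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1]
    return src_ok and dst_ok and proto_ok and port_ok


def analyze(rules):
    """Return (rule_name, kind, covering_rule_name) for each unreachable rule.

    Rules are evaluated top to bottom, so only earlier rules can hide a later
    one; the first covering rule is reported because it is the one that matches.
    """
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, kind, earlier.name))
                break
    return findings


# Constructed sample policy: rule 3 is hidden by rule 2, rule 4 duplicates rule 1.
SAMPLE_RULES = [
    Rule("allow-dns", "allow", dst="10.0.0.53/32", proto="udp", dport=(53, 53)),
    Rule("block-guest-to-dc", "block", src="192.168.50.0/24", dst="10.0.0.0/8"),
    Rule("allow-guest-web-to-dc", "allow", src="192.168.50.0/24",
         dst="10.0.0.10/32", proto="tcp", dport=(443, 443)),
    Rule("allow-dns-duplicate", "allow", src="192.168.0.0/16",
         dst="10.0.0.53/32", proto="udp", dport=(53, 53)),
    Rule("allow-internal-web", "allow", src="10.0.0.0/8", dst="10.0.0.0/8",
         proto="tcp", dport=(80, 443)),
]

if __name__ == "__main__":
    for name, kind, by in analyze(SAMPLE_RULES):
        print(f"{name}: {kind} (covered by {by})")
```

The check is deliberately conservative: it only reports a rule when a single earlier rule covers it outright. A rule that is hidden only by the combined effect of several earlier rules, or by conditions the simplified `Rule` does not model (zones, users, applications, URLs), is not reported, so a clean result from this example does not mean the product's own analysis would find nothing.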

Step 4

Click Save.


What to do next

  • Deploy configuration changes.