Create and Edit Access Control Rules

Use access control rules to apply actions to specific traffic classes. Rules allow you to selectively allow desirable traffic and drop unwanted traffic.

Before you begin

If you have enabled the Policy Analyzer & Optimizer tool, your edits are evaluated as you make them. If anomalies are detected, you are notified during the edit and prompted to make changes when you click Apply to save the rule. You can view the anomalies, such as redundant and shadowed rules, and choose to edit or delete the rule. You can also proceed with saving the rule as is, to deal with the issue later.
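The two anomaly types named above can be illustrated with a small first-match model. This is an added example, not the Policy Analyzer & Optimizer's own logic: the `Rule` fields, the sample policy, and the definitions used (a later rule fully covered by one earlier enabled rule is "redundant" when the actions match and "shadowed" when they differ) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                      # hypothetical, simplified rule model
    name: str
    action: str                  # "ALLOW" or "BLOCK"
    src: str                     # source network, CIDR
    dst: str                     # destination network, CIDR
    ports: tuple                 # (low, high) destination ports, inclusive
    enabled: bool = True

def covers(earlier, later):
    """True when every connection matching `later` also matches `earlier`."""
    net = ipaddress.ip_network
    return (net(later.src).subnet_of(net(earlier.src))
            and net(later.dst).subnet_of(net(earlier.dst))
            and earlier.ports[0] <= later.ports[0]
            and later.ports[1] <= earlier.ports[1])

def find_anomalies(rules):
    """Return (kind, rule, covering_rule) tuples, evaluated top-down.

    Only coverage by a single earlier rule is checked; a rule hidden by
    the union of several earlier rules is not reported.
    """
    findings = []
    active = [r for r in rules if r.enabled]   # disabled rules never match
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if covers(earlier, later):
                same = earlier.action == later.action
                kind = "redundant" if same else "shadowed"
                findings.append((kind, later.name, earlier.name))
                break                          # first covering rule wins
    return findings

# Constructed sample policy (documentation address ranges, invented names).
POLICY = [
    Rule("block-all-old", "BLOCK", "0.0.0.0/0", "0.0.0.0/0", (1, 65535), enabled=False),
    Rule("allow-internal-web", "ALLOW", "10.0.0.0/8", "192.0.2.0/24", (80, 443)),
    Rule("block-lab-https", "BLOCK", "10.20.0.0/16", "192.0.2.10/32", (443, 443)),
    Rule("allow-hr-http", "ALLOW", "10.30.0.0/16", "192.0.2.0/24", (80, 80)),
    Rule("allow-admin-ssh", "ALLOW", "10.0.5.0/24", "192.0.2.0/24", (22, 22)),
]

if __name__ == "__main__":
    for kind, rule, by in find_anomalies(POLICY):
        print(f"{rule}: {kind} (covered by {by})")
```

In this sample the shadowed block rule is the security-relevant finding: the traffic it was meant to drop is allowed by the broader rule above it, so the fix is to move the block rule up or narrow the allow rule.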

Procedure


Step 1

In the access control policy editor, you have the following options:

  • To add a new rule, click Add Rule.

  • To edit an existing rule, click Edit (edit icon).

  • To edit multiple rules, shift-click a range of rules or control-click multiple rules to edit, then right-click and choose an option.

If View (View button) appears next to a rule instead, the rule belongs to an ancestor policy, or you do not have permission to modify the rule.

Step 2

If this is a new rule, enter a Name.

Step 3

Configure the rule components.

If you are bulk-editing multiple rules, only a subset of options is available.

  • Enabled—Specify whether the rule is Enabled.

  • Position—Specify the rule position; see Access Control Rule Order.

  • Action—Choose a rule Action; see Access Control Rule Actions.

  • Time Range—(Optional.) For Firewall Threat Defense devices, choose the days and times when the rule is applicable. For details, see Creating Time Range Objects.

  • Conditions—Click the corresponding condition you want to add. See Access Control Rule Conditions for more information.

    Note

    VLAN tags in access rules only apply to inline sets; they cannot be used in access rules applied to firewall interfaces.

  • Deep Inspection—(Optional.) For Allow and Interactive Block rules, click Intrusion policy (intrusion policy icon) or File policy (file policy icon) to configure the rule’s Inspection options. If the option is dimmed, no policy of that type is selected for the rule. See Access Control Overview for more information.

  • Content Restriction—Click Safe search (safe search icon) or YouTube EDU (YouTube EDU icon) to configure content restriction settings on Applications of the rule editor. If the options are dimmed, content restriction is disabled for the rule. See About Content Restriction for more information.

  • Logging—Click Logging (logging icon) to specify Logging options. If the option is dimmed, connection logging is disabled for the rule.

  • Comments—Click the number in the comment column to add Comments. The number indicates how many comments the rule already contains.

Step 4

Click Add or Apply to save the rule.

Step 5

Click Save to save the policy.


What to do next

If you will deploy time-based rules, specify the time zone of the device to which the policy is assigned. See Time Zone.

Deploy configuration changes.