Policy Rule Set Gateway and Management
Policy Rule Management
A policy rule set assigned to a gateway can be changed dynamically to a different policy rule set. If a different policy rule set needs to be swapped into an active gateway, this operation can be initiated in a non-impactful way. The assignment of the new policy rule set operates similarly to a gateway update/upgrade process: new gateway instances are instantiated with the new policy rule set; new traffic sessions are redirected to the new gateway instances once they are active and healthy; old traffic sessions are flushed from the old gateway instances; and the old gateway instances are deleted. The operation completes in a matter of minutes. This change is initiated as part of the gateway configuration settings. Navigate to . The change can be initiated using the Multicloud Defense portal or the Multicloud Defense Terraform Provider.
Policy Rule Set Gateway Status
The status of the connection between the policy rule set and the gateway it is associated with can be one of two options:
- Updated - The policy is active on the gateway and is synchronized with the controller.
- Updating - The gateway is actively processing a policy change. The policy change is known to the gateway, but is not yet active. The gateway is still processing traffic using the current policy.
Policy Rule Set Processing
Each gateway has a policy specified by a Policy Rule Set consisting of a set of rules that perform traffic matching (segmentation) and advanced security protection (security). The Policy Rule Set plays a crucial role in determining the criteria for evaluating traffic that requires protection by the gateway. Each rule within this rule set is evaluated in strict order until a match is found or the end of the list is reached. In the absence of any match, the traffic is promptly dropped as an implicit deny, without being logged as a session or a sequence of events. Matched traffic that is allowed by the rule undergoes further evaluation by the associated advanced security profiles.
When traffic is received by the gateway, L3 (IP) and L4 (transport) information is obtained from the initial packet (TCP SYN or UDP). The L3 and L4 information is used to evaluate the first rule that matches the traffic.
Once the first rule is found, the traffic is processed as Forwarding or Forward Proxy, depending on configuration of the rule. If the traffic is Forwarding, the TCP session is not terminated, but passed through the gateway and terminated at the destination. If the traffic is Forward Proxy, the TCP session is terminated on the gateway and a new TCP session is established from the gateway to the destination.
If a rule is configured for matching on FQDN, L5 information is obtained from the TLS Hello packet, and a further matching takes place to consider the L5 information. This match might be the initial matched rule, but it also might be a rule further down the list, if the initial matched rule does not also match on L5.
Note: FQDN matching is considered L5 matching since the domain is extracted from the TLS Hello SNI header field. However, if the traffic is unencrypted HTTP traffic (no TLS), the domain can also reside in the HTTP Host header field. This is not applicable if your policy only accepts encrypted HTTP traffic.
If a match is found, then the action of the matched rule will determine whether to allow or deny the traffic. If no match is found, the gateway will deny the traffic and not record a session log.
A Forwarding Rule configured to process TCP traffic with an action of deny can be configured to actively close the connection by sending a TCP RST to the client. This is achieved through the Reset on Deny checkbox. If this option is not configured, the traffic will be dropped. A Forward Proxy Rule will always actively close the connection since it is actively participating in the connection.
If a rule is configured to allow traffic, further evaluation will occur using the advanced security profiles. The profiles consist of Malicious IP, Anti-Virus, Network Intrusion (IDS, IPS), Data Loss Prevention (DLP), and URL Filtering. Any profile can deny the traffic if a threat or malicious activity is detected.
Policy Rule Sets are of two types:
- Standalone: A set of rules used to evaluate and protect traffic.
- Group: A set of Standalone Policy Rule Sets where the combined set of rules is used to evaluate and protect traffic. The Policy Rule Set order and the order of rules within each Policy Rule Set defines the resulting rule order.
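The following is an added example, not Multicloud Defense code, that simulates the first-match processing described above (L3/L4 match on the first packet, the L5/SNI re-match, implicit deny, Reset on Deny) together with the way a Group flattens its Standalone rule sets into one ordered list. The Rule fields, the sample rule sets and the assumption that a rule without an FQDN criterion matches any SNI during the L5 stage are this example's own, not the product's data model.

```python
# Added example, not Multicloud Defense code: a small simulation of the
# first-match evaluation described above (L3/L4 match on the first packet,
# optional L5/SNI re-match, implicit deny, Reset on Deny, Group flattening).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    dst_net: str                  # destination prefix; "0.0.0.0/0" = any
    dst_port: Optional[int]       # None = any port
    action: str                   # "allow" or "deny"
    mode: str = "forwarding"      # or "forward_proxy"
    fqdn: Optional[str] = None    # L5 criterion checked against TLS SNI
    reset_on_deny: bool = False   # only meaningful for forwarding + deny

    def match_l3l4(self, dst_ip: str, dst_port: int) -> bool:
        return (ip_address(dst_ip) in ip_network(self.dst_net)
                and (self.dst_port is None or self.dst_port == dst_port))

def flatten(group):
    """A Group rule set is its Standalone sets concatenated in order."""
    return [r for ruleset in group for r in ruleset]

def evaluate(rules, dst_ip, dst_port, sni=None):
    """Return (verdict, rule_name); verdict is 'allow', 'drop' or 'reset'."""
    candidates = [r for r in rules if r.match_l3l4(dst_ip, dst_port)]
    if not candidates:
        return ("drop", None)           # implicit deny, no session log
    matched = candidates[0]
    if matched.fqdn is not None:
        # L5 stage: walk the L3/L4 matches in order with the SNI; a rule
        # without an FQDN criterion is assumed to match any SNI.
        matched = next((r for r in candidates
                        if r.fqdn is None or r.fqdn == sni), None)
        if matched is None:
            return ("drop", None)
    if matched.action == "allow":
        return ("allow", matched.name)  # then advanced security profiles
    if matched.mode == "forward_proxy" or matched.reset_on_deny:
        return ("reset", matched.name)  # connection actively closed
    return ("drop", matched.name)       # silently dropped

# Constructed sample: a Group made of two Standalone rule sets.
WEB_RULES = [Rule("web-allow", "0.0.0.0/0", 443, "allow", "forward_proxy",
                  fqdn="example.com"),
             Rule("web-deny", "0.0.0.0/0", 443, "deny", reset_on_deny=True)]
DB_RULES = [Rule("db-allow", "10.0.0.0/8", 5432, "allow")]
POLICY = flatten([WEB_RULES, DB_RULES])
```

A TLS session to port 443 with SNI example.com lands on web-allow; any other SNI falls through to web-deny and is reset, while a flow that matches nothing is dropped without a session log.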