Getting started with policies

Policies organize traffic processing rules hierarchically, to make administration easier and to optimize traffic inspection performance.

What policy elements do

  • Engine, IPS, and Layer 2 Engine Policies contain the rules according to which the Secure SD-WAN Engines allow or block traffic.
  • Layer 2 Interface Policies contain the rules according to which Secure SD-WAN Engines in the Engine/VPN role allow or block traffic detected on their Capture Interfaces, Inline IPS Interfaces, and Inline Layer 2 Engine Interfaces.
  • The same policy can be shared by several Secure SD-WAN Engines that have the same role, several Master Engines, and several Virtual Engines that have the same role.
  • Inspection Policies contain the rules according to which the Secure SD-WAN Engines inspect traffic. The same Inspection Policy can be shared by several Engine Policies, IPS Policies, and Layer 2 Engine Policies.
    Note: Inspection Policies are not supported in Layer 2 Interface Policies.
  • Each policy must always be based on a Template Policy. Template Policies contain rules that are inherited by every template or policy below them in the policy hierarchy.
  • You can also insert Sub-Policies in your policies. A Sub-Policy is a set of IPv4 or IPv6 Access rules that is checked only against a restricted part of the traffic: the connections that match the rule that refers to the Sub-Policy. Because all other traffic skips the Sub-Policy's rules entirely, using Sub-Policies can improve processing performance. Sub-Policies can also enforce administrative boundaries, for example by letting a separate administrator maintain the rules for one part of the traffic.
  • Template Policies and Sub-Policies can be shared by several policies. In shared rules, Alias elements represent IP addresses that depend on the environment, so that a rule is written once and the actual addresses are defined separately for each engine on which the policy is installed.
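The interplay of the three mechanisms in this list (template inheritance, a Sub-Policy that is consulted only for the traffic its referring rule selects, and Alias values that differ per engine) is easier to see in a small executable model. The following is an added example, not code from the product or from the SMC API: the rule fields, the "$$" alias naming, the engine names and all addresses are constructed, and the splice-at-insert-point, first-match, and "resume after an unmatched Sub-Policy" behaviours are assumptions of the model rather than a description of the real engine.

```python
"""Toy model of hierarchical access-rule evaluation: Template Policy rules
inherited around an insert point, a Sub-Policy consulted only for traffic that
its jump rule selects, and Alias elements resolved per engine at install time.
Illustrative only: not the Secure SD-WAN engine's code or the SMC API; every
policy, alias, engine and address below is constructed for the example."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"
INSERT_POINT = None   # marker in a template's rule list: inherited rules go here

@dataclass(frozen=True)
class Rule:
    src: str                             # CIDR, or an Alias name ("$$ ...")
    dst: str                             # CIDR, or an Alias name
    dports: Optional[frozenset] = None   # None = any destination port
    action: str = "allow"                # "allow", "discard" or "jump"
    sub_policy: Optional[str] = None     # Sub-Policy name when action == "jump"

@dataclass
class Policy:
    rules: list                          # Rule objects and/or INSERT_POINT
    template: Optional["Policy"] = None  # the Template Policy it is based on

def flatten(policy: Policy) -> list:
    """Splice this policy's rules at its template's INSERT_POINT (assumed present)."""
    if policy.template is None:
        return list(policy.rules)
    parent = flatten(policy.template)
    i = parent.index(INSERT_POINT)
    return parent[:i] + list(policy.rules) + parent[i + 1:]

def _addr(value: str, aliases: dict, engine: str) -> str:
    """Alias names resolve to this engine's value; a missing value is an install
    error rather than a rule that silently never matches."""
    if not value.startswith("$$"):
        return value
    if value not in aliases:
        raise ValueError(f"{engine}: alias {value!r} has no value")
    return aliases[value]

def resolve(rules: list, aliases: dict, engine: str) -> list:
    """Concrete rules for one engine; a leftover INSERT_POINT is dropped."""
    return [replace(r, src=_addr(r.src, aliases, engine), dst=_addr(r.dst, aliases, engine))
            for r in rules if r is not INSERT_POINT]

def matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.dports is None or dport in rule.dports))

def evaluate(rules: list, subs: dict, src: str, dst: str, dport: int) -> tuple:
    """First match wins.  Returns (action, rules_examined): the count shows that
    a Sub-Policy costs nothing for traffic its jump rule does not select."""
    examined = 0
    for rule in rules:
        examined += 1
        if not matches(rule, src, dst, dport):
            continue
        if rule.action == "jump":
            for sub in subs[rule.sub_policy]:
                examined += 1
                if matches(sub, src, dst, dport):
                    return sub.action, examined
            continue   # no Sub-Policy rule matched: resume after the jump rule
        return rule.action, examined
    return "discard", examined   # implicit final rule: unmatched traffic is dropped

TEMPLATE = Policy([
    Rule("$$ Admin Net", "$$ Management Net"),   # inherited above the insert point
    INSERT_POINT,
    Rule(ANY, ANY, action="discard"),            # inherited below it
])
BRANCH = Policy([
    Rule(ANY, "$$ DMZ Net", action="jump", sub_policy="DMZ Services"),
    Rule("$$ Internal Net", ANY, frozenset({80, 443})),
], template=TEMPLATE)
SUB_POLICIES = {"DMZ Services": [
    Rule(ANY, "$$ DMZ Net", frozenset({443})),
    Rule(ANY, "$$ DMZ Net", frozenset({22}), action="discard"),
]}
ENGINE_ALIASES = {   # one shared policy, different addresses on each engine
    "branch-fw-1": {"$$ Admin Net": "10.0.1.0/24", "$$ Management Net": "10.0.0.0/24",
                    "$$ DMZ Net": "192.0.2.0/24", "$$ Internal Net": "10.0.0.0/16"},
    "branch-fw-2": {"$$ Admin Net": "10.1.1.0/24", "$$ Management Net": "10.1.0.0/24",
                    "$$ DMZ Net": "198.51.100.0/24", "$$ Internal Net": "10.1.0.0/16"},
    "lab-fw": {"$$ Admin Net": "10.9.1.0/24", "$$ Management Net": "10.9.0.0/24",
               "$$ Internal Net": "10.9.0.0/16"},        # "$$ DMZ Net" never defined
}

def install(engine: str) -> tuple:
    aliases = ENGINE_ALIASES[engine]
    subs = {n: resolve(r, aliases, engine) for n, r in SUB_POLICIES.items()}
    return resolve(flatten(BRANCH), aliases, engine), subs

def decide(engine: str, src: str, dst: str, dport: int) -> tuple:
    rules, subs = install(engine)
    return evaluate(rules, subs, src, dst, dport)
```

Calling `decide("branch-fw-1", "10.0.5.9", "203.0.113.80", 443)` returns an allow verdict after three rule checks: the jump rule does not select the connection, so the two Sub-Policy rules are never examined. The same shared policy on `branch-fw-2` discards `203.0.113.7 -> 192.0.2.8:443`, because on that engine `$$ DMZ Net` resolves to a different network. `install("lab-fw")` raises, which is the behaviour you want from an alias with no value on an engine: a rule that refers to an undefined address should fail loudly at installation rather than quietly never match.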

What do I need to know before I begin?

  • Master Engines always use Engine Policies, regardless of the role of the Virtual Engines they host.
  • Virtual Engines in the Engine/VPN role use Engine Policies.
  • Virtual IPS engines use IPS Policies.
  • Virtual Layer 2 Engines use Layer 2 Engine Policies.