Getting started with policies
Policies organize traffic processing rules hierarchically, to make administration easier and to optimize traffic inspection performance.
What policy elements do
- Engine, IPS, and Layer 2 Engine Policies contain the rules according to which the Secure SD-WAN Engines allow or block traffic.
- Layer 2 Interface Policies contain rules according to which Secure SD-WAN Engines in the Engine/VPN role allow or block traffic detected by their Capture Interfaces, Inline IPS Interfaces, and Inline Layer 2 Engine Interfaces.
- The same policy can be shared by several Secure SD-WAN Engines that have the same role, several Master Engines, and several Virtual Engines that have the same role.
- Inspection Policies contain the rules according to which the Secure SD-WAN Engines inspect traffic. The same Inspection Policy can be shared by several Engine Policies, IPS Policies, and Layer 2 Engine Policies.
Note: Inspection Policies are not supported in Layer 2 Interface Policies.
- Each policy must always be based on a Template Policy. Template Policies contain rules that are inherited by every template or policy below them in the policy hierarchy.
- You can also insert Sub-Policies in your policies. A Sub-Policy is a set of IPv4 or IPv6 Access rules that can be matched conditionally to a restricted part of the traffic. Using Sub-Policies can improve processing performance. Sub-Policies can also enforce administrative boundaries.
- Policies can share Policy Templates and Sub-Policies. In shared rules, Alias elements can represent IP addresses that depend on the environment, so that the actual values are defined separately for each component.
What do I need to know before I begin?
- Master Engines always use Engine Policies, regardless of the role of the Virtual Engines they host.
- Virtual Engines use Engine Policies.
- Virtual IPS engines use IPS Policies.
- Virtual Layer 2 Engines use Layer 2 Engine Policies.