Adding or editing a network rule

You can use the Network policy stage page to configure network rules that filter network traffic initiated from within your organization.

To configure the network rules:

Steps

  1. On the Navigation pane, click Policy. The All Policies page opens.
  2. Click the New button to add a policy, or click the Edit button against the policy rule in the table to edit a policy. The Policy panel is displayed.
  3. Enter a name for the policy in the Name field. You can skip this step if this field is populated or if no change is required.
  4. Enter a description for the policy in the Description field. This is an optional step.
  5. Type or click to select a source site in the Source Sites field. You can skip this step if this field is populated or if no change is required.
    Note:
    1. When you type or click in the Source Sites field, a pop-up dialog box lists the available sites to select from. You can also click Set to ANY to apply the policy to any site.
    2. If you do not add a source site, the default entry of ANY is used.
    3. Click x on the source site element under the Source Sites field to remove it.
    4. If Set to ANY is selected, the policy matches all traffic it processes and no further policies are checked.
  6. From the Default TLS Inspection Setting drop-down menu, select one of the following:
    • Decrypt: Secure (TLS) traffic is decrypted for inspection and then re-encrypted before it is sent to the destination. The Forcepoint root certificate must be installed on the end user workstations; without it, clients do not trust the re-signed certificates and show certificate errors.
    • Do not decrypt: Secure traffic is not decrypted, so it cannot be fully inspected. This is the default.
    Note: You can skip this step if this field is populated or if no change is required.
  7. Under Policy Summary, click the Network link. The Network stage page opens.
  8. Click a cell within an existing rule in the table to edit it, or click New to create a new rule.
  9. Enter a name for the rule, and optionally a description, in the Rule cell for the rule in the table.
  10. To define a source, do the following:
    1. Click the Source cell of the rule in the table to define the local traffic sources to which the rule will apply.
      Note: If you do not add a source, the default entry of ANY is used, and the rule will apply to traffic from any source to which the policy applies.
    2. Click the Type or click to select field and begin typing to search for an available object, or click an object type to select the available objects from a list. Repeat the process to add all required sources for the rule.
      Note:
      1. If required, click the New Source IP Address List button to create a new source IP address list. For more details, refer to the Creating a source IP address list topic in the Forcepoint ONE | Firewall Application Online help documentation.
      2. You can click the Set to ANY button to match traffic from any source. If this is selected, the rule no longer restricts the source; if Users, Destination and Network Service are also ANY, the rule matches all traffic processed by the policy and no further rules are checked.
  11. Click the Users cell of the rule to define the users or user groups from which the request must originate to match this rule.
    Note:
    1. Rules can be applied to all users in order to match any user whose identity is known. Users can be identified by the Web Security Endpoint or via SAML-based authentication.
    2. If you want to require the user or user group to be authenticated before the rule matches, click the Set to authentication required button.
  12. To define a destination, do the following:
    1. Click the Destination cell of the rule in the table to define the traffic destinations to which the rule will apply.
      Note: If you do not add a destination, the default entry of ANY is used. The rule will apply to traffic to any destination.
    2. Click the Type or click to select field and begin typing to search for an available object, or click an object type to select available objects from a list. Repeat the process to add all required destinations for the rule.
      Note:
      1. If required, you can create a new domain name list or destination IP address list: click the New menu and select Domain Name List or Destination IP Address List. For more details, refer to the Creating a domain name list or Creating a destination IP address list topic in the Forcepoint ONE | Firewall Application Online help documentation.
      2. You can click the Set to ANY button to match traffic to any destination. If this is selected, the rule no longer restricts the destination; if Source, Users and Network Service are also ANY, the rule matches all traffic processed by the policy and no further rules are checked.
  13. To define a Network Service, do the following:
    1. Click the Network Service cell of the rule in the table to define the services to which the rule will apply.
      Note: If you do not add a service, the default entry of ANY is used, and the rule will apply to traffic of any protocol, port, or ICMP type.
    2. Click the Type or click to select field and begin typing to search for an available object, or click a service type to select available services from a list. Repeat the process to add all required services for the rule.
      Note:
      1. If required, you can create a new network service. To create a network service, click the New menu and select a network service type to create a new network service. For more details, refer to the Creating a network service topic in the Forcepoint ONE | Firewall Application Online help documentation.
      2. You can click the Set to ANY button to match any network service. If this is selected, the rule no longer restricts the protocol or port; if Source, Users and Destination are also ANY, the rule matches all traffic processed by the policy and no further rules are checked.
  14. Click the Action cell of the rule in the table to select an action option to apply to the traffic that matches this rule. Available actions are:
    • Allow and Bypass: Allows matching traffic and bypasses further policy processing stages. Traffic is not decrypted.
    • Block: Blocks matching traffic.
    • Continue Inspection: Allows matching network traffic, and continues processing further policy stages. The request may be blocked by a subsequent policy stage.
  15. In the list of rules, use the ::: Drag to move icon to set the priority order of your rules. Rules are evaluated in this order and the first match decides, so place broad rules (for example, a rule with Source, Destination and Network Service all set to ANY) below the more specific rules they would otherwise shadow; an Allow and Bypass or Block rule that matches all traffic prevents every rule below it from ever being applied.
  16. When you are done, click Save.
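As an added example (not Forcepoint code and not taken from this page), the following Python models the semantics the steps above describe: a field left empty defaults to ANY, rules are evaluated in the priority order set in the rule list, and the first matching rule decides the Network stage action. It also lists rules that can never match because an earlier rule covers all of their traffic, the mistake a Set to ANY rule placed too high causes. The rule names, addresses and users are constructed; suffix matching for domain name list entries and AND-combination of a rule's four fields are assumptions, not the product's documented matching logic.

```python
"""Toy first-match model of a Network stage rule table.

Added illustration, not Forcepoint code. Assumptions: a domain list
entry matches the host and its subdomains, and a rule's Source, Users,
Destination and Network Service fields are combined with logical AND.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "ANY"  # the default entry used when a field is left empty


@dataclass(frozen=True)
class Service:
    proto: str                  # "tcp", "udp" or "icmp"
    port: Optional[int] = None  # None: any port (or any ICMP type)


@dataclass
class Rule:
    name: str
    action: str                 # "Allow and Bypass", "Block", "Continue Inspection"
    sources: object = ANY       # ANY or list of ip_network
    users: object = ANY         # ANY or set of user names
    destinations: object = ANY  # ANY or list of ip_network / domain strings
    services: object = ANY      # ANY or list of Service


@dataclass
class Flow:
    src: str
    dst: str                    # IP address or host name
    proto: str
    port: Optional[int] = None
    user: Optional[str] = None  # None: identity unknown


def _addr_match(items, value):
    if items == ANY:
        return True
    for item in items:
        if isinstance(item, str):  # domain name list entry (assumed suffix match)
            if value == item or value.endswith("." + item):
                return True
        else:
            try:
                if ip_address(value) in item:
                    return True
            except ValueError:  # value is a host name, not an address
                pass
    return False


def _service_match(items, flow):
    if items == ANY:
        return True
    return any(s.proto == flow.proto and s.port in (None, flow.port) for s in items)


def rule_matches(rule, flow):
    return (_addr_match(rule.sources, flow.src)
            and (rule.users == ANY or flow.user in rule.users)
            and _addr_match(rule.destinations, flow.dst)
            and _service_match(rule.services, flow))


def evaluate(rules, flow):
    """Return (rule name, action) of the first rule in priority order that matches."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    return None, "no match"


def _covers(outer, inner, kind):
    """True if every element of inner is matched by some element of outer."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    if kind == "user":
        return set(inner) <= set(outer)
    for i in inner:
        if kind == "svc":
            ok = any(o.proto == i.proto and o.port in (None, i.port) for o in outer)
        elif isinstance(i, str):
            ok = any(isinstance(o, str) and (i == o or i.endswith("." + o)) for o in outer)
        else:
            ok = any(not isinstance(o, str) and o.version == i.version and i.subnet_of(o)
                     for o in outer)
        if not ok:
            return False
    return True


def shadowed_rules(rules):
    """(shadowed, by) pairs: rules that never match because an earlier rule covers them."""
    found = []
    for idx, later in enumerate(rules):
        for earlier in rules[:idx]:
            if (_covers(earlier.sources, later.sources, "addr")
                    and _covers(earlier.users, later.users, "user")
                    and _covers(earlier.destinations, later.destinations, "addr")
                    and _covers(earlier.services, later.services, "svc")):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed example table in priority order (names, addresses and users are made up).
RULES = [
    Rule("allow-dns", "Allow and Bypass", services=[Service("udp", 53)]),
    Rule("block-telnet", "Block", services=[Service("tcp", 23)]),
    Rule("lan-bypass", "Allow and Bypass", sources=[ip_network("10.0.0.0/8")]),
    Rule("inspect-finance-web", "Continue Inspection",
         sources=[ip_network("10.20.0.0/16")], users={"alice"},
         destinations=["example.com"], services=[Service("tcp", 443)]),
    Rule("default-inspect", "Continue Inspection"),
]

if __name__ == "__main__":
    for flow in (Flow("10.20.1.5", "www.example.com", "tcp", 443, "alice"),
                 Flow("192.168.1.9", "203.0.113.7", "tcp", 23)):
        print(flow.src, "->", flow.dst, evaluate(RULES, flow))
    print("shadowed:", shadowed_rules(RULES))
```

In the constructed table, lan-bypass sits above inspect-finance-web and covers every flow that rule could match, so the finance rule is dead and its traffic leaves the policy without inspection; moving lan-bypass below it (but still above default-inspect) removes the shadow. Running the check before clicking Save is cheaper than discovering the bypass in an incident review.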