
Configuring a Policy

Sensei comes pre-installed with a Default policy for the Free and Premium Editions. Default policy configuration is managed by the Sensei engine. A Premium subscription includes the following features not available in the Free Edition:

  • Create new policies

  • Enable/disable policies

  • Specify the packet direction for protection

  • Include/exclude VLANs, IP/Network addresses, users, groups to be protected

  • Time schedule for each policy

  • Advanced Security functionality

  • Custom Web Control profiles

  • Create Cloud Centralized policies

For more information on the features available for each type of subscription, please refer to plans & pricing.

Although you cannot change the Default policy, you can still change the Security rules, Application Control rules, Web Control rules, and Exclusions on the default policy to suit your needs.

When you have a Premium Edition, you can create new policies to protect your network infrastructure in a more customizable way. For more information about creating a new policy, please refer to Managing policies. After creating a new policy, you must edit it to complete the configuration and identification of the policy rules.

Policy Configuration

After the creation of a new policy, you must complete the configuration of the policy rules. You can edit the configuration of a policy by clicking on the name of the policy in the policy list view. This will display the policy configuration view as shown in figure 1.


Figure 1. Editing a policy

Once the policy configuration has been completed, you will be able to apply the policy to your firewall.

IMPORTANT NOTE

Please note that all of the criteria listed below are combined with the AND logical operator. For a flow to match your configured policy, every configured criterion must match the flow information. For instance, if a policy specifies the 10.0.0.0/24 network, the em0 interface, and the 'Admins' group, all three conditions must be met for the policy to be applied. If a packet is identified as belonging to the 'Admins' group but arrives on the ixl0 interface, the packet will not match this particular policy.
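As an added illustration (not Sensei's own code), the following Python models the AND matching described in this note, using the criterion names from the list below and the em0/ixl0/Admins values from the note; it assumes that a criterion left empty in a policy means "any":

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set
import ipaddress

@dataclass
class Policy:
    """Policy criteria as listed on this page; an empty criterion is treated as 'any' (assumption)."""
    enabled: bool = True
    direction: str = "both"                        # "inbound", "outbound" or "both"
    interfaces: Set[str] = field(default_factory=set)
    vlans: Set[int] = field(default_factory=set)
    networks: List[str] = field(default_factory=list)  # single IPs or CIDR blocks
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)

@dataclass
class Flow:
    """The flow attributes compared against the policy (constructed for illustration)."""
    src_ip: str
    interface: str
    direction: str
    vlan: Optional[int] = None
    user: Optional[str] = None
    group: Optional[str] = None

def in_networks(ip: str, networks: List[str]) -> bool:
    """True if ip falls inside any listed address or CIDR block (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

def matches(policy: Policy, flow: Flow) -> bool:
    """AND logic from the note: every configured criterion must match, or the policy does not apply."""
    if not policy.enabled:
        return False
    if policy.direction != "both" and flow.direction != policy.direction:
        return False
    criteria = [
        (policy.interfaces, lambda: flow.interface in policy.interfaces),
        (policy.vlans, lambda: flow.vlan in policy.vlans),
        (policy.networks, lambda: in_networks(flow.src_ip, policy.networks)),
        (policy.users, lambda: flow.user in policy.users),
        (policy.groups, lambda: flow.group in policy.groups),
    ]
    # Only configured (non-empty) criteria participate; all of them must hold.
    return all(check() for configured, check in criteria if configured)

# The note's example policy: 10.0.0.0/24 on em0 for the 'Admins' group.
ADMINS_ON_EM0 = Policy(interfaces={"em0"}, networks=["10.0.0.0/24"], groups={"Admins"})
```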

You may configure the following options for a policy:

  • Status: By default, a newly created policy is disabled. You must enable it to activate the new policy on your node.

  • Name: The name of the policy may be changed by clicking on the name.

  • Priority: By default, the priority option is disabled. If you wish to restrict all Internet access at specific time intervals, you can enable this option. When it is enabled, it overrides all rules and blocks all connections; in other words, the Priority option blocks all connections in your network regardless of the policy's application, web, and security rules.

  • Interfaces: The interface(s) that will be protected by the engine may be selected. This option will be available in future releases of the cloud portal.

  • Packet Direction: The network packet direction in which to apply the rules may be specified for a policy. Packets may be filtered inbound, outbound, or both directions.

  • VLANs: You may apply policies to specific VLANs on your network. Click on the + Add vlan button, enter the VLAN ID, and then click on the Add button. (Warning: The VLAN ID must be a number between 1 and 4096.)


Figure 2. Adding a VLAN to the policy

  • IP / Networks: A policy may be applied to the IPv4/IPv6 addresses that you enter into this option. You can enter a single IPv4/IPv6 address or a range of addresses by specifying a subnet mask. CIDR notation is also accepted (e.g. 172.10.10.0/24). Click on the + Add IP / Networks button, enter an IP address or network, and then click on the Add button.


Figure 3. Adding an IP address to the policy

  • MAC Address: A policy may be applied to the MAC addresses that you enter into this option. Click on the + Add MAC Address button, enter a MAC address and then click on the Add button.


Figure 4. Adding a MAC address to the policy

  • Users: To apply policies to specific users, you may select the desired Active Directory or OPNsense Captive Portal users.

  • Groups: Policies may be applied to groups from Active Directory or OPNsense Captive Portal.

  • Time Schedules: If you want the policy to be active at a specific time interval, you can create a time schedule for your policy.


Figure 5. Editing the policy configuration

Defining User-Based Policy

The Sensei Active Directory integration feature provides user-based policy filtering. However, it is only available on the OPNsense platform. For more information on how to integrate Active Directory with Sensei, please refer to the Active Directory Integration Guide.

Sensei also supports the OPNsense Captive Portal for username resolution. If your OPNsense Captive Portal is enabled, Sensei will automatically have access to the username.

You can define a user/group-based policy by just adding a user or group to the policy on the policy configuration page.

To define a user-based policy:

  • Navigate to the Configuration page of the policy

  • Click on the + Add user button

  • Enter a username

  • Click on the Add button


Figure 6. Adding user to the policy

To define a group-based policy:

  • Navigate to the Configuration page of the policy

  • Click on the + Add group button

  • Enter a group name

  • Click on the Add button


Figure 7. Adding a group to the policy

After enabling and synchronizing the policy with your firewall, your user/group-based filtering will be activated on your node.

Time Schedule Configuration

A time schedule may be added to your policy if you want the policy to be active only at certain times of the day or on certain days of the week. You may also update or remove previously created schedules on the Policy Configuration page.

To create a new schedule for a policy:

  • Click the Add new schedule button. This will open a dialog box for naming the schedule.

Figure 8. Adding a new time schedule for a policy

  • Enter a name and click on the Add button. This will add the new schedule to the Time schedules list.

  • Select each day you wish to be applied to the schedule. Selected days will be displayed with a solid blue checkmark icon.

  • Specify the starting and stopping hours for which the policy will be effective.


Figure 9. Time schedule configuration for a policy

You can change the existing time schedule by updating the start/stop hours and selecting/deselecting the days any time after you create the initial schedule.

To remove an existing time schedule, click on the Remove button with the trash icon. This will open a dialog box asking you to confirm the removal of the schedule. Clicking on the Remove button in the confirmation box will erase the time schedule for the policy.


Figure 10. Removing a time schedule for a policy

After completing Policy Configuration, you can proceed to specify the Security rules of the policy by clicking on the Security tab.

Security Rules

The Security page allows you to select options for blocking potentially dangerous websites and various types of malware activity.

Free Edition users can only enable the Essential Security options. The Advanced Security options are exclusive to Premium subscriptions.

Sensei Premium provides Advanced Threat Protection against the latest viruses, malware, and phishing attacks by preventing users from accessing websites that are known to host viruses and malware or to launch phishing attacks. With Sunny Valley's Advanced Threat Protection capabilities, you are provided with commercial-grade threat protection and tracking in near real-time.


Figure 11. Configuring security rules of a policy

For more information about the Essential Security and Advanced Security options, please refer to Security Rules.

After setting the security options, proceed to the application rules section by clicking on the App Controls tab.

Application Control Rules

Application filtering for your policy may be managed on the App Controls page. You can accomplish the following management tasks:

  • Allow/Block Application Category

  • Allow/Block Application(s)

  • Search an application/category


Figure 12. Configuring Application Control rules of a policy

For more information about application control configuration, please refer to Application Control Rules.

After completing the configuration of the Application Control, proceed to define the Web Control rules by clicking on the Web Controls tab.

Web Control Rules

Web content filtering rules may be defined on the Web Controls page.

You can select one of the predefined Web Profiles or define a custom profile by blocking or allowing the web categories from the list provided.

There are four types of predefined Web Profile:

  1. Permissive: This profile has no restrictions for web browsing.

  2. Moderate Control: Only harmful/high risk web categories such as Illegal Drugs, Violence, Adult, Pornography and Advertisements are blocked in this profile.

  3. High Control: In addition to the categories blocked in the moderate profile, the following categories are blocked in this profile: Forums, Alcohol, Blogs, Gambling, Chats, Dating, Games, Job Search, Online Storage, Social Networks, Software Downloads, Weapons, Military, Swimsuits, Tobacco and Warez Sites.

  4. Custom: You may fully customize the web filtering by using this profile and selecting the categories to block.

Figure 13. Configuring Web Control rules of a policy

Info

The Custom Web filtering profile is only available for Premium subscriptions. If you have the Free Edition, you cannot fully customize web filtering; you can only choose between the Permissive, Moderate, and High predefined profiles.

For more information about the web filtering configuration, please refer to Web Control Rules.

After selecting one of the predefined web profiles or customizing a profile, you can proceed to the Exclusions section to define whitelist and blacklist entries by clicking the Exclusions tab.

Exclusion Rules

Sometimes you may need to define exceptions to your policy rules. Sensei allows you to define exclusions that take precedence over all Security, Web Control, and Application Control rules.

For example, let us assume that video streaming is not allowed in your company’s network but some of your staff may need to attend an online training program that includes training videos. In such a case, you may allow the staff to access the online training site by adding the domain/IP address to the whitelist temporarily.

You can manage exclusions (whitelist and blacklist) for your policy on the Exclusions page. You can accomplish the following management tasks:

  • Add a domain/hostname/IP address to the whitelist for a node

  • Add a domain/hostname/IP address to the whitelist for all nodes (global)

  • Add a domain/hostname/IP address to the blacklist for a node

  • Add a domain/hostname/IP address to the blacklist for all nodes (global)

  • Search for a domain/hostname/IP address in exclusions

  • View exclusions

  • Remove an exclusion


Figure 14. Configuring exclusion rules of a policy

For more information about managing exclusions, please refer to Blacklists and Whitelists: Exclusions.

Caution

Don't forget to synchronize your policy with your firewall after configuring policy rules to activate the updated policy.
