Filter policy

On SNS firewalls, the same objects often have to be used several times: they may appear in several filter rules, or in a filter rule that complements a setting made in a configuration menu. For example, the same sub-network may appear in several filter rules (from a network of workstations to a mail server, to a web proxy, etc.), or as an administration network (refer to the chapter Configuring administration IP addresses) and in the corresponding explicit filter rule (in line with chapter Implicit rules).

Every time something is changed (e.g. address range), added (new sub-networks to host new workstations) or deleted (restriction of the number of administration workstations), the configuration must be updated, thereby increasing the risk of error or omission. Using objects and object groups makes it possible to apply a configuration globally and simultaneously when changes are made.

R33 | SNS-SMC | Use object groups
Object groups are recommended when defining filter rules, to remain consistent with the other menus.

When groups are used, it becomes possible to manage, for example:

  • An administration group containing the IP addresses of administration workstations,

  • A user workstation group containing the IP sub-networks used,

  • A service group containing the IP addresses of internal servers,

  • A BU group containing the ports used by ERPs,

  • etc.

Thereafter, when the situation changes, items only need to be added to or removed from the relevant groups; every rule and menu that references the group follows automatically.
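As an added example (not taken from the guide or from the SNS product), the following Python model shows why the recommendation matters: rules reference named objects and groups, a single group edit propagates to every rule that uses it, and literals typed directly into several rules are flagged as candidates for an object or group. All object, group and rule names are hypothetical.

```python
"""Model of object/group resolution for filter rules (constructed example)."""
from collections import defaultdict
from ipaddress import ip_network
from typing import Dict, List, Set, Union

# Constructed object base (hypothetical names): a name maps to a network
# literal, or, for a group, to the list of its member object names.
OBJECTS: Dict[str, Union[str, List[str]]] = {
    "net_admin": "10.0.1.0/28",
    "net_users": "10.0.2.0/24",
    "srv_mail": "10.0.10.5/32",
    "srv_proxy": "10.0.10.6/32",
    "grp_admin": ["net_admin"],
    "grp_internal_srv": ["srv_mail", "srv_proxy"],
}

# Constructed filter rules; two of them hard-code the mail server's address.
RULES = [
    {"name": "admin_to_fw", "src": "grp_admin", "dst": "10.0.0.1/32"},
    {"name": "users_to_mail", "src": "net_users", "dst": "10.0.10.5/32"},
    {"name": "users_to_srv", "src": "net_users", "dst": "grp_internal_srv"},
    {"name": "admin_to_mail", "src": "10.0.1.0/28", "dst": "10.0.10.5/32"},
]

def is_literal(value: str) -> bool:
    """True when the field holds an address/network rather than an object name."""
    try:
        ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def resolve(name: str, objects=OBJECTS, _seen=frozenset()) -> Set[str]:
    """Expand a name or literal to the set of network literals it denotes (groups may nest)."""
    if is_literal(name):
        return {name}
    if name in _seen:
        raise ValueError(f"group cycle at {name}")
    entry = objects[name]  # KeyError exposes a dangling reference
    if isinstance(entry, str):
        return {entry}
    return set().union(*(resolve(m, objects, _seen | {name}) for m in entry))

def expand_rules(rules, objects=OBJECTS):
    """Rule name -> (resolved sources, resolved destinations)."""
    return {r["name"]: (resolve(r["src"], objects), resolve(r["dst"], objects)) for r in rules}

def repeated_literals(rules, min_rules=2) -> Dict[str, List[str]]:
    """Literals typed directly into >= min_rules rules: move them into an object or group."""
    seen = defaultdict(set)
    for r in rules:
        for field in ("src", "dst"):
            if is_literal(r[field]):
                seen[r[field]].add(r["name"])
    return {lit: sorted(n) for lit, n in seen.items() if len(n) >= min_rules}

def with_member(objects, group: str, member: str):
    """Return a copy of the object base with one member added to a group (the only edit needed)."""
    new = {k: (list(v) if isinstance(v, list) else v) for k, v in objects.items()}
    new[group] = new[group] + [member]
    return new
```

Running `repeated_literals(RULES)` reports the mail server address used in two rules, and adding a new admin sub-network to `grp_admin` via `with_member` changes the expansion of every rule that references the group without touching the rules themselves.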

Furthermore, the best practices with regard to defining a network filter policy are explained in the guide Recommendations for the definition of a firewall’s filter policy (in French). The main aim of this document is to set out the practices to adopt to guarantee that the filter policy will be durable and controllable.