How to configuring security policies for the DHCP address pool on the firewall？

1 Device Modeland Firmware

Device  Type	Device  Model	Firmware  Version
NGFW	RG-WALL 1600-Z-S series firewalls	All NGFW_NTOS1.0 versions

In the office network shown in Figure 1-1, a firewall is deployed in router mode at the egress of the internal network and functions as a DHCP server to distribute IP addresses to users. The employee IP addresses are subject to policies that restrict their Internet access while theboss’s IP address is excluded from such restrictions. Both the boss and employees receive their IP addresses from the same DHCP address pool. Configure the following security policies to meet the following requirements:
Implement policies to ensure that employee IP addresses can only access approved applications, such as the office OA, whilethe boss’s IP address is not subject to any limitations.
3 Topology





4. Configuration Roadmap

• To prevent the boss's IP address from being mistakenly blocked by apolicy, configure it as a static IP address on the DHCP server.
• Create two security policies to permit all traffic from the boss’ IP address and restrict traffic from other IP addresses.
• Set a high priority for the security policy that permits traffic from the boss’ IP address.
  

5. Configuration Procedure
5.1 Configuring Static IP Allocation
(1) Choose Network > DHCP > DHCP Server. Onthe DHCP Service List page that is displayed, click Create to create a DHCP server.



(2) On the Create DHCP Service page, configure basic information of the DHCP server, as shown in the following figure.
a. Enter a name for the DHCPserver. In this example, the name is test.
b.  In the Interface field,use the interface Ge0/0 on the firewall.
c. Configure the IP assignment range based on your actual needs. In this example, it is set to 192.168.1.0/24.Once the configuration is complete, click Advanced to access the advanced settings.



(3) In the Advanced pane, enter the boss’s IP address and MAC address in the Binding Host MAC field for IP-MAC binding. Click Save.
In this example, the IP address 192.168.1.2 is bound to the boss host’s MAC address d8:9e:f3:3f:d5:64 for static IP assignment.



(4) After the configuration is saved, the DHCP Server toggleswitch is automatically on. If it is off, manually toggle it on.



5.2 Configuring Security Policies
1. Configure IP service address objects
(1) Choose Object > Address > IPv4 Address toaccess the Object configuration page. Click Create to create anemployee IP address object.



(2) On the Add IPv4 Address Object page, configure an employee IPaddress object named all staff, as shown in the following figure. Enterthe IP range in the IP Address/Range box, and click Save.



(3) On the Add IPv4 Address Object page, configure a boss IPaddress object named boss, as shown in the following figure. Enter the192.168.1.2 in the IP Address/Range box, and click Save.



The created IP address objects are displayed on the IPv4 Address page, as shown inthe following figure.



(1) Choose Policy > Security Policy > Security Policy, and then choose Add Policy Group > Create to create a security policy for employee IP addresses.

(2) Read the pop-up window and choose whether to create a policy in the simulation space. In this example, select Create.




(3) On the Create Security Policy page, configure two security policies for employee IP addresses. Configure a security policy for the IPrange first.
Set a policy name for the IP range:

• Set a name for the security policy. In this example, the name is for all staff.
  

In the Policy Group field, select Default Policy Group.You can select a custom policy group as required.

• In the Priority field, select Default Policy and Before.You can select the policy location as required. Policies located at the front take precedence and have a higher matching priority.
  

• Select all staff in the Src. Address field, and anyin the Dest. Address field.
  

Note: The Src. Security Zone/Interfaceand Dest. Security Zone/Interface fields are optional. In this example, Trust and Untrust are selected.
Click App、User、Effective Time to expand. In the App field, select the application that needs to be allowed. In this example, select Work-OA.
Set Action Option to Permit andclick Save. (4) Click App、User、Effective Time to expand. In the App field, select the application that needs to be blocked, and click Save.












(4)

Repeat the preceding steps to configure a security policy for theboss IP address.
2. Configure security policies


1. Set a name for the security policy. In this example, the name is for boss.
2. In the Policy Group field, select Default Policy Group.You can select a custom policy group as required.
3. In the Priority field, select for all staff and Before to ensure this security policy for the boss IP address has a higher priority.
4. Select boss in the Src. Address field, and any in the Dest. Address field.
Note: The Src. Security Zone/Interface and Dest. Security Zone/Interface fields are optional. In this example, Trust and Untrust are selected.
5. Select any for other parameters, set Action Option to Permit to allow traffic from the boss IP address to pass through. Click Save.



6 Verification
After the configuration is complete, two security policies will be displayed: one allows traffic from the boss’s IP addresses, while the other restricts employee access to the allowed application. The for boss policy has a higher priority.