Forgot password?
 Register now

Welcome to use this form to feedback your problems with Ruijie Community

The category of your feedback

Your Feedback

Your Email address (optional):

How to configuring security policies for the DHCP address pool on the firewall? Reply

GTAC-Sophia

Level 5

Ruijie Staff

How to configuring security policies for the DHCP address pool on the firewall?
67 0 2024-10-21 18:58:02
Original
1 Device Modeland Firmware
  Device  Type    Device  Model    Firmware  Version  
  NGFW    RG-WALL 1600-Z-S series firewalls    All NGFW_NTOS1.0 versions  
In the office network shown in Figure 1-1, a firewall is deployed in router mode at the egress of the internal network and functions as a DHCP server to distribute IP addresses to users. The employee IP addresses are subject to policies that restrict their Internet access while theboss’s IP address is excluded from such restrictions. Both the boss and employees receive their IP addresses from the same DHCP address pool. Configure the following security policies to meet the following requirements:
Implement policies to ensure that employee IP addresses can only access approved applications, such as the office OA, whilethe boss’s IP address is not subject to any limitations.
3 Topology





4. Configuration Roadmap
  • To prevent the boss's IP address from being mistakenly blocked by apolicy, configure it as a static IP address on the DHCP server.
  • Create two security policies to permit all traffic from the boss’ IP address and restrict traffic from other IP addresses.
  • Set a high priority for the security policy that permits traffic from the boss’ IP address.
5. Configuration Procedure
5.1 Configuring Static IP Allocation
(1) Choose Network > DHCP > DHCP Server. Onthe DHCP Service List page that is displayed, click Create to create a DHCP server.



(2) On the Create DHCP Service page, configure basic information of the DHCP server, as shown in the following figure.
a. Enter a name for the DHCPserver. In this example, the name is test.
b.  In the Interface field,use the interface Ge0/0 on the firewall.
c. Configure the IP assignment range based on your actual needs. In this example, it is set to 192.168.1.0/24.Once the configuration is complete, click Advanced to access the advanced settings.



(3) In the Advanced pane, enter the boss’s IP address and MAC address in the Binding Host MAC field for IP-MAC binding. Click Save.
In this example, the IP address 192.168.1.2 is bound to the boss host’s MAC address d8:9e:f3:3f:d5:64 for static IP assignment.



(4) After the configuration is saved, the DHCP Server toggleswitch is automatically on. If it is off, manually toggle it on.



5.2 Configuring Security Policies
1. Configure IP service address objects
(1) Choose Object > Address > IPv4 Address toaccess the Object configuration page. Click Create to create anemployee IP address object.



(2) On the Add IPv4 Address Object page, configure an employee IPaddress object named all staff, as shown in the following figure. Enterthe IP range in the IP Address/Range box, and click Save.



(3) On the Add IPv4 Address Object page, configure a boss IPaddress object named boss, as shown in the following figure. Enter the192.168.1.2 in the IP Address/Range box, and click Save.



The created IP address objects are displayed on the IPv4 Address page, as shown inthe following figure.



(1) Choose Policy > Security Policy > Security Policy, and then choose Add Policy Group > Create to create a security policy for employee IP addresses.

(2) Read the pop-up window and choose whether to create a policy in the simulation space. In this example, select Create.




(3) On the Create Security Policy page, configure two security policies for employee IP addresses. Configure a security policy for the IPrange first.
Set a policy name for the IP range:
  • Set a name for the security policy. In this example, the name is for all staff.
In the Policy Group field, select Default Policy Group.You can select a custom policy group as required.
  • In the Priority field, select Default Policy and Before.You can select the policy location as required. Policies located at the front take precedence and have a higher matching priority.
  • Select all staff in the Src. Address field, and anyin the Dest. Address field.
Note: The Src. Security Zone/Interfaceand Dest. Security Zone/Interface fields are optional. In this example, Trust and Untrust are selected.
Click App、User、Effective Time to expand. In the App field, select the application that needs to be allowed. In this example, select Work-OA.
Set Action Option to Permit andclick Save. (4) Click App、User、Effective Time to expand. In the App field, select the application that needs to be blocked, and click Save.














(4)

Repeat the preceding steps to configure a security policy for theboss IP address.
2. Configure security policies


1. Set a name for the security policy. In this example, the name is for boss.
2. In the Policy Group field, select Default Policy Group.You can select a custom policy group as required.
3. In the Priority field, select for all staff and Before to ensure this security policy for the boss IP address has a higher priority.
4. Select boss in the Src. Address field, and any in the Dest. Address field.
Note: The Src. Security Zone/Interface and Dest. Security Zone/Interface fields are optional. In this example, Trust and Untrust are selected.
5. Select any for other parameters, set Action Option to Permit to allow traffic from the boss IP address to pass through. Click Save.



6 Verification
After the configuration is complete, two security policies will be displayed: one allows traffic from the boss’s IP addresses, while the other restricts employee access to the allowed application. The for boss policy has a higher priority.


RG-WALL Z Series

Configuration Firewall
There are no replies.
Related Posts
Product Model

Share this topic to

Cancel

This site contains user submitted content, comments and opinions and is for informational purposes only. Ruijie may provide or recommend responses as a possible solution based on the information provided; every potential issue may involve several factors not detailed in the conversations captured in an electronic forum and Ruijie can therefore provide no guarantee as to the efficacy of any proposed solutions on the community forums. Ruijie disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Ruijie Community Terms of Use.

More ways to get help: Visit Support Videos, call us via Service Hotline, Facebook or Live Chat.

©2000-2023 Ruijie Networks Co,Ltd