Contents

Policy Settings

References > Policy Settings

---

---

From the "Policy Settings" in the navigation menu, you can view and configure security policies for devices and UnAuth groups.
You can also view and add actions from this menu.

Each security policy consists of the following attributes.

• Network
  A tagged VLAN to which devices are assigned to.
  A registered device is assigned to the VLAN subnet specified by a Network attribute of the matched security policy when the device gets connected to the AMF Member (Edge Node).
  If the network is not registered on the device, it is connected to the VLAN configured on the edge node.
  AMF Security mini achieved this VLAN assignment by instructing the switch to add VLAN tags with the specified VLAN ID when the switch forwards packets from the device out of their upstream port.
  

  Note

  If the VLAN set in the AMF Member is accessible, the device may be able to connect to the equipment on the control plane depending on the switch settings.

  
  
• Location
  A physical location from which a device can access the network.
  If you specify a Location for the device, connection is possible only from the AMF Member (edge node) registered in the location.
  If you do not specify a Location, a device can access the network from any switches.
  
  
• Schedule
  A time period during which a device can access the network (Start/End date/time).
  If you specify a Schedule for a device, the device can access the network only when the schedule is effective. If no Schedule is selected, it is always accessible.
  

When a device has multiple security policies attached, a matching policy with the lowest priority value is used.

When a security policy has a specific schedule, AMF Security mini determines what action to take based on the date/time when a device gets connected.
This section describes an example in which the security policies shown in the following table:

Table 1: A security policy for a registered device

Priority	Schedule Start Date / Time	Schedule End Date / Time	Network
10	20XX-04-01 00:00:00	20XX-09-30 23:59:59	VLAN10
20	20XX-01-01 00:00:00	20XX-12-31 23:59:59	VLAN20

When a device gets connected to a network at "20XX-03-30 10:00:00", the device is assigned to the VLAN20 because it matches the security policy with the priority value of 20.
As the time goes on, the device is re-assigned to the VLAN10 at "20XX-04-01 00:00:00" because the time suddenly goes into the valid range of the security policy with the higher priority value of 10.

Network List

This page shows a list of Networks.

Table 2: Target columns for search and sort operations

Item Name	Search	Sort
Network ID	×	×
VLAN ID	×	×
Note	×	×

Table 3: Displayed columns

Item Name	Description
Network ID	ID (Name) of the network. When clicked, the Update Network page for the Network is displayed.
VLAN ID	VLAN ID for the network.
Note	Arbitrary string (comment) for the network.

Table 4: Buttons

Item Name	Description
Page Top
Add Network	Open the Add Network page.
Export to CSV	Start downloading of a list of networks in CSV format.
Network List
Heading Row
Delete Selected	Delete all the checked networks.
Each Row
Edit	Open the Update Network page.
Delete	Delete the network.

Note

Refer to CSV File in Appendix for CSV Files.

Add Network

This page lets you create a new network with its VLAN ID.
Networks are used for specifying which VLAN to put an allowed device in.
AMF Security mini achieves this by telling switches to add appropriate VLAN tags to the packet originating from the allowed devices.

Table 5: Sample Configuration Data

Item Name	Description
Network ID (Mandatory)	ID (Name) of the network. Network ID must be unique. Max 255 characters
VLAN ID (Mandatory)	A VLAN ID for the network. You cannot specify a VLAN ID which is already assigned to another network. If you specify VLAN ID 0, VLAN tag is not added for the network. This is the same as the network is not specified in a policy. VLAN ID must be in the range of 0 to 4094.
Note	Arbitrary string (comment) for the network. Max 255 characters.

Table 6: Buttons

Item Name	Description
Page Bottom
Submit	Add a new network with the input data.
Cancel	Cancel the operation for adding a new network.

Update Network

This page lets you update the information of an existing network.

Table 7: Configurable fields

Item Name	Description
Network ID (Mandatory)	ID (Name) of the network. Network ID must be unique. Max 255 characters
VLAN ID (Mandatory)	A VLAN ID for the network. If you specify VLAN ID 0, VLAN tag is not added for the network. This is the same as the network is not specified in a policy. VLAN ID must be in the range of 0 to 4094.
Note	Arbitrary string (comment) for the network. Max 255 characters.

Table 8: Buttons

Item Name	Description
Page Bottom
Submit	Update information of the network with the input data.
Cancel	Cancel the operation for updating the network.

Location List

This page shows a list of Locations.

Table 9: Target columns for search and sort operations

Item Name	Search	Sort
Location ID	×	×
Note	×	×
Number of Switches	×	×

Table 10: Displayed columns

Item Name	Description
Location ID	ID (Name) of the location. When clicked, the Update Location page for the location is displayed.
Note	Arbitrary string (comment) for the location.
Number of Switches	The number of AMF Members registered at the location.

Table 11: Buttons

Item Name	Description
Page Top
Add Location	Open the Add Location page.
Export to CSV	Start downloading of a list of networks in CSV format.
Location List
Heading Row
Delete Selected	Delete all the checked locations.
Each Row
Edit	Open the Update Location page for the location.
Delete	Delete the location.

Note

Refer to CSV File in Appendix for CSV Files.

Add Location

This page lets you add a new Location and associate the AMF Members with the location.
If you specify an added Location for a device, the device can access the network only from the AMF Members associated with the location.

Table 12: Configurable fields

Item Name	Description
Location ID (Mandatory)	ID (Name) of the location. Location ID must be unique. Max 255 characters
Note	Arbitrary string (comment) for the location. Max 255 characters.
OpenFlow Switches / AMF Members	List of the AMF Members associated with the location.

Table 13: Displayed columns

Item Name	Description
OpenFlow Switches / AMF Members
Switch ID	ID (Name) of the AMF Members associated with the location.
Datapath ID	Not supported in this version.
Note	Arbitrary string (comment) for the AMF Member.

Table 14: Buttons

Item Name	Description
OpenFlow Switches / AMF Members
Select	Open the OpenFlow Switches / AMF Members dialog.
Page Bottom
Submit	Add a new location with the input information on this page and subordinate dialogs by committing the information for the newly added location.
Cancel	Cancel the operation for updating the list of switches which belong to the location.

OpenFlow Switches / AMF Members

This dialog lets you associate or dissociate the AMF Members with the location.
This page displays a list of the AMF members registered in the Switches > AMF Member List page.
By checking the box at the left end of the AMF Member list, the AMF member is added to the location.

Table 15: Displayed columns

Item Name	Description
Switch ID	Name of a registered the AMF Member.
Datapath ID	Not supported in this version.
Note	Arbitrary string (comment) for the AMF Member.

Table 16: Buttons

Item Name	Description
Page Bottom
Submit	Add the checked the AMF Members to the location.
Cancel	Cancel the operation on the list of the AMF Members in the location.

Update Location

This page lets you update the information of an existing location.

Table 17: Configurable fields

Item Name	Description
Location ID (Mandatory)	ID (Name) of the location. Location ID must be unique. Max 255 characters
Note	Arbitrary string (comment) for the location. Max 255 characters.
OpenFlow Switches / AMF Members	List of the AMF Members associated with the location.

Table 18: Displayed columns

Item Name	Description
OpenFlow Switches / AMF Members
Switch ID	ID (Name) of the AMF Members associated with the location.
Datapath ID	Not supported in this version.
Note	Arbitrary string (comment) for the AMF Member.

Table 19: Buttons

Item Name	Description
OpenFlow Switches / AMF Members
Select	Open the OpenFlow Switches / AMF Members dialog.
Page Bottom
Submit	Update the location.
Cancel	Cancel the operation for updating the location.

OpenFlow Switches / AMF Members

This dialog lets you associate or dissociate the AMF Members with the location.
This page displays a list of the AMF members registered in the Switches > AMF Member List page.
By selecting or deselecting the AMF Members using the checkboxes, they can be added to or removed from the location.

Table 20: Displayed columns

Item Name	Description
Switch ID	Name of a registered the AMF Member.
Datapath ID	Not supported in this version.
Note	Arbitrary string (comment) for the AMF Member.

Table 21: Buttons

Item Name	Description
Page Bottom
Submit	Add the checked the AMF Members to the location.
Cancel	Cancel the operation for updating the list of switches which belong to the location.

Schedule List

This page shows a list of Schedules.

Table 22: Target columns for search and sort operations

Item Name	Search	Sort
Schedule ID	×	×
Start Date / Time	×	×
End Date / Time	×	×
Note	×	×

Table 23: Displayed columns

Item Name	Description
Schedule ID	ID (Name) of the schedule. When clicked, the Update Schedule page for the schedule is displayed.
Start Date / Time	The beginning of the time range during which a device is allowed to connect to the network. This can be also used as a condition for detecting unauthenticated devices with an UnAuth Group.
End Date / Time	The end of the time range during which a device is allowed to connect to the network. This can be also used as a condition for detecting unauthenticated devices with an UnAuth Group.
Note	Arbitrary string (comment) for the schedule.

Table 24: Buttons

Item Name	Description
Page Top
Add Schedule	Open the Add Schedule page.
Export to CSV	Start downloading of a list of schedules in CSV format.
Schedule List
Heading Row
Delete Selected	Delete all the checked schedules.
Each Row
Edit	Open the Update Schedule page.
Delete	Delete the schedule.

Note

Refer to CSV File in Appendix for CSV Files.

Add Schedule

This page lets you add a new schedule.
You can control when devices can access the network by specifying schedules in security policies.

Table 25: Configurable fields

Item Name	Description
Schedule ID (Mandatory)	ID (Name) of the schedule. Schedule ID must be unique. Max 255 characters
Start Date / Time	The beginning of the time range during which a registered device or a device in an UnAuth group is allowed to connect to the network. Date / Time can be selected using calendar controls or entered manually. When you enter them manually, use the format "YYYY-mm-dd" for date and "HH:MM:SS" for time.
End Date / Time	The end of the time range during which a registered device or a device in an UnAuth group is allowed to connect to the network. Date / Time can be selected using calendar controls or entered manually. When you enter them manually, use the format "YYYY-mm-dd" for date and "HH:MM:SS" for time.
Note	Arbitrary string (comment) for the schedule. Max 255 characters.

◼ Calendar Controls

• Date
  

  

• Time
  

  

  Note

  Day of the week cannot be specified.

Table 26: Buttons

Item Name	Description
Page Bottom
Submit	Add a new schedule.
Cancel	Cancel the operation for adding a new schedule.

Update Schedule

This page lets you update information of an existing schedule.

Table 27: Configurable fields

Item Name	Description
Schedule ID (Mandatory)	ID (Name) of the schedule. Schedule ID must be unique. Max 255 characters
Start Date / Time	The beginning of the time range during which a registered device or a device in an UnAuth group is allowed to connect to the network. Date / Time can be selected using calendar controls or entered manually. When you enter them manually, use the format "YYYY-mm-dd" for date and "HH:MM:SS" for time.
End Date / Time	The end of the time range during which a registered device or a device in an UnAuth group is allowed to connect to the network. Date / Time can be selected using calendar controls or entered manually. When you enter them manually, use the format "YYYY-mm-dd" for date and "HH:MM:SS" for time.
Note	Arbitrary string (comment) for the schedule. Max 255 characters.

◼ Calendar Controls

• Date
  

  

• Time
  

  

Table 28: Buttons

Item Name	Description
Page Bottom
Submit	Update the schedule.
Cancel	Cancel the operation for updating the schedule.

Action List

This page shows a list of actions such as Block and Quarantine which are being executed on the Device > Active Device List page or at the request of external applications.

You can also unblock devices by deleting actions on this page.

Note

To unblock an AMF Security mini-reported suspected device in an AMF Application Proxy environment, use this page to delete a corresponding action. Refer to Quick Tour's What is AMF Security mini > What is the AMF Application Proxy for more details on the AMF Application Proxy.

Table 29: Target columns for search and sort operations

Item Name	Search	Sort	Note
Action ID	×	×
Priority	×	×
Condition	△*	×	* Only the strings after "mac=", "ip=", "device-name=", "tag=", "location=", "switch=" and "network=" can be matched.
Action (OpenFlow/AMF)	×	×
Requester	×	×
Reason	×	×

Table 30: Displayed columns

Item Name	Description
Action ID	ID (Name) of the action. It is automatically assigned if unspecified. When clicked, the Action Detail page for the action is displayed.
Priority	Priority of the action. Smaller number has higher priority. Thus the matching action with the smaller priority value is executed.
Condition	Trigger condition of the action.
Action (OpenFlow/AMF)	Action AMF Action (AMF Dependency, Quarantine, Drop Packets, Link-Down and IP-Filter) are displayed.
Requester	Display the system (sesc or cooperative application) for which the action is set.
Reason	Reason why the action is triggered.

Table 31: Buttons

Item Name	Description
Page Top
Add Action	Open the Add Action page.
Export to CSV	Start downloading of a list of actions in CSV format.
Refresh	Refresh the Action List page.
Action List
Heading Row
Delete Selected	Delete all the checked actions.
Each Row
Delete	Delete the action.

Note

Refer to CSV File in Appendix for CSV Files.

Add Action

This page lets you add a new action.

Table 32: Configurable fields

Item Name	Description
Action ID (Mandatory)	ID (Name) of the action. Action ID must be unique. Max 255 characters
Priority	Priority of the action. It must be an integer between 1 and 65535. Smaller number has higher priority. Thus the matching action with the smaller priority value is executed. Priority value is set to 10 if it is unspecified.
Reason	Administrative comment such as a reason for running this action. Max 255 characters
Condition
Device MAC Address	Unicast MAC address of the target device. Valid formats are as follows xx:xx:xx:xx:xx:xx, xx-xx-xx-xx-xx-xx, xxxx.xxxx.xxxx
Device IPv4 Address	Unicast IPv4 address of the target device.
Device	Device ID of the target device. Maximum 100 device IDs are shown in the drop-down list. If you enter text in the field, device IDs in the drop-down list are dynamically filtered to the ones which contain the input text in Device ID, Tag or Note (it shows maximum 100 elements). From the drop-down list, select a Device ID for the device.
Device Tag	Device Tag of the target device.
Action
AMF Action	An action to be taken on the AMF network deploying the AMF Application Proxy feature. AMF Dependency: AMF Security mini does not specify an action and lets AMF devices determine its action. Quarantine: Move the port where the device is connected to the quarantine VLAN. Drop Packets: Block traffic from the device at the layer two (MAC) level. Link-Down: Shutdown the port where the device is connected. IP-Filter: Block traffic from the device at the layer 3 (IP) level. Log-Only: AMF Security mini does not specify an action and records the device information.

Table 33: Buttons

Item Name	Description
Page Bottom
Submit	Add a new action with the input data.
Cancel	Cancel the operation for adding a new action.

Action Detail

This page shows detailed information about the action.

Table 34: Displayed columns

Item Name	Description
Action ID	ID (Name) of the action. It is automatically assigned if unspecified.
Priority	Priority of the action. Smaller number has higher priority. Thus the matching action with the smaller priority value is executed.
Reason	Reason why the action is triggered.
Condition
Device MAC Address	Unicast MAC address of the target device.
Action
AMF Action	An action to be taken on the AMF network deploying the AMF Application Proxy feature. AMF Dependency: AMF Security mini does not specify an action and lets AMF devices determine its action. Quarantine: Move the port where the device is connected to the quarantine VLAN. Drop Packets: Block traffic from the device at the layer two (MAC) level. Link-Down: Shutdown the port where the device is connected. IP-Filter: Block traffic from the device at the layer 3 (IP) level. Log-Only: AMF Security mini does not specify an action and records the device information.

Table 35: Buttons

Item Name	Description
Page Top
Back	Go back to the Action List page.

---

(C) 2020 Allied Telesis, Inc. All rights reserved.

C613-04087-00 Rev A

18 Jan 2021 10:56