Contents

Policy Settings

References > Policy Settings

---

---

From "Policy Settings" in the navigation menu, you can view and configure security policies for devices and the UnAuth Group.
You can also view and add actions from this menu.

About Security Policies

Each security policy consists of the following attributes.

• Network
  A tagged VLAN to which devices are assigned to.
  If the registered device is connected to the AMF Member (Edge Node), TQ of the AMF Application Proxy, it is connected to the VLAN subnet configured in the network.
  If the network is not registered on the device, it is connected to the VLAN configured on the edge node.
  AMF Security mini achieved this VLAN assignment by instructing the switch to add VLAN tags with the specified VLAN ID when the switch forwards packets from the device out of their upstream port.
  

  Note

  If a device can access untagged VLAN, depending on the switch settings, the device may be able to connect to devices on the control plane.

  Note

  If the device with the MAC Address is connected to the TQ of the AMF Application Proxy, it depends on the TQ settings. Refer to Quick Tour's What is AMF Security mini > TQ's AMF Application Proxy/Behavior when using TQ dynamic VLAN.

  
  
• Location
  A physical location where a device can access the network.
  If you specify a Location for the device, connection is possible only from the edge node registered in the location.
  If you do not specify a Location, a device can access the network from any switches.
  
  
• Schedule
  A time period during a device can access the network (Start Date / Time, and End Date / Time).
  If you specify a Schedule for a device, the device can access the network only when the schedule is effective. If you do not specify a schedule, a device can always access the network.
  

When a device has multiple security policies attached, a matching policy with the lowest priority value is used.

When a security policy has a specific schedule, AMF Security mini determines what action to take based on the date/time when a device gets connected.
This section describes an example in which the security policies shown in the following table:

Table 1: A security policy for a registered device

Priority	Schedule Start Date / Time	Schedule End Date / Time	Network
10	20XX-04-01 00:00:00	20XX-09-30 23:59:59	VLAN10
20	20XX-01-01 00:00:00	20XX-12-31 23:59:59	VLAN20

When a device gets connected to a network at "20XX-03-30 10:00:00", the device is assigned to the VLAN20 because it matches the security policy with the priority value of 20.
As the time goes on, the device is re-assigned to the VLAN10 at "20XX-04-01 00:00:00" because the time suddenly goes into the valid range of the security policy with the higher priority value of 10.

About the start date and time and end date and time of the schedule

The Start Date / Time and End Date / Time to be set are the date and time of the timezone currently set on the System Settings > Date / Time Settings page.
If the timezone is changed after registering the schedule, the Start Date / Time and End Date / Time of the schedule is changed according to the changed timezone.

As an example, if you register the schedule with the timezone set to "UTC" and then change the timezone to "Asia/Tokyo", the Start Date / Time of the schedule is "UTC + 9 hours".

Table 2: Set the following with the timezone set to "UTC"

Schedule Start Date / Time	Schedule End Date / Time
20XX-04-01 08:00:00	20XX-09-30 23:59:59

Table 3: Timezone changed from "UTC" to "Asia / Tokyo"

Schedule Start Date / Time	Schedule End Date / Time
20XX-04-01 17:00:00	20XX-10-01 08:59:59

Therefore, when performing operations related to schedule settings such as the following, make sure that the timezone used is set in advance.

• Add / update schedule in "Policy Settings"
  
• Export / Import Authentication Data on the System Settings > System Information page
  
• Registration of Authentication Data by AMF Security mini linked application (API)
  

Note

The system settings exported on the System Settings > System Information page include timezone settings. Since the initial setting of the time zone of AMF Security mini is "UTC", import the backed up system settings and authentication data in the following order after initializing AMF Security mini or after a new installation. (1) Import "System Settings" (2) Restarting AMF Security mini instance (stop and start) (3) Import of "Authentication Data"
Refer to the AlliedWare Plus device manual for the setting method.

Network List

This page shows a list of Networks.

Table 4: Target columns for search and sort operations

Item Name	Search	Sort
Network ID	×	×
VLAN ID	×	×
Note	×	×

Table 5: Displayed columns

Item Name	Description
Network ID	ID (Name) of the network. When clicked, the Update Network page for the Network is displayed.
VLAN ID	VLAN ID for the network.
Note	Arbitrary string (comment) for the network.

Table 6: Buttons

Item Name	Description
Page Top
Add Network	Open the Add Network page.
Export to CSV	Start downloading of a list of networks in CSV format.
Network List
Heading Row
Delete Selected	Delete all the checked networks.
Each Row
Edit	Open the Update Network page.
Delete	Delete the network.

Note

Refer to Appendix > CSV File for CSV Files.

Add Network

This page lets you create a new network with its VLAN ID.
Networks are used for specifying which VLAN to put an allowed device in.
AMF Security mini achieves this by telling switches to add appropriate VLAN tags to the packet originating from the allowed devices.

Table 7: Configurable fields

Item Name	Description
Network ID (Mandatory)	ID (Name) of the network. Network ID must be unique. Max 255 characters
VLAN ID (Mandatory)	A VLAN ID for the network. You cannot specify a VLAN ID which is already assigned to another network. If you specify VLAN ID 0, VLAN tag is not added for the network. This is the same as the network is not specified in a policy. VLAN ID must be in the range of 0 to 4094.
Note	Arbitrary string (comment) for the network. Max 255 characters.

Table 8: Buttons

Item Name	Description
Page Bottom
Submit	Add a new network with the input data.
Cancel	Cancel the operation for adding a new network.

Update Network

This page lets you update the information of an existing network.

Table 9: Configurable fields

Item Name	Description
Network ID (Mandatory)	ID (Name) of the network. Network ID must be unique. Max 255 characters
VLAN ID (Mandatory)	A VLAN ID for the network. If you specify VLAN ID 0, VLAN tag is not added for the network. This is the same as the network is not specified in a policy. VLAN ID must be in the range of 0 to 4094.
Note	Arbitrary string (comment) for the network. Max 255 characters.

Table 10: Buttons

Item Name	Description
Page Bottom
Submit	Update information of the network with the input data.
Cancel	Cancel the operation for updating the network.

Location List

This page shows a list of Locations.

Table 11: Target columns for search and sort operations

Item Name	Search	Sort
Location ID	×	×
Note	×	×
Number of Switches	×	×

Table 12: Displayed columns

Item Name	Description
Location ID	ID (Name) of the location. When clicked, the Update Location page for the location is displayed.
Note	Arbitrary string (comment) for the location.
Number of Switches	The number of AMF Members registered at the location.

Table 13: Buttons

Item Name	Description
Page Top
Add Location	Open the Add Location page.
Export to CSV	Start downloading of a list of locations in CSV format.
Location List
Heading Row
Delete Selected	Delete all the checked locations.
Each Row
Edit	Open the Update Location page for the location.
Delete	Delete the location.

Note

Refer to Appendix > CSV File for CSV Files.

Add Location

This page lets you add a new Location and associate the AMF Members with the location.
If you specify an added Location for a device, the device can access the network only from the AMF Members associated with the location.

Table 14: Configurable fields

Item Name	Description
Location ID (Mandatory)	ID (Name) of the location. Location ID must be unique. Max 255 characters
Note	Arbitrary string (comment) for the location. Max 255 characters.
OpenFlow Switches / AMF Members	List of the AMF Members associated with the location.

Table 15: Displayed columns

Item Name	Description
OpenFlow Switches / AMF Members
Switch ID	ID (Name) of the AMF Members associated with the location.
Datapath ID	Not supported in this version.
Note	Arbitrary string (comment) for the AMF Member.

Table 16: Buttons

Item Name	Description
OpenFlow Switches / AMF Members
Select	Open the OpenFlow Switches / AMF Members dialog.
Page Bottom
Submit	Add a new location with the input information on this page and subordinate dialogs by committing the information for the newly added location.
Cancel	Cancel the operation for updating the list of switches which belong to the location.

OpenFlow Switches / AMF Members

This dialog lets you associate or dissociate the AMF Members with the location.
This page displays a list of the AMF members registered in the Switches > AMF Member List page.
By checking the box at the left end of the AMF Member list, the AMF member is added to the location.

Table 17: Displayed columns

Item Name	Description
Switch ID	Name of a registered the AMF Member.
Datapath ID	Not supported in this version.
Note	Arbitrary string (comment) for the AMF Member.

Table 18: Buttons

Item Name	Description
Bottom of the dialog
Submit	Add the checked the AMF Members to the location.
Cancel	Cancel the operation on the list of the AMF Members in the location.

Update Location

This page lets you update the information of an existing location.

Table 19: Configurable fields

Item Name	Description
Location ID (Mandatory)	ID (Name) of the location. Location ID must be unique. Max 255 characters
Note	Arbitrary string (comment) for the location. Max 255 characters.
OpenFlow Switches / AMF Members	List of the AMF Members associated with the location.

Table 20: Displayed columns

Item Name	Description
OpenFlow Switches / AMF Members
Switch ID	ID (Name) of the AMF Members associated with the location.
Datapath ID	Not supported in this version.
Note	Arbitrary string (comment) for the AMF Member.

Table 21: Buttons

Item Name	Description
OpenFlow Switches / AMF Members
Select	Open the OpenFlow Switches / AMF Members dialog.
Page Bottom
Submit	Update the location.
Cancel	Cancel the operation for updating the location.

OpenFlow Switches / AMF Members

This dialog lets you associate or dissociate the AMF Members with the location.
This page displays a list of the AMF members registered in the Switches > AMF Member List page.
By checking the box at the left end of the AMF Member list, the AMF member is added to the location.

Table 22: Displayed columns

Item Name	Description
Switch ID	Name of a registered the AMF Member.
Datapath ID	Not supported in this version.
Note	Arbitrary string (comment) for the AMF Member.

Table 23: Buttons

Item Name	Description
Bottom of the dialog
Submit	Add the checked the AMF Members to the location.
Cancel	Cancel the operation for updating the list of switches which belong to the location.

Schedule List

This page shows a list of Schedules.

Note

The Start Date / Time and End Date / Time to be set are the date and time of the timezone currently set on the System Settings > Date / Time Settings page.
For details, refer to Policy settings > About the start date and time and end date and time of the schedule.

Table 24: Target columns for search and sort operations

Item Name	Search	Sort
Schedule ID	×	×
Start Date / Time	×	×
End Date / Time	×	×
Note	×	×

Table 25: Displayed columns

Item Name	Description
Schedule ID	ID (Name) of the schedule. When clicked, the Update Schedule page for the schedule is displayed.
Start Date / Time	The beginning of the time range during a device is allowed to connect to the network. This can be also used as a condition for detecting unauthenticated devices with the UnAuth Group.
End Date / Time	The end of the time range during a device is allowed to connect to the network. This can be also used as a condition for detecting unauthenticated devices with the UnAuth Group.
Note	Arbitrary string (comment) for the schedule.

Table 26: Buttons

Item Name	Description
Page Top
Add Schedule	Open the Add Schedule page.
Export to CSV	Start downloading of a list of schedules in CSV format.
Schedule List
Heading Row
Delete Selected	Delete all the checked schedules.
Each Row
Edit	Open the Update Schedule page.
Delete	Delete the schedule.

Note

Refer to Appendix > CSV File for CSV Files.

Add Schedule

This page lets you add a new schedule.
You can control when devices can access the network by specifying schedules in security policies.

Table 27: Configurable fields

Item Name	Description
Schedule ID (Mandatory)	ID (Name) of the schedule. Schedule ID must be unique. Max 255 characters
Start Date / Time	The beginning of the time range during a registered device or a device in the UnAuth Group is allowed to connect to the network. Date / Time can be selected using calendar controls or entered manually. When you enter them manually, use the format "YYYY-mm-dd" for date and "HH:MM:SS" for time.
End Date / Time	The end of the time range during a registered device or a device in the UnAuth Group is allowed to connect to the network. Date / Time can be selected using calendar controls or entered manually. When you enter them manually, use the format "YYYY-mm-dd" for date and "HH:MM:SS" for time.
Note	Arbitrary string (comment) for the schedule. Max 255 characters.

◼ Calendar Controls

• Date
  

  

• Time
  

  

  Note

  Day of the week cannot be specified.

Table 28: Buttons

Item Name	Description
Page Bottom
Submit	Add a new schedule.
Cancel	Cancel the operation for adding a new schedule.

Update Schedule

This page lets you update information of an existing schedule.

Table 29: Configurable fields

Item Name	Description
Schedule ID (Mandatory)	ID (Name) of the schedule. Schedule ID must be unique. Max 255 characters
Start Date / Time	The beginning of the time range during a registered device or a device in the UnAuth Group is allowed to connect to the network. Date / Time can be selected using calendar controls or entered manually. When you enter them manually, use the format "YYYY-mm-dd" for date and "HH:MM:SS" for time.
End Date / Time	The end of the time range during a registered device or a device in the UnAuth Group is allowed to connect to the network. Date / Time can be selected using calendar controls or entered manually. When you enter them manually, use the format "YYYY-mm-dd" for date and "HH:MM:SS" for time.
Note	Arbitrary string (comment) for the schedule. Max 255 characters.

◼ Calendar Controls

• Date
  

  

• Time
  

  

Table 30: Buttons

Item Name	Description
Page Bottom
Submit	Update the schedule.
Cancel	Cancel the operation for updating the schedule.

Action List

This page shows a list of actions such as Block and Quarantine which are being executed on the Device > Active Device List page or at the request of external applications.

You can also unblock devices by deleting actions on this page.

Note

To unblock an AMF Security mini reported suspected device in an AMF Application Proxy environment, use this page to delete a corresponding action. Refer to Quick Tour's What is AMF Security mini > What is the AMF Application Proxy for more details on the AMF Application Proxy.

Table 31: Target columns for search and sort operations

Item Name	Search	Sort	Note
Action ID	×	×
Priority	×	×
Condition	△*	×	* Only the strings after "mac=", "ip=", "device-name=", "tag=", "location=", "switch=" and "network=" can be matched.
Action (OpenFlow, TQ/AMF)	△ *1	△*2	*1 Only the strings after "Pass(Permit) ->", "Drop(Block) ->", "Quarantine ->" and "Log-Only ->" can be matched. AMF Action after them cannot be matched. *2 Sorted in the order of "Pass(Permit)", "Drop(Block)", "Quarantine" and "Log-Only". Sort by the AMF Action is not supported.
Requester	×	×
Reason	×	×

Table 32: Displayed columns

Item Name	Description
Action ID	ID (Name) of the action. It is automatically assigned if unspecified. When clicked, the Action Detail page for the action is displayed.
Priority	Priority of the action. Smaller number has higher priority. Thus the matching action with the smaller priority value is executed.
Condition	Trigger condition of the action.
Action (OpenFlow, TQ/AMF)	Action OpenFlow/TQ Action (Pass(Permit), Quarantine, Drop(Block) and Log-Only) and AMF Action (Quarantine, Drop Packets, Link-Down and IP-Filter) are displayed.
Requester	Name or identifier of the system which runs the action. "Sesc.action" indicates the action operated by AMF Security mini, and "sesc.trap.XXX" indicates the action from the linked application (XXX is different depending on the linked application).
Reason	Reason why the action is triggered.

Table 33: Buttons

Item Name	Description
Page Top
Add Action	Open the Add Action page.
Export to CSV	Start downloading of a list of actions in CSV format.
Refresh	Refresh the Action List page.
Action List
Heading Row
Delete Selected	Delete all the checked actions.
Each Row
Delete	Delete the action.

Note

Refer to Appendix > CSV File for CSV Files.

Add Action

This page lets you add a new action.

Table 34: Configurable fields

Item Name	Description
Action ID (Mandatory)	ID (Name) of the action. Action ID must be unique. Max 255 characters
Priority	Priority of the action. It must be an integer between 1 and 65535. Smaller number has higher priority. Thus the matching action with the smaller priority value is executed. Priority value is set to 10 if it is unspecified.
Reason	Administrative comment such as a reason for running this action. Max 255 characters
Condition
Device MAC Address	Unicast MAC Address of the target device. Valid formats are as follows xx:xx:xx:xx:xx:xx, xx-xx-xx-xx-xx-xx, xxxx.xxxx.xxxx
Device IPv4 Address	Unicast IPv4 Address of the target device.
Device	Device ID of the target device. Maximum 100 device IDs are shown in the dropdown list. If you enter text in the field, device IDs in the dropdown list are dynamically filtered to the ones which contain the input text in Device ID, Tag or Note (it shows maximum 100 elements). From the dropdown list, select a Device ID for the device.
Device Tag	Device Tag of the target device.
Action
OpenFlow/TQ Action	An action of TQ's AMF Application Proxy to be applied to the target device. Pass(Permit): Permit traffic from the device. Quarantine: Move the device to the quarantine network. Drop(Block): Block traffics from the device. Log-Only: Permit traffic from the device and record a log.
Pass/Quarantine VLAN ID	A VLAN ID on which the device is allowed to transmit packets.
AMF Action	An action to be taken on the AMF network deploying AW+ AMF Application Proxy. AMF Dependency: AMF Security mini does not specify an action and lets AMF devices determine its action. Quarantine: Move the device to the quarantine VLAN. Drop Packets: Block traffics from the device at the layer two (MAC) level. Link-Down: Shutdown the port where the device is connected. IP-Filter: Block traffics from the device at the layer 3 (IP) level. Log-Only: AMF Security mini does not specify an action and records the device information.

Table 35: Buttons

Item Name	Description
Page Bottom
Submit	Add a new action with the input data.
Cancel	Cancel the operation for adding a new action.

Action Detail

This page shows detailed information about the action.

Table 36: Displayed columns

Item Name	Description
Action ID	ID (Name) of the action. It is automatically assigned if unspecified.
Priority	Priority of the action. Smaller number has higher priority. Thus the matching action with the smaller priority value is executed.
Reason	Reason why the action is triggered.
Condition
Device MAC Address	Unicast MAC Address of the target device.
Action
OpenFlow/TQ Action	An action of TQ's AMF Application Proxy to be applied to the target device. Pass(Permit): Permit traffic from the device. Quarantine: Move the device to the quarantine network. Drop(Block): Block traffics from the device. Log-Only: Permit traffic from the device and record a log.
Pass/Quarantine VLAN ID	A VLAN ID on which the device is allowed to transmit packets. This item is displayed when the OpenFlow/TQ Action is Pass(Permit) and Quarantine.
AMF Action	An action to be taken on the AMF network deploying AW+ AMF Application Proxy. AMF Dependency: AMF Security mini does not specify an action and lets AMF devices determine its action. Quarantine: Move the device to the quarantine VLAN. Drop Packets: Block traffics from the device at the layer two (MAC) level. Link-Down: Shutdown the port where the device is connected. IP-Filter: Block traffics from the device at the layer 3 (IP) level. Log-Only: AMF Security mini does not specify an action and records the device information.

Table 37: Buttons

Item Name	Description
Page Top
Back	Go back to the Action List page.

---

(C) 2022 Allied Telesis, Inc. All rights reserved.

C613-04132-00 Rev A

12 Jul 2022 15:30