Contents

Policy Settings

References > Policy Settings

---

---

From "Policy Settings" in the navigation menu, you can view and configure security policies for devices and the UnAuth Group.
You can also view and add actions from this menu.

About Security Policies

Each security policy consists of the following attributes.

• Network
  A tagged VLAN to which devices are assigned to.
  If the registered device is connected to the AMF Member (Edge Node), TQ of the AMF Application Proxy, it is connected to the VLAN subnet configured in the network.
  If the device's security policy does not specify a Network, it is assigned to the untagged VLAN (a subnet without VLAN) on the OpenFlow Switch or the VLAN configured on the Edge Node.
  AMF Security achieved this VLAN assignment by instructing the switch to add VLAN tags with the specified VLAN ID when the switch forwards packets from the device out of their upstream port.
  

  Note

  If a device can access untagged VLAN, depending on the switch settings, the device may be able to connect to devices on the control plane.

  Note

  If the device with the MAC Address is connected to the TQ of the AMF Application Proxy, it depends on the TQ settings. Refer to Quick Tour/What is AMF Security > TQ's AMF Application Proxy/Behavior when using TQ dynamic VLAN.

  
  
• Location
  A physical location where a device can access the network.
  If you specify a Location for a device, the device can access the network only from the OpenFlow Switches or Edge Nodes in the location.
  If you do not specify a Location, a device can access the network from any switches.
  
  
• Schedule
  A time period during a device can access the network (Start Date / Time, and End Date / Time).
  If you specify a Schedule for a device, the device can access the network only when the schedule is effective. If you do not specify a schedule, a device can always access the network.
  A quarantined device may be able to communicate after the configured End Date / Time of a Schedule because a flow lifetime for the Quarantine VLAN precedes the Schedule End Date / Time. The value of "Flow Lifetime" on the System Settings > OpenFlow Settings page is used for this timeout.
  

When a device has multiple security policies attached, a matching policy with the lowest priority value is used.

When a security policy has a specific schedule, AMF Security determines what action to take based on the date and time when a device gets connected.
This section describes an example in which the security policies shown in the following table:

Table 1: A security policy for a registered device

Priority	Schedule Start Date / Time	Schedule End Date / Time	Network
10	20XX-04-01 00:00:00	20XX-09-30 23:59:59	VLAN10
20	20XX-01-01 00:00:00	20XX-12-31 23:59:59	VLAN20

When a device gets connected to a network at "20XX-03-30 10:00:00", the device is assigned to the VLAN20 because it matches the security policy with the priority value of 20.
As the time goes on, the device is re-assigned to the VLAN10 at "20XX-04-01 00:00:00" because the time suddenly goes into the valid range of the security policy with the higher priority value of 10.

About the start date and time and end date and time of the schedule

The Start Date / Time and End Date / Time to be set are the date and time of the timezone currently set on the System Settings > Date / Time Settings page.
If the timezone is changed after registering the schedule, the Start Date / Time and End Date / Time of the schedule is changed according to the changed timezone.

As an example, if you register the schedule with the timezone set to "UTC" and then change the timezone to "Asia/Tokyo", the Start Date / Time of the schedule is "UTC + 9 hours".

Table 2: Set the following with the timezone set to "UTC"

Schedule Start Date / Time	Schedule End Date / Time
20XX-04-01 08:00:00	20XX-09-30 23:59:59

Table 3: Timezone changed from "UTC" to "Asia / Tokyo"

Schedule Start Date / Time	Schedule End Date / Time
20XX-04-01 17:00:00	20XX-10-01 08:59:59

Therefore, when performing operations related to schedule settings such as the following, make sure that the timezone used is set in advance.

• Add / update schedule in "Policy Settings"
  
• Export / Import Authentication Data on the System Settings > System Information page
  
• Registration of Authentication Data by AMF Security linked application (API)
  

Note

The system settings exported on the System Settings > System Information page include timezone settings. The default timezone for AMF Security is UTC. If you want to import the backed up System Settings and Authentication Data after initializing AMF Security or performing a new installation, Import "System Settings"-> Restart AMF Security Application (Stop-> Start)-> Import "Authentication Data".
For more information, refer to the AT-VST-APL document posted on our website.

Network List

This page shows a list of Networks.

Table 4: Target columns for search and sort operations

Item Name	Search	Sort
Network ID	×	×
VLAN ID	×	×
Note	×	×

Table 5: Displayed columns

Item Name	Description
Network ID	ID (Name) of the network. When clicked, the Update Network page for the Network is displayed.
VLAN ID	VLAN ID for the network.
Note	Arbitrary string (comment) for the network.

Table 6: Buttons

Item Name	Description
Page Top
Add Network	Open the Add Network page.
Export to CSV	Start downloading of a list of networks in CSV format.
Network List
Heading Row
Delete Selected	Delete all the checked networks.
Each Row
Edit	Open the Update Network page.
Delete	Delete the network.

Note

Refer to Appendix/CSV File for CSV Files.

Add Network

This page lets you create a new network with its VLAN ID.
Networks are used for specifying which VLAN to put an allowed device in.
AMF Security achieves this by telling switches to add appropriate VLAN tags to the packet originating from the allowed devices.

Table 7: Configurable fields

Item Name	Description
Network ID (Mandatory)	ID (Name) of the network. Network ID must be unique. Max 255 characters
VLAN ID (Mandatory)	A VLAN ID for the network. You cannot specify a VLAN ID which is already assigned to another network. If you specify VLAN ID 0, VLAN tag is not added for the network. This is the same as the network is not specified in a policy. VLAN ID must be in the range of 0 to 4094.
Note	Arbitrary string (comment) for the network. Max 255 characters.

Table 8: Buttons

Item Name	Description
Page Bottom
Submit	Add a new network with the input data.
Cancel	Cancel the operation for adding a new network.

Update Network

This page lets you update the information of an existing network.

Table 9: Configurable fields

Item Name	Description
Network ID (Mandatory)	ID (Name) of the network. Network ID must be unique. Max 255 characters
VLAN ID (Mandatory)	A VLAN ID for the network. If you specify VLAN ID 0, VLAN tag is not added for the network. This is the same as the network is not specified in a policy. VLAN ID must be in the range of 0 to 4094.
Note	Arbitrary string (comment) for the network. Max 255 characters.

Table 10: Buttons

Item Name	Description
Page Bottom
Submit	Update information of the network with the input data.
Cancel	Cancel the operation for updating the network.

Location List

This page shows a list of Locations.

Table 11: Target columns for search and sort operations

Item Name	Search	Sort
Location ID	×	×
Note	×	×
Number of Switches	×	×

Table 12: Displayed columns

Item Name	Description
Location ID	ID (Name) of the location. When clicked, the Update Location page for the location is displayed.
Note	Arbitrary string (comment) for the location.
Number of Switches	The number of OpenFlow Switches and AMF Members registered at the location.

Table 13: Buttons

Item Name	Description
Page Top
Add Location	Open the Add Location page.
Export to CSV	Start downloading of a list of locations in CSV format.
Location List
Heading Row
Delete Selected	Delete all the checked locations.
Each Row
Edit	Open the Update Location page for the location.
Delete	Delete the location.

Note

Refer to Appendix/CSV File for CSV Files.

Add Location

This page lets you add a new Location and associate OpenFlow Switches and AMF Members with the location.
If you specify an added Location for a device, the device can access the network only from the OpenFlow Switches and AMF Members associated with the location.

Table 14: Configurable fields

Item Name	Description
Location ID (Mandatory)	ID (Name) of the location. Location ID must be unique. Max 255 characters
Note	Arbitrary string (comment) for the location. Max 255 characters.
OpenFlow Switches / AMF Members	List of OpenFlow Switches and AMF Members associated with the location.

Table 15: Displayed columns

Item Name	Description
OpenFlow Switch
Switch ID	ID (Name) of the OpenFlow Switch or AMF Member associated with the location.
Datapath ID	OpenFlow Switch's Datapath ID (used by OpenFlow controller to identify this switch). In most cases, It is automatically generated or configured on the switch.
Note	Arbitrary string (comment) for the OpenFlow Switch or AMF Member.

Table 16: Buttons

Item Name	Description
OpenFlow Switches / AMF Members
Select	Open the OpenFlow Switches / AMF Members dialog.
Page Bottom
Submit	Add a new location with the input information on this page and subordinate dialogs by committing the information for the newly added location.
Cancel	Cancel the operation for updating the list of switches which belong to the location.

OpenFlow Switches / AMF Members

This dialog lets you associate or dissociate OpenFlow Switches and AMF Members with the location.
This page shows a list of OpenFlow Switches / AMF Members which are registered on the Switches > OpenFlow Switch List page or the Switches > AMF Member List page.
By selecting OpenFlow Switches or AMF Members using the checkboxes, they can be added to the location.

Table 17: Displayed columns

Item Name	Description
Switch ID	ID (Name) of the registered OpenFlow Switch or AMF Member.
Datapath ID	OpenFlow Switch's Datapath ID (used by OpenFlow controller to identify this switch). In most cases, It is automatically generated or configured on the switch.
Note	Arbitrary string (comment) for the OpenFlow Switch or AMF Member.

Table 18: Buttons

Item Name	Description
Bottom of the dialog
Submit	Add the checked OpenFlow Switches or AMF Members to the location.
Cancel	Cancel the operation on the list of OpenFlow Switches or AMF Members in the location.

Update Location

This page lets you update the information of an existing location.

Table 19: Configurable fields

Item Name	Description
Location ID (Mandatory)	ID (Name) of the location. Location ID must be unique. Max 255 characters
Note	Arbitrary string (comment) for the location. Max 255 characters.
OpenFlow Switches / AMF Members	List of OpenFlow Switches and AMF Members associated with the location.

Table 20: Displayed columns

Item Name	Description
OpenFlow Switch
Switch ID	ID (Name) of the OpenFlow Switch or AMF Member associated with the location.
Datapath ID	OpenFlow Switch's Datapath ID (used by OpenFlow controller to identify this switch). In most cases, It is automatically generated or configured on the switch.
Note	Arbitrary string (comment) for the OpenFlow Switch or AMF Member.

Table 21: Buttons

Item Name	Description
OpenFlow Switches / AMF Members
Select	Open the OpenFlow Switches / AMF Members dialog.
Page Bottom
Submit	Update the location.
Cancel	Cancel the operation for updating the location.

OpenFlow Switches / AMF Members

This dialog lets you associate or dissociate OpenFlow Switches and AMF Members with the location.
This page shows a list of OpenFlow Switches / AMF Members which are registered on the Switches > OpenFlow Switch List page or the Switches > AMF Member List page.
By selecting or deselecting OpenFlow Switches or AMF Members using the checkboxes, they can be added to or removed from the location.

Table 22: Displayed columns

Item Name	Description
Switch ID	ID (Name) of the registered OpenFlow Switch or AMF Member.
Datapath ID	OpenFlow Switch's Datapath ID (used by OpenFlow controller to identify this switch). In most cases, It is automatically generated or configured on the switch.
Note	Arbitrary string (comment) for the OpenFlow Switch or AMF Member.

Table 23: Buttons

Item Name	Description
Bottom of the dialog
Submit	Update the list of switches which belong to the location.
Cancel	Cancel the operation for updating the list of switches which belong to the location.

Schedule List

This page shows a list of Schedules.

Note

The Start Date / Time and End Date / Time to be set are the date and time of the timezone currently set on the System Settings > Date / Time Settings page.
For details, refer to Policy settings > About the start date and time and end date and time of the schedule.

Table 24: Target columns for search and sort operations

Item Name	Search	Sort
Schedule ID	×	×
Start Date / Time	×	×
End Date / Time	×	×
Note	×	×

Table 25: Displayed columns

Item Name	Description
Schedule ID	ID (Name) of the schedule. When clicked, the Update Schedule page for the schedule is displayed.
Start Date / Time	The beginning of the time range during a device is allowed to connect to the network. This can be also used as a condition for detecting unauthenticated devices with the UnAuth Group.
End Date / Time	The end of the time range during a device is allowed to connect to the network. This can be also used as a condition for detecting unauthenticated devices with the UnAuth Group.
Note	Arbitrary string (comment) for the schedule.

Table 26: Buttons

Item Name	Description
Page Top
Add Schedule	Open the Add Schedule page.
Export to CSV	Start downloading of a list of schedules in CSV format.
Schedule List
Heading Row
Delete Selected	Delete all the checked schedules.
Each Row
Edit	Open the Update Schedule page.
Delete	Delete the schedule.

Note

Refer to Appendix/CSV File for CSV Files.

Add Schedule

This page lets you add a new schedule.
You can control when devices can access the network by specifying schedules in security policies.

Table 27: Configurable fields

Item Name	Description
Schedule ID (Mandatory)	ID (Name) of the schedule. Schedule ID must be unique. Max 255 characters
Start Date / Time	The beginning of the time range during a registered device or a device in the UnAuth Group is allowed to connect to the network. Date / Time can be selected using calendar controls or entered manually. When you enter them manually, use the format "YYYY-mm-dd" for date and "HH:MM:SS" for time.
End Date / Time	The end of the time range during a registered device or a device in the UnAuth Group is allowed to connect to the network. Date / Time can be selected using calendar controls or entered manually. When you enter them manually, use the format "YYYY-mm-dd" for date and "HH:MM:SS" for time.
Note	Arbitrary string (comment) for the schedule. Max 255 characters.

◼ Calendar Controls

• Date
  

  

• Time
  

  

  Note

  Day of the week cannot be specified.

Table 28: Buttons

Item Name	Description
Page Bottom
Submit	Add a new schedule.
Cancel	Cancel the operation for adding a new schedule.

Update Schedule

This page lets you update information of an existing schedule.

Table 29: Configurable fields

Item Name	Description
Schedule ID (Mandatory)	ID (Name) of the schedule. Schedule ID must be unique. Max 255 characters
Start Date / Time	The beginning of the time range during a registered device or a device in the UnAuth Group is allowed to connect to the network. Date / Time can be selected using calendar controls or entered manually. When you enter them manually, use the format "YYYY-mm-dd" for date and "HH:MM:SS" for time.
End Date / Time	The end of the time range during a registered device or a device in the UnAuth Group is allowed to connect to the network. Date / Time can be selected using calendar controls or entered manually. When you enter them manually, use the format "YYYY-mm-dd" for date and "HH:MM:SS" for time.
Note	Arbitrary string (comment) for the schedule. Max 255 characters.

◼ Calendar Controls

• Date
  

  

• Time
  

  

Table 30: Buttons

Item Name	Description
Page Bottom
Submit	Update the schedule.
Cancel	Cancel the operation for updating the schedule.

Action List

This page shows a list of actions such as Block and Quarantine which are being executed on the Device > Active Device List page or at the request of external applications.

You can also unblock devices by deleting actions on this page.

Note

To unblock an AMF Security-reported suspected device in an AMF Application Proxy environment, use this page to delete a corresponding action. Refer to Quick Tour/What is AMF Security > What is AMF Application Proxy for more details on AMF Application Proxy.

Table 31: Target columns for search and sort operations

Item Name	Search	Sort	Note
Action ID	×	×
Priority	×	×
Condition	△*	×	* Only the strings after "mac=", "ip=", "device-name=", "tag=", "location=", "switch=" and "network=" can be matched.
Action (OpenFlow, TQ/AMF)	△ *1	△*2	*1 Only the strings after "Pass(Permit) ->", "Drop(Block) ->", "Quarantine ->" and "Log-Only ->" can be matched. AMF Action after them cannot be matched. *2 Sorted in the order of "Pass(Permit)", "Drop(Block)", "Quarantine" and "Log-Only". Sort by the AMF Action is not supported.
Requester	×	×
Reason	×	×

Table 32: Displayed columns

Item Name	Description
Action ID	ID (Name) of the action to register. It is automatically assigned if unspecified. When clicked, the Action Detail page for the action is displayed.
Priority	Priority of the action. Smaller number has higher priority. Thus the matching action with the smaller priority value is executed.
Condition	Trigger condition of the action.
Action (OpenFlow, TQ/AMF)	Action OpenFlow/TQ Action (Pass(Permit), Quarantine, Drop(Block) and Log-Only) and AMF Action (Quarantine, Drop Packets, Link-Down and IP-Filter) are displayed.
Requester	Name or identifier of the system which runs the action. "sesc.block" and "sesc.action" indicate the actions operated by AMF Security, and "sesc.trap.XXX" indicates the actions from the linked application (XXX varies depending on the linked application).
Reason	Reason why the action is triggered.

Table 33: Buttons

Item Name	Description
Page Top
Add Action	Open the Add Action page.
Export to CSV	Start downloading of a list of actions in CSV format.
Refresh	Refresh the Action List page.
Action List
Heading Row
Delete Selected	Delete all the checked actions.
Each Row
Delete	Delete the action.

Note

Refer to Appendix/CSV File for CSV Files.

Add Action

This page lets you add a new action.

Table 34: Configurable fields

Item Name	Description
Action ID (Mandatory)	ID (Name) of the action to register. Action ID must be unique. Max 255 characters
Priority	Priority of the action. It must be an integer between 1 and 65535. Smaller number has higher priority. Thus the matching action with the smaller priority value is executed. Priority value is set to 10 if it is unspecified.
Reason	Administrative comment such as a reason for running this action. Max 255 characters
Condition
Device MAC Address	Unicast MAC Address of the target device. Valid formats are as follows xx:xx:xx:xx:xx:xx, xx-xx-xx-xx-xx-xx, xxxx.xxxx.xxxx
Device IPv4 Address	Unicast IPv4 Address of the target device.
Device	Device ID of the target device. Maximum 100 device IDs are shown in the dropdown list. If you enter text in the field, device IDs in the dropdown list are dynamically filtered to the ones which contain the input text in Device ID, Tag or Note (it shows maximum 100 elements). From the dropdown list, select a Device ID for the device.
Device Tag	Device Tag of the target device.
Location	Location ID for the target device. Maximum 100 IDs of the existing locations are shown in the dropdown list. If you enter text in the field, location IDs in the dropdown list are dynamically filtered to the ones which contain the input text in Location ID or Note (it shows maximum 100 elements). From the dropdown list, select a Location ID.
OpenFlow Switch	Switch ID for the target device. Maximum 100 IDs of the existing switches are shown in the dropdown list. If you enter text in the field, switch IDs in the dropdown list are dynamically filtered to the ones which contain the input text in Switch ID, Datapath ID, Upstream Port or Note (it shows maximum 100 elements). From the dropdown list, select a Switch ID.
Connecting Network	Network ID for the target device. Maximum 100 IDs of the existing networks are shown in the dropdown list. If you enter text in the field, Network IDs in the dropdown list are dynamically filtered to the ones which contain the input text in Network ID, VLAN ID or Note (it shows maximum 100 elements). From the dropdown list, select a Network ID.
Action
OpenFlow/TQ Action	An action of the OpenFlow/TQ's AMF Application Proxy to be applied to the target device. Pass(Permit): Permit traffic from the device. Quarantine: Move the device to the quarantine network. Drop(Block): Block traffic from the device. Log-Only: Permit traffic from the device and record a log.
Pass/Quarantine VLAN ID	A VLAN ID on which the device is allowed to transmit packets.
AMF Action	Contents of the action when instructing the communication interruption of the corresponding device using AW+ AMF Application Proxy. AMF Dependency: AMF Security does not specify an action and lets AMF devices determine its action. Quarantine: Move the device to the quarantine VLAN. Drop Packets: Block traffics from the device at the layer two (MAC) level. Link-Down: Shutdown the port where the device is connected. IP-Filter: Block traffics from the device at the layer 3 (IP) level. Log-Only: AMF Security does not specify an action and records the device information.

Note

The behavior of the "Quarantine" action depends on the firmware version of your AlliedWare Plus device.
・Version 5.5.0-1.x or earlier: Move the port to which the device is connected to the isolation VLAN
・Version 5.5.0-2.x or later: Moves the MAC Address of the corresponding device to the isolation VLAN

Note

If you also use the "Quarantine" action on the whitelist port, your Proxy Node and Edge Nodes must have AlliedWare Plus firmware version 5.5.0-2.x or later installed.

Table 35: Buttons

Item Name	Description
Page Bottom
Submit	Add a new action with the input data.
Cancel	Cancel the operation for adding a new action.

Action Detail

This page shows detailed information about the action.

Table 36: Displayed columns

Item Name	Description
Action ID	ID (Name) of the action to register. It is automatically assigned if unspecified.
Priority	Priority of the action. Smaller number has higher priority. Thus the matching action with the smaller priority value is executed.
Reason	Reason why the action is triggered.
Condition
Device MAC Address	Unicast MAC Address of the target device.
Device IPv4 Address	IPv4 Address of the target device.
Device	Device ID of the target device.
Device Tag	Device Tag of the target device.
Location	Location ID for the target device.
OpenFlow Switch	Switch ID for the target device.
Connecting Network	Network ID for the target device.
Action
Action (OpenFlow, TQ/AMF)	An action of the OpenFlow/TQ's AMF Application Proxy to be applied to the target device. Pass(Permit): Permit traffic from the device. Quarantine: Move the device to the quarantine network. Drop(Block): Block traffic from the device. Log-Only: Permit traffic from the device and record a log.
Pass/Quarantine VLAN ID	A VLAN ID on which the device is allowed to transmit packets. This item is displayed when the Action (OpenFlow, TQ/AMF) is Pass(Permit) and Quarantine.
AMF Action	Contents of the action when instructing the communication interruption of the corresponding device using AW+ AMF Application Proxy. AMF Dependency: AMF Security does not specify an action and lets AMF devices determine its action. Quarantine: Move the device to the quarantine VLAN. Drop Packets: Block traffics from the device at the layer two (MAC) level. Link-Down: Shutdown the port where the device is connected. IP-Filter: Block traffics from the device at the layer 3 (IP) level. Log-Only: AMF Security does not specify an action and records the device information.

Note

The behavior of the "Quarantine" action depends on the firmware version of your AlliedWare Plus device.
・Version 5.5.0-1.x or earlier: Move the port to which the device is connected to the isolation VLAN
・Version 5.5.0-2.x or later: Moves the MAC Address of the corresponding device to the isolation VLAN

Note

If you also use the "Quarantine" action on the whitelist port, your Proxy Node and Edge Nodes must have AlliedWare Plus firmware version 5.5.0-2.x or later installed.

Table 37: Buttons

Item Name	Description
Page Top
Back	Go back to the Action List page.

---

(C) 2023 Allied Telesis, Inc. All rights reserved.

C613-04150-00 Rev A

19 Apr 2023 14:12