On This Page
Creating a Blacklist from a Matrix
This is a Legacy Feature. It will be discontinued as of version R21-3.
We recommend you consider using the following features:
- Unified Security Policy
- Unified Security Policy Alerts
- Configuring Exceptions for the Unified Security Policy
These features give you greater flexibility in the number of zones that you can configure and allow you to define the requirements that you need.
You can create blacklist policies by configuring a matrix in a CSV file and importing it into SecureTrack. The CSV file refers to source and destination SecureTrack Network Zones, and defines for each source-destination pair whether the traffic should be fully blocked, fully permitted (subnet-to-subnet allowed), or permitted only for firewall rules that define the source and/or destination host specifically (explicitly or in a group, but not as part of a subnet).
To create a matrix file:
- If they do not already exist, configure SecureTrack network Zones for all subnets that need to be referenced as sources or destinations.
- Create a text file in CSV format (you can create it in Excel and later save as CSV). The first column of the represented table should contain source Zone names; The first row should contain destination Zone names. Each source-destination intersection cell should contain one of the following:
NA |
No Access: Access is blacklisted. |
S2S |
Subnet to Subnet: Access is fully permitted. |
H2S |
Host to Subnet: Access permitted only if allowed by a firewall rule that defines the source host specifically. |
S2H |
Subnet to Host: Access permitted only if allowed by a firewall rule that defines the destination host specifically. |
H2H |
Host to Host: Access permitted only if allowed by a firewall rule that defines the source and destination hosts specifically. |
See the example below.
To then create a Blacklist from the matrix file:
- Create a Blacklist Compliance Policy for the relevant device(s) and recipient(s). You don't need to define any connectivity items; these will be defined by the imported CSV file, which will overwrite any connectivity items you may define in the web interface.
- In the Compliance Policies list, for the Blacklist Compliance Policy you just created, click: :
- Navigate to the CSV file, and click Open.
The Blacklist Compliance Policy is populated with the configuration from the file.
The following is an example of a Blacklist configuration file:
,Zone1,Zone2,Zone3
Zone1,NA,NA,S2S
Zone2,S2S,NA,S2S
Zone3,S2H,H2H,H2S
This example represents the following table:
|
Zone1 |
Zone2 |
Zone3 |
Zone1 |
NA |
NA |
S2S |
Zone2 |
S2S |
NA |
S2S |
Zone3 |
S2H |
H2H |
H2S |
In this example, hosts from Zone1 can access only IP addresses in Zone3; hosts from Zone2 can access IP addresses in Zones 1 and 3, but not other hosts within their Zone; and hosts from Zone3 cannot access any IP addresses, unless the access is allowed per-individual source host (for Zone3), destination host (for Zone 1), or both (required for Zone2).