Policies are a fundamental building block of implementing a security configuration in ScreenOS. Policies are used by the stateful firewall/Network Address Translation (NAT) engine, the Content Security engine, authentication, and Quality of Service (QoS) configuration, and for building policy-based IP Security (IPSec) virtual private networks (VPNs).
ScreenOS policies contain various elements that help categorize a packet and take several actions on it. ScreenOS policy elements include zones, source and destination address objects, and services. Actions on a packet can include permit, tunnel (IPSec encrypt), deny, reject, authenticate, log, count, schedule, apply QoS, and perform deep inspection, web filtering, and antispam functions. A multitude of actions can be taken on a single policy.
Address objects are a key component of ScreenOS policies. An address object can define a single host or a classless inter-domain routing (CIDR) network address block that "resides" in a zone. An example of an address object that defines a single host, a workstation named Orion, in the
Trust zone is as follows:
set address Trust Orion 192.168.4.10/32 "Orion Wkstn"
The address object
Orion can, thus, be referenced in any ScreenOS policy. The string
Orion Wkstn is an optional description of the address object.
Here is an example of an address object that defines a CIDR network address block,
192.168.3.16/29, in the