Configuring Rules Using UPL (Description)

UPL stands for UserGate Policy Language. It is a language to describe UserGate policies (rule configurations used to make decisions about authentication requirements, access permissions, or content conversion).

You configure the rules using actions, conditions, and properties.

Each rule specifies exactly one action. Actions are the settings that control how a transaction is processed (OK, WARNING, PASS, DENY). For rule types that have no action of their own (for example, DNS, NAT and routing, traffic shaping, etc.), you must still specify a PASS or OK action.

To specify conditions, use the equal (=) or not-equal (!=) sign. Conditions can reference zones, addresses, source and destination GeoIP, services, applications, etc. All conditions in a rule are combined by logical AND: the rule triggers only if every condition is met.

Rule properties are specified in parentheses and are used to provide additional information, such as rule name, description, logging function, etc.

Note: When configuring a rule, first specify the action, then the conditions, and then the properties.

The UPL is used to configure rules in the following sections:

  • DNS proxy settings (network dns dns-proxy dns-rules level).

  • Captive portal (users captive-portal level).

  • Firewall (network-policy firewall level).

  • NAT and routing (network-policy nat-routing level).

  • Bandwidth (network-policy traffic-shaping level).

  • Content filtering (security-policy content-filtering level).

  • Safe browsing (security-policy safe-browsing level).

  • Tunnel inspection (security-policy tunnel-inspection level).

  • SSL inspection (security-policy ssl-inspection level).

  • SSH inspection (security-policy ssh-inspection level).

  • IDPS (security-policy intrusion-prevention level).

  • Mail security (security-policy mail-security level).

  • ICAP rules (security-policy icap-rules level).

  • DoS rules (security-policy dos-rules level).

  • Web portal (global-portal web-portal level).

  • Reverse proxy rules (global-portal reverse-proxy-rules level).

  • Server rules (vpn server-rules level).

  • Client rules (vpn client-rules level).

To create a rule, use the following command:

Admin@nodename# create <level> <position> upl-rule <str-upl-syntax>

where <level> is the level at which the rule will be created,

<position> is the position at which the rule is located, and

<str-upl-syntax> is a string that describes the rule in UPL syntax.

To update an existing rule, use the following command:

Admin@nodename# set <level> <position> upl-rule <str-upl-syntax>

where <level> is the level at which the rule will be updated,

<position> is the number of the rule to update, and

<str-upl-syntax> is a string that describes the rule in UPL syntax.

To delete a rule, use the following command:

Admin@nodename# delete <level> <position | all>

where <level> is the level at which the rule will be deleted,

<position> is the number of the rule to delete, and

<all> means delete all rules.

To display a rule, use the following command:

Admin@nodename# show <level> <position | all>

where <level> is the section for which to display the rules,

<position> is the number of the rule to display, and

<all> means display all rules.

Let us consider the example of creating a firewall rule (multiline input used):

Admin@nodename# create network-policy firewall 1 upl-rule \
...DENY \
...src.zone = Trusted \
...dst.zone = Untrusted \
...user = known \
...service = HTTPS \
...time = lib.time("Working hours") \
...rule_log(session) \
...name("Example of firewall rule created in CLI") \
...enabled(true)

Once the rule is created, it is displayed at the beginning of the firewall rules list (position 1). This rule denies HTTPS traffic from the Trusted zone to the Untrusted zone for users identified by the system. It works according to the "Working hours" schedule. When the rule triggers, the system logs information about the beginning of the session.
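The following Python script is an added example, not UserGate's own code, that puts the action / conditions / properties structure described above into a small parser and evaluator and runs it over the firewall rule from this page. Its grammar is an assumption derived from the description here, not the vendor's real UPL grammar: one rule element per line (the CLI "..." prompts and trailing "\" continuations are stripped), the first element must be one of OK, WARNING, PASS, DENY, conditions use = or != and are ANDed, and properties of the form name(args) must come after all conditions. The SCHEDULES table, the encoding of "known" as "any non-empty user", and the sample transaction are constructed stand-ins for the appliance's own libraries and session data.

```python
"""Simplified UPL rule parser/evaluator (added example, not UserGate's own code).
Assumed from the description above, not from the vendor grammar: one element per
line (the CLI '...' prompts and trailing '\\' continuations are stripped), first
element is the action, then 'key = value' / 'key != value' conditions (ANDed),
then 'name(args)' properties."""
import re
from dataclasses import dataclass, field

ACTIONS = {"OK", "WARNING", "PASS", "DENY"}
COND_RE = re.compile(r'^([A-Za-z_][\w.]*)\s*(!=|=)\s*(.+)$')
PROP_RE = re.compile(r'^([A-Za-z_]\w*)\((.*)\)$')
LIB_TIME_RE = re.compile(r'^lib\.time\("([^"]+)"\)$')
# Constructed stand-in for the appliance's time library: schedule -> active hours.
SCHEDULES = {"Working hours": range(9, 18)}


class UplSyntaxError(ValueError):
    """Rule string violates the action / conditions / properties layout."""


@dataclass
class UplRule:
    action: str
    conditions: list = field(default_factory=list)   # (key, op, value) tuples
    properties: dict = field(default_factory=dict)   # property name -> args text


def strip_cli_continuation(text):
    """Return rule elements from a pasted CLI transcript or a plain element list."""
    elems = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("..."):            # continuation prompt
            line = line[3:].strip()
        if line.endswith("\\"):               # line-continuation marker
            line = line[:-1].rstrip()
        if line and not line.endswith("upl-rule"):   # skip blanks and the create/set line
            elems.append(line)
    return elems


def parse_rule(text):
    """Parse a rule string into a UplRule, enforcing the element order."""
    elems = strip_cli_continuation(text)
    if not elems or elems[0] not in ACTIONS:
        raise UplSyntaxError("rule must start with one of %s" % sorted(ACTIONS))
    rule, seen_property = UplRule(action=elems[0]), False
    for elem in elems[1:]:
        prop = PROP_RE.match(elem)
        if prop:
            rule.properties[prop.group(1)] = prop.group(2)
            seen_property = True
            continue
        cond = COND_RE.match(elem)
        if not cond:
            raise UplSyntaxError("unrecognised element %r" % elem)
        if seen_property:
            raise UplSyntaxError("condition %r must precede the properties" % elem)
        rule.conditions.append((cond.group(1), cond.group(2), cond.group(3).strip()))
    return rule


def is_valid(text):
    """Pre-flight check before handing the string to 'create ... upl-rule'."""
    try:
        parse_rule(text)
        return True
    except UplSyntaxError:
        return False


def _condition_holds(key, op, value, txn):
    actual = txn.get(key)
    sched = LIB_TIME_RE.match(value)
    if sched:                       # schedule condition: txn[key] is the current hour
        holds = actual in SCHEDULES.get(sched.group(1), range(0))
    elif value == "known":          # user identified by the system (assumed encoding)
        holds = bool(actual)
    else:
        holds = str(actual) == value
    return holds if op == "=" else not holds


def evaluate(rule, txn):
    """Return the action when every condition holds (logical AND), else None."""
    if all(_condition_holds(k, o, v, txn) for k, o, v in rule.conditions):
        return rule.action
    return None


# The page's firewall rule pasted in CLI multiline form (constructed input).
EXAMPLE_RULE = """
Admin@nodename# create network-policy firewall 1 upl-rule \\
...DENY \\
...src.zone = Trusted \\
...dst.zone = Untrusted \\
...user = known \\
...service = HTTPS \\
...time = lib.time("Working hours") \\
...rule_log(session) \\
...name("Example of firewall rule created in CLI") \\
...enabled(true)
"""
# Constructed session: identified user, HTTPS, Trusted -> Untrusted, at 10:00.
EXAMPLE_TXN = {"src.zone": "Trusted", "dst.zone": "Untrusted", "user": "alice",
               "service": "HTTPS", "time": 10}
```

Calling parse_rule(EXAMPLE_RULE) yields action DENY, five conditions and three properties; evaluate() on EXAMPLE_TXN returns "DENY", while the same session at hour 20 or with an unidentified user returns None because the AND of conditions fails. is_valid() rejects a rule that puts a condition after a property, or that starts with something other than the four actions, which is the ordering mistake the note above warns about.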