Policy use (application)

The policy defined or imported can be applied to a folder or to a single device.

To apply a policy, first click on the element from the tree view and then open the Firewall section on the right panel.

The Firewall section lets you add policies, specify the action to take when a packet verifies (matches) a policy, and specify the default action to apply when the packet verifies none of the applied policies.

The default action for the domain is initially set to “Allow”, so a packet that does NOT verify any of the policies is let through.

This corresponds to using the policies with negative logic: the policies establish which packets have to be blocked, and are therefore built with the “Deny” action.

Alternatively, you can use positive logic by setting the default action at the domain root level to “Deny” and configuring the policies with the “Allow” action; the policies then establish which packets may transit.

The policies applied to a folder are inherited by the contained devices. This behavior can be changed using the option “Do not inherit Firewall policies” available in the firewall section from the right pane.

If the inheritance chain is not interrupted (check box NOT ticked), the default action is the one specified for the parent folder; the parent folder is in turn subject to its own parent's configuration, recursively up to the domain root.

To apply a policy to an element, select either the desired folder or device, display the Firewall section from the right panel and click the “Add” button.

Then select the policy from the list of available policies and decide whether the policy should be conditioned on a certain user or group. This allows a policy to be applied to a folder or device depending on the connected user.

As the last step, specify the action to be taken when the evaluated packet matches the rules of the policy.

Hint

When you select any device or folder from the tree view, the Firewall section always shows a summary of all the policies applied, both explicit and inherited.

Example 1: filtering by protocol

The example shows how to import a predefined policy and how to apply it to a single device regardless of the user and the device IP address.

Click on the Domain icon and then on the “Import policy” button. Select a policy from the list, for instance “Omron PLC with CX Programmer”.

Once the policy is imported, click on the device to which the policy needs to be applied.

During the VPN session we want the only protocol admitted towards the connected sub-network to be the “Omron” one used by CX Programmer, which will program the PLC that is supposed to be connected to the remote device (HMI or UBIQUITY Router). In the “Associate policy” window, select “Allow” as the action.

Assuming the default action for the domain is “Allow”, you now need to tick the “Do not inherit firewall policies” check box to interrupt the inherited behavior and set the device's default action to “Deny”. If the inherited “Allow” default were left in place, an “Allow” policy would block nothing.

All packets verified by the policy are let through; all packets that do not match the policy are subject to the default action, now “Deny”, and are therefore blocked.

Example 2: adding the IP filter

With reference to the previous example, we now want to introduce an additional restriction: only traffic to a specific IP is permitted. Let's imagine, for instance, that the PLC has the IP 10.60.0.60.

The easiest way to implement the restriction is to edit the imported policy.

Select the “OMRON PLC with CX Programmer” policy and, from the right panel, click the “Add” button to add the rule for the IP.

Because we have modified the policy directly, the change is immediately active everywhere the policy has been applied.

Example 3: adding the filter by user or group

With reference to the previous examples, we now want the filter by protocol and IP to be active only for users belonging to a certain group.

The filter by user or group is an option of the policy association.

Select the device to which the policy was applied in Example 1. Display the Firewall area from the right panel and select the policy. Click the “Edit” button to access the association properties, then select the requested group from the “Group/User” drop-down.


The final result is that only users of the selected group are able to access the Omron PLC at the specified IP address, and in this connection they can only use the CX Programmer protocol.
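The following Python model, added here and not part of the product or its documentation, ties the general rules of this section (policy association, action, default action, folder inheritance and the “Do not inherit” check box) to Examples 1 to 3. Everything about the engine is an assumption chosen for the illustration: a packet “verifies” a policy when any of its (protocol, port) rules matches, the IP rule of Example 2 is AND-ed with the protocol rules, associations are checked on the device first and then up the folder chain, the Omron CX Programmer policy is modelled as FINS on port 9600, and the group name, device names and sample packets are constructed.

```python
"""Toy model of the folder/device policy evaluation described in this section.
Added illustration, not the product's engine.  Assumptions: a packet "verifies"
a policy when any (proto, port) rule matches, the Example 2 IP rule is AND-ed with
those rules, associations are checked device-first then up the folder chain."""
from dataclasses import dataclass, field
from typing import Optional

ALLOW, DENY = "Allow", "Deny"

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    proto: str          # "tcp" or "udp"
    dst_port: int
    groups: frozenset   # groups of the user owning the VPN session

@dataclass
class Policy:
    name: str
    rules: list                      # (proto, dst_port) pairs, OR-ed together
    ip_filter: Optional[set] = None  # Example 2: permitted destination IPs

    def verified_by(self, pkt):
        if self.ip_filter is not None and pkt.dst_ip not in self.ip_filter:
            return False
        return any(pkt.proto == p and pkt.dst_port == port for p, port in self.rules)

@dataclass
class Association:          # a policy applied to a folder or device
    policy: Policy
    action: str
    group: Optional[str] = None      # None = regardless of the connected user

    def applies_to(self, pkt):
        return self.group is None or self.group in pkt.groups

@dataclass
class Node:                 # a folder or a device in the tree view
    name: str
    parent: Optional["Node"] = None
    associations: list = field(default_factory=list)
    default_action: str = ALLOW
    inherit: bool = True    # False == "Do not inherit Firewall policies" ticked

    def effective_associations(self):
        own = list(self.associations)
        if self.inherit and self.parent is not None:
            own += self.parent.effective_associations()
        return own

    def effective_default(self):
        if self.inherit and self.parent is not None:
            return self.parent.effective_default()
        return self.default_action

def evaluate(node, pkt):
    """First association whose policy the packet verifies wins, else the default."""
    for assoc in node.effective_associations():
        if assoc.applies_to(pkt) and assoc.policy.verified_by(pkt):
            return assoc.action
    return node.effective_default()

def build_scenario():
    """Domain with default Allow, one HMI device, the imported Omron policy."""
    domain = Node("Domain", default_action=ALLOW)
    omron = Policy("Omron PLC with CX Programmer", [("udp", 9600), ("tcp", 9600)])  # FINS: assumed
    hmi = Node("HMI", parent=domain)
    hmi.associations.append(Association(omron, ALLOW))
    return domain, omron, hmi

# Constructed sample traffic seen during a VPN session.
FINS_TO_PLC = Packet("10.60.0.60", "udp", 9600, frozenset({"maintenance"}))
FINS_OTHER_HOST = Packet("10.60.0.61", "udp", 9600, frozenset({"maintenance"}))
HTTP_TO_PLC = Packet("10.60.0.60", "tcp", 80, frozenset({"maintenance"}))
FINS_OUTSIDER = Packet("10.60.0.60", "udp", 9600, frozenset({"guests"}))

def example_1():
    """Allow policy under an inherited Allow default blocks nothing; break the
    inheritance and set the device default to Deny to get positive logic."""
    _, _, hmi = build_scenario()
    before = evaluate(hmi, HTTP_TO_PLC)          # still Allow: policy is a no-op
    hmi.inherit, hmi.default_action = False, DENY
    return before, evaluate(hmi, FINS_TO_PLC), evaluate(hmi, HTTP_TO_PLC)

def example_2():
    """Editing the shared policy takes effect on every device it is applied to."""
    domain, omron, hmi = build_scenario()
    hmi.inherit, hmi.default_action = False, DENY
    router = Node("Router", parent=domain, inherit=False, default_action=DENY)
    router.associations.append(Association(omron, ALLOW))
    omron.ip_filter = {"10.60.0.60"}             # the IP rule added to the policy
    return (evaluate(hmi, FINS_TO_PLC), evaluate(hmi, FINS_OTHER_HOST),
            evaluate(router, FINS_TO_PLC), evaluate(router, FINS_OTHER_HOST))

def example_3():
    """Condition the association on a group; other users fall to the default."""
    _, omron, hmi = build_scenario()
    hmi.inherit, hmi.default_action = False, DENY
    omron.ip_filter = {"10.60.0.60"}
    hmi.associations[0].group = "maintenance"
    return evaluate(hmi, FINS_TO_PLC), evaluate(hmi, FINS_OUTSIDER)
```

The first value returned by example_1 is the check worth keeping in mind when switching to positive logic: with the domain default still inherited as “Allow”, an “Allow” policy changes nothing and HTTP to the PLC passes. Only after the inheritance is broken and the device default set to “Deny” does non-Omron traffic get blocked. Negative logic is the same model with the domain left at “Allow” and the associations built with DENY.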