Policy conditions consist of a variety of selection criteria that act as filters for AT-TLS rules. Traffic can be filtered based on local addresses, remote addresses, local port range, remote port range, job name, user identification, and direction. For more details, see Application Transparent Transport Layer Security data protection.
AT-TLS policy rules can refer to one or more policy conditions. A policy rule with a single policy condition is known as a simple rule, while one with more conditions is known as a complex rule. Complex AT-TLS policy rules have their conditions evaluated according to Conjunctive Normal Form (CNF), which means an ANDed set of ORed conditions. For details on CNF, see Policy object model overview.
When AT-TLS rules are read and parsed, Policy Agent creates the rule as a complex rule. For example, consider the following TTLSRule statement:
TTLSRule ttlsRule1
{
  LocalAddrGroupRef   addrGroup1
  RemoteAddrGroupRef  addrGroup2
  LocalPortGroupRef   portGroup1
  RemotePortGroupRef  portGroup2
  Jobname             jobABC
  Userid              user1
  Direction           Outbound
  TTLSGroupActionRef  ttlsAction7
}
IpAddrGroup addrGroup1
{
  IpAddr
  {
    Addr 9.1.1.1
  }
  IpAddr
  {
    Addr 10.1.1.1
  }
}
IpAddrGroup addrGroup2
{
  IpAddr
  {
    Addr 200.1.1.1
  }
  IpAddr
  {
    Addr 201.1.1.1
  }
}
PortGroup portGroup1
{
  PortRange
  {
    Port 21
  }
  PortRange
  {
    Port 23
  }
}
PortGroup portGroup2
{
  PortRange
  {
    Port 10
  }
  PortRange
  {
    Port 15
  }
}
This rule is represented as a CNF rule with the following condition levels (levels are ANDed together):
The pasearch command displays the AT-TLS policy as complex rules.
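To make the CNF evaluation concrete, the following is an added Python model (not IBM's code and not Policy Agent's internal representation) of ttlsRule1 above: each selection criterion is one level, the members of a referenced group are the ORed alternatives within that level, and the levels are ANDed. The rule dictionary, the connection attribute names, and the sample connections are constructed for this illustration.

```python
# Added example (not from the IBM page): evaluates the sample TTLSRule as a CNF
# rule, i.e. an ANDed set of ORed conditions. Level layout and attribute names
# are assumptions for illustration, not Policy Agent's data structures.
from ipaddress import ip_address

# Constructed from the sample policy: one level per criterion (ANDed),
# each listing the alternatives that are ORed within that level.
TTLS_RULE1 = {
    "LocalAddr":  ["9.1.1.1", "10.1.1.1"],      # IpAddrGroup addrGroup1
    "RemoteAddr": ["200.1.1.1", "201.1.1.1"],   # IpAddrGroup addrGroup2
    "LocalPort":  [(21, 21), (23, 23)],         # PortGroup portGroup1 (low, high)
    "RemotePort": [(10, 10), (15, 15)],         # PortGroup portGroup2 (low, high)
    "Jobname":    ["jobABC"],
    "Userid":     ["user1"],
    "Direction":  ["Outbound"],
}

def _member_matches(criterion, member, value):
    """Test one ORed alternative inside a level against the connection value."""
    if criterion in ("LocalAddr", "RemoteAddr"):
        return ip_address(value) == ip_address(member)
    if criterion in ("LocalPort", "RemotePort"):
        low, high = member
        return low <= value <= high
    return value == member  # Jobname, Userid, Direction: exact match

def failing_levels(rule, conn):
    """Return the ANDed levels that reject the connection; a level passes
    when any of its ORed members matches. Handy when tracing why a policy
    did or did not apply to a given connection."""
    return [crit for crit, members in rule.items()
            if not any(_member_matches(crit, m, conn[crit]) for m in members)]

def rule_matches(rule, conn):
    """CNF result: the rule applies only if every level is satisfied."""
    return not failing_levels(rule, conn)

# Constructed sample connections (not captured from a real system).
CONN_OK = {"LocalAddr": "10.1.1.1", "RemoteAddr": "200.1.1.1",
           "LocalPort": 23, "RemotePort": 15,
           "Jobname": "jobABC", "Userid": "user1", "Direction": "Outbound"}
CONN_BAD = dict(CONN_OK, RemotePort=22, Direction="Inbound")

if __name__ == "__main__":
    print(rule_matches(TTLS_RULE1, CONN_OK))       # True
    print(failing_levels(TTLS_RULE1, CONN_BAD))    # ['RemotePort', 'Direction']
```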