AT-TLS policy

Policy conditions consist of a variety of selection criteria that act as filters for AT-TLS rules. Traffic can be filtered based on local addresses, remote addresses, local port range, remote port range, job name, user identification, and direction. For more details, see Application Transparent Transport Layer Security data protection.

AT-TLS policy rules can refer to one or more policy conditions. A policy rule with a single policy condition is known as a simple rule, while one with more than one condition is known as a complex rule. Complex AT-TLS policy rules have their conditions evaluated according to Conjunctive Normal Form (CNF), which means an ANDed set of ORed conditions. For details on CNF, see Policy object model overview.

When AT-TLS rules are read and parsed, Policy Agent creates the rule as a complex rule. For example, consider the following TTLSRule statement:

TTLSRule ttlsRule1
{
  LocalAddrGroupRef    addrGroup1
  RemoteAddrGroupRef   addrGroup2
  LocalPortGroupRef    portGroup1
  RemotePortGroupRef   portGroup2
  Jobname              jobABC
  Userid               user1
  Direction            Outbound
  TTLSGroupActionRef   ttlsAction7
}

IpAddrGroup addrGroup1
{
  IpAddr
  {
    Addr 9.1.1.1
  }
  IpAddr
  {
    Addr 10.1.1.1
  }
}

IpAddrGroup addrGroup2
{
  IpAddr
  {
    Addr 200.1.1.1
  }
  IpAddr
  {
    Addr 201.1.1.1
  }
}

PortGroup portGroup1
{
  PortRange
  {
    Port 21
  }
  PortRange
  {
    Port 23
  }
}

PortGroup portGroup2
{
  PortRange
  {
    Port 10
  }
  PortRange
  {
    Port 15
  }
}

This rule is represented as a CNF rule with the following condition levels (levels are ANDed together, and the conditions within a level are ORed together):

Level 1: LocalAddr 9.1.1.1 OR LocalAddr 10.1.1.1
Level 2: RemoteAddr 200.1.1.1 OR RemoteAddr 201.1.1.1
Level 3: LocalPort 21 OR LocalPort 23
Level 4: RemotePort 10 OR RemotePort 15
Level 5: Jobname jobABC
Level 6: Userid user1
Level 7: Direction Outbound

The TTLSGroupActionRef is the action applied when the rule matches; it is not a condition and does not form a level.

The pasearch command displays the AT-TLS policy as complex rules.
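The following added example (not code from the z/OS documentation or from Policy Agent) models how the TTLSRule above expands into ANDed levels of ORed terms and how a connection's attributes are evaluated against that CNF; the group tables, the rule dictionary and the two sample connections are constructed to mirror the statements on this page.

```python
from ipaddress import ip_address

# Constructed sample: the IpAddrGroup and PortGroup statements from the page, already parsed.
ADDR_GROUPS = {"addrGroup1": ["9.1.1.1", "10.1.1.1"],
               "addrGroup2": ["200.1.1.1", "201.1.1.1"]}
PORT_GROUPS = {"portGroup1": [(21, 21), (23, 23)],   # (low, high) port ranges
               "portGroup2": [(10, 10), (15, 15)]}
RULE = {"LocalAddrGroupRef": "addrGroup1", "RemoteAddrGroupRef": "addrGroup2",
        "LocalPortGroupRef": "portGroup1", "RemotePortGroupRef": "portGroup2",
        "Jobname": "jobABC", "Userid": "user1", "Direction": "Outbound",
        "TTLSGroupActionRef": "ttlsAction7"}   # an action, not a condition

# Each group reference keyword filters one connection attribute and expands from one group table.
GROUP_REFS = {"LocalAddrGroupRef": ("LocalAddr", ADDR_GROUPS),
              "RemoteAddrGroupRef": ("RemoteAddr", ADDR_GROUPS),
              "LocalPortGroupRef": ("LocalPort", PORT_GROUPS),
              "RemotePortGroupRef": ("RemotePort", PORT_GROUPS)}

def build_cnf(rule):
    """Expand a rule into CNF: a list of levels (ANDed); each level is a list of (attribute, value) terms (ORed)."""
    levels = []
    for key, value in rule.items():
        if key in GROUP_REFS:
            attr, table = GROUP_REFS[key]
            levels.append([(attr, member) for member in table[value]])
        elif key in ("Jobname", "Userid", "Direction"):
            levels.append([(key, value)])   # single-term level: nothing to OR with
    return levels   # action references are skipped: they select what happens, not what matches

def term_matches(attr, value, conn):
    """True if one ORed term is satisfied by the connection's attributes."""
    if attr in ("LocalAddr", "RemoteAddr"):
        return ip_address(conn[attr]) == ip_address(value)
    if attr in ("LocalPort", "RemotePort"):
        low, high = value
        return low <= conn[attr] <= high
    return conn[attr] == value   # Jobname, Userid, Direction compare as plain strings

def rule_matches(cnf, conn):
    """CNF evaluation: every level must hold, and a level holds if any one of its terms matches."""
    return all(any(term_matches(a, v, conn) for a, v in level) for level in cnf)

CNF = build_cnf(RULE)

# Constructed connections: the first satisfies every level; the second fails only the RemotePort level.
CONN_OK = {"LocalAddr": "10.1.1.1", "RemoteAddr": "200.1.1.1", "LocalPort": 23,
           "RemotePort": 15, "Jobname": "jobABC", "Userid": "user1", "Direction": "Outbound"}
CONN_BAD_PORT = dict(CONN_OK, RemotePort=16)

if __name__ == "__main__":
    for i, level in enumerate(CNF, 1):
        print(f"Level {i}: " + " OR ".join(f"{a} {v}" for a, v in level))
    print(rule_matches(CNF, CONN_OK), rule_matches(CNF, CONN_BAD_PORT))   # True False
```

Because one failing level rejects the connection regardless of the others, a single wrong port or address entry in a group silently leaves that traffic outside the rule; checking a representative connection against the expanded levels is a useful review step before relying on the policy.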