Scheduling Security Policies

A scheduler is a security feature that allows a policy to be activated for a specified duration. You can define schedulers for a single (nonrecurrent) or recurrent time slot within which a policy is active. You can create schedulers independently of any policy, meaning that a scheduler can exist without being used by any policy.

Security Policy Schedulers Overview

Schedulers are powerful features that allow a policy to be activated for a specified duration. You can define schedulers for a single (nonrecurrent) or recurrent time slot within which a policy is active. You can create schedulers independently of any policy, meaning that a scheduler can exist without being used by any policy. However, if you want a policy to be active within a scheduled time, then you must first create a scheduler.

When a scheduler times out, the associated policy is deactivated. All sessions associated with the policy are subsequently timed out only if policy-rematch is used.

If a policy contains a reference to a scheduler, the schedule determines when the policy is active, that is, when it can be used as a possible match for traffic. Schedulers allow you to restrict access to a resource for a period of time or remove a restriction.

The following guidelines apply to schedulers:

  • A scheduler can have multiple policies associated with it; however, a policy cannot be associated with multiple schedulers.

  • A policy is active during the time when the scheduler it refers to is also active.

  • When a scheduler is off, the policy is unavailable for policy lookup.

  • A scheduler can be configured as one of the following:

    • Scheduler can be active for a single time slot, as specified by a start date and time and a stop date and time.

    • Scheduler can be active forever (recurrent), but as specified by the daily schedule. The schedule on a specific day (time slot) takes priority over the daily schedule.

    • Scheduler can be active within a time slot as specified by the weekday schedule.

    • Scheduler can have a combination of two time slots (daily and timeslot).

Example: Configuring Schedulers for a Daily Schedule Excluding One Day

This example shows how to configure schedulers for packet match checks every day, from 8:00 AM to 5:00 PM, except Sunday.

Requirements

Before you begin:

  • Understand security policy schedulers. See Security Policies Overview.

  • Configure security zones before applying this configuration.

Overview

Schedulers are powerful features that allow a policy to be activated for a specified duration. You can define schedulers for a single (nonrecurrent) or recurrent time slot within which a policy is active. If you want a policy to be active within a scheduled time, then you must first create a scheduler.

To configure a scheduler, you enter a meaningful name and a start and stop time for the scheduler. You can also attach comments.

In this example, you:

  • Specify the scheduler, sch1, that allows a policy, which refers to it, to be used for packet match checks every day, from 8:00 AM to 5:00 PM, except Sunday.

    Note:

    Use the 24-hour format (hh:mm) to specify the hours and minutes for the daily time.

  • Create a policy, abc, specify the match conditions and the action to be taken on traffic that matches those conditions, and bind the scheduler to the policy to allow access during the specified days.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a scheduler:

  1. Set a scheduler.

  2. Specify the match conditions for the policy.

  3. Specify the action.

  4. Associate the scheduler to the policy.
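The four steps above written out as Junos set commands, as an added example that is not taken from the original page. The names sch1 and abc come from this example; the zone names trust and untrust, the any/any/any match, and the permit action are assumptions to replace with your own values.

```junos
# Added example. Lines starting with "#" are annotations.
# Assumed values: zones trust/untrust, any/any/any match, permit action.

# 1. Scheduler sch1: active every day 08:00-17:00, Sunday excluded.
set schedulers scheduler sch1 daily start-time 08:00 stop-time 17:00
set schedulers scheduler sch1 sunday exclude

# 2. Match conditions for policy abc.
set security policies from-zone trust to-zone untrust policy abc match source-address any
set security policies from-zone trust to-zone untrust policy abc match destination-address any
set security policies from-zone trust to-zone untrust policy abc match application any

# 3. Action for matching traffic.
set security policies from-zone trust to-zone untrust policy abc then permit

# 4. Bind the scheduler to the policy (one scheduler per policy).
set security policies from-zone trust to-zone untrust policy abc scheduler-name sch1

# Optional: with policy-rematch, sessions tied to abc are timed out
# when sch1 goes inactive instead of continuing past 17:00.
set security policies policy-rematch
```

Without the last line, sessions established while sch1 was active are not timed out when the scheduler deactivates the policy, so decide deliberately whether the time window should apply to existing sessions or only to new ones.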

Results

From configuration mode, confirm your configuration by entering the show schedulers command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Schedulers Are Active

Purpose

Verify whether schedulers are enabled.

Action

From operational mode, enter the show schedulers command.

Verifying Policies

Purpose

Verify that the policies are working.

Action

From operational mode, enter the show security policies command.

Verifying Scheduled Policies

Purpose

Display information about scheduled security policies.

Action

Use the show schedulers CLI command to display information about schedulers configured on the system. If a specific scheduler is identified, detailed information is displayed for that scheduler only.

Meaning

The output displays information about schedulers configured on the system. Verify the following information:

  • Daily (recurrent) and one-time only (nonrecurrent) schedulers are configured correctly.

  • Schedulers are active if policies are associated.