Skip to main content

Documentation Index

Fetch the complete documentation index at: https://altostrat.io/docs/llms.txt

Use this file to discover all available pages before exploring further.

Security groups let you define traffic policy once and apply it consistently across managed sites. They are useful when you need repeatable firewall intent for branches, customer networks, cameras, servers, guest networks, or restricted environments.

Prerequisites

  • You know the sites or tags that should receive the policy.
  • You know which services, ports, and source or destination networks should be allowed.
  • You have a maintenance window for rules that could affect user traffic.

Rule Model

Security group rules are ordered. Lower order values are evaluated before higher order values, so place specific rules before broader rules. Each rule can include:
  • Order, from 1 to 1000
  • Direction and action
  • Protocol
  • Common service or custom port
  • Address target, including custom CIDR entries and prefix lists
  • Description for future operators
New security groups are seeded with common outbound allowances for HTTPS, ICMP, and DNS. Review those defaults before you attach the group to production sites.

Prefix Lists

Prefix lists are reusable CIDR collections. Use them when the same network ranges appear in multiple rules, such as partner networks, datacenter ranges, or internal service ranges. Prefix lists make changes safer because you update the range once, then every rule that references the list follows the updated definition.

Create a Security Group

  1. Open Policies and select Security Groups.
  2. Create a group with a name that describes the protected environment.
  3. Review the default outbound rules.
  4. Add rules in the order they should be evaluated.
  5. Use common services where possible, then custom ports when needed.
  6. Use prefix lists for reusable network ranges.
  7. Attach the group to a pilot site or tagged site group.
  8. Validate critical traffic before a broader rollout.

Advanced Use Cases

Use separate groups for separate security intent. A point-of-sale environment, guest network, camera VLAN, and office network should usually have different rule sets. Use descriptions on every non-obvious rule. Six months later, the description is often the fastest way to decide whether a rule is still required. Use tags for scalable assignments. For example, assign a policy to all sites tagged site-type:retail instead of maintaining a manual list.
For temporary management access, use Secure Remote Access instead of creating permanent allow rules for administrative ports.