Network Policy

Active rules that govern how Qwall responds to each connection classification.

Active Rules

allow  protected_preferred  ML-KEM-1024 preferred hybrid detected. Best quantum-safe posture.
allow  protected            Post-quantum key exchange detected (ML-KEM-768 or hybrid). Connection allowed.
warn   classical_fallback   Classical group negotiated despite PQC offer. Possible downgrade.
block  classical            Classical TLS (RSA/ECDH) is quantum-vulnerable. Blocked by Qwall policy.
warn   unknown              Could not determine cryptographic posture. Flagged for review.

How Policy Works

Qwall evaluates every inspected connection against these rules in order. The first matching rule wins. Rules are stored in policy.json and can be hot-reloaded via POST /policy.

Action  Effect
allow   Connection is permitted. Logged to Qledger if configured.
block   Connection is rejected. Traffic does not reach the backend.
warn    Connection is allowed but flagged. Alert fires to configured channels.

Update Policy via API

curl -X POST http://localhost:5051/policy \
  -H "Content-Type: application/json" \
  -d '{"rules": [
    {"action": "allow",  "condition": "pqc",       "reason": "PQC required by CMMC 2.0"},
    {"action": "block",  "condition": "classical",  "reason": "Classical TLS prohibited"},
    {"action": "warn",   "condition": "unknown",    "reason": "Unknown crypto - investigate"}
  ]}'
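
Because the first matching rule wins, a stricter rule appended after an existing rule for the same classification never takes effect. The following is an added example, not Qwall's own code, that dry-runs and lints a rules list before it is sent to POST /policy. It assumes a rule matches when its "condition" equals the classification exactly; Qwall's real matching may differ, and the function names and sample policy are constructed for illustration.

```python
# Added example, not Qwall code. Assumption: a rule matches when its
# "condition" string equals the connection's classification.
ACTIONS = {"allow", "block", "warn"}          # actions listed on the page
CLASSIFICATIONS = ["protected_preferred", "protected", "classical_fallback",
                   "classical", "unknown"]    # from the Active Rules list

def evaluate(rules, classification):
    """First matching rule wins; None when nothing matches."""
    for rule in rules:
        if rule.get("condition") == classification:
            return rule
    return None  # the page does not define Qwall's no-match behaviour

def lint(rules, classifications=CLASSIFICATIONS):
    """Return a list of problems; an empty list means the policy is clean."""
    problems, first_seen = [], {}
    for i, rule in enumerate(rules):
        missing = {"action", "condition", "reason"} - rule.keys()
        if missing:
            problems.append(f"rule {i}: missing {sorted(missing)}")
            continue
        if rule["action"] not in ACTIONS:
            problems.append(f"rule {i}: unknown action {rule['action']!r}")
        cond = rule["condition"]
        if cond in first_seen:  # an earlier rule always wins, so this is dead
            problems.append(f"rule {i}: shadowed by rule {first_seen[cond]} ({cond!r})")
        else:
            first_seen[cond] = i
    for c in classifications:
        if c not in first_seen:
            problems.append(f"no rule covers classification {c!r}")
    return problems

# Constructed sample: the page's five active rules (reasons shortened) plus
# an appended "block" that was meant to tighten classical_fallback handling.
SAMPLE_POLICY = [
    {"action": "allow", "condition": "protected_preferred", "reason": "best posture"},
    {"action": "allow", "condition": "protected", "reason": "PQC detected"},
    {"action": "warn", "condition": "classical_fallback", "reason": "possible downgrade"},
    {"action": "block", "condition": "classical", "reason": "quantum-vulnerable"},
    {"action": "warn", "condition": "unknown", "reason": "flag for review"},
    {"action": "block", "condition": "classical_fallback", "reason": "downgrades prohibited"},
]

if __name__ == "__main__":
    for problem in lint(SAMPLE_POLICY):
        print(problem)
    print(evaluate(SAMPLE_POLICY, "classical_fallback")["action"])
```

In the sample, the appended block rule is reported as shadowed and classical_fallback connections still resolve to warn; the stricter rule has to replace or precede the earlier one to take effect.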