Getting started with editing policies

Rules in policies are instructions to the engines for handling traffic.

What rules do

There are five main types of rules.

  • Ethernet rules (IPS, Layer 2 Firewall, and Layer 2 Interface Policies only) filter traffic based on MAC addresses and low-level network protocols. These rules can be used to segment a network.
  • Access rules filter traffic based on IP addresses and IP-based protocols. These rules control access to resources. There are separate Access rules for IPv4 and IPv6 traffic.
  • NAT rules (Firewall Policy only) change source or destination IP addresses in traffic that is allowed to pass through the firewall. NAT (network address translation) can hide the network structure and allows several computers to use the same IP address on the Internet. There are separate NAT rules for IPv4 and IPv6 traffic.
  • Inspection rules in Inspection Policies filter traffic based on patterns in any of the information that is transferred. These rules log complex traffic use patterns and find network attacks, network worms, or other worrying or unwanted traffic like the use of peer-to-peer file transfer applications.
  • Exceptions in Inspection Policies create detailed exceptions to the Inspection rules to eliminate false positives and to activate blacklisting or User Responses for specific traffic patterns.

The engines process the rules one type at a time in the order previously listed. IPv4 and IPv6 traffic can be matched to both IPv4 and IPv6 Access rules in any order if traffic is tunneled, possibly several times.

Basic rule design considerations

Keep the following in mind when editing rules:
  • Rule tables are read from the top down, so the order of the rules is important. Make sure that the rules advance logically from specific rules at the top toward more general rules at the bottom whenever the matching criteria in rules overlap.

    Example: A rule that denies access to your server from a particular network must be placed above a general rule that allows access from any source address.

  • Any two rules that have identical matching criteria are redundant and should be merged. Automatic rule validation can be used to find such mistakes.
  • When rules are matched to traffic, the traffic is compared to each rule one by one until a match is found. What happens when the end of the rule table is reached without any matches varies by the component and the type of rules.
  • If you use element-based NAT, the NAT rules generated from NAT definitions are applied only after the NAT rules that you have added manually to the policy. This means that the NAT rules that are generated from NAT definitions do not override the rules that you have manually added to the policy. Remember, however, that a more specific manually created NAT rule can prevent traffic from matching the automatically generated NAT rules.

What do I need to know before I begin?

There are different policy types for different NGFW Engine elements.
Table 1. Policy types
Policy type NGFW Engine elements
Firewall Policy Single Firewall, Firewall Cluster, Master NGFW Engine, Virtual Firewall
Note: Master NGFW Engines always use Firewall Policies regardless of the role of the Virtual NGFW Engines they host.
IPS Policy Single IPS, IPS Cluster, Virtual IPS
Layer 2 Firewall Policy Single Layer 2 Firewall, Layer 2 Firewall Cluster, Virtual Layer 2 Firewall
Layer 2 Interface Policy Single Firewall, Firewall Cluster
Note: You select the Layer 2 Interface Policy for the NGFW Engine in the Engine Editor.