Getting started with policies

Policies organize traffic processing rules hierarchically, to make administration easier and to optimize traffic inspection performance.

What policy elements do

  • Firewall, IPS, and Layer 2 Firewall Policies contain the rules according to which the NGFW Engines allow or block traffic.
  • Layer 2 Interface Policies contain rules according to which NGFW Engines in the Firewall/VPN role allow or block traffic detected by their Capture Interfaces, Inline IPS Interfaces, and Inline Layer 2 Firewall Interfaces.
  • The same policy can be shared by several NGFW Engines that have the same role, several Master NGFW Engines, and several Virtual NGFW Engines that have the same role.
  • Inspection Policies contain the rules according to which the NGFW Engines inspect traffic. The same Inspection Policy can be shared by several Firewall Policies, IPS Policies, and Layer 2 Firewall Policies.
    Note: Inspection Policies are not supported in Layer 2 Interface Policies.
  • Each policy must always be based on a Template Policy. Template Policies contain rules that are inherited by every template or policy below them in the policy hierarchy.
  • You can also insert Sub-Policies in your policies. A Sub-Policy is a set of IPv4 or IPv6 Access rules that is evaluated only for a restricted, conditionally matched part of the traffic. Using Sub-Policies can improve processing performance. Sub-Policies can also enforce administrative boundaries.
  • Policies can share Policy Templates and Sub-Policies. In shared rules, Alias elements can represent IP addresses that depend on the environment, so that the actual values are defined separately for each component.
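The following model, added here as an illustration and not SMC or NGFW Engine code, shows how the three mechanisms above combine: template rules are inherited by the policy, a jump rule hands only a restricted part of the traffic to a Sub-Policy, and an Alias takes a different value on each engine that shares the policy. It assumes, as a simplification, that inherited template rules are evaluated before the policy's own rules and that evaluation continues after the jump rule when nothing in the Sub-Policy matches; all addresses and names are constructed.

```python
import ipaddress

ANY = "ANY"

def rule(src, dst, action):
    """One Access rule: src/dst are networks, Alias names, or ANY; action is a verdict or a Sub-Policy."""
    return {"src": src, "dst": dst, "action": action}

class Policy:
    """A Template Policy, Policy, or Sub-Policy: its own rules plus those inherited from its template."""
    def __init__(self, name, rules, template=None):
        self.name, self.rules, self.template = name, rules, template

    def effective_rules(self):
        # Assumed simplification: inherited template rules come before this policy's own rules.
        inherited = self.template.effective_rules() if self.template else []
        return inherited + self.rules

def endpoint_matches(endpoint, addr, aliases):
    """Alias names (constructed here with a "$$ " prefix) resolve through the engine's own alias table."""
    if endpoint == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(aliases.get(endpoint, endpoint))

def evaluate(policy, src, dst, aliases):
    """First-match evaluation. A Sub-Policy is entered only for traffic matching its jump rule;
    if nothing inside the Sub-Policy matches, evaluation continues after the jump rule (assumed)."""
    for r in policy.effective_rules():
        if not (endpoint_matches(r["src"], src, aliases) and endpoint_matches(r["dst"], dst, aliases)):
            continue
        if isinstance(r["action"], Policy):
            verdict = evaluate(r["action"], src, dst, aliases)
            if verdict is not None:
                return verdict
            continue
        return r["action"]
    return None  # no rule matched

# Constructed sample hierarchy using documentation address ranges, not a real deployment.
TEMPLATE = Policy("Shared Template", [rule("$$ Local Cluster", ANY, "allow")])
DMZ_SUB = Policy("DMZ Sub-Policy", [rule(ANY, "192.0.2.10/32", "allow")])
MAIN = Policy("Site Policy", [
    rule(ANY, "192.0.2.0/24", DMZ_SUB),   # jump: only DMZ-bound traffic enters the Sub-Policy
    rule(ANY, ANY, "discard"),
], template=TEMPLATE)

# The same policy shared by two engines: each engine supplies its own value for the Alias.
ENGINE_A = {"$$ Local Cluster": "10.1.0.0/24"}
ENGINE_B = {"$$ Local Cluster": "10.2.0.0/24"}
```

Running `evaluate(MAIN, "10.1.0.5", "203.0.113.1", ENGINE_A)` allows the packet through the inherited template rule, while the identical packet on ENGINE_B falls through to the final discard rule because the Alias resolves to a different network there.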

What do I need to know before I begin?

  • Master NGFW Engines always use Firewall Policies, regardless of the role of the Virtual NGFW Engines they host.
  • Virtual Firewalls use Firewall Policies.
  • Virtual IPS engines use IPS Policies.
  • Virtual Layer 2 Firewalls use Layer 2 Firewall Policies.