Getting started with policies
Policies organize traffic processing rules hierarchically, to make administration easier and to optimize traffic inspection performance.
What policy elements do
- Firewall, IPS, and Layer 2 Firewall Policies contain the rules according to which the NGFW Engines allow or block traffic.
- Layer 2 Interface Policies contain rules according to which NGFW Engines in the Firewall/VPN role allow or block traffic detected by Capture Interfaces, Inline IPS Interfaces, and Inline Layer 2 Firewall Interfaces on NGFW Engines in the Firewall/VPN role.
- The same policy can be shared by several NGFW Engines that have the same role, several Master NGFW Engines, and several Virtual NGFW Engines that have the same role.
- Inspection Policies contain the rules according to which the NGFW Engines inspect traffic. The same
Inspection Policy can be shared by several Firewall Policies, IPS Policies,
and Layer 2 Firewall Policies.Note: Inspection Policies are not supported in Layer 2 Interface Policies.
- Each policy must always be based on a Template Policy. Template Policies contain rules that are inherited into any template or policy below it in the policy hierarchy.
- You can also insert Sub-Policies in your policies. A Sub-Policy is a set of IPv4 or IPv6 Access rules that can be matched conditionally to a restricted part of the traffic. Using Sub-Policies can improve processing performance. Sub-Policies can also enforce administrative boundaries.
- Policies can share Policy Templates and Sub-Policies. In shared rules, Alias elements can represent IP addresses that depend on the environment, so that the actual values are defined separately for each component.
What do I need to know before I begin?
- Master NGFW Engines always use Firewall Policies, regardless of the role of the Virtual NGFW Engines they host.
- Virtual Firewalls use Firewall Policies.
- Virtual IPS engines use IPS Policies.
- Virtual Layer 2 Firewalls use Layer 2 Firewall Policies.