About Policy Precedence
Precedence is the sequence in which the Firebox examines network traffic and applies a policy rule. The Firebox automatically sorts policies from the most detailed to the most general. It compares the information in the packet to the list of rules in the first policy. The first rule in the list to match the conditions of the packet is applied to the packet. If the detail level in two policies is equal, a proxy policy always takes precedence over a packet filter policy.
Automatic Policy Order
The Firebox automatically gives the highest precedence to the most specific policies, and the lowest precedence to the least specific policies. The Firebox examines specificity of the criteria in the policy. If it cannot determine the precedence from the first criterion, it moves to the second, and so on. The precedence criteria are examined in this order:
- Policy specificity
- Protocols set for the policy type
- Traffic rules of the To list
- Traffic rules of the From list
- Firewall action (Allowed, Denied, or Denied (send reset)) applied to the policies
- Schedules applied to the policies
- Alphanumeric sequence based on policy type
- Alphanumeric sequence based on policy name
The subsequent sections include more details about what the Firebox does within these eight steps.
Policy Specificity and Protocols
The Firebox uses these criteria in sequence to compare two policies until it finds that the policies are equal, or that one is more detailed than the other.
- An Any policy always has the lowest precedence.
- Check for the number of TCP 0 (any) or UDP 0 (any) protocols. The policy with the smaller number has higher precedence.
- Check for the number of unique ports for TCP and UDP protocols. The policy with the smaller number has higher precedence.
- Add up the number of unique TCP and UDP ports. The policy with the smaller number has higher precedence.
- Score the protocols based on their IP protocol value. The policy with the smaller score has higher precedence.
If the Firebox cannot set the precedence when it compares the policy specificity and protocols, it examines traffic rules.
The Firebox uses these criteria in sequence to compare the most general traffic rule of one policy with the most general traffic rule of a second policy. It assigns higher precedence to the policy with the most detailed traffic rule.
- Host address
- IP address range (smaller than the subnet being compared to)
- IP address range (larger than the subnet being compared to)
- Authentication user name
- Authentication group
- Interface, Firebox
- Any-External, Any-Trusted, Any-Optional
For example, compare these two policies:
(HTTP-1) From: Trusted, user1
(HTTP-2) From: 10.0.0.1, Any-Trusted
Trusted is the most general entry for HTTP-1. Any-Trusted is the most general entry for HTTP-2. Because Trusted is included in the Any-Trusted alias, HTTP-1 is the more detailed traffic rule. This is correct despite the fact that HTTP-2 includes an IP address, because the Firebox compares the most general traffic rule of one policy to the most general traffic rule of the second policy to set precedence.
If the Firebox cannot set the precedence when it compares the traffic rules, it examines the firewall actions.
The Firebox compares the firewall actions of two policies to set precedence. Precedence of firewall actions from highest to lowest is:
- Denied or Denied (send reset)
- Allowed proxy policy
- Allowed packet-filter policy
If the Firebox cannot set the precedence when it compares the firewall actions, it examines the schedules.
The Firebox compares the schedules of two policies to set precedence. Precedence of schedules from highest to lowest is:
- Always off
- Sometimes on
- Always on
If the Firebox cannot set the precedence when it compares the schedules, it examines the policy types and names.
Policy Types and Names
If the two policies do not match any other precedence criteria, the Firebox sorts the policies in alphanumeric sequence. First, it uses the policy type. Then, it uses the policy name. Because no two policies can be the same type and have the same name, this is the last criteria for precedence.
Set Precedence Manually
You can change to manual-order mode and set the policy precedence for your Firebox.
To switch to manual order mode, from Fireware Web UI:
- Select Firewall > Firewall Policies.
The Firewall Policies page appears.
- Below the policy list, click Disable policy Auto-Order mode.
A confirmation message appears.
- Click Yes.
- To change the order of a policy, select the check box for a policy and click Move Up or Move Down to move it higher or lower in the list, or drag it to a new location in the Policy List.
- Click Save Policy Order.
To switch to manual order mode, from Policy Manager:
- Select View > Auto-Order Mode.
The checkmark disappears and a confirmation message appears.
- Click Yes to confirm that you want to switch to manual-order mode.
When you switch to manual-order mode, the Policy Manager window changes to the Details view. You cannot change the order of policies if you are in Large Icons view.
- To change the order of a policy, use one of these methods:
- Select a policy and drag it to a new location.
- Select the policy order number and type the number for the new location.
- Select a policy and click the Up and Down arrows on the Policy Order toolbar.