Firewall Policy Types on Cloud-Managed Fireboxes
Applies To: Cloud-managed Fireboxes
When you add a policy to a cloud-managed Firebox, you specify the policy type. The policy type determines which settings you can configure in the policy and which security services the policy supports. The policy types that are available depend on the policy order mode that is enabled — automatic or manual.
Policy Types in Automatic Policy Order Mode
In Automatic Policy Order mode, the policy type also determines overall policy priority. For policies of the same type, policy priority depends on the policy source, destination, and traffic type. For more information about Automatic Policy Order mode, go to Firewall Policy Priority on Cloud-Managed Fireboxes.
Core Policies
Core policies allow or deny traffic based on both packet header information and content. The policy type controls which security services and policy settings are available. Core policies have normal priority and are appropriate for most traffic.
Core policy types:
Outbound — For connections from an internal network to an external network
Outbound policies support settings appropriate for connections from internal networks to external networks. Outbound policies support all security services. You can optionally configure an Outbound policy to decrypt HTTPS traffic to enable the Content Scanning services for HTTPS connections.
Inbound — For connections from an external network to an internal network
Inbound policies support settings and services appropriate for connections from external networks to internal networks. Inbound policies do not support HTTPS decryption or Content Scanning for HTTPS. They also do not support Content Filtering services.
Custom — For connections between private networks
Custom policies include settings appropriate for connections between private networks. Unlike other policies, you can configure a Custom policy to apply to connections that originate from either a policy source or destination address.
First Run and Last Run Policies
First Run and Last Run policies allow or deny traffic based only on packet header information, such as:
- Source
- Destination
- Port
- Protocol
These policy types do not examine the content of the traffic and do not support Content Scanning services or the WebBlocker Content Filtering service.
Add a First Run or Last Run policy as an exception when you want the policy to apply before or after the Core policies, and you do not want to use Content Scanning or WebBlocker services.
First Run
First Run policies have higher priority than all Core and Last Run policies. Configure a First Run policy when you want to always allow or deny specific types of traffic as an exception to the Core policies.
For example, you could add a First Run policy to:
- Deny outbound connections from security cameras on your network
- Allow outbound VPN connections from network clients to an external VPN endpoint
Last Run
Last Run policies have a lower priority than all Core and First Run policies. A Last Run policy applies only to traffic that does not match configured Core or First Run policies.
The Firebox denies connections that do not match a policy. It is not necessary to add a Last Run policy to deny connections that do not match a configured policy.
Policy Types in Manual Policy Order Mode
In Manual Policy Order mode, the policy type determines which settings and services are available, but it does not affect policy priority. You control the order in which policies apply to traffic. For more information about Manual Policy Order mode, go to Firewall Policy Priority on Cloud-Managed Fireboxes.
Outbound — For connections from an internal network to an external network
Outbound policies support settings appropriate for connections from internal networks to external networks. Outbound policies support all security services. You can optionally configure an Outbound policy to decrypt HTTPS traffic to enable the Content Scanning services for HTTPS connections.
Inbound — For connections from an external network to an internal network
Inbound policies support settings and services appropriate for connections from external networks to internal networks. Inbound policies do not support HTTPS decryption or Content Scanning for HTTPS. They also do not support Content Filtering services.
Custom — For connections between private networks
Custom policies include settings appropriate for connections between private networks. Unlike other policies, you can configure a Custom policy to apply to connections that originate from either a policy source or destination address.
Packet Filter — For simple header-based filtering of connections between any networks
Packet Filter policies allow or deny traffic based only on packet header information, such as:
- Source
- Destination
- Port
- Protocol
These policies do not examine the content of the traffic and do not support Content Scanning services or the WebBlocker Content Filtering service.
If you switch from Automatic Policy Order mode to Manual Policy Order mode, First Run and Last Run policies become Packet Filter policies. If you switch back to Automatic Policy Order mode, WatchGuard Cloud remembers whether the Packet Filter policy was originally a First Run or Last Run policy.
If you add a Packet Filter policy in Manual Policy Order mode and then switch to Automatic Policy Order mode, the Packet Filter policy becomes a Last Run policy. To make it a First Run policy, you can move the policy. For more information, go to Move a Firewall Policy.
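The following is an added example, not WatchGuard code, that models the tier-based priority of Automatic Policy Order mode (First Run, then Core, then Last Run, then the Firebox's implicit deny) and the type conversions described above when a configuration switches between the two modes. Within-tier ordering is simplified to list order, which is an assumption; the real ordering of Core policies depends on source, destination and traffic type.

```python
# Added example (not WatchGuard code). Models policy-type tiers in
# Automatic Policy Order mode and the conversions that happen when
# switching policy order modes. Header matching uses constructed host
# labels and exact string comparison for simplicity.
from dataclasses import dataclass
from typing import Optional

# Tier 0 runs before all Core policies; tier 2 runs after all of them.
TIER = {"First Run": 0, "Outbound": 1, "Inbound": 1, "Custom": 1, "Last Run": 2}

@dataclass
class Policy:
    name: str
    ptype: str                       # First Run, Outbound, Inbound, Custom, Last Run, Packet Filter
    action: str                      # "allow" or "deny"
    src: str = "*"                   # "*" matches any source
    dst: str = "*"                   # "*" matches any destination
    port: Optional[int] = None       # None matches any port
    original: Optional[str] = None   # type remembered after conversion to Packet Filter

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src in ("*", src) and self.dst in ("*", dst)
                and self.port in (None, port))

def evaluate_automatic(policies, src, dst, port):
    """Return (policy name, action) of the first match in tier order.
    Within a tier, list order is used (assumption). A connection that
    matches no policy is denied by the Firebox, so no Last Run deny is needed."""
    # sorted() is stable, so list order is preserved inside each tier
    for p in sorted(policies, key=lambda p: TIER[p.ptype]):
        if p.matches(src, dst, port):
            return p.name, p.action
    return "implicit", "deny"

def switch_to_manual(policies):
    """First Run and Last Run policies become Packet Filter; the original type is remembered."""
    for p in policies:
        if p.ptype in ("First Run", "Last Run"):
            p.original, p.ptype = p.ptype, "Packet Filter"
    return policies

def switch_to_automatic(policies):
    """Packet Filter policies return to their remembered type; a Packet Filter
    policy added in Manual mode (nothing remembered) becomes Last Run."""
    for p in policies:
        if p.ptype == "Packet Filter":
            p.ptype, p.original = p.original or "Last Run", None
    return policies
```

A First Run deny placed after an Outbound allow in the list still wins in Automatic mode because tier order, not list order, decides.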
System Policies
The Firebox configuration also includes system policies in both Automatic Policy Order mode and Manual Policy Order mode. System policies are hidden by default.
You cannot remove System policies, and you can only disable or edit specific System policies. For more information about which System policies you can disable or edit, go to System Firewall Policies on Cloud-Managed Fireboxes.