Firewall Policies Best Practices
Applies To: Cloud-managed Fireboxes
Some of the features described in this topic are only available to participants in the WatchGuard Cloud Beta program. If a feature described in this topic is not available in your version of WatchGuard Cloud, it is a beta-only feature.
Firewall policies specify rules for how a cloud-managed Firebox allows or denies connections. When you configure firewall policies, consider these best practices.
Use Automatic Policy Order Mode
When Automatic Policy Order mode is enabled, the Firebox applies the highest priority policy that matches the source, destination, and traffic type. We recommend Automatic Policy Order mode for most configurations. Enable Manual Policy Order mode only for troubleshooting or if necessary for highly complex configurations.
When you add a firewall policy, make sure you select the policy type based on the source, destination, and purpose of the policy. For more information about policy types, go to Firewall Policy Types on Cloud-Managed Fireboxes.
Use Core Policies for Most Traffic
Core policies allow or deny traffic based on both header information and connection content. Core policies support all security services and are appropriate for most traffic.
Select the Core Policy Type Based on the Source and Destination
Some policy settings and services apply differently to inbound or outbound connections. Select the Core policy type based on the source and destination of the traffic the policy applies to:
- Outbound — For traffic from internal network devices to an external network
- Inbound — For traffic that enters the internal networks through the Firebox
- Custom — For traffic between private networks through the Firebox
Use First Run and Last Run Policies for Exceptions
First Run and Last Run policies allow or deny traffic based only on header information such as the source, destination, port, and protocol. These policy types do not support content scanning or WebBlocker content filtering services.
- First Run — Highest priority. Select this policy type if you always want to allow or deny a connection as an exception to the configured Core policies.
- Last Run — Lowest priority. Select this policy type if you always want to allow or deny a connection that does not match any configured Core policy.
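The evaluation order described above (First Run before Core, Core before Last Run, highest-priority match wins) is easier to reason about with a small model. The following Python is an added example, not WatchGuard code and not the Firebox's own matching logic: it sorts policies by tier, keeps list order within a tier (a simplification; this page does not describe how Core policies are ordered relative to each other), and denies a connection that matches nothing (an assumed default, not stated on this page). The policy names, networks and flows are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Priority of the three policy tiers described in the text: First Run policies
# are evaluated before Core policies, which are evaluated before Last Run.
TIER_PRIORITY = {"first_run": 0, "core": 1, "last_run": 2}


@dataclass(frozen=True)
class Policy:
    name: str
    tier: str                      # "first_run", "core" or "last_run"
    action: str                    # "allow" or "deny"
    sources: Tuple[str, ...]       # CIDR strings
    destinations: Tuple[str, ...]  # CIDR strings
    protocol: str                  # "tcp", "udp" or "any"
    ports: Optional[frozenset] = None  # destination ports; None means any port

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        """Header-only match on source, destination, protocol and port."""
        if self.protocol != "any" and self.protocol != proto:
            return False
        if self.ports is not None and port not in self.ports:
            return False
        s, d = ip_address(src), ip_address(dst)
        return (any(s in ip_network(n) for n in self.sources)
                and any(d in ip_network(n) for n in self.destinations))


def evaluate(policies, src: str, dst: str, proto: str, port: int):
    """Return (policy name, action) for the highest-priority matching policy.

    Tiers are evaluated First Run -> Core -> Last Run. Within a tier this
    model keeps list order (simplification; the page does not describe the
    product's ordering of Core policies). An unmatched connection is denied
    here (assumed default for this model, not stated on the page).
    """
    # sorted() is stable, so list order is preserved within each tier.
    ordered = sorted(policies, key=lambda p: TIER_PRIORITY[p.tier])
    for p in ordered:
        if p.matches(src, dst, proto, port):
            return p.name, p.action
    return "(no match)", "deny"


# Constructed sample policy set. The First Run exception is deliberately listed
# after the Core policies to show that tier, not list position, decides.
POLICIES = [
    Policy("Outbound-Web", "core", "allow",
           ("10.0.0.0/8",), ("0.0.0.0/0",), "tcp", frozenset({80, 443})),
    Policy("Inbound-HTTPS-to-DMZ", "core", "allow",
           ("0.0.0.0/0",), ("192.0.2.10/32",), "tcp", frozenset({443})),
    # Exception: a quarantined host is blocked regardless of Core allows.
    Policy("Block-Quarantined-Host", "first_run", "deny",
           ("10.0.5.23/32",), ("0.0.0.0/0",), "any"),
    # Catch-all for anything no Core policy handles.
    Policy("Deny-Unmatched", "last_run", "deny",
           ("0.0.0.0/0",), ("0.0.0.0/0",), "any"),
]

if __name__ == "__main__":
    flows = [
        ("10.0.1.7", "203.0.113.50", "tcp", 443),   # ordinary outbound web
        ("10.0.5.23", "203.0.113.50", "tcp", 443),  # quarantined host, same traffic
        ("10.0.1.7", "203.0.113.50", "tcp", 22),    # no Core policy covers SSH
        ("203.0.113.9", "192.0.2.10", "tcp", 443),  # inbound to the DMZ server
    ]
    for flow in flows:
        print(flow, "->", evaluate(POLICIES, *flow))
```

The second and third flows are the two exception cases the text describes: the quarantined host would be allowed by the Core "Outbound-Web" policy, but the First Run deny takes precedence; SSH matches no Core policy and falls through to the Last Run catch-all.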
Enable Security Services
For security services to protect your networks, enable them in both places:
- Enable security services in the policy settings.
- Enable security services in the global Security Services settings.
Security services are enabled in the default configuration of a cloud-managed Firebox.
You can enable and disable security services in the Security Services section of a policy. The security services you can enable in the policy depend on the policy type:
| Policy Type | Content Filtering | Geolocation | Content Scanning | Tor Exit Node Blocking |
|---|---|---|---|---|
| Outbound | Yes | Yes | Yes | Yes |
| Inbound | No | Yes | Yes | Yes |
| Custom | Yes | Yes | Yes | Yes |
| First Run | Application Control only | Yes | No | Yes |
| Last Run | Application Control only | Yes | No | Yes |
| Packet Filter | Application Control only | Yes | No | Yes |
For more information about policy types, go to Firewall Policy Types on Cloud-Managed Fireboxes.
For more information about how to configure services in policies, go to Configure Security Services in a Firewall Policy on a Cloud-Managed Firebox.