The security policy of your organization is a set of definitions to protect your computer network and the information that goes through it. The Firebox denies all packets that are not specifically allowed. When you add a policy to your Firebox configuration file, you add a set of rules that tell the Firebox to allow or deny traffic based upon factors such as source and destination of the packet or the TCP/IP port or protocol used for the packet.
As an example of how a policy could be used, suppose the network administrator of a company wants to log in remotely to a web server protected by the Firebox. The network administrator manages the web server with a Remote Desktop connection. At the same time, the network administrator wants to make sure that no other network users can use Remote Desktop. To create this setup, the network administrator adds a policy that allows RDP connections only from the IP address of the network administrator's desktop computer to the IP address of the web server.
A policy can also give the Firebox more instructions on how to handle the packet. For example, you can define logging and notification settings that apply to the traffic, or use NAT (Network Address Translation) to change the source IP address and port of network traffic.
Packet Filter and Proxy Policies
Your Firebox uses two categories of policies to filter network traffic: packet filters and proxies. A packet filter examines each packet’s IP and TCP/UDP header. If the packet header information is legitimate, then the Firebox allows the packet. Otherwise, the Firebox drops the packet.
A proxy examines both the header information and the content of each packet to make sure that connections are secure. This is also called content inspection. If the packet header information is legitimate and the content of the packet is not considered a threat, then the Firebox allows the packet. Otherwise, the Firebox drops the packet.
Add Policies to Your Firebox
The Firebox includes many pre-configured packet filters and proxies that you can add to your configuration. For example, if you want a packet filter for all Telnet traffic, you add a pre-defined Telnet policy that you can modify for your network configuration. You can also make a custom policy for which you set the ports, protocols, and other parameters.
When you configure the Firebox with the Quick Setup Wizard, the wizard adds several packet filters: Outgoing (TCP-UDP), FTP, ping, and up to two WatchGuard management policies. If you have more software applications and network traffic for the Firebox to examine, you must:
- Configure the policies on your Firebox to let the necessary traffic through
- Set the approved hosts and properties for each policy
- Balance the requirement to protect your network against the requirements of your users to get access to external resources
We recommend that you set limits on outgoing access when you configure your Firebox.
In all documentation, we refer to both packet filters and proxies as policies. Information on policies refers to both packet filters and proxies unless otherwise specified.