Firewall Policies Best Practices

Applies To: Cloud-managed Fireboxes

Firewall policies specify rules for how a cloud-managed Firebox allows or denies connections. When you configure firewall policies, consider these best practices.

Select the Appropriate Policy Type

When you add a firewall policy, select the policy type based on the source, destination and purpose of the policy.

Use Core policies for most traffic

Core policies allow or deny traffic based on both header information and connection content. Core policies support all security services and are appropriate for most traffic.

Select the Core policy type based on the source and destination

Some policy settings and services apply differently to inbound or outbound connections. Select the Core policy type based on the source and destination of the traffic the policy applies to:

  • Outbound ─ For traffic from internal network devices to an external network
  • Inbound ─ For traffic that enters the internal networks through the Firebox
  • Custom ─ For traffic between private networks through the Firebox

Use First Run and Last Run policies for exceptions

First Run and Last Run policies allow or deny traffic based only on header information such as the source, destination, port, and protocol. These policy types do not support content scanning or WebBlocker content filtering services.

  • First Run — Highest priority. Select this policy type if you always want to allow or deny a connection as an exception to the configured Core policies.
  • Last Run — Lowest priority. Select this policy type if you always want to allow or deny a connection that does not match any configured Core policy.

Enable Security Services

To enable security services to protect your networks:

  • Enable security services in the policy settings.
  • Enable security services in the global Security Services settings.

Security services are enabled in the default configuration of a cloud-managed Firebox.

The security services you can enable in a policy depend on the policy type:

Policy Type Content Filtering Geolocation Content Scanning
Outbound
Inbound  
Custom
First Run Application Control only  
Last Run Application Control only  

On the Device Configuration page for a Firebox, the Security Services section shows a summary of settings for configured services.

Screen shot of the Security Services section of the Device Configuration page

On the Firewall Policies page, icons in the Security column shows which services are enabled for each policy. To see the security service name, hover over each icon.

Screen shot of the Firewall Policies page with the default Outgoing policy

For more information about how to configure services in policies, see Configure Security Services in a Firewall Policy.

See Also

Configure Firewall Policies in WatchGuard Cloud

Download the Certificate for TLS Decryption