Applies To: Cloud-managed Fireboxes
System policies are firewall policies that allow or deny the specific types of traffic that Fireware features and WatchGuard services need to operate. By default, the system policies are not shown on the Firewall Policies page. To show them, at the top of the Firewall Policies page, enable Show System Policies.
You cannot remove System policies, and you can only disable or edit specific System policies. For more information about which System policies you can disable, see Disable System Policies.
High Priority System Policies
High priority System policies appear above the First Run policies and are evaluated first. They allow specific types of traffic regardless of other configured policies, so a policy you add cannot deny the traffic they allow. To restrict that traffic, disable the system policy (where that is allowed) or the feature or option that creates it.
The high priority system policies are:
WatchGuard SSLVPN
Allows SSL-VPN traffic from external networks to the Firebox. This policy allows Mobile VPN with SSL connections to the Firebox. This policy is created automatically when you configure Mobile VPN with SSL on the Firebox.
Allows IKE, ESP, and AH traffic from any source to the Firebox. This policy allows Mobile VPN with IKEv2 and BOVPN connections to the Firebox. This policy is created automatically when you configure a BOVPN or Mobile VPN with IKEv2 on the Firebox.
Any From Firebox
Allows all traffic from the Firebox itself to any destination.
WatchGuard Authentication Portal
Allows connections from internal networks to the Authentication Portal on the Firebox. This policy is created automatically when you enable the Authentication Portal in the Firebox Authentication settings.
WatchGuard Threat Detection and Response
Allows all traffic from internal networks to WatchGuard Threat Detection and Response servers.
WatchGuard Cloud
Allows all traffic from internal networks to WatchGuard Cloud.
Ping To Firebox
Allows ping traffic to the Firebox from internal networks that have the Ping option enabled in the Advanced network settings.
WatchGuard Web UI
Allows connections to Fireware Web UI from internal networks that have the Web UI Access option enabled.
For internal networks, the Ping and Web UI Access options are enabled by default. For information about how to change these settings, see Configure Advanced Network Settings.
Low Priority System Policies
Low priority system policies appear below the Last Run policies and are evaluated last, so they only apply to traffic that no other policy has already matched.
These policies are:
Allows traffic from any BOVPN to any destination. This policy is created automatically when you configure a BOVPN on the Firebox.
Allows traffic from any source to any BOVPN. This policy is created automatically when you configure a BOVPN on the Firebox.
Allow SSLVPN-Users
Allows traffic from users in the Mobile VPN with SSL configuration to all networks. This policy is created automatically when you configure Mobile VPN with SSL on the Firebox.
Allow IKEv2-Users
Allows traffic from users in the Mobile VPN with IKEv2 configuration to all networks. This policy is created automatically when you configure Mobile VPN with IKEv2 on the Firebox.
Unhandled Internal Packet
Denies traffic from any internal network to any destination.
Unhandled External Packet
Denies traffic from any source to any destination.
Allow DNS-Forwarding
Allows DNS traffic from internal networks to the Firebox.
When one of these policies denies traffic through the Firebox, the policy name (for example, Unhandled Internal Packet) appears in the Firebox log message, so you can tell which system policy dropped the traffic.
You can disable specific system policies if a default system policy is not restrictive enough for your needs. These are the system policies you can disable in WatchGuard Cloud:
- WatchGuard SSLVPN
- WatchGuard Cloud
- WatchGuard Threat Detection and Response
- Allow SSLVPN-Users
- Allow IKEv2-Users
- Allow RADIUS SSO Service
- Allow RADIUS SSO Users
- Allow DNS-Forwarding
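The policy order described above is easiest to reason about as a first-match rule list. The block below is an added example, not WatchGuard code: it models the evaluation order (high priority system policies, then First Run, user policies, Last Run, then low priority system policies), shows that a user deny policy cannot block traffic a high priority system policy allows, shows what a packet falls through to when one of the disable-able low priority policies is disabled, and enforces the rule that only the system policies listed above can be disabled. The zone names, service names, the two user policies and the log line format are constructed for the example; the relative placement of Allow DNS-Forwarding ahead of the Unhandled policies is an assumption.

```python
"""First-match model of the Firebox policy order described on this page.

Added example, not WatchGuard code. Tier order and the list of disable-able
system policies come from the page; zone names, service names, the user
policies and the log-line format are constructed for the example.
"""
from dataclasses import dataclass

ANY = "*"

# System policies WatchGuard Cloud lets you disable (list from the page).
DISABLEABLE = {
    "WatchGuard SSLVPN", "WatchGuard Cloud",
    "WatchGuard Threat Detection and Response",
    "Allow SSLVPN-Users", "Allow IKEv2-Users",
    "Allow RADIUS SSO Service", "Allow RADIUS SSO Users",
    "Allow DNS-Forwarding",
}


@dataclass(frozen=True)
class Packet:
    src: str       # constructed zones: internal, external, firebox, sslvpn-user, ...
    dst: str
    service: str   # constructed services: ping, web-ui, ssl-vpn, dns, smb, ...


@dataclass
class Policy:
    name: str
    action: str          # "allow" or "deny"
    src: str
    dst: str
    service: str = ANY
    system: bool = False
    enabled: bool = True

    def matches(self, p: Packet) -> bool:
        def ok(want, have):
            return want == ANY or want == have
        return (self.enabled and ok(self.src, p.src)
                and ok(self.dst, p.dst) and ok(self.service, p.service))


def _sys(name, action, src, dst, service=ANY):
    return Policy(name, action, src, dst, service, system=True)


# High priority system policies: evaluated before everything else.
HIGH_PRIORITY = [
    _sys("WatchGuard SSLVPN", "allow", "external", "firebox", "ssl-vpn"),
    _sys("Any From Firebox", "allow", "firebox", ANY),
    _sys("Ping To Firebox", "allow", "internal", "firebox", "ping"),
    _sys("WatchGuard Web UI", "allow", "internal", "firebox", "web-ui"),
]

# Low priority system policies: evaluated after everything else. The two
# Unhandled policies are the catch-all denies. Allow DNS-Forwarding is placed
# ahead of them here (assumption: after an any-to-any deny it could never match).
LOW_PRIORITY = [
    _sys("Allow SSLVPN-Users", "allow", "sslvpn-user", ANY),
    _sys("Allow IKEv2-Users", "allow", "ikev2-user", ANY),
    _sys("Allow DNS-Forwarding", "allow", "internal", "firebox", "dns"),
    _sys("Unhandled Internal Packet", "deny", "internal", ANY),
    _sys("Unhandled External Packet", "deny", ANY, ANY),
]


def build_ruleset(first_run, user, last_run):
    """Full evaluation order; First Run, user and Last Run policies are not system policies."""
    return [*HIGH_PRIORITY, *first_run, *user, *last_run, *LOW_PRIORITY]


def set_enabled(ruleset, name, enabled):
    """Toggle a policy. Like the Cloud UI, only the listed system policies can be disabled."""
    pol = next((p for p in ruleset if p.name == name), None)
    if pol is None:
        raise KeyError(name)
    if pol.system and not enabled and name not in DISABLEABLE:
        raise ValueError(f"{name} cannot be disabled")
    pol.enabled = enabled


def evaluate(ruleset, pkt):
    """First match wins; Unhandled External Packet guarantees a result."""
    return next(p for p in ruleset if p.matches(pkt))


def log_line(pkt, pol):
    """Constructed log format: records the matched policy name, as Firebox log messages do."""
    return f"{pol.action.upper()} {pkt.src}->{pkt.dst} {pkt.service} policy={pol.name!r}"


def demo():
    """Returns the log lines for a few constructed packets, before and after a disable."""
    user = [
        Policy("Block-ICMP", "deny", "internal", ANY, "ping"),  # constructed user policy
        Policy("Outgoing", "allow", "internal", "external"),    # constructed user policy
    ]
    rs = build_ruleset([], user, [])
    vpn_pkt = Packet("sslvpn-user", "internal", "smb")
    lines = [log_line(p, evaluate(rs, p)) for p in (
        Packet("internal", "firebox", "ping"),    # high priority beats the user deny
        Packet("internal", "external", "ping"),   # no system policy matches: user deny
        vpn_pkt,                                  # low priority Allow SSLVPN-Users
    )]
    set_enabled(rs, "Allow SSLVPN-Users", False)  # now falls through to the catch-all deny
    lines.append(log_line(vpn_pkt, evaluate(rs, vpn_pkt)))
    return lines


if __name__ == "__main__":
    print("\n".join(demo()))
```

The model shows why a deny policy you add in the user tier does not stop pings to the Firebox from internal networks (Ping To Firebox matches first), and why disabling Allow SSLVPN-Users does not make VPN user traffic "unrouted" but sends it to Unhandled External Packet, whose name is what you would then look for in the log.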
To disable a system policy, from WatchGuard Cloud:
- Select Configure > Devices.
- Select a cloud-managed Firebox.
Status and settings for the selected Firebox appear.
- Select Device Configuration.
The Device Configuration page opens.
- In the Firewall tile, click Firewall Policies.
The Firewall Policies page opens.
- Enable Show System Policies.
- Click the system policy name you want to disable.
- Disable the toggle next to the policy name.
- Click Save.
The policy remains in the Firebox configuration but is disabled.
- For the change to take effect on the Firebox, you must deploy the configuration update to the Firebox. For more information, see Manage Device Configuration Deployment.