Firewall Policies Best Practices
Applies To: Cloud-managed Fireboxes
Firewall policies specify rules for how a cloud-managed Firebox allows or denies connections. When you configure firewall policies, consider these best practices.
Select the Appropriate Policy Type
When you add a firewall policy, select the policy type based on the source, destination and purpose of the policy.
Use Core policies for most traffic
Core policies allow or deny traffic based on both header information and connection content. Core policies support all security services and are appropriate for most traffic.
Select the Core policy type based on the source and destination
Some policy settings and services apply differently to inbound or outbound connections. Select the Core policy type based on the source and destination of the traffic the policy applies to:
- Outbound — For traffic from internal network devices to an external network
- Inbound — For traffic that enters the internal networks through the Firebox
- Custom — For traffic between private networks through the Firebox
Use First Run and Last Run policies for exceptions
First Run and Last Run policies allow or deny traffic based only on header information such as the source, destination, port, and protocol. These policy types do not support content scanning or WebBlocker content filtering services.
- First Run — Highest priority. Select this policy type if you always want to allow or deny a connection as an exception to the configured Core policies.
- Last Run — Lowest priority. Select this policy type if you always want to allow or deny a connection that does not match any configured Core policy.
Enable Security Services
Security services protect your networks only when they are enabled in both places:
- Enable security services in the policy settings.
- Enable security services in the global Security Services settings.
Security services are enabled in the default configuration of a cloud-managed Firebox.
You can enable and disable security services in the Security Services section of a policy. The security services you can enable in the policy depend on the policy type:
Policy Type | Content Filtering | Geolocation | Content Scanning | Tor Exit Node Blocking |
---|---|---|---|---|
Outbound | Yes | Yes | Yes | Yes |
Inbound | Yes | Yes | Yes | Yes |
Custom | Yes | Yes | Yes | Yes |
First Run | Application Control only | | No | |
Last Run | Application Control only | | No | |
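The evaluation order described under First Run and Last Run policies, and the per-type service support in the table above, are easy to get wrong when a rule set grows. The following model, added here as an illustration and not WatchGuard code or any WatchGuard API, shows how the three tiers interact: a First Run deny overrides a broader Core allow, a connection that matches no Core policy falls through to Last Run, and a First Run or Last Run policy is rejected if you try to attach a service (such as content scanning) that its type does not support. The policy and connection representation is hypothetical. Two assumptions the page does not state are labelled in the code: within a tier the first matching policy in list order wins, and a connection that matches no policy at all is denied.

```python
"""Model of firewall policy precedence (First Run > Core > Last Run) and of
which security services each policy type may enable. Added example only;
not WatchGuard code. Policy and connection representation is hypothetical."""
from dataclasses import dataclass, field

# Tiers in evaluation order, highest priority first.
TIERS = ("First Run", "Core", "Last Run")
CORE_TYPES = {"Outbound", "Inbound", "Custom"}

# Services a policy of each type may enable, taken from the table above.
# Content Filtering covers WebBlocker and Application Control; First Run and
# Last Run support Application Control only and no content scanning. Whether
# they support Geolocation or Tor Exit Node Blocking is not stated on the page,
# so those are deliberately left out for the two exception tiers.
CORE_SERVICES = {"WebBlocker", "Application Control", "Geolocation",
                 "Content Scanning", "Tor Exit Node Blocking"}
ALLOWED_SERVICES = {
    "Outbound": CORE_SERVICES,
    "Inbound": CORE_SERVICES,
    "Custom": CORE_SERVICES,
    "First Run": {"Application Control"},
    "Last Run": {"Application Control"},
}


def unsupported_services(policy_type: str, services: set) -> set:
    """Return the services in `services` that `policy_type` cannot enable."""
    if policy_type not in ALLOWED_SERVICES:
        raise ValueError(f"unknown policy type {policy_type!r}")
    return set(services) - ALLOWED_SERVICES[policy_type]


@dataclass
class Policy:
    name: str
    policy_type: str            # Outbound, Inbound, Custom, First Run, Last Run
    action: str                 # "allow" or "deny"
    src: set                    # network labels; {"any"} matches everything
    dst: set
    ports: set                  # port numbers; {"any"} matches everything
    proto: str = "any"          # "tcp", "udp" or "any"
    services: set = field(default_factory=set)

    def __post_init__(self):
        if self.action not in ("allow", "deny"):
            raise ValueError(f"policy {self.name!r}: bad action {self.action!r}")
        bad = unsupported_services(self.policy_type, self.services)
        if bad:
            raise ValueError(f"{self.policy_type} policy {self.name!r} "
                             f"cannot enable {sorted(bad)}")

    @property
    def tier(self) -> str:
        return "Core" if self.policy_type in CORE_TYPES else self.policy_type

    def matches(self, conn: dict) -> bool:
        """Header-only match: source, destination, port and protocol."""
        def hit(allowed, value):
            return "any" in allowed or value in allowed
        return (hit(self.src, conn["src"]) and hit(self.dst, conn["dst"])
                and hit(self.ports, conn["port"])
                and self.proto in ("any", conn["proto"]))


def evaluate(policies: list, conn: dict) -> dict:
    """Decide a connection: First Run policies are checked first, then Core,
    then Last Run, regardless of list position. ASSUMPTION (not on the page):
    within a tier the first matching policy in list order wins, and a
    connection that matches nothing is denied. Services are reported only for
    an allow decision, since denied traffic is never inspected."""
    for tier in TIERS:
        for p in policies:
            if p.tier == tier and p.matches(conn):
                svc = sorted(p.services) if p.action == "allow" else []
                return {"action": p.action, "policy": p.name,
                        "tier": tier, "services": svc}
    return {"action": "deny", "policy": None, "tier": None, "services": []}


# Constructed sample rule set. The First Run policy is listed after the Core
# policies on purpose, to show that tier, not list order, decides precedence.
POLICIES = [
    Policy("Allow-Web", "Outbound", "allow", {"Trusted"}, {"External"},
           {80, 443}, "tcp", {"WebBlocker", "Content Scanning", "Geolocation"}),
    Policy("Allow-Outbound-Any", "Outbound", "allow", {"Trusted"}, {"External"},
           {"any"}),
    Policy("Block-Telnet", "First Run", "deny", {"any"}, {"any"}, {23}, "tcp"),
    Policy("Deny-All", "Last Run", "deny", {"any"}, {"any"}, {"any"}),
]

if __name__ == "__main__":
    for conn in (
        {"src": "Trusted", "dst": "External", "port": 23, "proto": "tcp"},
        {"src": "Trusted", "dst": "External", "port": 443, "proto": "tcp"},
        {"src": "Trusted", "dst": "External", "port": 8080, "proto": "tcp"},
        {"src": "External", "dst": "Trusted", "port": 22, "proto": "tcp"},
    ):
        print(conn, "->", evaluate(POLICIES, conn))
    print("First Run may not enable:",
          unsupported_services("First Run", {"Content Scanning", "Application Control"}))
```

Running the script shows telnet from Trusted denied by `Block-Telnet` even though `Allow-Outbound-Any` would have allowed it, HTTPS allowed by `Allow-Web` with its three services, port 8080 allowed by the broad Core policy with no services, and the inbound SSH attempt falling through to the Last Run `Deny-All`. The `__post_init__` check is the part worth carrying into real tooling: a rule that depends on content scanning must live in a Core policy, because a First Run or Last Run policy will silently match on headers only.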
On the Device Configuration page for a Firebox, the Security Services section shows a summary of settings for configured services.
On the Firewall Policies page, icons in the Security column show which services are enabled for each policy. To see the name of a security service, hover over its icon.
For more information about how to configure services in policies, see Configure Security Services in a Firewall Policy.