Firewall Policy Types

Applies To: Cloud-managed Fireboxes

When you add a policy to a cloud-managed Firebox, you specify the policy type. The policy type determines which settings you can configure in the policy and which services the policy supports.

These are the different types of policies:

The policy type also determines overall policy priority. For policies of the same type, policy priority depends on the policy source, destination, and traffic type. For more information, see Firewall Policy Priority.

Core Policies

Core policies allow or deny traffic based on both packet header information and content. The policy type controls which security services and policy settings are available. Core policies have normal priority and are appropriate for most traffic.

Core policy types:

Outbound — For connections from an internal network to an external network

Outbound policies support settings appropriate for connections from internal networks to external networks. Outbound policies support all security services. You can optionally configure an Outbound policy to decrypt HTTPS traffic to enable the Content Scanning services for HTTPS connections.

Inbound — For connections from an external network to an internal network

Inbound policies support settings and services appropriate for connections from external networks to internal networks. Inbound policies do not support HTTPS decryption or Content Scanning for HTTPS. They also do not support Content Filtering services.

Custom — For connections between private networks

Custom policies include settings appropriate for connections between private networks. Unlike other policies, you can configure a Custom policy to apply to connections that originate from either a policy source or destination address.

First Run and Last Run Policies

First Run and Last Run policies allow or deny traffic based only on packet header information, such as:

  • Source
  • Destination
  • Port
  • Protocol

These policy types do not examine the content of the traffic, and do not support Content Scanning services, or the WebBlocker Content Filtering service.

Add a First Run or Last Run policy as an exception when you want the policy to apply before or after the Core policies, and you do not want to use Content Scanning or WebBlocker services.

First Run

First Run policies have higher priority than all Core and Last Run policies. Configure a First Run policy when you want to always allow or deny specific types of traffic as an exception to the Core policies.

For example, you could add a First Run policy to:

  • Deny outbound connections from security cameras on your network
  • Allow outbound VPN connections from network clients to an external VPN endpoint.

Last Run

Last Run policies have a lower priority than all Core and First Run policies. A Last Run policy applies only to traffic that does not match configured Core or First Run policies.

The Firebox denies connections that do not match a policy. It is not necessary to add a Last Run policy to deny connections that do not match a configured policy.

System Policies

The Firebox configuration also includes system policies, which are not editable. System policies are hidden by default.

You cannot remove System policies, and you can only disable or edit specific System policies. For more information about which System policies you can disable or edit, see System Firewall Policies.

Related Topics

Default Firewall Policies

Configure Firewall Policies in WatchGuard Cloud