Configure Firewall Policies in WatchGuard Cloud

Applies To: Cloud-managed Fireboxes

Some of the features described in this topic are only available to participants in the WatchGuard Cloud Beta program. If a feature described in this topic is not available in your version of WatchGuard Cloud, it is a beta-only feature.

Overview

Firewall policies control when a cloud-managed Firebox allows or denies connections. The Firebox matches each connection to a policy based on the traffic source, destination, and traffic type.

On the Firewall Policies page, you can:

You can configure policies for individual Fireboxes and for Firebox templates. If a Firebox subscribes to a template with a policy configured, a lock icon shows next to the policy in the Firebox configuration, and you cannot configure the policy in the Firebox configuration for that device. To view the name of the template where the policy is configured, hover over the lock icon. For more information about Firebox templates, go to About Firebox Templates.

Screenshot of the Firewall Policies page with a policy inherited from a Firebox template

Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the Devices permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.

View Firewall Policies

To view configured firewall policies, open the Firewall Policies page in the Device Configuration.

To view firewall policies, from WatchGuard Cloud:

  1. Select Configure > Devices.
  2. Select the cloud-managed Firebox.
  3. Click Device Configuration.
  4. Click the Firewall Policies widget.
    The Firewall Policies page opens.

    Screenshot of the Firewall Policies page in WatchGuard Cloud.

By default, the Firebox automatically determines the order of firewall policies by priority (Automatic Policy Order mode). If necessary, you can switch to Manual Policy Order mode and set the policy order manually. For more information about policy order, go to Firewall Policy Priority on Cloud-Managed Fireboxes.

Add a Firewall Policy

To create new rules for specific types of traffic through the Firebox, you can add firewall policies to the Firebox configuration. After you add or update a policy, you must deploy the configuration to the Firebox for your changes to take effect.

For information about best practices for firewall policy configuration, go to Firewall Policies Best Practices.

To add a firewall policy, from WatchGuard Cloud:

  1. On the Firewall Policies page, click Add Firewall Policy.
    The Add Firewall Policy page opens.

    Screenshot of the Add Firewall Policy page, policy types selection

  2. Select the policy type. For information about policy types, go to Firewall Policy Types on Cloud-Managed Fireboxes.
  3. Click Next.
    Settings for the selected policy type open.

    Screenshot of the Add Outbound Policy page

  4. In the Name text box, type a name for this policy.
  5. From the Action drop-down list, select the policy action:
    • Allow — Allows traffic that matches the policy settings.
    • Deny — Denies traffic that matches the policy settings.
  6. Configure other policy settings described in these topics:
  7. To save configuration changes to the cloud, click Save.

For configuration changes to take effect on a cloud-managed Firebox, you must deploy the configuration update to the Firebox. For more information, go to Manage Device Configuration Deployment for Fireboxes.

Copy a Firewall Policy

You can copy existing policies, including System policies, to add firewall policies to the Firebox configuration. After you copy a policy, you must deploy the configuration to the Firebox for your changes to take effect.

You can copy a System policy, but you cannot create a new System policy from a copy. For more information, go to System Firewall Policies on Cloud-Managed Fireboxes.

To copy a firewall policy, from WatchGuard Cloud:

  1. On the Firewall Policies page, in the row for the policy you want to copy, click the Options menu icon.
  2. From the drop-down list, select Copy.
    The Copy Firewall Policy page opens.

    Screenshot of the Copy Firewall Policy page.

  3. Select the policy type for the new policy. For information about policy types, go to Firewall Policy Types on Cloud-Managed Fireboxes.

    Custom policies can be bidirectional. If you copy a custom bidirectional policy as a type other than Custom, you must review the traffic direction for the new policy and update as necessary. For more information, go to Step 7.

  4. Click Next.
    The policy type settings open.

    Screenshot of policy settings.

  5. In the Name text box, enter a name for this policy.
  6. From the Action drop-down list, select the policy action:
    • Allow — Allows traffic that matches the policy settings.
    • Deny — Denies traffic that matches the policy settings.
  7. In the Source and Destination section, select the source and destination for this policy. For more information, go to Source and Destination.

    If you copy a bidirectional custom policy, you must select the traffic direction for the new policy. If you want to reverse the traffic for the policy, click Swap Source and Destination.

  8. Configure other policy settings described in these topics:
  9. To save configuration changes to the cloud, click Save.

For configuration changes to take effect on a cloud-managed Firebox, you must deploy the configuration update to the Firebox. For more information, go to Manage Device Configuration Deployment for Fireboxes.

Move a Firewall Policy

You can move firewall policies from one policy type category to another in the Firebox configuration. After you move a policy, you must deploy the configuration to the Firebox for your changes to take effect.

Custom policies can be bidirectional. If you move a custom bidirectional policy, you must review the traffic direction for the moved policy and update as necessary. For more information, go to Move a Bidirectional Firewall Policy.

The Move option is not available in Manual Policy Order mode because you manually reorder the policy list. For more information, go to Firewall Policy Priority on Cloud-Managed Fireboxes.

To move a firewall policy, from WatchGuard Cloud:

  1. On the Firewall Policies page, in the row for the policy you want to move, click the Options menu icon.
  2. From the drop-down list, select Move.
    The Move Firewall Policy page opens.

    Screenshot of the Move Firewall Policy page.

  3. Select the policy type category you want to move the policy to. For example, if you want to move a Core policy, select First Run or Last Run.
  4. Click Move.
    The Firewall Policies page opens and shows the moved policy in the new policy type category.

For configuration changes to take effect on a cloud-managed Firebox, you must deploy the configuration update to the Firebox. For more information, go to Manage Device Configuration Deployment for Fireboxes.

Move a Bidirectional Firewall Policy

When you move a bidirectional custom policy, the policy is no longer bidirectional. You must review and select the traffic direction for the moved policy.

To move a bidirectional custom policy, from WatchGuard Cloud:

  1. On the Firewall Policies page, in the row for the bidirectional policy you want to move, click the Options menu icon.
  2. From the drop-down list, select Move.
    The Move Firewall Policy page opens.

    Screenshot of the Move Firewall Policy page for a bidirectional policy.

  3. Select the policy type category you want to move the policy to.
  4. Click Next.
  5. In the Source and Destination section, select the source and destination for the moved policy. If you want to reverse the traffic direction for the policy, click Swap Source and Destination.

    Screenshot of the Move Policy Settings page with the Source and Destination section highlighted.

  6. Click Move.
    The Firewall Policies page opens and shows the moved policy in the new policy type category.

For configuration changes to take effect on a cloud-managed Firebox, you must deploy the configuration update to the Firebox. For more information, go to Manage Device Configuration Deployment for Fireboxes.

Enable or Disable a Firewall Policy

You can enable or disable a policy from the Firewall Policies page or when you edit a policy.

You cannot remove System policies, and you can only disable or edit specific System policies. For more information about which System policies you can disable or edit, go to System Firewall Policies on Cloud-Managed Fireboxes.

To enable or disable a policy from the Firewall Policies page:

  1. On the Firebox Device Configuration page, click the Firewall Policies widget.
    The Firewall Policies page opens.
  2. To disable or enable the policy in the list, click the toggle next to the policy name.

    Screenshot of the Firewall Policies page with the enable/disable toggle highlighted in the list.

  3. If Manual Policy Order mode is enabled, click Save. If Automatic Policy Order mode is enabled, the change is saved automatically.

For configuration changes to take effect on a cloud-managed Firebox, you must deploy the configuration update to the Firebox. For more information, go to Manage Device Configuration Deployment for Fireboxes.

To enable or disable a policy when you edit the policy:

  1. On the Firebox Device Configuration page, click the Firewall Policies widget.
    The Firewall Policies page opens.
  2. Click a policy name to open the policy settings.
  3. To disable or enable the policy, click the toggle next to the policy name.

    Screenshot of the policy page with the enable/disable toggle highlighted.

  4. Click Save.
    The change is saved to the Firebox configuration in the cloud.

For configuration changes to take effect on a cloud-managed Firebox, you must deploy the configuration update to the Firebox. For more information, go to Manage Device Configuration Deployment for Fireboxes.

Edit a Firewall Policy

You can update any policy that you added for a cloud-managed Firebox.

To edit a policy, from WatchGuard Cloud:

  1. On the Firebox Device Configuration page, click the Firewall Policies widget.
    The Firewall Policies page opens.
  2. Click the policy name.
  3. Edit the policy settings.
  4. Click Save.
    The change is saved to the Firebox configuration in the cloud.

For configuration changes to take effect on a cloud-managed Firebox, you must deploy the configuration update to the Firebox. For more information, go to Manage Device Configuration Deployment for Fireboxes.

Delete a Firewall Policy

To remove a policy from the configuration for a cloud-managed Firebox, you can delete it.

To delete a policy, from WatchGuard Cloud: 

  1. On the Firebox Device Configuration page, click the Firewall Policies widget.
    The Firewall Policies page opens.
  2. In the row for the policy you want to delete, click the Options menu icon.
  3. From the drop-down list, select Delete.
  4. To confirm the deletion, click Delete.
    The policy is deleted from the Firebox configuration in the cloud.

For configuration changes to take effect on a cloud-managed Firebox, you must deploy the configuration update to the Firebox. For more information, go to Manage Device Configuration Deployment for Fireboxes.

Related Topics

Firewall Policy Types on Cloud-Managed Fireboxes