Configure Firewall Policies in WatchGuard Cloud
Applies To: Cloud-managed Fireboxes
Overview
Firewall policies control when a cloud-managed Firebox allows or denies connections. The Firebox matches each connection to a policy based on the traffic source, destination, and traffic type.
On the Firewall Policies page, you can:
- View Firewall Policies
- Add a Firewall Policy
- Copy a Firewall Policy
- Change the Firewall Policy Type
- Enable or Disable a Firewall Policy
- Edit a Firewall Policy
- Delete a Firewall Policy
You can configure policies for individual Fireboxes and for Firebox templates. If a Firebox subscribes to a template with a policy configured, a lock icon shows next to the policy in the Firebox configuration, and you cannot configure the policy in the Firebox configuration for that device. To view the name of the template where the policy is configured, hover over the lock icon. For more information about Firebox templates, go to About Firebox Templates.
Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the Devices permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.
View Firewall Policies
To view configured firewall policies, open the Firewall Policies page in the Device Configuration.
To view firewall policies, from WatchGuard Cloud:
- Select Configure > Devices.
- Select the cloud-managed Firebox.
- Click Device Configuration.
- Click the Firewall Policies widget.
The Firewall Policies page opens.
By default, the Firebox automatically determines the order of firewall policies by priority (Automatic Policy Order mode). If necessary, you can switch to Manual Policy Order mode and set the policy order manually. For more information about policy order, go to Firewall Policy Priority on Cloud-Managed Fireboxes.
Add a Firewall Policy
To create new rules for specific types of traffic through the Firebox, you can add firewall policies to the Firebox configuration.
For information about best practices for firewall policy configuration, go to Firewall Policies Best Practices.
To add a firewall policy, from WatchGuard Cloud:
- On the Firewall Policies page, click Add Firewall Policy.
The Add Firewall Policy page opens.
- Select the policy type. For information about policy types, go to Firewall Policy Types on Cloud-Managed Fireboxes.
- Click Next.
Settings for the selected policy type open.
- In the Name text box, type a name for this policy.
- From the Action drop-down list, select the policy action:
- Allow — Allows traffic that matches the policy settings.
- Deny — Denies traffic that matches the policy settings.
- Configure other policy settings described in these topics:
- To save configuration changes to the cloud, click Save.
For configuration changes to take effect on a cloud-managed Firebox, you must deploy the configuration update to the Firebox. For more information, go to Manage Device Configuration Deployment for Fireboxes.
Copy a Firewall Policy
You can copy existing policies, including System policies, to add firewall policies to the Firebox configuration.
You can copy a System policy, but you cannot create a new System policy from a copy. For more information, go to System Firewall Policies on Cloud-Managed Fireboxes.
To copy a firewall policy, from WatchGuard Cloud:
- On the Firewall Policies page, in the row for the policy you want to copy, click the icon.
- From the drop-down list, select Copy.
The Copy Firewall Policy page opens.
- Select the policy type for the new policy. For information about policy types, go to Firewall Policy Types on Cloud-Managed Fireboxes.
Custom policies can be bidirectional. If you copy a custom bidirectional policy as a type other than Custom, you must review the traffic direction for the new policy and update as necessary. For more information, go to Step 7.
- Click Next.
The policy type settings open.
- In the Name text box, enter a name for this policy.
- From the Action drop-down list, select the policy action:
- Allow — Allows traffic that matches the policy settings.
- Deny — Denies traffic that matches the policy settings.
- In the Source and Destination section, select the source and destination for this policy. For more information, go to Source and Destination.
If you copy a bidirectional custom policy, you must select the traffic direction for the new policy. If you want to reverse the traffic for the policy, click Swap Source and Destination.
- Configure other policy settings described in these topics:
- To save configuration changes to the cloud, click Save.
For configuration changes to take effect on a cloud-managed Firebox, you must deploy the configuration update to the Firebox. For more information, go to Manage Device Configuration Deployment for Fireboxes.
Change the Firewall Policy Type
You can change a firewall policy from one policy type to another policy type in the Firebox configuration. For example, you can change an outbound policy to a custom policy.
Custom policies can be bidirectional. If you change a custom bidirectional policy to another policy type, you must review the traffic direction for the policy and update as necessary. For more information, go to Change the Firewall Policy Type of a Bidirectional Policy.
To change the firewall policy type, from WatchGuard Cloud:
- On the Firewall Policies page, in the row for the policy you want to change, click the icon.
- From the drop-down list, select Change Type.
The Change Policy Type page opens.
- Select the policy type you want to change to.
- Click Change Type.
The change is saved to the Firebox configuration in the cloud.
For configuration changes to take effect on a cloud-managed Firebox, you must deploy the configuration update to the Firebox. For more information, go to Manage Device Configuration Deployment for Fireboxes.
Change the Firewall Policy Type of a Bidirectional Policy
When you change the policy type of a bidirectional custom policy, the policy is no longer bidirectional. You must review and select the traffic direction for the policy.
To change the policy type of a bidirectional custom policy, from WatchGuard Cloud:
- On the Firewall Policies page, in the row for the bidirectional policy you want to change, click the icon.
- From the drop-down list, select Change Type.
The Change Policy Type page opens.
- Select the policy type you want to change to.
- Click Next.
The Change Policy Type page opens.
- In the Source and Destination section, select the source and destination for the policy. If you want to reverse the traffic direction for the policy, click Swap Source and Destination.
- Click Save.
The change is saved to the Firebox configuration in the cloud.
For configuration changes to take effect on a cloud-managed Firebox, you must deploy the configuration update to the Firebox. For more information, go to Manage Device Configuration Deployment for Fireboxes.
Enable or Disable a Firewall Policy
You can enable or disable a policy from the Firewall Policies page or when you edit a policy.
You cannot remove System policies, and you can only disable or edit specific System policies. For more information about which System policies you can disable or edit, go to System Firewall Policies on Cloud-Managed Fireboxes.
To enable or disable a policy from the Firewall Policies page:
- On the Firebox Device Configuration page, click the Firewall Policies widget.
The Firewall Policies page opens.
- To disable or enable the policy in the list, click the toggle next to the policy name.
- If Manual Policy Order mode is enabled, click Save. If Automatic Policy Order mode is enabled, the change is saved automatically.
For configuration changes to take effect on a cloud-managed Firebox, you must deploy the configuration update to the Firebox. For more information, go to Manage Device Configuration Deployment for Fireboxes.
To enable or disable a policy when you edit the policy:
- On the Firebox Device Configuration page, click the Firewall Policies widget.
The Firewall Policies page opens.
- Click a policy name to open the policy settings.
- To disable or enable the policy, click the toggle next to the policy name.
- Click Save.
The change is saved to the Firebox configuration in the cloud.
For configuration changes to take effect on a cloud-managed Firebox, you must deploy the configuration update to the Firebox. For more information, go to Manage Device Configuration Deployment for Fireboxes.
Edit a Firewall Policy
You can update any policy that you added for a cloud-managed Firebox.
To edit a policy, from WatchGuard Cloud:
- On the Firebox Device Configuration page, click the Firewall Policies widget.
The Firewall Policies page opens.
- Click the policy name.
- Edit the policy settings.
- Click Save.
The change is saved to the Firebox configuration in the cloud.
For configuration changes to take effect on a cloud-managed Firebox, you must deploy the configuration update to the Firebox. For more information, go to Manage Device Configuration Deployment for Fireboxes.
Delete a Firewall Policy
To remove a policy from the configuration for a cloud-managed Firebox, you can delete it.
You cannot delete a policy that has a traffic shaping rule applied. Before you can delete the policy, you must edit the traffic shaping rule. For more information, go to Configure Traffic Shaping Rules for Policies.
To delete a policy, from WatchGuard Cloud:
- On the Firebox Device Configuration page, click the Firewall Policies widget.
The Firewall Policies page opens.
- In the row for the policy you want to delete, click the icon.
- From the drop-down list, select Delete.
- To confirm the deletion, click Delete.
The policy is deleted from the Firebox configuration in the cloud.
For configuration changes to take effect on a cloud-managed Firebox, you must deploy the configuration update to the Firebox. For more information, go to Manage Device Configuration Deployment for Fireboxes.

