A security policy applies security rules to transit traffic.
Before You Begin

Before creating policies to control traffic between different security zones, you must first design the environment in which to apply those policies:
A packet is matched against policies to determine how it is to be treated. The packet is matched against a policy's source and destination zones, source and destination addresses, and the application or application sets that the policy specifies. If the packet matches all elements of a policy, that policy's action is applied to the packet. See Understanding Policy Rules.
The action of the first policy that the traffic matches is applied to the packet. If there is no matching policy, the packet is dropped. Policies are searched from top to bottom, so it is a good idea to place more specific policies near the top of the list. You should also place IPsec VPN tunnel policies near the top. Place the more general policies, such as one that would allow certain users access to all Internet applications, at the bottom of the list.
Policies are applied after the packet has passed through the firewall's screens and the system has looked up its route. The packet's destination address determines its destination zone.
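The lookup rules described above (match on zone pair, addresses and application; first match wins; no match means the packet is dropped) can be modelled in a few lines. The following is an added illustration, not Junos code or part of the original documentation: the policy and packet values are constructed, the application names are arbitrary labels rather than predefined Junos applications, and the destination zone of each packet is assumed to have already been resolved by the route lookup the text mentions. The `shadowed()` helper goes slightly beyond the text by flagging policies that can never match because a broader policy for the same zone pair sits above them, which is the ordering mistake the paragraph warns about.

```python
"""Ordered, first-match security-policy lookup with implicit deny.

Added example (constructed data, not Junos code). Models:
  - matching on from/to zone, source/destination address and application;
  - the action of the first matching policy being applied;
  - an implicit drop when no policy matches;
  - detection of policies shadowed by a broader policy placed above them.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    source: str              # CIDR or "any"
    destination: str         # CIDR or "any"
    applications: frozenset  # application labels, or {"any"}
    action: str              # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str   # assumed already derived from the destination-address route lookup
    src_ip: str
    dst_ip: str
    application: str


def _addr_matches(selector, ip):
    return selector == ANY or ip_address(ip) in ip_network(selector, strict=False)


def policy_matches(policy, pkt):
    """True when every element of the policy matches the packet."""
    return (policy.from_zone == pkt.from_zone
            and policy.to_zone == pkt.to_zone
            and _addr_matches(policy.source, pkt.src_ip)
            and _addr_matches(policy.destination, pkt.dst_ip)
            and (ANY in policy.applications or pkt.application in policy.applications))


def lookup(policies, pkt):
    """Walk the list top to bottom; return (action, policy name) of the first
    match, or ("deny", None) when nothing matches (the packet is dropped)."""
    for policy in policies:
        if policy_matches(policy, pkt):
            return policy.action, policy.name
    return "deny", None


def _covers(sel_a, sel_b):
    """True when address selector a includes everything selector b includes."""
    if sel_a == ANY:
        return True
    if sel_b == ANY:
        return False
    return ip_network(sel_b, strict=False).subnet_of(ip_network(sel_a, strict=False))


def shadowed(policies):
    """Names of policies that can never match because an earlier policy for
    the same zone pair already matches a superset of their traffic."""
    names = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (earlier.from_zone == later.from_zone
                    and earlier.to_zone == later.to_zone
                    and _covers(earlier.source, later.source)
                    and _covers(earlier.destination, later.destination)
                    and (ANY in earlier.applications
                         or later.applications <= earlier.applications)):
                names.append(later.name)
                break
    return names


# Constructed sample policies: specific rules first, the general one last.
POLICIES = [
    Policy("allow-web", "trust", "untrust", "10.1.1.0/24", ANY, frozenset({"http", "https"}), "permit"),
    Policy("deny-lan-telnet", "trust", "untrust", "10.1.1.0/24", ANY, frozenset({"telnet"}), "deny"),
    Policy("allow-internet", "trust", "untrust", ANY, ANY, frozenset({ANY}), "permit"),
]

# Same policies with the general rule moved to the top: the two specific rules become dead.
BAD_ORDER = [POLICIES[2], POLICIES[0], POLICIES[1]]

if __name__ == "__main__":
    for pkt in [Packet("trust", "untrust", "10.1.1.5", "203.0.113.10", "http"),
                Packet("trust", "untrust", "10.1.1.5", "203.0.113.10", "telnet"),
                Packet("trust", "untrust", "10.2.2.5", "203.0.113.10", "telnet"),
                Packet("untrust", "trust", "203.0.113.10", "10.1.1.5", "http")]:
        print(pkt.application, pkt.from_zone, "->", pkt.to_zone, lookup(POLICIES, pkt))
    print("shadowed in POLICIES:", shadowed(POLICIES))
    print("shadowed in BAD_ORDER:", shadowed(BAD_ORDER))
```

Running the module shows the telnet packet from 10.1.1.5 being denied by `deny-lan-telnet` only because that policy sits above `allow-internet`; with `BAD_ORDER` the same packet is permitted and `shadowed()` reports both specific policies as unreachable. A reverse-direction packet (untrust to trust) hits no policy at all and falls through to the implicit drop.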
Depending on the policies you create, any of the actions shown in Table 23 could be applied to the packet.
To define a policy, use either J-Web or the CLI configuration editor.
This topic covers: