Firewall Policies; Understanding Policies - Watchguard Firebox X20E User Manual

Firmware version 8.6 all firebox x edge e-series standard and wireless models

7 Firewall Policies

The Firebox® X Edge e-Series uses policies and other firewall options to control the traffic between the trusted, optional, and external networks. Usually the external network is the Internet. When your private network is connected to the Internet, you must be able to control that connection. The configuration of allowed policies and firewall options sets the level of security the Edge applies to your network.

This chapter shows you how to configure common and custom packet filter policies. The subsequent chapters show you in more detail how to use advanced policy features such as proxies and other firewall options such as the Blocked Sites feature.

You do not have to create a policy to allow traffic through a VPN tunnel to your Firebox X Edge e-Series. The Edge automatically allows all traffic through VPN tunnels. No other configuration is necessary after the VPN tunnel is set up. For more information on VPNs, see Chapter 16, "Configuring Virtual Private Networks". For information on Mobile User VPNs, see Chapter 17, "Configuring the MUVPN Client".

Understanding Policies

When the Edge receives a packet, it looks for a policy in its configuration that matches the port and protocol in the packet header. There are two categories of policies: packet filters and proxies.

A packet filter examines each packet's IP header and is the most basic feature of a firewall. It controls the network traffic in and out of your Edge. The packet filter examines the source and destination IP addresses and either allows or denies the packet, depending on the action you have configured for that packet filter rule. If it does not find a rule that matches the packet, it denies the packet. The packet filter can also record a log message or send an error message to the source.

A proxy monitors and scans connections. It examines the commands used in the connection to make sure they are in the correct syntax and order, and it looks at the content that is sent back and forth during the connection. If the content does not match the criteria you set, it denies the packet. A proxy operates at the application layer and uses deep packet inspection to make sure that connections are secure, while a packet filter operates only at the network and transport protocol layers.

If the Edge cannot find a policy that matches the packet, it denies it by default.
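The packet filter behaviour described above (match on protocol, port and the trusted/optional/external zones of the source and destination, apply the configured action, log if requested, and deny anything with no matching policy) modelled as a small evaluator. This is an added example, not WatchGuard code or configuration; the interface addresses, policy names and sample packets are constructed for illustration.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# Constructed addressing for the Edge's interfaces (not taken from the manual);
# any address outside the trusted and optional networks is treated as external.
ZONES = {
    "trusted": ipaddress.ip_network("192.168.111.0/24"),
    "optional": ipaddress.ip_network("192.168.112.0/24"),
}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

@dataclass(frozen=True)
class Policy:
    name: str
    protocol: str        # "tcp" or "udp"
    ports: frozenset     # destination ports the policy covers
    from_zone: str
    to_zone: str
    action: str          # "allow" or "deny"
    log: bool = False    # record a log message when the policy matches

# A minimal packet header: source, destination, protocol, destination port.
Packet = namedtuple("Packet", "src dst protocol dport")

def evaluate(policies, pkt, log):
    """Return the action for pkt: the first matching policy wins, else deny."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for p in policies:
        if (p.protocol == pkt.protocol and pkt.dport in p.ports
                and p.from_zone == src_zone and p.to_zone == dst_zone):
            if p.log:
                log.append(f"{p.name}: {p.action} {pkt.protocol}/{pkt.dport} "
                           f"{pkt.src} ({src_zone}) -> {pkt.dst} ({dst_zone})")
            return p.action
    # No policy matched: deny by default, and log it so the gap is visible.
    log.append(f"default deny: {pkt.protocol}/{pkt.dport} {pkt.src} -> {pkt.dst}")
    return "deny"

# Constructed sample policy set: allow outbound HTTPS, explicitly deny and log RDP
# from the trusted to the optional network; everything else falls to the default deny.
POLICIES = [
    Policy("HTTPS-out", "tcp", frozenset({443}), "trusted", "external", "allow"),
    Policy("RDP-to-optional", "tcp", frozenset({3389}), "trusted", "optional", "deny", log=True),
]
```

Running `evaluate(POLICIES, Packet("198.51.100.7", "192.168.111.5", "tcp", 443), [])` shows the default-deny path: an inbound connection from the external network matches no policy and is dropped even though port 443 is allowed outbound.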
User Guide
91
