Incoming And Outgoing Traffic; Policy Rules; Precedence - Watchguard Firebox X20E User Manual

Firmware version 8.6, all Firebox X Edge e-Series standard and wireless models

Understanding Policies

Incoming and outgoing traffic

Traffic that comes from the external network is incoming traffic. Traffic that goes to the external network is outgoing traffic. By default, the Firebox X Edge e-Series denies incoming traffic to protect your trusted and optional networks.

The default configuration of the Edge allows this traffic:
- From the trusted network to the external network
- From the trusted network to the optional network
- From the optional network to the external network

The default configuration of the Edge denies this traffic:
- From the external network to the trusted network
- From the optional network to the trusted network
- From the external network to the optional network

Packet filters are set separately for incoming and outgoing policies. Proxies can be configured only for outgoing policies.

Policy rules

A Firebox® X Edge policy is one or more rules that together monitor and control traffic. These rules set the firewall actions for a policy:
- Allow lets data or a connection through the Edge.
- Deny stops data or a connection from going through the Edge, and sends a response to the source.
- No Rule sets a rule to off, or disables the rule.

It is not always easy to decide if you should select Deny or No Rule for a policy. When you set the rule to No Rule, the action the Edge takes for that packet depends on the lower precedence rules for the policy. If there are no other rules for the policy, then the Edge denies the packet by default.

Use the Deny rule when you have a lower precedence rule set to Allow, but you want to deny packets from a specific IP address or network. For example, if you want to allow most HTTP traffic, you set the common packet filter policy to Allow. If you want to deny HTTP traffic from one IP address, create a custom packet filter for that IP address and set the rule to Deny. When you select Deny, the policy uses slightly more network resources. One or two Deny rules do not affect system performance, but if you set all common packet filter rules to Deny instead of the default No Rule, it can dramatically affect system performance.

Precedence

Precedence is the sequence in which the Firebox X Edge examines network traffic and applies a policy rule. The Edge automatically sorts policies from the most detailed to the most general. The Edge compares the information in the packet to the sorted list of rules. The first rule in the list that matches the conditions of the packet is applied to the packet. If the detail level in two policies is equal, a proxy policy always takes precedence over a packet filter policy.

For example, if you want to deny most FTP traffic, but you want to allow it from one IP address, you set the common packet filter for FTP to No Rule. Because there is no lower precedence rule, the default action is to deny the packet. Then you create a new FTP packet filter that applies only to that IP address and set the rule to Allow. Because the new packet filter applies only to one IP address, it is more detailed and therefore has higher precedence.
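The rule actions and the precedence order described in the two sections above, as an added example that is not part of WatchGuard's manual or of the Edge firmware: a small Python model of first-match evaluation over policies sorted most-detailed-first, where No Rule falls through to lower precedence rules, an unmatched packet is denied by default, and a proxy policy outranks a packet filter at equal detail. The policy names, the sort key (source prefix length, then the proxy flag), and the sample addresses from RFC 5737 documentation ranges are constructed assumptions; the real Edge also keeps incoming and outgoing policies separate, which this model leaves out.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Rule actions as the Edge manual names them.
ALLOW, DENY, NO_RULE = "Allow", "Deny", "No Rule"


@dataclass(frozen=True)
class Policy:
    name: str
    port: int              # destination port the policy applies to
    action: str            # ALLOW, DENY or NO_RULE
    # Common policy: any source. A "custom packet filter" narrows this.
    source: IPv4Network = ip_network("0.0.0.0/0")
    proxy: bool = False    # True for a proxy policy, False for a packet filter

    def detail(self) -> tuple:
        # Assumed sort key: a longer source prefix is "more detailed"; at
        # equal detail a proxy policy outranks a packet filter (per the manual).
        return (self.source.prefixlen, self.proxy)

    def matches(self, src: IPv4Address, dst_port: int) -> bool:
        return dst_port == self.port and src in self.source


def sort_by_precedence(policies):
    """Most detailed policy first, mirroring the Edge's automatic sorting."""
    return sorted(policies, key=lambda p: p.detail(), reverse=True)


def evaluate(policies, src: str, dst_port: int) -> str:
    """Action applied to a packet: the first matching rule that is not
    No Rule wins. No Rule defers to lower precedence rules; if no enabled
    rule matches, the default is Deny."""
    packet_src = ip_address(src)
    for policy in sort_by_precedence(policies):
        if not policy.matches(packet_src, dst_port):
            continue
        if policy.action == NO_RULE:
            continue       # disabled: fall through to the next rule
        return policy.action
    return DENY            # default deny


# Constructed sample configuration reproducing the manual's two examples.
SAMPLE_POLICIES = [
    # "allow most HTTP, deny one host": common filter Allow, custom filter Deny
    Policy("HTTP", 80, ALLOW),
    Policy("HTTP-block-host", 80, DENY, ip_network("203.0.113.10/32")),
    # "deny most FTP, allow one host": common filter No Rule, custom filter Allow
    Policy("FTP", 21, NO_RULE),
    Policy("FTP-from-admin", 21, ALLOW, ip_network("192.0.2.7/32")),
]

# Constructed pair showing the tie-break: equal detail, proxy outranks filter.
TIEBREAK_POLICIES = [
    Policy("HTTP", 80, DENY),
    Policy("HTTP-Proxy", 80, ALLOW, proxy=True),
]


def demo() -> dict:
    """Evaluate a few packets and return {description: action}."""
    return {
        "http from blocked host": evaluate(SAMPLE_POLICIES, "203.0.113.10", 80),
        "http from other host": evaluate(SAMPLE_POLICIES, "198.51.100.5", 80),
        "ftp from admin host": evaluate(SAMPLE_POLICIES, "192.0.2.7", 21),
        "ftp from other host": evaluate(SAMPLE_POLICIES, "198.51.100.5", 21),
        "ssh, no policy at all": evaluate(SAMPLE_POLICIES, "198.51.100.5", 22),
        "http, proxy vs filter": evaluate(TIEBREAK_POLICIES, "198.51.100.5", 80),
    }


if __name__ == "__main__":
    for what, action in demo().items():
        print(f"{what:24s} -> {action}")
```

Running the script shows why the manual recommends No Rule rather than Deny on common policies: the FTP common filter set to No Rule still ends in Deny for every host except the one custom Allow entry, so the default deny does the work without an explicit Deny rule. The HTTP case needs a Deny entry only because a lower precedence Allow would otherwise pass the packet.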
92
Firebox X Edge e-Series
