Policy Rules; Incoming And Outgoing Traffic - WatchGuard Firebox X15 User Manual

Firebox X Edge e-Series, version 10 (all Firebox X Edge e-Series standard and wireless models)

Firewall Policies
As an example of how a policy might be used, suppose the network administrator of a company wants to
activate a Windows terminal services connection to the company's public web server on the optional interface
of the Firebox. He or she routinely administers the web server with a Remote Desktop connection. At the same
time, he or she wants to make sure that no other network users can use the Remote Desktop Protocol terminal
services through the Firebox. The network administrator would add a policy that allows RDP connections only
from the IP address of his or her own desktop computer to the IP address of the public web server.

Policy rules

A Firebox X Edge policy is one or more rules that together monitor and control traffic. These rules set the
firewall actions for a policy:
• Allow lets data or a connection through the Edge.
• Deny stops data or a connection from going through the Edge, and sends a response to the source.
• No Rule sets a rule to off, or disables the rule.
It is not always easy to decide if you should select Deny or No Rule for a policy. When you set the rule to No
Rule, the action the Edge takes for that packet is dependent on lower precedence rules for the policy. If there
are no other rules for the policy, then the Edge denies the packet by default.
Use the Deny rule when you have a lower precedence rule set to Allow, but you want to deny packets from a
specific IP address or network. For example, if you want to allow most HTTP traffic, you set the common packet
filter policy to Allow. If you want to deny HTTP traffic from one IP address, create a custom packet filter for that
IP address and set the rule to Deny. When you select Deny, the policy uses slightly more network resources.
One or two Deny rules do not affect system performance, but if you set all common packet filter rules to
Deny instead of the default No Rule, it can dramatically affect system performance.

Incoming and outgoing traffic

Traffic that comes from the external network is incoming traffic. Traffic that goes to the external network is
outgoing traffic. By default, the Firebox X Edge e-Series denies incoming traffic to protect your trusted and
optional networks.
The default configuration of the Edge allows this traffic:
• From the trusted network to the external network
• From the trusted network to the optional network
• From the optional network to the external network
The default configuration of the Edge denies this traffic:
• From the external network to the trusted network
• From the optional network to the trusted network
• From the external network to the optional network
Packet filters are set separately for incoming and outgoing policies.
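The rule semantics described in the two sections above (Allow and Deny decide a packet, No Rule falls through to lower-precedence rules, and a policy with no deciding rule denies by default) can be modelled in a few lines. The following Python is an added illustration and is not WatchGuard code or the Edge's actual rule engine; it reproduces the RDP and HTTP examples from this page using constructed addresses (10.0.1.25 for the administrator's desktop, 192.168.2.10 for the public web server on the optional network, 203.0.113.7 for the blocked client), and it encodes the default trusted/optional/external matrix from the "Incoming and outgoing traffic" section.

```python
"""Added example (not WatchGuard code): a small model of Firebox X Edge
policy-rule precedence and of the default interface matrix."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


class Action(Enum):
    ALLOW = "Allow"      # lets the connection through the Edge
    DENY = "Deny"        # stops it and sends a response to the source
    NO_RULE = "No Rule"  # rule is off: fall through to lower-precedence rules


@dataclass(frozen=True)
class Rule:
    name: str
    action: Action
    src: IPv4Network            # source host or network the rule matches
    dst: IPv4Network            # destination host or network
    port: Optional[int] = None  # None matches any destination port
    precedence: int = 0         # higher value is checked first


def rule_matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    """True if the packet's source, destination and port fall inside the rule."""
    return (ip_address(src) in rule.src
            and ip_address(dst) in rule.dst
            and (rule.port is None or rule.port == port))


def evaluate_policy(rules: List[Rule], src: str, dst: str, port: int) -> Tuple[Action, str]:
    """Walk a policy's rules from highest to lowest precedence.

    A matching Allow or Deny decides the packet. A matching No Rule is
    treated as if the rule were absent. If nothing decides, the packet is
    denied, which is the default behaviour described in the manual."""
    for rule in sorted(rules, key=lambda r: r.precedence, reverse=True):
        if not rule_matches(rule, src, dst, port):
            continue
        if rule.action is Action.NO_RULE:
            continue
        return rule.action, rule.name
    return Action.DENY, "default (no matching rule)"


# Constructed sample addresses for the page's two worked examples.
ANY = ip_network("0.0.0.0/0")
ADMIN_PC = ip_network("10.0.1.25/32")       # administrator's desktop (constructed)
WEB_SERVER = ip_network("192.168.2.10/32")  # public web server on optional network (constructed)
BLOCKED_CLIENT = ip_network("203.0.113.7/32")  # one client to deny (constructed)

# RDP example: only the administrator's desktop may reach the web server on 3389;
# every other RDP connection hits no rule and is denied by default.
RDP_POLICY = [
    Rule("admin RDP to web server", Action.ALLOW, ADMIN_PC, WEB_SERVER, 3389, precedence=10),
]

# HTTP example: the common packet filter allows HTTP, and a higher-precedence
# custom packet filter denies HTTP from a single source address.
HTTP_POLICY = [
    Rule("common HTTP", Action.ALLOW, ANY, ANY, 80, precedence=0),
    Rule("block 203.0.113.7", Action.DENY, BLOCKED_CLIENT, ANY, 80, precedence=10),
]

# Same as HTTP_POLICY but with the custom filter switched to No Rule: it no
# longer decides anything, so the common Allow applies to that client too.
HTTP_POLICY_NO_RULE = [
    Rule("common HTTP", Action.ALLOW, ANY, ANY, 80, precedence=0),
    Rule("block 203.0.113.7", Action.NO_RULE, BLOCKED_CLIENT, ANY, 80, precedence=10),
]

# Default interface matrix from the manual: trusted -> external, trusted -> optional
# and optional -> external are allowed; the three reverse directions are denied.
DEFAULT_ALLOWED = {("trusted", "external"), ("trusted", "optional"), ("optional", "external")}


def default_interface_action(src_iface: str, dst_iface: str) -> Action:
    """Action the factory configuration takes for traffic between two interfaces."""
    return Action.ALLOW if (src_iface, dst_iface) in DEFAULT_ALLOWED else Action.DENY


if __name__ == "__main__":
    print(evaluate_policy(RDP_POLICY, "10.0.1.25", "192.168.2.10", 3389))
    print(evaluate_policy(RDP_POLICY, "10.0.1.50", "192.168.2.10", 3389))
    print(evaluate_policy(HTTP_POLICY, "203.0.113.7", "192.168.2.10", 80))
    print(evaluate_policy(HTTP_POLICY_NO_RULE, "203.0.113.7", "192.168.2.10", 80))
    print(default_interface_action("external", "trusted"))
```

The `HTTP_POLICY_NO_RULE` variant shows the trade-off the manual describes: switching the custom filter from Deny to No Rule makes it fall through to the common Allow, so No Rule is the right setting only when the lower-precedence rules already give the result you want.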
116
Firebox X Edge e-Series
