Firewall policy ID and policy priority

Publication Date: 2014-09-30
Issue Description
The current policy setting is as below:

policy interzone trust untrust outbound
policy 1
  action permit
  policy service service-set icmp
  policy service service-set http
  policy source address-set "172.21.15.0/24"

policy 2
  action permit
  policy service service-set http
  policy service service-set https
  policy service service-set smtp
  policy source address-set "172.21.4.0/24"

policy 50
  action deny

The customer uses this interzone policy to control which services are allowed from the trust zone to the untrust zone. Now the customer adds a new policy to control the services of a new subnet, 172.21.16.0/24. The added configuration is as below:

policy 3
  action permit
  policy service service-set http
  policy service service-set https
  policy service service-set smtp
  policy source address-set "172.21.16.0/24"

The customer finds that the new policy does not behave as required: the intended service control for the new subnet does not take effect. Displaying the interzone policy shows that policy 3 was not placed where the customer expected:

policy interzone trust untrust outbound
policy 1
  action permit
  policy service service-set icmp
  policy service service-set http
  policy source address-set "172.21.15.0/24"

policy 2
  action permit
  policy service service-set http
  policy service service-set https
  policy service service-set smtp
  policy source address-set "172.21.4.0/24"

policy 50
  action deny

policy 3
  action permit
  policy service service-set http
  policy service service-set https
  policy service service-set smtp
  policy source address-set "172.21.16.0/24"

Handling Process
Policy 50 is evaluated before policy 3. Interzone policies are matched from top to bottom in the order in which they are listed, and the first policy whose conditions match decides the action; a newly created policy is appended to the end of the list regardless of its ID. The product documentation confirms that the priority of a policy is not related to its policy ID. Because policy 50 has no service or source condition, it matches all remaining traffic from the trust zone, so traffic from 172.21.16.0/24 is denied by policy 50 and policy 3 is never reached.
Solution
Use the command "policy move 3 before 50" to move policy 3 ahead of the catch-all deny. Policy IDs are unchanged; only the evaluation order is. After the move, display the interzone policy again and confirm that policy 3 is listed above policy 50. The final setting is:

policy interzone trust untrust outbound
policy 1
  action permit
  policy service service-set icmp
  policy service service-set http
  policy source address-set "172.21.15.0/24"

policy 2
  action permit
  policy service service-set http
  policy service service-set https
  policy service service-set smtp
  policy source address-set "172.21.4.0/24"

policy 3
  action permit
  policy service service-set http
  policy service service-set https
  policy service service-set smtp
  policy source address-set "172.21.16.0/24"

policy 50
  action deny
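The following Python script is an added example, not part of the original case and not Huawei code. It parses the interzone policy list in the display format shown above (as constructed sample input), evaluates traffic with first-match semantics, and mimics the effect of "policy move 3 before 50" on the evaluation order. The parser only handles the "action", "policy service service-set" and "policy source address-set" lines that appear on this page; destination addresses and the contents of the named service sets are not modelled, so service names are compared literally (an assumption of the example).

```python
import ipaddress

# Constructed sample input: the policy list as the firewall displays it
# after "policy 3" was created, i.e. appended after policy 50.
CONFIG_BEFORE = """
policy interzone trust untrust outbound
policy 1
  action permit
  policy service service-set icmp
  policy service service-set http
  policy source address-set "172.21.15.0/24"
policy 2
  action permit
  policy service service-set http
  policy service service-set https
  policy service service-set smtp
  policy source address-set "172.21.4.0/24"
policy 50
  action deny
policy 3
  action permit
  policy service service-set http
  policy service service-set https
  policy service service-set smtp
  policy source address-set "172.21.16.0/24"
"""


def parse_policies(text):
    """Return the policies as an ordered list; list order is evaluation order."""
    policies = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("policy interzone"):
            continue
        parts = line.split()
        if parts[0] == "policy" and len(parts) == 2 and parts[1].isdigit():
            current = {"id": int(parts[1]), "action": None,
                       "services": set(), "sources": []}
            policies.append(current)
        elif parts[0] == "action":
            current["action"] = parts[1]
        elif parts[:3] == ["policy", "service", "service-set"]:
            current["services"].add(parts[3])
        elif parts[:3] == ["policy", "source", "address-set"]:
            current["sources"].append(ipaddress.ip_network(parts[3].strip('"')))
    return policies


def matches(policy, src, service):
    """A policy with no service or source condition matches any traffic."""
    if policy["services"] and service not in policy["services"]:
        return False
    if policy["sources"] and not any(src in net for net in policy["sources"]):
        return False
    return True


def evaluate(policies, src, service):
    """First match wins: return (policy id, action) of the first matching policy.
    If nothing matches, the example treats that as an implicit deny."""
    src = ipaddress.ip_address(src)
    for policy in policies:
        if matches(policy, src, service):
            return policy["id"], policy["action"]
    return None, "deny"


def move_before(policies, moved_id, ref_id):
    """Mimic 'policy move <moved_id> before <ref_id>': reorder, keep the IDs."""
    moved = next(p for p in policies if p["id"] == moved_id)
    rest = [p for p in policies if p["id"] != moved_id]
    idx = next(i for i, p in enumerate(rest) if p["id"] == ref_id)
    return rest[:idx] + [moved] + rest[idx:]


def order_ids(policies):
    """Policy IDs in evaluation order, as a quick check of the list."""
    return [p["id"] for p in policies]


if __name__ == "__main__":
    before = parse_policies(CONFIG_BEFORE)
    print("order before move:", order_ids(before))
    print("172.21.16.10 http ->", evaluate(before, "172.21.16.10", "http"))
    after = move_before(before, 3, 50)
    print("order after move :", order_ids(after))
    print("172.21.16.10 http ->", evaluate(after, "172.21.16.10", "http"))
    print("172.21.16.10 ssh  ->", evaluate(after, "172.21.16.10", "ssh"))
```

Before the move, HTTP from 172.21.16.10 is decided by policy 50 (deny) even though policy 3 has a lower ID; after the move, policy 3 permits it, and a service not listed in policy 3 (for example ssh) still falls through to policy 50. The same check is worth repeating on the real device with a test host after any "policy move", because the ID shown in the configuration says nothing about where a policy sits in the lookup order.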
