Default Policy and Matching Conditions
The firewall has an explicit default security policy, named default, which denies all interzone traffic. The default policy is always at the end of the policy list and cannot be deleted.
By default, security policies created by users are displayed from top to bottom in ascending order of creation time, so the newest user-created security policy is displayed immediately before the default security policy. After receiving traffic, the firewall matches the traffic against security policies from top to bottom. Once a security policy is matched, the firewall stops matching and processes the traffic according to the action specified in that policy. If none of the manually created security policies is matched, the default security policy applies.
Pay attention to the following two points:
- Do not change the deny action in the default security policy. The default security policy aims to ensure that all traffic that is not explicitly permitted is denied, which is a basic design of security products.
- The sequence for matching security policies is important. After creating a security policy, you need to manually adjust the sequence of security policies based on service requirements.
For example, the security policy list contains security policy 101, named Block high-risk ports, which blocks all high-risk services. Now you need to allow the management terminal in the Trust zone to access servers in the DMZ over the Remote Desktop Protocol (RDP), so you add security policy 201, named Allow RDP for admin.
| No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | User | Service | Action |
|---|---|---|---|---|---|---|---|---|
| 101 | Block high-risk ports | any | any | any | any | any | Customized service: High-risk ports | deny |
| ... | | | | | | | | |
| 201 | Allow RDP for admin | Trust | dmz | Customized address group: Management terminal | Customized address group: Server farm | any | rdp-tcp rdp-udp | permit |
| 202 | default | any | any | any | any | any | any | deny |
Because the matching conditions of security policy 101 include those of security policy 201, and security policy 101 is evaluated before security policy 201, security policy 201 can never be matched under the top-to-bottom matching rule: remote desktop traffic from the Trust zone matches security policy 101 first and is blocked. Therefore, after creating security policy 201, you need to move it above security policy 101. After the adjustment, the sequence numbers of the security policies change automatically.
| No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | User | Service | Action |
|---|---|---|---|---|---|---|---|---|
| 101 | Allow RDP for admin | Trust | dmz | Customized address group: Management terminal | Customized address group: Server farm | any | rdp-tcp rdp-udp | permit |
| 102 | Block high-risk ports | any | any | any | any | any | Customized service: High-risk ports | deny |
| ... | | | | | | | | |
| 202 | default | any | any | any | any | any | any | deny |
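The following Python model reproduces the matching behaviour described above: top-to-bottom first-match evaluation with the default deny policy last, a shadow check that reports when an earlier policy's conditions fully cover a later one (the reason policy 201 could never be hit), and the reordering that fixes it. It is an added example, not firewall code or the vendor's own tooling. The address ranges (10.1.1.0/24 for the management terminal, 10.2.1.0/24 for the server farm), the members of the High-risk ports service, the test flows, and the renumbering rule (user policies renumbered from 101 upward, the default policy keeping its number) are all constructed assumptions for illustration.

```python
"""First-match security policy evaluation with shadow detection (added example)."""
import dataclasses
from dataclasses import dataclass
import ipaddress
from typing import FrozenSet, List, Tuple, Union

ANY = "any"
Nets = Union[str, Tuple[ipaddress.IPv4Network, ...]]   # "any" or address group
Svcs = Union[str, FrozenSet[str]]                        # "any" or service names


def nets(*cidrs: str) -> Tuple[ipaddress.IPv4Network, ...]:
    return tuple(ipaddress.ip_network(c) for c in cidrs)


@dataclass(frozen=True)
class Policy:
    number: int
    name: str
    src_zone: str
    dst_zone: str
    src_addr: Nets
    dst_addr: Nets
    user: str
    service: Svcs
    action: str


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    user: str
    service: str


def _addr_hit(cond: Nets, ip: str) -> bool:
    if cond == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cond)


def matches(p: Policy, f: Flow) -> bool:
    """Every condition of the policy must accept the flow."""
    return (p.src_zone in (ANY, f.src_zone)
            and p.dst_zone in (ANY, f.dst_zone)
            and _addr_hit(p.src_addr, f.src_ip)
            and _addr_hit(p.dst_addr, f.dst_ip)
            and p.user in (ANY, f.user)
            and (p.service == ANY or f.service in p.service))


def evaluate(policies: List[Policy], flow: Flow) -> Tuple[str, str]:
    """Top-to-bottom, first match wins; the default policy is always last."""
    for p in policies:
        if matches(p, flow):
            return p.name, p.action
    raise RuntimeError("policy list has no default policy")


def _covers(a, b, kind: str) -> bool:
    """True if condition a accepts everything condition b accepts."""
    if a == ANY:
        return True
    if b == ANY:
        return False
    if kind == "addr":
        return all(any(nb.subnet_of(na) for na in a) for nb in b)
    if kind == "svc":
        return b <= a
    return a == b


def shadowed_by(policies: List[Policy], name: str) -> List[str]:
    """Names of earlier policies whose conditions fully cover policy `name`."""
    idx = next(i for i, p in enumerate(policies) if p.name == name)
    t = policies[idx]
    return [p.name for p in policies[:idx]
            if _covers(p.src_zone, t.src_zone, "zone")
            and _covers(p.dst_zone, t.dst_zone, "zone")
            and _covers(p.src_addr, t.src_addr, "addr")
            and _covers(p.dst_addr, t.dst_addr, "addr")
            and _covers(p.user, t.user, "user")
            and _covers(p.service, t.service, "svc")]


def move_before(policies: List[Policy], name: str, before: str) -> List[Policy]:
    """Move one policy above another, then renumber user policies from 101.
    Assumption: the default policy keeps its own number."""
    mover = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p.name != name]
    idx = next(i for i, p in enumerate(rest) if p.name == before)
    ordered = rest[:idx] + [mover] + rest[idx:]
    out, n = [], 101
    for p in ordered:
        if p.name == "default":
            out.append(p)
        else:
            out.append(dataclasses.replace(p, number=n))
            n += 1
    return out


# Constructed sample data mirroring the tables above.
HIGH_RISK = frozenset({"rdp-tcp", "rdp-udp", "telnet", "smb"})   # assumed members
MGMT, SERVERS = nets("10.1.1.0/24"), nets("10.2.1.0/24")          # assumed ranges
ORIGINAL = [
    Policy(101, "Block high-risk ports", ANY, ANY, ANY, ANY, ANY, HIGH_RISK, "deny"),
    Policy(201, "Allow RDP for admin", "Trust", "dmz", MGMT, SERVERS, ANY,
           frozenset({"rdp-tcp", "rdp-udp"}), "permit"),
    Policy(202, "default", ANY, ANY, ANY, ANY, ANY, ANY, "deny"),
]
ADJUSTED = move_before(ORIGINAL, "Allow RDP for admin", "Block high-risk ports")
RDP_FLOW = Flow("Trust", "dmz", "10.1.1.10", "10.2.1.20", "admin", "rdp-tcp")

if __name__ == "__main__":
    print("before:", evaluate(ORIGINAL, RDP_FLOW), shadowed_by(ORIGINAL, "Allow RDP for admin"))
    print("after: ", evaluate(ADJUSTED, RDP_FLOW), [p.number for p in ADJUSTED])
```

Running the script shows the RDP flow hitting Block high-risk ports (deny) in the original order, with the shadow check naming that policy as the one hiding Allow RDP for admin; after the move the same flow is permitted, the shadow list is empty, and the user policies are renumbered 101 and 102 while default stays at 202. The `shadowed_by` check is the kind of test worth running after every policy change, since a fully shadowed permit rule fails silently rather than producing an error.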