Now that you defined some zones and attached
them to interfaces, you are ready to begin creating your
Security
Policy. The firewall will not allow any traffic to flow from
one zone to another unless there is a Security policy rule that
allows it. When a packet enters a firewall interface, the firewall
matches the attributes in the packet against the Security policy
rules to determine whether to block or allow the session based on
attributes such as the source and destination security zone, the
source and destination IP address, the application, user, and the
service. The firewall evaluates incoming traffic against the Security
policy rulebase from left to right and from top to bottom and then
takes the action specified in the first Security rule that matches
(for example, whether to allow, deny, or drop the packet). This
means that you must order the rules in your Security policy rulebase
so that more specific rules are at the top of the rulebase and more
general rules are at the bottom to ensure that the firewall is enforcing
policy as expected.
Even though a Security policy rule allows
a packet, this does not mean that the traffic is free of threats.
To enable the firewall to scan the traffic that it allows based on
a Security policy rule, you must also attach
Security
Profiles—including URL Filtering, Antivirus, Anti-Spyware,
File Blocking, and WildFire Analysis—to each rule (the profiles
you can use depend on which
Subscriptions you purchased).
When creating your basic Security policy, use the predefined security
profiles to ensure that the traffic you allow into your network
is being scanned for threats. You can customize these profiles later
as needed for your environment.
Use the following workflow
set up a very basic Security policy that enables access to the network
infrastructure, to data center applications, and to the internet. This
enables you to get the firewall up and running so that you can verify
that you have successfully configured the firewall. However, this
initial policy is not comprehensive enough to protect your network.
After you verify that you successfully configured the firewall and
integrated it into your network, proceed with creating a
Best Practice Internet Gateway Security Policy that
safely enables application access while protecting your network
from attack.