Add and Manage Security Policy Rules
Security policies apply security policy rules to the network traffic within a context, such as the from-zone to the to-zone.
The network traffic is classified by matching the security policy rules match criteria—the source and destination zones, the source and destination addresses, and the application that the traffic carries in its protocol headers with the policy database.
You can also enable advanced security protection by specifying these security profiles:
-
Content Security profile
-
Decrypt profile
-
Flow-based antivirus profile
-
Intrusion prevention system (IPS) profile
-
Anti-malware profile
-
Secintel profile group
-
Secure Web proxy profile
Add Security Policy Rules
Creating a security policy rule involves setting conditions for traffic between network zones. Ensure the policy rules align with your network's security strategy.
Consider the following key differences to decide whether to create zone-based rules or global rules:
|
Feature |
Zone-Based Rules |
Global Rules |
|---|---|---|
|
Scope |
Specific zone-to-zone traffic
|
All traffic
|
|
Zone requirement |
Mandatory |
Not required |
|
Granularity |
High, context-aware |
Broad, policy-wide |
|
Use cases |
Segmentation, directional control |
Baseline enforcement, global restrictions |
Before creating security policy rules:
-
Clearly define what traffic the rule should allow or deny.
-
Define clear, consistent zone definitions that reflect logical traffic boundaries, such as trust levels or deployment areas.
-
Verify the source zone from which traffic originates.
-
Verify the destination zone to which traffic is directed.
-
Determine whether traffic should be matched using applications, addresses, or a combination of both.
-
Identify any specific traffic that must be evaluated before broader conditions.
-
Determine the rule placement sequence. Place more specific and restrictive rules before broader allow or deny rules to ensure predictable policy evaluation.
The new security policy rule is saved and a confirmation message is displayed. Based on the source and destination endpoints, the rules are categorized as zone-based rules or global rules.
Copy and Paste an Object to a Security Policy Rule
Use Copy-Paste Objects to add shared objects like Addresses, Services, Applications, and URL Categories directly into security policy rules. The Copy-Paste Objects tab enables you to browse, select, copy, and paste objects into rule cells, and create new ones without leaving the page. You can also add, edit, delete, filter, and search objects conveniently.
To copy and paste an object to firewall policy rules:
Manage Security Policy Rules
-
Edit—Click the policy, select the rule, then click the pencil icon (
).
-
Clone—Click the policy, select the rule, then click .
-
Delete—Click the policy, select the rule, then click the trash can icon (
).
