User guide
7 Firewall Policies
About policies
The security policy of your organization is a set of definitions for protecting your computer network and the
information that goes through it. The Firebox denies every packet that no policy specifically allows (default
deny). When you add a policy to your Firebox configuration file, you add a set of rules that tell the Firebox to
allow or deny traffic based on factors such as the source and destination of the packet and the TCP/IP port or
protocol the packet uses.
As an example of how a policy might be used, suppose the network administrator of a company wants to
allow a Windows terminal services connection to the company's public web server on the optional interface
of the Firebox, because the administrator manages the web server with a Remote Desktop connection. At the
same time, the administrator wants to make sure that no other network user can reach Remote Desktop
Protocol (RDP) terminal services through the Firebox. To create this setup, the administrator adds a policy
that allows RDP connections only from the IP address of the administrator's own desktop computer to the IP
address of the public web server. Because of the default deny, RDP from any other source is dropped.
A policy can also give the Firebox more instructions on how to handle the packet. For example, you can define
logging and notification parameters that apply to the traffic, or use NAT to rewrite the packet's addresses, for
example to send traffic that arrives at a public IP address and port on to an IP address and port behind the
firewall.
Packet filter and proxy policies
The Firebox uses two categories of policies to filter network traffic: packet filters and proxies. A packet filter
examines only each packet's IP and TCP/UDP header (source and destination address, protocol, and port). If
the header fields match a policy that allows the traffic, the Firebox allows the packet. Otherwise, the Firebox
drops the packet.
A proxy examines the same header information, but it also examines the content of the connection. When you
activate a proxy, the Firebox uses deep packet inspection to check the traffic against the rules of the proxy, for
example which commands, content types or file types are permitted for that protocol. It processes each packet
in sequence, removes the network headers, and examines the payload. Finally, the proxy puts the network
information back on the packet and sends it to its destination. A packet filter therefore cannot stop traffic that
is malicious at the application layer but uses an allowed port; a proxy can.
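The following is an added example, not WatchGuard code, that models the two ideas above in a few lines of Python: the RDP policy from the example (allow TCP 3389 only from the administrator's desktop to the web server, deny everything else by default), and the difference between a packet filter, which decides on header fields alone, and a proxy, which also inspects the payload. All addresses, policy names and the HTTP content rule (`http_request_check`) are constructed for illustration; the first-match evaluation order is an assumption of the model, not a description of Firebox precedence rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional, Tuple

# Constructed sample addresses; nothing here is a real network.
ADMIN_DESKTOP = ip_network("10.0.1.25/32")      # administrator's desktop (trusted side)
WEB_SERVER = ip_network("192.168.10.5/32")      # public web server (optional interface)
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                      # "allow" or "deny"
    proto: str
    dports: frozenset
    src: tuple                       # ip_network objects the source may belong to
    dst: tuple                       # ip_network objects the destination may belong to
    # A packet filter leaves this None. A proxy policy supplies a content check
    # that returns a deny reason, or None when the payload is acceptable.
    inspect: Optional[Callable[[bytes], Optional[str]]] = None


def header_matches(policy: Policy, pkt: Packet) -> bool:
    """Packet-filter part: look only at the IP and TCP/UDP header fields."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    return (pkt.proto == policy.proto
            and pkt.dport in policy.dports
            and any(src in net for net in policy.src)
            and any(dst in net for net in policy.dst))


def evaluate(policies, pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason). The first policy whose header match succeeds
    decides (assumed ordering); a proxy policy may still deny on content.
    A packet that matches no policy is denied: the default is deny."""
    for policy in policies:
        if not header_matches(policy, pkt):
            continue
        if policy.action == "deny":
            return "deny", policy.name
        if policy.inspect is not None:            # proxy: inspect the payload too
            reason = policy.inspect(pkt.payload)
            if reason is not None:
                return "deny", f"{policy.name}: {reason}"
        return "allow", policy.name
    return "deny", "default deny (no matching policy)"


def http_request_check(payload: bytes) -> Optional[str]:
    """Hypothetical content rule for an HTTP proxy: the request line must be a
    well-formed HTTP/1.x request line and the method must be GET or HEAD."""
    try:
        line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return "request line is not ASCII"
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return "malformed request line"
    if parts[0] not in ("GET", "HEAD"):
        return f"method {parts[0]} not allowed"
    return None


POLICIES = [
    # Packet filter: RDP only from the administrator's desktop to the web server.
    Policy("RDP-admin", "allow", "tcp", frozenset({3389}), (ADMIN_DESKTOP,), (WEB_SERVER,)),
    # Proxy: HTTP from anywhere to the web server, but the request content is inspected.
    Policy("HTTP-proxy", "allow", "tcp", frozenset({80}), (ANY,), (WEB_SERVER,),
           inspect=http_request_check),
]

if __name__ == "__main__":
    samples = [
        Packet("10.0.1.25", "192.168.10.5", "tcp", 3389),                        # admin RDP
        Packet("10.0.1.40", "192.168.10.5", "tcp", 3389),                        # other host RDP
        Packet("203.0.113.9", "192.168.10.5", "tcp", 80, b"GET / HTTP/1.1\r\n\r\n"),
        Packet("203.0.113.9", "192.168.10.5", "tcp", 80, b"PUT /x HTTP/1.1\r\n\r\n"),
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, evaluate(POLICIES, pkt))
```

The two PUT and GET packets have identical headers, so a packet filter alone would treat them the same; only the proxy's content check separates them. Likewise, RDP from the second host is dropped not by any explicit deny rule but because no policy allows it.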