Rule Processing Order
The general processing order is as follows:
- Look for a policy between the ingress and egress zones
- If no policy is found (in step 1), search for a Global policy
- If no Global policy is found and the ingress zone is the same as the egress zone, apply the intra-zone block, i.e. if intra-zone blocking is enabled for that zone, drop the packet unless an intra-zone rule permits it
- Implied deny all (also known as the Default Policy)
So, to summarize the above:
- Policy for Ingress > Egress Zone
- Global Policy
- Intra-Zone Policy
- Implied deny all
Logging
Taking the above into account, the following applies:
- Denied traffic whose source or destination is any of the firewall's own interface IP addresses will be logged under the log-self logs (log-self must be enabled).
- All other denied traffic will be dropped by the implied deny all and will not be logged. So, to log dropped traffic between a given pair of zones, you will need an explicit deny all policy for those Ingress / Egress Zones.
To enable logging of traffic to the firewall itself, use the command – set firewall log-self
The following commands will allow you to view the logs on the Command Line:
- View logs of traffic trying to pass through the FW – get log traffic
- View logs of traffic to the FW itself – get log self
- View system and generic security events – get log event
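The lookup order and the logging consequences above, as an added example that is not part of the original post: a small Python model that walks one packet through zone policy, global policy, intra-zone block and implied deny, and reports whether the drop would ever show up in a log. Zone names, rules and addresses are constructed, and it assumes (as the quoted ScreenOS commands behave) that intra-zone traffic is passed without a rule when the zone's block is not enabled.

```python
# Added example, not from the original post: a small model of the ScreenOS-style
# processing order described above. Zone names, policies and addresses are constructed.
from dataclasses import dataclass, field

@dataclass
class Rule:
    src: str            # source address or "any"
    dst: str            # destination address or "any"
    action: str         # "permit" or "deny"
    log: bool = True    # whether a hit on this rule is logged

@dataclass
class Firewall:
    zone_policies: dict = field(default_factory=dict)   # (ingress, egress) -> [Rule]
    global_policies: list = field(default_factory=list)
    intra_zone_block: set = field(default_factory=set)  # zones with intra-zone block on
    self_ips: set = field(default_factory=set)          # the firewall's own interface IPs
    log_self: bool = False                              # "set firewall log-self"

    @staticmethod
    def _first_match(rules, src, dst):
        for r in rules:
            if r.src in ("any", src) and r.dst in ("any", dst):
                return r
        return None

    def _self_logged(self, src, dst):
        # Drops with no explicit rule only appear in "get log self", and only when
        # log-self is enabled and one end of the flow is the firewall itself.
        return self.log_self and (src in self.self_ips or dst in self.self_ips)

    def evaluate(self, ingress, egress, src, dst):
        """Return (action, stage, logged) for one packet, in the documented order."""
        # 1. policy between the ingress and egress zones (covers intra-zone rules too)
        r = self._first_match(self.zone_policies.get((ingress, egress), []), src, dst)
        if r:
            return r.action, "zone-policy", r.log
        # 2. global policy
        r = self._first_match(self.global_policies, src, dst)
        if r:
            return r.action, "global-policy", r.log
        # 3. intra-zone: drop if the zone's block is enabled; otherwise pass
        #    (assumption: unblocked intra-zone traffic is passed without a rule)
        if ingress == egress:
            if ingress in self.intra_zone_block:
                return "deny", "intra-zone-block", self._self_logged(src, dst)
            return "permit", "intra-zone", False
        # 4. implied deny all: not logged unless it is self traffic with log-self on
        return "deny", "implied-deny", self._self_logged(src, dst)
```

Running the untrust-to-dmz case with no matching rule shows the point of the caveat: the packet is dropped but nothing is logged until an explicit deny-all policy exists for that zone pair.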
Posted by Rick Donato