Netscreen - Rule Processing Order

Rule Processing Order

The general processing order is as follows:

  1. Look for a policy between the ingress and egress zones
  2. If no policy is found (in step 1), search for a Global policy
  3. If no Global policy is found and the ingress zone is the same as the egress zone, apply the intra-zone block, i.e. if intra-zone block is enabled, drop the packet unless an intra-zone rule permits it.
  4. Implied deny all (also known as the Default Policy)

To summarize the above:

  1. Policy for Ingress > Egress Zone
  2. Global Policy
  3. Intra-Zone Policy
  4. Implied deny all

Logging

Taking the above into account, the following applies:

  • Denied traffic with a source or destination of any of the firewall's own interface IP addresses will be logged under the log-self logs (log-self will need enabling).
  • All other denied traffic will be dropped by the implied deny all and not logged. So you will require an explicit deny all policy for the Ingress / Egress zone pair to get logging of the dropped traffic.

To enable log-self on your firewall, use the command: set firewall log-self

The following commands allow you to view the logs on the command line:

  • View logs of traffic trying to pass through the FW - get log traffic
  • View logs of traffic to the FW itself - get log self
  • View system and generic security events - get log event
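The lookup order and the logging rules above can be put together into a small model, which makes it easy to see why traffic dropped by the implied deny never appears in get log traffic and why an explicit deny-all policy for the zone pair fixes that. This is an added example written for this page, not ScreenOS code or anything from fir3net; the zone names, addresses and policies are constructed, and a Global policy is represented here as a policy whose both zones are "Global" (a modelling choice, not the device's syntax).

```python
"""Model of the NetScreen (ScreenOS) policy processing order described above.

Added example, not ScreenOS code. Zones, addresses and policies are constructed.
Lookup order follows the page: zone policy, Global policy, intra-zone block,
implied deny. Logging follows the page: a matched policy logs if its log flag
is set; denied traffic to/from a firewall interface IP goes to the self log
only when log-self is enabled; implied-deny drops are otherwise not logged.
"""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    action: str                     # "permit" or "deny"
    log: bool = False               # per-policy logging flag
    src: Optional[Set[str]] = None  # None = any source address
    dst: Optional[Set[str]] = None  # None = any destination address
    name: str = ""

    def matches(self, src_zone, dst_zone, src_ip, dst_ip) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and (self.src is None or src_ip in self.src)
                and (self.dst is None or dst_ip in self.dst))


@dataclass
class Verdict:
    action: str         # "permit" or "deny"
    step: str           # which stage of the lookup decided
    log: Optional[str]  # "traffic", "self", or None when nothing is logged


class Firewall:
    def __init__(self, policies, intrazone_block, log_self=False, interface_ips=()):
        self.policies = policies                # ordered, as in the config
        self.intrazone_block = intrazone_block  # zone -> True if block is enabled
        self.log_self = log_self                # "set firewall log-self"
        self.interface_ips = set(interface_ips)

    def evaluate(self, src_zone, dst_zone, src_ip, dst_ip) -> Verdict:
        # Step 1: policy between ingress and egress zone (intra-zone rules included)
        for p in self.policies:
            if p.matches(src_zone, dst_zone, src_ip, dst_ip):
                return Verdict(p.action, f"zone policy {p.name}", "traffic" if p.log else None)
        # Step 2: Global policy ("Global" -> "Global" in this model)
        for p in self.policies:
            if p.matches("Global", "Global", src_ip, dst_ip):
                return Verdict(p.action, f"global policy {p.name}", "traffic" if p.log else None)
        # Step 3: same zone in and out, so the intra-zone block setting decides
        if src_zone == dst_zone:
            if self.intrazone_block.get(src_zone, False):
                return Verdict("deny", "intra-zone block", self._self_log(src_ip, dst_ip))
            return Verdict("permit", "intra-zone (block disabled)", None)
        # Step 4: implied deny all; no policy matched, so there is no traffic log
        return Verdict("deny", "implied deny", self._self_log(src_ip, dst_ip))

    def _self_log(self, src_ip, dst_ip) -> Optional[str]:
        # Denied traffic to/from the firewall's own interface addresses is only
        # recorded when log-self is enabled.
        if self.log_self and {src_ip, dst_ip} & self.interface_ips:
            return "self"
        return None


def build_demo_firewall() -> Firewall:
    """Constructed sample configuration (not a real device config)."""
    return Firewall(
        policies=[
            Policy("Trust", "Untrust", "permit", log=True, name="allow-out"),
            # Explicit deny-all for the zone pair: this is what makes dropped
            # inbound traffic show up under 'get log traffic'.
            Policy("Untrust", "Trust", "deny", log=True, name="deny-in-all"),
            Policy("Global", "Global", "permit", log=True,
                   dst={"198.51.100.53"}, name="any-to-dns"),
        ],
        intrazone_block={"Trust": True, "DMZ": False},
        log_self=True,
        interface_ips={"10.0.0.1", "203.0.113.1"},
    )


if __name__ == "__main__":
    fw = build_demo_firewall()
    flows = [
        ("Trust", "Untrust", "10.0.0.5", "192.0.2.10"),
        ("Untrust", "Trust", "203.0.113.9", "10.0.0.5"),
        ("DMZ", "Untrust", "10.1.0.5", "198.51.100.53"),
        ("DMZ", "Untrust", "10.1.0.5", "192.0.2.10"),      # dropped and unlogged
        ("DMZ", "Untrust", "10.1.0.5", "203.0.113.1"),     # dropped, self log
        ("Trust", "Trust", "10.0.0.5", "10.0.0.6"),
        ("DMZ", "DMZ", "10.1.0.5", "10.1.0.6"),
    ]
    for f in flows:
        print(f, "->", fw.evaluate(*f))
```

The fourth flow in the demo is the case the logging section warns about: it reaches the implied deny, so nothing is written to the traffic log, and because neither address is a firewall interface the self log stays empty too. Adding a DMZ to Untrust deny-all policy with logging, like the Untrust to Trust one, is what turns that silent drop into a logged event.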

Tags: Netscreen

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001