Netscreen – Rule Processing Order

Rule Processing Order

The general processing order is as follows,

  1. Look for a policy between the ingress and egress zones
  2. If no policy is found (in step 1), search for a Global policy
  3. If no Global policy is found and if the ingress zone is same as the egress zone, apply the intra-zone block i.e if intra-zone block is enabled, drop the packet unless an intra-zone rule permits.
  4. Implied deny all (also known as the Default Policy) 

So to summarize the above,

  1. Policy for Ingress > Egress Zone
  2. Global Policy
  3. Intra-Zone Policy
  4. Implied deny all


Taking the above into account. The following will apply,

  • Denied traffic which has a source or destination of any of the the firewalls own interface IP addresses will be logged under the log-self logs. (log-self will need enabling).
  • All other traffic that will be denied will be dropped by the implied deny all and not logged. So you will require a deny all policy for the Ingress / Engress Zones to allow logging on the dropped traffic.

To enable log-self traffic on your firewall you can use the command – set firewall log-self

The following commands will allow you to view the logs on the Command Line,

  • View logs of traffic trying to pass through the FW – get log traffic
  • View logs of traffic  to the FW itself  – get log self
  • View system and generic security events – get log event
Rick Donato

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial