Netscreen - Rule Processing Order
The general processing order is as follows:
- Look for a policy between the ingress and egress zones. An intra-zone policy (ingress zone equal to egress zone) is matched at this step as well, since it is just a zone-to-zone policy where both zones are the same.
- If no policy is found in step 1, search for a Global policy.
- If no Global policy is found and the ingress zone is the same as the egress zone, apply the intra-zone block setting: if intra-zone blocking is enabled on that zone, drop the packet; if it is disabled, pass it.
- Otherwise the implied deny all (also known as the Default Policy) drops the packet.
So to summarize the above,
- Policy for Ingress > Egress Zone
- Global Policy
- Intra-Zone Policy
- Implied deny all
Taking the above into account, the following applies:
- Denied traffic with a source or destination of any of the firewall's own interface IP addresses is logged under the log-self logs (log-self needs to be enabled).
- All other denied traffic is dropped by the implied deny all and is not logged. To get those drops logged you need an explicit deny-all policy between the ingress and egress zones with logging enabled, placed at the bottom of that zone pair's policy list so that it only catches what nothing else matched.
To enable logging of traffic to the firewall itself, use the command - set firewall log-self
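The following is an added example, not ScreenOS code and not from the original page: a small Python model of the four-step lookup order and of the logging behaviour described above. The data model (the Policy and Firewall classes, the "global" zone marker, the stage names, the sample addresses and the assumption that a zone without an explicit setting has intra-zone blocking disabled) is all constructed for illustration. It shows why a packet dropped by the implied deny leaves no trace, why a global policy still applies to intra-zone traffic before the intra-zone block does, and what changes once an explicit logged deny-all policy is added.

```python
# Model of the ScreenOS-style policy lookup order. Added example: this is a
# simulation for illustration, not ScreenOS code; the data model is an assumption.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Policy:
    src_zone: str   # zone name, or "global" for a global policy (hypothetical marker)
    dst_zone: str
    src: str        # source address or "any"
    dst: str        # destination address or "any"
    service: str    # service name or "any"
    action: str     # "permit" or "deny"
    log: bool = False

    def matches(self, src: str, dst: str, service: str) -> bool:
        return (self.src in ("any", src)
                and self.dst in ("any", dst)
                and self.service.lower() in ("any", service.lower()))


@dataclass
class Result:
    action: str                 # "permit" or "deny"
    stage: str                  # policy, global, intrazone-block, intrazone-pass or default
    log_target: Optional[str]   # "traffic", "self" or None (dropped silently)


@dataclass
class Firewall:
    policies: List[Policy] = field(default_factory=list)        # zone-to-zone, first match wins
    global_policies: List[Policy] = field(default_factory=list)
    intrazone_block: Dict[str, bool] = field(default_factory=dict)  # zone -> blocking enabled
    self_ips: Set[str] = field(default_factory=set)              # the firewall's own interface IPs
    log_self: bool = False                                        # "set firewall log-self"
    traffic_log: List[str] = field(default_factory=list)
    self_log: List[str] = field(default_factory=list)

    def lookup(self, src_zone: str, dst_zone: str, src: str, dst: str, service: str) -> Result:
        # Step 1: policy between ingress and egress zone (intra-zone policies live here too).
        for p in self.policies:
            if p.src_zone == src_zone and p.dst_zone == dst_zone and p.matches(src, dst, service):
                return self._record(p.action, "policy", p.log, src, dst, service)
        # Step 2: global policy.
        for p in self.global_policies:
            if p.matches(src, dst, service):
                return self._record(p.action, "global", p.log, src, dst, service)
        # Step 3: intra-zone block, only relevant when both zones are the same.
        # Assumption of this model: a zone with no explicit setting does not block.
        if src_zone == dst_zone:
            if self.intrazone_block.get(src_zone, False):
                return self._record("deny", "intrazone-block", False, src, dst, service)
            return self._record("permit", "intrazone-pass", False, src, dst, service)
        # Step 4: implied deny all (the default policy). It carries no log flag.
        return self._record("deny", "default", False, src, dst, service)

    def _record(self, action, stage, policy_log, src, dst, service) -> Result:
        entry = f"{src}->{dst} {service} {action} ({stage})"
        if policy_log:                      # an explicit policy with "log" writes the traffic log
            self.traffic_log.append(entry)
            return Result(action, stage, "traffic")
        if action == "deny" and self.log_self and (src in self.self_ips or dst in self.self_ips):
            self.self_log.append(entry)     # denied traffic to/from the firewall itself
            return Result(action, stage, "self")
        return Result(action, stage, None)  # everything else is dropped or passed silently


def demo() -> Dict[str, Result]:
    """Runs the scenarios from the text against constructed sample data."""
    fw = Firewall(intrazone_block={"Trust": True},
                  self_ips={"192.0.2.1"},   # constructed firewall interface address
                  log_self=True)
    fw.policies.append(Policy("Trust", "Untrust", "any", "any", "HTTP", "permit", log=True))
    fw.global_policies.append(Policy("global", "global", "any", "any", "DNS", "permit"))
    results = {
        "interzone_permit": fw.lookup("Trust", "Untrust", "10.0.0.5", "203.0.113.9", "HTTP"),
        "interzone_silent_drop": fw.lookup("Untrust", "Trust", "203.0.113.9", "10.0.0.5", "SSH"),
        "intrazone_via_global": fw.lookup("Trust", "Trust", "10.0.0.5", "10.0.0.53", "DNS"),
        "intrazone_blocked": fw.lookup("Trust", "Trust", "10.0.0.5", "10.0.0.6", "SSH"),
        "intrazone_pass": fw.lookup("DMZ", "DMZ", "172.16.0.5", "172.16.0.6", "SSH"),
        "to_self_dropped": fw.lookup("Untrust", "Trust", "203.0.113.9", "192.0.2.1", "SSH"),
    }
    # An explicit logged deny-all at the bottom of the Untrust->Trust list turns the
    # silent step-4 drop into a logged step-1 deny.
    fw.policies.append(Policy("Untrust", "Trust", "any", "any", "any", "deny", log=True))
    results["interzone_logged_drop"] = fw.lookup("Untrust", "Trust", "203.0.113.9", "10.0.0.5", "SSH")
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:24} {r.action:6} stage={r.stage:16} log={r.log_target}")
```

The "intrazone_via_global" case is the one worth noticing: DNS inside the Trust zone is permitted by the global policy even though the zone has intra-zone blocking enabled, because the global lookup (step 2) runs before the block (step 3). Order the real policy list the same way the model does: specific zone-pair policies first, the logged deny-all last.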
The following commands will allow you to view the logs on the Command Line,
- View logs of traffic trying to pass through the FW - get log traffic
- View logs of traffic to the FW itself - get log self
- View system and generic security events - get log event