Netscreen – Rule Processing Order

Rule Processing Order

The general processing order is as follows:

  1. Look for a policy between the ingress and egress zones.
  2. If no policy is found (in step 1), search for a Global policy.
  3. If no Global policy is found and the ingress zone is the same as the egress zone, apply the intra-zone block, i.e. if intra-zone blocking is enabled, drop the packet unless an intra-zone rule permits it.
  4. Implied deny all (also known as the Default Policy).

So, to summarize the above:

  1. Policy for Ingress > Egress Zone
  2. Global Policy
  3. Intra-Zone Policy
  4. Implied deny all

Logging

Taking the above into account, the following applies:

  • Denied traffic which has a source or destination of any of the firewall's own interface IP addresses will be logged under the log-self logs (log-self will need enabling).
  • All other traffic that is denied will be dropped by the implied deny all and not logged. So you will require an explicit deny all policy for the Ingress / Egress zones to enable logging of the dropped traffic.

To enable log-self on your firewall, use the command – set firewall log-self

The following commands allow you to view the logs on the command line:

  • View logs of traffic trying to pass through the FW – get log traffic
  • View logs of traffic to the FW itself – get log self
  • View system and generic security events – get log event
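As an added illustration (not code from the original post or from Juniper), the following Python model walks a flow through the four lookup steps above and reports where, if anywhere, the result would be logged. The policy list is constructed sample data, and the model assumes that intra-zone traffic is permitted when intra-zone blocking is disabled.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    src_zone: str          # "global" marks a Global policy (any zone pair)
    dst_zone: str
    action: str            # "permit" or "deny"
    log: bool = False      # the policy has the "log" option set

def decide(policies, ingress, egress, *, to_self=False,
           intra_zone_block=True, log_self=False):
    """Return (action, matched_by, log_target) for one flow.

    log_target is "traffic" (seen with 'get log traffic'), "self"
    (seen with 'get log self') or None (dropped without a log entry).
    """
    policy_log = False
    # 1. Policy between the ingress and egress zones
    for p in policies:
        if p.src_zone == ingress and p.dst_zone == egress:
            action, matched, policy_log = p.action, "zone-policy", p.log
            break
    else:
        # 2. Global policy
        for p in policies:
            if p.src_zone == "global":
                action, matched, policy_log = p.action, "global-policy", p.log
                break
        else:
            if ingress == egress:
                # 3. Intra-zone block (assumption: passes when block is off)
                if intra_zone_block:
                    action, matched = "deny", "intra-zone-block"
                else:
                    action, matched = "permit", "intra-zone-default"
            else:
                # 4. Implied deny all: no entry in the traffic log
                action, matched = "deny", "implied-deny"
    if policy_log:
        return action, matched, "traffic"
    # Denied traffic addressed to the firewall itself goes to the self log,
    # but only once 'set firewall log-self' has been enabled.
    if action == "deny" and to_self and log_self:
        return action, matched, "self"
    return action, matched, None

# Constructed sample: only trust -> untrust is permitted (and logged)
SAMPLE_POLICIES = [Policy("trust", "untrust", "permit", log=True)]
```

Adding an explicit `Policy("untrust", "trust", "deny", log=True)` to the list turns the silent implied deny for untrust -> trust into a logged zone-policy drop, which is the point made in the Logging section.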
Rick Donato