WSM User Guide - WatchGuard Technologies
Setting Policy Precedence

2 Traffic rules of the To field
3 Traffic rules of the From field
4 Firewall action
5 Schedule
6 Alphanumeric sequence based on policy type
7 Alphanumeric sequence based on policy name

Comparing policy type

Policy Manager uses these criteria in sequence to compare two policies until it finds that the policies are equal or that one is more detailed than the other:

1 An Any policy always has the lowest precedence. For more information about the Any policy, see “Any” on page 379.
2 Check the number of TCP 0 (any) or UDP 0 (any) protocols. The policy with the smaller number has higher precedence.
3 Check the number of unique ports for TCP and UDP protocols. The policy with the smaller number has higher precedence.
4 Count the number of unique ports for TCP and UDP protocols. The policy with the smaller number has higher precedence.
5 Score the protocols based on their IP protocol value. The policy with the smaller score has higher precedence.

If Policy Manager cannot set the precedence when it compares the policy type, it examines traffic rules.

Comparing traffic rules

Policy Manager uses these criteria in sequence to compare the most general traffic rule of one policy with the most general traffic rule of a second policy. It assigns higher precedence to the policy with the most detailed traffic rule. The list of traffic rules from most detailed to most general is:

1 Host address
2 IP address range (smaller than the subnet being compared to)
3 Subnet
4 IP address range (larger than the subnet being compared to)
5 Authentication user
6 Authentication group
7 Interface, Firebox
8 Any-External, Any-Trusted, Any-Optional
9 Any

For example, compare these two policies:

HTTP-1
From: Trusted, user1

HTTP-2
From: 10.0.0.1, Any-Trusted

“Trusted” is the most general entry for HTTP-1. “Any-Trusted” is the most general entry for HTTP-2. Because “Trusted” is within “Any-Trusted,” HTTP-1 is the more detailed traffic rule. This is correct despite the fact that HTTP-2 includes an IP address. This is because Policy Manager uses these criteria in sequence to compare the most general traffic rule of one policy with the most general traffic rule of a second policy.

If Policy Manager cannot set the precedence when it compares the traffic rules, it examines the firewall actions.

Comparing firewall actions

Policy Manager compares the firewall actions of two policies to set precedence. Precedence of firewall actions from highest to lowest is:

1 Denied or Denied (send reset)
2 Allowed proxy
3 Allowed filter

If Policy Manager cannot set the precedence when it compares the firewall actions, it examines the schedules.

Comparing schedules

Policy Manager compares the schedules of two policies to set precedence. Precedence of schedules from highest to lowest is:

1 Always off
2 Sometimes on
3 Always on

If Policy Manager cannot set the precedence when it compares the schedules, it examines the policy names.

Comparing type and names

If the two policies do not match any other precedence criteria, Policy Manager sorts the policies in alphanumeric sequence. First it uses the policy type. Then it uses the policy name. Because no two policies can be the same type and have the same name, this is the last criterion for precedence.

Setting precedence manually

To switch to manual-order mode, select View > Auto-order mode so that the checkmark disappears. You are asked to confirm if you want to switch to auto-order mode.

To change the order of policies:

• Select the policy whose order you want to change. Click the up or down arrow on the far right side of the Policy Manager toolbar.
or
• Select the policy whose order you want to change and drag it to its new location.
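The comparison sequence described above can be modelled as a sort key, which is useful when reviewing an exported rule set to see which criterion decides the order of two overlapping policies. This is an added example, not WatchGuard code: the dictionary layout, the kind labels and the HTTP-3 policy are assumptions, the policy-type comparison is treated as a tie, and IP address ranges are omitted because their rank depends on the subnet they are compared with.

```python
# Added illustration, not WatchGuard code. Field names and layout are assumed.
# Traffic-rule kinds ranked from most detailed to most general, as in the guide.
# IP address ranges (ranks 2 and 4) are left out: their rank depends on the
# subnet they are compared with, so they cannot be scored in isolation.
RULE_RANK = {"host": 1, "subnet": 3, "user": 5, "group": 6,
             "interface": 7, "any-alias": 8, "any": 9}
ACTION_RANK = {"denied": 1, "denied (send reset)": 1,
               "allowed proxy": 2, "allowed filter": 3}
SCHEDULE_RANK = {"always off": 1, "sometimes on": 2, "always on": 3}
CRITERIA = ["To field", "From field", "firewall action", "schedule",
            "policy type", "policy name"]

def most_general(entries):
    """Rank of the most general entry in a To or From list."""
    return max(RULE_RANK[kind] for kind, _value in entries)

def precedence_key(p):
    """Smaller tuple = higher precedence. Assumes equal policy-type scores."""
    return (most_general(p["to"]), most_general(p["from"]),
            ACTION_RANK[p["action"]], SCHEDULE_RANK[p["schedule"]],
            p["type"], p["name"])  # plain string order stands in for alphanumeric

def auto_order(policies):
    """Policy names from highest to lowest precedence."""
    return [p["name"] for p in sorted(policies, key=precedence_key)]

def deciding_criterion(a, b):
    """First criterion on which two policies differ, or None if identical."""
    for label, x, y in zip(CRITERIA, precedence_key(a), precedence_key(b)):
        if x != y:
            return label
    return None

def policy(name, from_, action):
    # Constructed sample: To, schedule and type are held equal for all policies.
    return {"name": name, "type": "HTTP", "from": from_, "action": action,
            "to": [("any-alias", "Any-External")], "schedule": "always on"}

HTTP_1 = policy("HTTP-1", [("interface", "Trusted"), ("user", "user1")], "allowed filter")
HTTP_2 = policy("HTTP-2", [("host", "10.0.0.1"), ("any-alias", "Any-Trusted")], "allowed filter")
HTTP_3 = policy("HTTP-3", [("host", "10.0.0.1"), ("any-alias", "Any-Trusted")], "denied")

if __name__ == "__main__":
    print(auto_order([HTTP_2, HTTP_3, HTTP_1]))
    print(deciding_criterion(HTTP_1, HTTP_2), "|", deciding_criterion(HTTP_2, HTTP_3))
```

HTTP-1 and HTTP-2 are the guide's own pair; HTTP-3 shares HTTP-2's From field, so the firewall action decides between those two.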