You can use access policies, or rules, in routed and transparent firewall mode to
control IP traffic. An access rule permits or denies traffic based
on the protocol, a source and destination IP address or network,
and optionally the users and user groups.
Access policies define the rules that traffic must meet to pass
through an interface. When you define rules for incoming traffic,
they are applied to the traffic before any other policies are
applied. Traffic that arrives at an interface is examined to determine whether to
forward or drop the packet based on criteria you specify. If you
define access rules in the out direction, packets are also analyzed
before they are allowed to leave an interface.
Access policies are applied in order. That is, when the
device compares a packet to the rules, it searches the access policies list from top to
bottom and applies the first matching rule, ignoring all subsequent rules (even if a later rule is a better
match). Thus, you should place specific rules above more general
rules to ensure the specific rules are not skipped.
Carefully consider the other types of firewall
rules you intend to create when you define access rules. Do not
create a blanket denial in an access rule for traffic that you
really want to inspect. On the other hand, if you know that you
will never allow a service from or to a specific host or network,
use an access rule to deny that traffic.
Default behavior is to permit traffic from a higher-security interface to a
lower-security interface. Otherwise, all traffic is denied.
If an access rule allows TCP/UDP traffic in one direction, the
appliance automatically allows return traffic (you do not need to
configure a corresponding rule for the return traffic), except for
ICMP traffic, which does require a return rule (where you permit
the reverse source and destination).
Universal Access Policies
Traditionally, access rules are applied to device interfaces.
However, you also can create global, or “universal,” access policies that are applied to all devices in the repository.
Universal rules are best used for rules that you want to apply to
all traffic on a device regardless of interface. For example, there might be a specific host or subnet that
you always want to deny or permit. You can create these as universal
rules, so they are configured once instead of
being configured individually on each device.
You can add universal rules to the “Universal Top” or “Universal Bottom” policy sets. These are then assigned and applied before or after the policies specific to each device.
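The following is an added illustration, not the product's own code, of the evaluation model described in this section: first-match ordering, the default permit from a higher-security interface to a lower-security one (otherwise deny), and the Universal Top / device / Universal Bottom composition order. It is a deliberately simplified model (IPv4 CIDR networks only, no ports, no users or groups, security levels as plain integers) with constructed sample rules; the `find_shadowed` check, which flags a rule that an earlier, broader rule will always match first, is the kind of ordering audit a practitioner would run before deploying a rule set.

```python
"""Simplified model of first-match access-rule evaluation (added example, not vendor code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    protocol: str      # "ip" (any), "tcp", "udp" or "icmp"
    source: str        # IPv4 network in CIDR notation
    destination: str   # IPv4 network in CIDR notation

    def matches(self, protocol, src, dst):
        proto_ok = self.protocol == "ip" or self.protocol == protocol
        return (proto_ok
                and ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination))


def first_match(rules, protocol, src, dst):
    """Top-to-bottom search; the first matching rule wins and later rules are ignored."""
    for index, rule in enumerate(rules):
        if rule.matches(protocol, src, dst):
            return rule.action, index
    return None, None


def default_action(in_security, out_security):
    """Behaviour when no rule matches: permit only from higher to lower security level."""
    return "permit" if in_security > out_security else "deny"


def evaluate(rules, protocol, src, dst, in_security, out_security):
    """Return (action, matched_rule_index); index is None when the default applied."""
    action, index = first_match(rules, protocol, src, dst)
    if action is None:
        return default_action(in_security, out_security), None
    return action, index


def find_shadowed(rules):
    """Indices of rules that can never match because an earlier rule fully covers them."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.protocol in ("ip", later.protocol)
                    and ip_network(later.source).subnet_of(ip_network(earlier.source))
                    and ip_network(later.destination).subnet_of(ip_network(earlier.destination))):
                shadowed.append(i)
                break
    return shadowed


def effective_rules(universal_top, device_rules, universal_bottom):
    """Universal Top rules are evaluated first, then device rules, then Universal Bottom."""
    return list(universal_top) + list(device_rules) + list(universal_bottom)


# Constructed sample policy sets (addresses from documentation ranges, not real hosts).
UNIVERSAL_TOP = [Rule("deny", "ip", "198.51.100.0/24", "0.0.0.0/0")]   # always-deny subnet
DEVICE_RULES_WRONG_ORDER = [
    Rule("permit", "tcp", "10.0.0.0/8", "0.0.0.0/0"),      # general rule placed first...
    Rule("deny", "tcp", "10.0.5.0/24", "0.0.0.0/0"),       # ...so this specific rule is shadowed
]
DEVICE_RULES_FIXED = [
    Rule("deny", "tcp", "10.0.5.0/24", "0.0.0.0/0"),       # specific rule above the general one
    Rule("permit", "tcp", "10.0.0.0/8", "0.0.0.0/0"),
]
UNIVERSAL_BOTTOM = [Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0")]      # explicit final deny

if __name__ == "__main__":
    wrong = effective_rules(UNIVERSAL_TOP, DEVICE_RULES_WRONG_ORDER, UNIVERSAL_BOTTOM)
    fixed = effective_rules(UNIVERSAL_TOP, DEVICE_RULES_FIXED, UNIVERSAL_BOTTOM)
    print("shadowed rule indices (wrong order):", find_shadowed(wrong))
    print("10.0.5.7 -> 203.0.113.10 tcp, wrong order:", evaluate(wrong, "tcp", "10.0.5.7", "203.0.113.10", 100, 0))
    print("10.0.5.7 -> 203.0.113.10 tcp, fixed order:", evaluate(fixed, "tcp", "10.0.5.7", "203.0.113.10", 100, 0))
    print("no matching rule, inside -> outside:", evaluate([], "udp", "10.9.9.9", "203.0.113.1", 100, 0))
```

Running the script shows the ordering mistake directly: with the general permit above the specific deny, a host in 10.0.5.0/24 is permitted by rule 1 and the deny at index 2 is reported as shadowed; with the order fixed, the same packet is denied by the specific rule. The Universal Top deny is matched before any device rule regardless of which device's list is being evaluated.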
See Managing Policies for general information about working with policies and policy sets.