Configuration > Overlays & Security > Security > Firewall Zone Security Policies
This tab displays the Security Policies, which manage traffic between firewall zones.
Zones are created on the Orchestrator. A zone is applied to an Interface.
By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with different zones is dropped. Users can create exception rules (Security Policies) to allow traffic between interfaces with different zones.
When Routing Segmentation (VRF) is enabled, by default, traffic is allowed between interfaces labeled with the same zone and the same segment. Any traffic between different zones or between different segments is dropped.
When segmentation is enabled, define your security policies from the Routing Segmentation (VRF) tab.
When segmentation is enabled, do not use templates. If a security policy template is applied while segmentation is enabled, it applies only within the default segment, and it overrides the default-default security policy (the policy for traffic within the default segment) defined on the Routing Segmentation (VRF) tab. This behavior is intended to avoid disrupting traffic when segmentation is enabled for the first time and during a migration to segments. Once the migration is complete, remove the security policy template.
If segments are disabled, define your security policies by creating templates. You can then apply template groups to appliances.
Clicking the edit icon opens the Security Policy currently applied to the appliance. Any changes made here are local to that appliance, so making changes from this tab is not recommended; manage policy through templates (or from the Routing Segmentation (VRF) tab when segmentation is enabled) instead.
Logging: In table view, you can specify the log level when adding and editing a rule. Select the appropriate level from the options in the list.
Define your Security Policies by creating templates; you can then apply the templates to Interfaces or Overlays. If segmentation is enabled, define them from the Routing Segmentation (VRF) tab instead.
Click Firewall Drops to see statistics on various flows, packets, and bytes dropped or allowed by a zone-based firewall for a given time range.
Click Manage Security Policies with Templates to define policies on all appliances within your network. You can use the matrix and table view to further specify your policies. If segmentation is enabled, do not use templates. Manage from the Routing Segmentation (VRF) tab instead.
When using a range or a wildcard, the IPv4 address must be written in full four-octet dotted-decimal form, A.B.C.D.
A range within an octet is written with a dash, for example 128-129 (matches 128 and 129 inclusive).
A wildcard is written as an asterisk (*) and matches any value for that octet.
Range and wildcard can both appear in the same address, but a single octet can contain only one of them. For example, 10.136-137.*.64-95.
A wildcard can only stand for an entire octet; a partial wildcard such as 10.13*.*.64-95 is not supported. Write the equivalent range explicitly instead: 10.130-139.*.64-95.
The same rules apply to IPv6 addressing.
CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, use either 192.168.0.0/24 or 192.168.0.1-127.
These prefix-matching rules only apply to the following policies: Router, QoS, Optimization, NAT, Security, and ACLs.
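To make the address-match rules and the zone-pair defaults concrete, here is an added example; it is not the Orchestrator's own code. It implements a small matcher that accepts an address expression under the rules above (exact address, CIDR, or per-octet range/wildcard), rejects the unsupported forms (partial wildcard, CIDR mixed with range or wildcard), and a simplified evaluator for the default behaviour described at the top of this page: same zone (and same segment when segmentation is enabled) is allowed, other zone pairs are dropped unless an exception rule matches. The function names, the rule and flow field layouts, and the sample rule and flows are assumptions constructed for this example; only IPv4 patterns are modelled.

```python
import ipaddress
import re

# Added example for this page; not the Orchestrator's own code. All function
# names, the rule/flow dict layouts and the sample data below are assumptions.

_OCTET = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def compile_address(expr):
    """Turn one address expression into a predicate ip_str -> bool.

    Accepted forms: an exact IPv4 address, CIDR (A.B.C.D/n), or four dotted
    octets where each octet is a number, an inclusive range "lo-hi", or a
    whole-octet wildcard "*". CIDR may not be mixed with range/wildcard, a
    wildcard may not be partial ("13*"), and an octet holds a range or a
    wildcard but not both. Anything else raises ValueError.
    """
    expr = expr.strip()
    patterned = "*" in expr or "-" in expr
    if "/" in expr:
        if patterned:
            raise ValueError("CIDR and range/wildcard are mutually exclusive: " + expr)
        net = ipaddress.ip_network(expr, strict=False)
        return lambda ip: ipaddress.ip_address(ip) in net
    if not patterned:
        exact = ipaddress.ip_address(expr)          # raises ValueError if malformed
        return lambda ip: ipaddress.ip_address(ip) == exact
    octets = expr.split(".")
    if len(octets) != 4:
        raise ValueError("range/wildcard form needs four dotted octets: " + expr)
    bounds = []                                     # one (lo, hi) per octet
    for octet in octets:
        if octet == "*":
            bounds.append((0, 255))
            continue
        if "*" in octet:                            # "13*" is not a whole-octet wildcard
            raise ValueError("a wildcard must cover a whole octet: " + expr)
        m = _OCTET.match(octet)
        if not m:
            raise ValueError("bad octet %r in %s" % (octet, expr))
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError("octet range out of order or out of bounds: " + expr)
        bounds.append((lo, hi))

    def match(ip):
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:                       # range/wildcard modelled for IPv4 only
            return False
        return all(lo <= v <= hi for (lo, hi), v in zip(bounds, addr.packed))
    return match


def is_valid_address(expr):
    """True if expr is accepted under the rules above (handy for checking rejections)."""
    try:
        compile_address(expr)
        return True
    except ValueError:
        return False


def make_flow(src_zone, dst_zone, src_ip, dst_ip, src_segment="default", dst_segment="default"):
    return {"src_zone": src_zone, "dst_zone": dst_zone, "src_ip": src_ip, "dst_ip": dst_ip,
            "src_segment": src_segment, "dst_segment": dst_segment}


def evaluate_flow(flow, rules, segmentation_enabled):
    """Simplified model of the zone-pair decision described on this page.

    The first rule whose zone pair, segment pair (when segmentation is enabled)
    and address expressions all match decides. With no matching rule, traffic
    between interfaces in the same zone (and, with segmentation, the same
    segment) is allowed and everything else is dropped.
    """
    for rule in rules:
        if (rule["src_zone"], rule["dst_zone"]) != (flow["src_zone"], flow["dst_zone"]):
            continue
        if segmentation_enabled and (rule.get("src_segment"), rule.get("dst_segment")) != (
                flow["src_segment"], flow["dst_segment"]):
            continue
        if compile_address(rule["src_ip"])(flow["src_ip"]) and compile_address(rule["dst_ip"])(flow["dst_ip"]):
            return rule["action"]
    same_zone = flow["src_zone"] == flow["dst_zone"]
    same_segment = (not segmentation_enabled) or flow["src_segment"] == flow["dst_segment"]
    return "allow" if same_zone and same_segment else "drop"


# Constructed sample exception rule: let one lan address range reach the dmz /24.
SAMPLE_RULES = [
    {"src_zone": "lan", "dst_zone": "dmz", "src_ip": "10.136-137.*.64-95",
     "dst_ip": "192.168.0.0/24", "action": "allow"},
]

if __name__ == "__main__":
    print(evaluate_flow(make_flow("lan", "dmz", "10.137.3.80", "192.168.0.10"), SAMPLE_RULES, False))
    print(evaluate_flow(make_flow("lan", "dmz", "10.138.3.80", "192.168.0.10"), SAMPLE_RULES, False))
    print(evaluate_flow(make_flow("lan", "lan", "10.1.1.1", "10.1.1.2", "corp", "guest"), SAMPLE_RULES, True))
```

Note that the sample rule carries no segment fields, so once segmentation is enabled it no longer matches anything in the model; this mirrors the point above that template rules must be redefined per segment pair on the Routing Segmentation (VRF) tab rather than reused as-is.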