There are a lot of ways you can write policies for your firewall. When it comes to passing traffic, a lot of your decisions will come down to the particular access you’re trying to achieve. However, there is one common theme amongst all WatchGuard firewalls, and that has to do with policy order.
WatchGuard firewalls are capable of two modes of operation in regards to policy order: Auto-Order mode and Manual-Order mode. With Auto-Order mode, the firewall will place the policy into its order automatically. With Manual-Order mode, we as the firewall’s operator have the ability to determine where the policy goes.
You can easily determine if your policy is in Auto-Order mode or Manual-Order mode. If the numbers of your policies are white, it is Auto-Order; if they are grey, it is Manual-Order.
Why is this so important? The basic reason has to do with how the firewall reads its configuration. When we pass traffic through our device, the firewall will look at its configuration, starting at policy number 1. It then reads down through the configuration until it finds a pathway for that traffic. So if our configuration is not set in the correct order, the firewall might be passing through through the wrong policy.
Determining Policy Order with Auto-Order Mode
When we have our firewall set in Auto-Order mode, the firewall determines the order of our policies for us. The method it uses for this is very simple. The more specific the policy, the higher in the order it will go. First, it looks at the ports open on the policy. The fewer the ports, the more specific the policy, therefore, the higher in the configuration.
Let’s use the example of passing HTTP (port 80) web traffic. When we add this policy, it is only open on one port. Therefore, it will end up higher in our configuration, giving this policy the preferred access for passing fort 80 traffic. Even though the Outgoing policy would also allow port 80 out because it will allow all TCP or UDP traffic, the HTTP proxy comes first.
What if we have two policies with the same ports? Then the firewall looks at the From and the To field. The more specific the entry, the higher in the list.
Let’s say we add an HTTP proxy specifically for our server. It is also open on port 80, but because we are only allowing from a single IP address, it is more specific and therefore higher than the original HTTP-proxy. This means that our server traffic would flow through its own policy, while all other HTTP traffic coming from the Trusted network would flow through the HTTP-proxy policy.
Manual-Order Mode Process
When we put our firewall into Manual-Order mode, the device loses the ability to determine policy order for us. Instead, we can add the policy to whichever order we want. While it seems like this would be useful, this actually can put us in a bad position if we move a policy without paying attention to the details.
If we were to either accidentally or intentionally move the original HTTP-proxy before the new Server policy, this would override the server’s dedicated acess. Therefore, our server would be using the same access as the rest of our Trusted network, and the HTTP-proxy-Server policy would be useless.
Manual-Order Mode Ramifications
While Manual-Order mode might seem preferable because it gives us more direct control over our policies, there are several significant downsides. The biggest is that, as we continue to add new policies, the firewall has no idea where to properly add them. So it will typically just add next to whatever policy we have highlighted. This not only leads to a messy configuration, but very likely would mean traffic is not flowing through the intended policy. Can you spot the problem?
What if My Firewall is in Manual-Order Mode?
If your firewall is currently in Manual-Order mode, our recommendation would be to take steps to get it configured to Auto-Order mode. This will ultimately ensure your policies are being processed in the correct order. The first step to this is to do a thorough review of your configuration. One of the tricks is that you can do is open up simultaneous copies of your policy through Policy Manager. Leave one as it is, and set the other to Auto-Order mode. This way you can compare your policies to determine what changes would be implemented if you were to switch modes. Don’t be afraid to rewrite your policies if needed. If you have policies that have a lot of ports in them and would be overwritten while in Auto-Order mode, break them down into multiple policies. There’s no worry in having more policies on your configuration if it means your order is correct. And if you run into trouble, Contact Us! JSCM Group has done a lot of work in helping get firewalls back into Auto-Order mode, and we are happy to help you tackle it.