Configure Policies for Firebox-Generated Traffic
In Fireware v12.2 or higher, you can add policies to control Firebox-generated traffic. For a description of Firebox-generated traffic, go to About Policies for Firebox-Generated Traffic.
Before the policy can take effect, you must enable the Enable configuration of policies for traffic generated by the Firebox global setting. If you do not enable this global setting, any policies you create for Firebox-generated traffic do not take effect. For an explanation of how to configure this setting, go to Define Firebox Global Settings.
In the policy you add, you must specify the alias Firebox or an alias that includes the Firebox alias.
Proxy actions are not supported for Firebox-generated traffic.
As a best practice, we recommend that you do not create deny policies for Firebox-generated traffic.
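As an added check that is not part of WatchGuard's documentation or product, the Python script below applies the rules above (global setting enabled, From side names Firebox directly or through a nested alias, no proxy action, no deny action) to a policy definition. The dict layout, the alias Firebox-Mgmt and the sample policies are constructed assumptions, not Fireware's configuration format.

```python
"""Preflight check for policies meant to control Firebox-generated traffic.

Constructed example: the dict layout is a stand-in for an exported
configuration, not WatchGuard's actual file format.
"""

FIREBOX_ALIAS = "Firebox"


def alias_includes_firebox(name, aliases, seen=None):
    """True if `name` is Firebox or an alias that (transitively) contains it."""
    if name == FIREBOX_ALIAS:
        return True
    if seen is None:
        seen = set()
    if name in seen:  # guard against alias cycles in a hand-edited config
        return False
    seen.add(name)
    return any(alias_includes_firebox(m, aliases, seen) for m in aliases.get(name, []))


def check_policy(policy, aliases, global_setting_enabled):
    """Return findings; an empty list means the policy will take effect as intended."""
    findings = []
    if not global_setting_enabled:
        findings.append("global setting disabled: policy will not take effect")
    if not any(alias_includes_firebox(m, aliases) for m in policy["from"]):
        findings.append("From list does not include the Firebox alias")
    if policy.get("proxy_action"):
        findings.append("proxy actions are not supported for Firebox-generated traffic")
    if policy.get("action") == "deny":
        findings.append("deny policy for Firebox-generated traffic (not recommended)")
    return findings


# Constructed sample data: a nested alias that contains Firebox, one good policy, one bad one
ALIASES = {"Firebox-Mgmt": ["Firebox", "Any-Trusted"]}
GOOD = {"name": "Firebox-DNS", "from": ["Firebox-Mgmt"], "to": ["Any-External"], "action": "allow"}
BAD = {"name": "Block-Updates", "from": ["Any-Trusted"], "to": ["Any-External"],
       "action": "deny", "proxy_action": "HTTP-Client"}

if __name__ == "__main__":
    for pol in (GOOD, BAD):
        print(pol["name"], check_policy(pol, ALIASES, global_setting_enabled=True) or ["ok"])
```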
To add a policy in Fireware Web UI:
- Select Firewall > Firewall Policies.
- Click Add Policy.
- Do one of the following:
  - From the Packet Filter drop-down list, select an option.
  - From the Custom drop-down list, select a custom policy template.
  You can add a custom policy template to specify more than one port number in a policy. For an explanation of how to add custom policy templates, go to Create or Edit a Custom Policy Template.
- Click Add Policy.
- In the Name text box, type a name for the policy.
- In the From list, select Any-Trusted. Click Remove.
- After the From list, click Add.
- From the Member Type list, select Alias.
- Select Firebox or an alias that includes the Firebox alias.
- Click Add.
- Click OK.
- From the To list, click Add.
- From the Available Members list, select a destination.
- (Optional) To configure SD-WAN:
  - Select the SD-WAN tab.
  - Select an SD-WAN action that you previously created, or select Create new.
  For information about creating a new SD-WAN action, go to Configure SD-WAN.
- (Optional) To set the source IP address for Firebox-generated traffic:
  - Select the Advanced tab.
  - In the NAT section, select Dynamic NAT.
  - Select All Traffic in this Policy.
  - In the adjacent text box, type the source IP address.
- Click Save.
To add a policy in Policy Manager:
- Click the [icon] button, or select Edit > Add Policies.
  The Add Policy dialog box appears.
- From the Packet Filters drop-down list, select an option.
- Do one of the following:
  - Click Add Policy.
  - Expand Custom, select a custom policy template, and click Add Policy.
  You can add a custom policy template to specify more than one port number in a policy. For an explanation of how to add custom policy templates, go to Create or Edit a Custom Policy Template.
- In the Name text box, type a name for the policy.
- In the From list, select Any-Trusted. Click Remove.
- After the From list, click Add.
- From the Available Members list, select Firebox or an alias that includes the Firebox alias.
- Click Add.
- Click OK.
- After the To list, click Add.
- Select a destination.
  You can select a member from the Available Members list, or select Add SNAT, Add User, or Add Other.
- To add more To destinations, repeat these steps.
- Click OK.
- (Optional) To configure SD-WAN:
  - Select Route outbound traffic using.
  - From the drop-down list, select SD-WAN Based Routing.
  - To select an SD-WAN action that you previously created, select it from the SD-WAN action drop-down list.
  - To add a new SD-WAN action, click the New SD-WAN action button.
  - To edit an SD-WAN action, click the Edit SD-WAN action button.
- (Optional) To set the source IP address for Firebox-generated traffic:
  - Select the Advanced tab.
  - In the NAT section, select Dynamic NAT.
  - Select All Traffic in this Policy.
  - In the adjacent text box, type the source IP address.
- Click Save.
For configuration examples, go to Configuration Examples for Control of Firebox-Generated Traffic.
Related topics: About Policies for Firebox-Generated Traffic; Configuration Examples for Control of Firebox-Generated Traffic.