H3C SecPath Security Products FAQ(V7)-6W100


Security policy FAQ

Q.     What is the default security policy between two security zones?

A.     By default, packets are denied between two security zones.

Q.     What policy types are available between two security zones?

A.     The policy types are mainly packet filtering, ASPF, object policy, and security policy.

Q.     How many object group hierarchy layers are supported?

A.     The system supports a maximum of five object group hierarchy layers.

Q.     What is the operating order for security policy matching and NAT?

A.     The operating order is NAT server translation, security policy matching, and outbound dynamic NAT in sequence.

Q.     What should I pay attention to when configuring security policies for GRE and L2TP tunnel traffic?

A.     In the decapsulation direction, the following two policies are required:

·     Security policy between the security zone to which the physical inbound interface belongs and Local zone.

·     Security policy between the security zone to which the Tunnel or VT belongs and the security zone to which the physical inbound interface belongs.

In the encapsulation direction, the following two policies are required:

·     Security policy between the security zone to which the physical inbound interface belongs and Local zone.

·     Security policy between Local zone and the security zone to which the physical inbound interface belongs.

Q.     Can I use security policies and object policies on the device at the same time?

A.     No. Security policies cannot be used together with object policies, because object policies lose effect the first time you enter security policy view.

Q.     Will packet filtering lose effect after I configure security policies?

A.     When both security policies and packet filtering are configured, packet filtering is performed only on packets that do not match any security policy rule. For packet filtering to take effect as intended, plan the packet filtering rules and the security policy rules together so that the packets you want filtered are not already matched by a security policy rule.

Q.     What is the configuration principle for security policies?

A.     Create rules in depth-first order, that is, create rules with stricter match criteria before rules with broader match criteria, because the system matches packets against rules in the order in which the rules were created and stops at the first match. A broad rule created first would shadow any stricter rule created after it.

Q.     What should I pay attention to when configuring security policies?

A.     Make sure you switch object policies to security policies before configuring security policies for the first time because object policies lose effect the first time you enter security policy view.

Q.     What is the action for the matched packets when a security policy uses empty object groups?

A.     If a security policy uses empty address and service object groups, the security policy cannot match any packet. What happens to the packets then depends on whether they match other security policies, object policies, or packet filtering rules.
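The four answers above (NAT and policy order, packet filtering as the fallback for unmatched packets, first-match rule order, and empty object groups matching nothing) describe one forwarding pipeline. The following Python model is an added example written for this page, not H3C code: it evaluates a packet through NAT server translation, security policy rules in creation order, the packet-filter fallback with default deny, and outbound dynamic NAT last. All addresses, zone names and rule names are constructed for the demonstration, and the `Firewall`, `Rule` and `Packet` classes are assumptions of the model rather than any device API.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    src_zone: str
    dst_zone: str


@dataclass
class Rule:
    """One security-policy rule (constructed model, not a device API).
    A criterion set to None is 'not configured' and matches anything; an empty
    list models an empty object group, which can never match a packet."""
    name: str
    action: str                           # "pass" or "drop"
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    src_group: Optional[list] = None      # address object group, e.g. ["10.0.0.0/24"]
    dst_group: Optional[list] = None
    svc_group: Optional[list] = None      # service object group, e.g. [443]

    @staticmethod
    def _in_group(group, value, member_of):
        if group is None:
            return True                   # criterion not configured
        return any(member_of(m, value) for m in group)   # [] -> never True

    def matches(self, pkt: Packet) -> bool:
        def in_net(net, ip):
            return ip_address(ip) in ip_network(net)
        return (
            (self.src_zone is None or self.src_zone == pkt.src_zone)
            and (self.dst_zone is None or self.dst_zone == pkt.dst_zone)
            and self._in_group(self.src_group, pkt.src, in_net)
            and self._in_group(self.dst_group, pkt.dst, in_net)
            and self._in_group(self.svc_group, pkt.dport, lambda p, q: p == q)
        )


class Firewall:
    def __init__(self, nat_server, dynamic_nat, packet_filter):
        self.rules = []                     # security-policy rules in creation order
        self.nat_server = nat_server        # public dst ip -> private ip (before policy)
        self.dynamic_nat = dynamic_nat      # (src_zone, dst_zone) -> public src ip (after policy)
        self.packet_filter = packet_filter  # (src_zone, dst_zone) -> "pass"/"drop"

    def add_rule(self, rule: Rule):
        self.rules.append(rule)             # creation order is match order

    def forward(self, pkt: Packet) -> dict:
        pkt = Packet(**vars(pkt))           # work on a copy
        # 1. NAT server: the destination is translated before the policy sees it.
        pkt.dst = self.nat_server.get(pkt.dst, pkt.dst)
        # 2. Security policy: the first matching rule decides.
        decided_by, action = None, None
        for rule in self.rules:
            if rule.matches(pkt):
                decided_by, action = f"rule:{rule.name}", rule.action
                break
        # 3. Packet filtering only sees packets no security-policy rule matched;
        #    a zone pair with no filter configured keeps the default deny.
        if action is None:
            action = self.packet_filter.get((pkt.src_zone, pkt.dst_zone), "drop")
            decided_by = "packet-filter"
        # 4. Outbound dynamic NAT runs last, only for packets the policy passed.
        if action == "pass":
            pkt.src = self.dynamic_nat.get((pkt.src_zone, pkt.dst_zone), pkt.src)
        return {"action": action, "decided_by": decided_by, "src": pkt.src, "dst": pkt.dst}


def build_demo() -> Firewall:
    """Constructed topology: trust (10.0.0.0/24), dmz (10.1.1.0/24), untrust."""
    fw = Firewall(
        nat_server={"203.0.113.10": "10.1.1.10"},
        dynamic_nat={("trust", "untrust"): "198.51.100.1"},
        packet_filter={("trust", "dmz"): "pass"},
    )
    # Stricter /32 drop is created before the /24 pass that would otherwise shadow it.
    fw.add_rule(Rule("block_host", "drop", "trust", "untrust", ["10.0.0.99/32"]))
    fw.add_rule(Rule("lan_out", "pass", "trust", "untrust", ["10.0.0.0/24"]))
    # Inbound rule names the private address because NAT server runs before matching.
    fw.add_rule(Rule("web_in", "pass", "untrust", "dmz", None, ["10.1.1.10/32"], [443]))
    # Empty service object group: this rule can never match, so trust->dmz
    # traffic falls through to packet filtering.
    fw.add_rule(Rule("empty_svc", "pass", "trust", "dmz", None, None, []))
    return fw


if __name__ == "__main__":
    fw = build_demo()
    print(fw.forward(Packet("198.51.100.77", "203.0.113.10", 443, "untrust", "dmz")))
    print(fw.forward(Packet("10.0.0.5", "192.0.2.1", 80, "trust", "untrust")))
    print(fw.forward(Packet("10.0.0.99", "192.0.2.1", 80, "trust", "untrust")))
    print(fw.forward(Packet("10.0.0.5", "10.1.1.10", 80, "trust", "dmz")))
```

Running the module shows the inbound web packet passing `web_in` with its destination already rewritten to `10.1.1.10`, the outbound LAN packet leaving with the dynamic NAT source `198.51.100.1`, the blocked host being dropped by the stricter rule that was created first, and the trust-to-dmz packet being decided by packet filtering because the only candidate rule has an empty service group. Creating `lan_out` before `block_host` in the same model lets `10.0.0.99` through, which is the shadowing the depth-first guidance avoids.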

Q.     In an inter-VLAN bridge forwarding network, how does hit statistics collection work for security policies?

A.     In an inter-VLAN bridge forwarding network, hit statistics collection for security policies only collects statistics about packets that are dropped by security policies and content moderation.

Q.     Will the activation failure of newly created or edited security policies affect security policies that are already in effect?

A.     No.

Q.     What should I pay attention to when configuring security policies in a multi-context scenario?

A.     In a multi-context scenario, before configuring content security services for a non-default context, you must first activate the application layer detection engine for the default context. You can click Submit on the security policy page of the default context for activation.

Q.     Is rule matching acceleration required when the content of object groups used by a security policy changes?

A.     Rule matching acceleration for security policy is enabled by default and cannot be disabled manually.

After the content of object groups used by a security policy changes, you must use the accelerate enhanced enable command to activate rule matching acceleration for security policy again.

Specifications vary slightly between models; for details, contact your sales representative or the 400 hotline. H3C reserves the right to modify the contents of this document without notice.