Policy
Policies allow you to enforce rules and take action.
The different types of policy rules that you can create on the firewall
are: Security, NAT, Quality of Service (QoS), Policy Based Forwarding
(PBF), Decryption, Application Override, Authentication, Denial
of Service (DoS), and Zone protection policies. All these different
policies work together to allow, deny, prioritize, forward, encrypt,
decrypt, make exceptions, authenticate access, and reset connections
as needed to help secure your network.
It is important to understand that in firewall policy rules,
the set of IPv4 addresses is treated as a subset of the set of IPv6
addresses. However, the set of IPv6 addresses is not a subset of
the set of IPv4 addresses. An IPv4 address can match a set or range
of IPv6 addresses; but an IPv6 address cannot match a set or range
of IPv4 addresses.
In all policy types, the keyword any for
a source or destination address means any IPv4 or IPv6 address.
The keyword any is equivalent to ::/0. If
you want to express "any IPv4 address", specify 0.0.0.0/0.
During policy matching, the firewall converts an IPv4 address
into an IPv6 address whose first 96 bits are 0. A prefix such as
::/8 means: match the rule if the first 8 bits of the address are 0. All IPv4 addresses
therefore match ::/8, ::/9, ::/10, ::/11, ... ::/16, ... ::/32, ...
through ::/96.
If you want to express "any IPv6 address, but no IPv4 addresses",
you must configure two rules. The first rule denies 0.0.0.0/0 to
deny any IPv4 address (as the source or destination address), and
the second rule has ::/0 to mean any IPv6 address (as the source
or destination address), to satisfy your requirement.
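The following added example (not from the original documentation) models the matching rule described above with Python's ipaddress module: an IPv4 address is mapped under a zero 96-bit prefix, so it matches ::/8 through ::/96 and the keyword any, while an IPv6 address never matches 0.0.0.0/0. The rule evaluation order (top-down, first match wins) and the sample addresses and rule names are assumptions for the illustration.

```python
from ipaddress import (IPv4Address, IPv4Network, IPv6Address, IPv6Network,
                       ip_address, ip_network)

def to_v6(addr):
    """Map an address into IPv6 space the way policy matching does: an
    IPv4 address becomes an IPv6 address whose first 96 bits are zero
    (192.0.2.1 -> ::c000:201); an IPv6 address is returned unchanged."""
    a = ip_address(addr)
    return IPv6Address(int(a)) if isinstance(a, IPv4Address) else a

def to_v6_net(net):
    """Map a rule's address object the same way. 'any' is ::/0; an IPv4
    prefix /n becomes /(96+n) under the zero 96-bit prefix, so 0.0.0.0/0
    becomes ::/96 (every IPv4 address, but no other IPv6 address)."""
    if net == "any":
        return IPv6Network("::/0")
    n = ip_network(net, strict=False)
    if isinstance(n, IPv4Network):
        return IPv6Network((IPv6Address(int(n.network_address)), 96 + n.prefixlen))
    return n

def matches(addr, net):
    """True if the address falls inside the rule's address object."""
    return to_v6(addr) in to_v6_net(net)

def evaluate(addr, rules):
    """Top-down, first-match evaluation (assumed rule order for this
    illustration). rules: list of (name, address_object, action)."""
    for name, net, action in rules:
        if matches(addr, net):
            return name, action
    return None, "no-match"

# Constructed sample addresses and rule sets.
IPV4 = "192.0.2.1"
IPV6 = "2001:db8::1"

# A single ::/0 (or 'any') rule admits IPv4 as well as IPv6 addresses.
ONE_RULE = [("allow-any-v6", "::/0", "allow")]

# The two-rule pattern for "any IPv6 address, but no IPv4 addresses".
TWO_RULES = [("deny-ipv4", "0.0.0.0/0", "deny"),
             ("allow-ipv6", "::/0", "allow")]

if __name__ == "__main__":
    for p in (8, 16, 32, 96, 97):
        print(f"{IPV4} in ::/{p}: {matches(IPV4, f'::/{p}')}")
    print(f"{IPV6} in 0.0.0.0/0: {matches(IPV6, '0.0.0.0/0')}")
    print("one rule :", evaluate(IPV4, ONE_RULE), evaluate(IPV6, ONE_RULE))
    print("two rules:", evaluate(IPV4, TWO_RULES), evaluate(IPV6, TWO_RULES))
```

Note that ::/97 no longer matches 192.0.2.1, because bit 97 of its mapped form is set; this is why the range of matching prefixes stops at ::/96.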
The following topics describe how to work with policy: