Matching priority of firewall packet-filter and policy interzone on the USG9000


policy interzone has a higher priority.

Other related questions:
Configure the ACL-based packet filtering firewall on an AR router
The packet filtering firewall filters packets based on a configured ACL. If data flows occur between two security zones, the packet filtering firewall implements filter policies according to ACL rules. In the system view: Run the acl [ number ] acl-number [ match-order { config | auto } ] command to create an ACL and access the ACL view. Note: The ACLs that can be used by the packet filtering firewall include basic ACLs and advanced ACLs. Run the rule command in the ACL view to configure ACL rules. Run the quit command to return to the system view. Run the firewall interzone zone-name1 zone-name2 command to access the interzone view. Run the packet-filter acl-number { inbound | outbound } command to configure the ACL-based packet filtering firewall. The ACL-based packet filtering firewall configured for the interzone can be specific to the inbound and outbound directions, respectively. For details about the commands for configuring the ACL-based packet filtering firewall of AR series routers, see the URL: The AR router configures the ACL packet filtering firewall.

What is the matching order of the firewall policy routes?
The matching order of the firewall policy routes is matched according to the node serial number following the policy-based-route policy from small to large.

Matching priority of the user-defined rule, whitelist, blacklist, and predefined filtering
The matching sequence is whitelist -> blacklist -> user-defined -> predefined. If a URL matches the whitelist, the access is permitted. Otherwise, the device searches for a match of the URL in the blacklist. If a match is found in the blacklist, the access is blocked. If no, the device continues to search for a match of this URL in the user-defined categories. If a match is found, and the action for the matched category is Block, the access is blocked. If no match is found, the device continues to search for a match of this URL in the predefined rules.

Configuring interzone packet filtering on the USG6000 series
Conditions and actions for configuring packet filtering

Security policy matching order on the USG9000 series
When multiple security policies are to be matched, they are matched in a specific order. Therefore, you are advised to configure more fine-grained security policies first.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top