Zone Policy Settings

This page lets you assign security policies to the Management Zone. When determining the effective policies to be enforced on a device, the Zone policies are evaluated after all other assigned policies. Consider the following situations:

  • No Firewall policies are assigned to a device or the device’s user (either directly or through a group or folder). The Zone Firewall policy becomes the effective policy for the device and is enforced on the device.

  • Firewall policies are assigned to a device and the device’s user. Both policies are evaluated and manipulated to determine the effective Firewall policy to apply to the device. After the effective policy is determined from the user-assigned and device-assigned policies, the Zone Firewall policy is used to supply any values that 1) are unset in the effective Firewall policy and 2) are additive (such as the multi-valued Port/Protocol Rules tables).

You can define Zone policies at three levels. This enables you to assign different Zone policies to different devices within your Management Zone.

  • Management Zone: The policies you define at the Management Zone become the Zone policies for all devices, unless you specify different Zone policies at the device folder or device level.

  • Device Folder: The policies you define at a device folder override the Management Zone (and any parent device folders) and become the Zone policies for all devices contained within the folder structure, unless you specify different Zone policies for a subfolder or an individual device.

  • Device: The policies you define for an individual device override the Management Zone and device folder and become the Zone policies for the device.
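The evaluation order and the three override levels described above, modeled in Python as an added illustration (this is not the product's own logic). The setting names, folder paths and rule strings are hypothetical, and the model assumes that "unset" and "additive" are two separate cases in which the Zone policy contributes values.

```python
# Illustrative model only: setting names and data shapes are assumptions.
ADDITIVE = {"port_protocol_rules"}  # multi-valued settings the Zone policy adds to

def zone_policy_for(device, folder_overrides, zone_default):
    """Device override wins, then the nearest folder override, then the Management Zone."""
    if device.get("zone_override") is not None:
        return device["zone_override"]
    path = device["folder"]
    while path:  # walk from the device's folder up through its parent folders
        if path in folder_overrides:
            return folder_overrides[path]
        path = path.rpartition("/")[0]
    return zone_default

def apply_zone(effective, zone_policy):
    """Zone policy is evaluated last: it fills unset values and extends additive ones."""
    if effective is None:  # nothing assigned to the device or its user
        return dict(zone_policy)
    result = dict(effective)
    for key, zone_value in zone_policy.items():
        if key in ADDITIVE:
            current = result.get(key) or []
            result[key] = current + [r for r in zone_value if r not in current]
        elif result.get(key) is None:  # an already-set value is never overridden
            result[key] = zone_value
    return result

# Constructed sample data (hypothetical names and values).
ZONE = {"default_behavior": "stateful", "port_protocol_rules": ["tcp/22 deny"]}
FOLDERS = {"/Workstations/Lab": {"default_behavior": "all_closed",
                                 "port_protocol_rules": ["udp/161 deny"]}}
LAPTOP = {"folder": "/Workstations/Sales", "zone_override": None}
LAB_PC = {"folder": "/Workstations/Lab/Bench2", "zone_override": None}
# Effective policy already computed from user- and device-assigned policies.
ASSIGNED = {"default_behavior": None, "port_protocol_rules": ["tcp/3389 deny"]}

if __name__ == "__main__":
    for name, dev in (("laptop", LAPTOP), ("lab_pc", LAB_PC)):
        zone = zone_policy_for(dev, FOLDERS, ZONE)
        print(name, "unassigned ->", apply_zone(None, zone))
        print(name, "assigned   ->", apply_zone(ASSIGNED, zone))
```

Running the same model over an inventory export is a quick way to spot devices whose only Firewall settings come from the Zone policy.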

The following table provides instructions for adding and removing Zone policies:

Task: Add a policy

Steps:

  1. If you are adding Zone policies to a device or folder, click Override settings to activate the panel.

  2. Click Add, browse for and select the policy you want to add as a default policy, then click OK to add it to the list.

    Only published security policies are listed. You cannot add a sandbox version of a policy.

  3. After you finish adding default policies, click Apply to save the settings.

Additional Details:

While you are on the Zone Policy Settings page, you cannot view or modify a default policy. To view or modify a policy, you must go to the Policies tab.

If you modify a policy that you add as a default policy, the change is not reflected in the default policy. This is true even if you increment the policy version. To force the change to be recognized in the default policy, you must remove the default policy and add it again.

Task: Reorder policies

Steps:

  1. Select the check box next to the policy you want to move.

  2. Click Move Up to move it up in the list.

    or

    Click Move Down to move it down in the list.

Additional Details:

If you have two or more policies of the same type (for example, two Firewall policies) in the list, the order of the policies is important when determining the effective policy applied to a device.

The first policy listed has a higher priority than the second, the second a higher priority than the third, and so on. When inheritance rules are applied, the first policy’s settings take precedence over the second policy’s settings and so on.

Task: Remove a policy

Steps:

  1. Select the check box next to the policy name, then click Remove.

  2. Click OK to confirm removal of the policy.

 
