I'm looking for some clarification on how the firewall rules work if you have multiple policies.
As an example:
I have a VLAN and the default internal interface. I have a policy set up for the VLAN and a rule to apply the policy to the VLAN (Source Interface = VLAN). The VLAN policy also uses the default policy as its parent. It doesn't have any of its own apps installed.
Now say I set a firewall rule in the default policy's firewall that blocks Source Interface = VLAN and Destination = Any non-WAN interface. At this point all traffic from VLAN to Internal interface is blocked.
Now I add a firewall to the VLAN's policy with no rules. At this point traffic will freely flow between the VLAN and the internal interface even though the firewall in the default policy is set to block it?
If a rule applies, only the apps for that policy get applied, even if the destination (in this case the internal interface) has its own policies/firewall rules? I'd like to make sure I understand how this works so I set up my firewall rules correctly. I had expected that both firewalls would run (the default and the one for the VLAN) because the traffic is coming from the VLAN and going to the internal interface. But that doesn't appear to be the case.
I know I can use the filters to block access between interfaces/VLANs. The reason I am using the firewall instead is I like seeing in the report what is getting blocked.