Managing Firewall Rules with Tags

Create Tags that represent Firewall policies. Add rules to the Tags. After you set up a Tag, it functions as a policy - a set of rules in a specific order.

When you make a change to a rule with a tag, or change the order of rules that include rules with tags, all scopes that subscribe to the tag get the change.

Best Practice: Using tags to manage Firewall rules:

  1. Plan the primary Firewall Control policies that you want to enforce across your environment. Make a name for each policy. These names will be your tags.
  2. Create one catalog of rules in the highest scope that you have (usually Account or Site).
  3. Create tags.
  4. Review the rules and add tags to them.
  5. For each Site or Group select a the most appropriate Rule inheritance mode.
    • If all the Groups in a Site use the same firewall policy, put the rules at the Site level and and choose the Auto subscription Rule inheritance mode for the Groups.
    • If different Groups in a Site use different firewall policies, manage the policies with different tags in the catalog, choose the Manual Subscription Rule inheritance mode for each Group. Then select the tags that each Group inherits.
  6. Manage all rules and rule order from the catalog. All changes will be applied to the relevant Groups and Sites based on their tags.

Tag Behavior:

  • Users can manage tags in their scopes: edit, delete, add to rules.
  • Tags are per scope and cannot be linked to rules from different scopes.
  • The name of the tag must be unique per scope. For example, Site A and Site B in Account 1 can each have a tag called "Strict".
  • A tag name can be 2- 256 characters. It can include spaces and special characters
  • Creating Tags
  • Adding and Removing Tags from Rules
  • Managing Tags in the Firewall Settings