Policies contain the rules that control how the firewall inspects, allows, or denies network traffic.

Each firewall is associated with a single policy, but a policy can be associated with many firewalls. Policies are empty when you create them. After you create a policy, create lists of addresses, URLs, applications, and services that you can use to create rules. See Policy Components for more information.


Although creating policy components and rules is optional, a policy must have at least one rule. Otherwise, any firewall associated with the policy denies all network traffic.

To create a network firewall, you must have at least one network firewall policy that you can attach to the firewall. If you're using the Console, you can create a policy as part of the create firewall workflow. You can configure the policy's rule components and rules after you create it. If you're using the API or CLI, you must create a policy first, and then create the firewall.