Predefined rules for firewall policies

When you create a hierarchical firewall policy, a global network firewall policy, or a regional network firewall policy, Cloud NGFW adds predefined rules to the policy. The predefined rules that Cloud NGFW adds to the policy depend on how you create the policy.

Types of predefined rules

If you create a firewall policy using the Cloud de Confiance console, Cloud NGFW adds the following rules to the new policy:

  1. Goto-next rules for private IPv4 ranges
  2. Predefined geolocation deny rules
  3. Lowest possible priority goto-next rules

If you create a firewall policy using the Google Cloud CLI or the API, Cloud NGFW adds only the lowest possible priority goto-next rules to the policy.

All predefined rules in a new firewall policy purposefully use low priorities (large priority numbers) so you can override them by creating ingress or egress rules with higher priorities. Except for the lowest possible priority goto-next rules, you can also customize the predefined rules.

Goto-next rules for private IPv4 ranges

  • An egress rule with destination IPv4 ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, priority 1000, and goto_next action.

  • An ingress rule with source IPv4 ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, priority 1001, and goto_next action.

Predefined geolocation deny rules

  • An ingress rule with source matching geolocations CU, IR, KP, SY, XC, and XD, priority 1005, and deny action.

To learn more about geolocations, see Geolocation objects.

Lowest possible priority goto-next rules

You cannot modify or delete the following rules:

  • An egress rule with destination IPv6 range ::/0, priority 2147483644, and goto_next action.

  • An ingress rule with source IPv6 range ::/0, priority 2147483645, and goto_next action.

  • An egress rule with destination IPv4 range 0.0.0.0/0, priority 2147483646, and goto_next action.

  • An ingress rule with source IPv4 range 0.0.0.0/0, priority 2147483647, and goto_next action.
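The following Python model is an added example, not code from Cloud NGFW or its documentation. It encodes the predefined rules listed above (the private-range goto-next rules, the geolocation deny rule, and the four locked lowest-priority goto-next rules) and evaluates constructed packets against them in priority order, showing why a user-created rule with a higher priority (smaller number) overrides the geolocation deny, why the locked rules cannot be removed, and how goto_next hands evaluation to the next policy level. The `Packet.geo` field is an assumption that stands in for the geolocation Cloud NGFW derives from the source address; the uniqueness check in `add_rule` reflects the requirement that rule priorities be unique within a policy.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

GOTO_NEXT, DENY, ALLOW = "goto_next", "deny", "allow"
LOWEST_PRIORITY = 2147483647  # largest 32-bit signed int; evaluated last


@dataclass(frozen=True)
class Rule:
    direction: str                 # "ingress" or "egress"
    priority: int                  # smaller number = evaluated first
    action: str                    # allow, deny or goto_next
    ip_ranges: Tuple[str, ...] = ()  # source ranges (ingress) / destination ranges (egress)
    geolocations: Tuple[str, ...] = ()  # source country codes; empty = not a geo rule
    locked: bool = False           # lowest-priority goto-next rules cannot be modified/deleted


@dataclass
class Packet:
    direction: str
    ip: str                        # source IP for ingress, destination IP for egress
    geo: Optional[str] = None      # constructed: country the source IP is geolocated to


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet satisfies the rule's match condition."""
    if rule.direction != pkt.direction:
        return False
    if rule.geolocations:
        return pkt.direction == "ingress" and pkt.geo in rule.geolocations
    addr = ip_address(pkt.ip)
    # `in` is False across IP versions, so ::/0 never matches an IPv4 address
    return any(addr in ip_network(r) for r in rule.ip_ranges)


def lowest_priority_rules() -> List[Rule]:
    """The four rules every new policy gets, regardless of how it was created."""
    return [
        Rule("egress", LOWEST_PRIORITY - 3, GOTO_NEXT, ("::/0",), locked=True),
        Rule("ingress", LOWEST_PRIORITY - 2, GOTO_NEXT, ("::/0",), locked=True),
        Rule("egress", LOWEST_PRIORITY - 1, GOTO_NEXT, ("0.0.0.0/0",), locked=True),
        Rule("ingress", LOWEST_PRIORITY, GOTO_NEXT, ("0.0.0.0/0",), locked=True),
    ]


def console_predefined_rules() -> List[Rule]:
    """Rules added when the policy is created through the console."""
    private = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
    return [
        Rule("egress", 1000, GOTO_NEXT, private),
        Rule("ingress", 1001, GOTO_NEXT, private),
        Rule("ingress", 1005, DENY, geolocations=("CU", "IR", "KP", "SY", "XC", "XD")),
        *lowest_priority_rules(),
    ]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, priority) of the first matching rule in priority order.

    A goto_next result means this policy made no decision and evaluation
    continues at the next level (lower policy or VPC firewall rules)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, pkt):
            return rule.action, rule.priority
    raise AssertionError("unreachable: the 0.0.0.0/0 and ::/0 rules match everything")


def add_rule(rules: List[Rule], rule: Rule) -> List[Rule]:
    """Add a rule; priorities must be unique within a policy."""
    if any(r.priority == rule.priority for r in rules):
        raise ValueError(f"priority {rule.priority} already in use")
    return rules + [rule]


def delete_rule(rules: List[Rule], priority: int) -> List[Rule]:
    """Delete a rule by priority; the locked goto-next rules are refused."""
    target = next(r for r in rules if r.priority == priority)
    if target.locked:
        raise ValueError("lowest-priority goto-next rules cannot be deleted")
    return [r for r in rules if r.priority != priority]


if __name__ == "__main__":
    policy = console_predefined_rules()
    print(evaluate(policy, Packet("ingress", "10.1.2.3")))            # ('goto_next', 1001)
    print(evaluate(policy, Packet("ingress", "203.0.113.5", geo="IR")))  # ('deny', 1005)
    # A higher-priority allow for a constructed partner range overrides the geo deny
    policy = add_rule(policy, Rule("ingress", 900, ALLOW, ("203.0.113.0/24",)))
    print(evaluate(policy, Packet("ingress", "203.0.113.5", geo="IR")))  # ('allow', 900)
```

Running the module shows the private-range packet falling through at priority 1001, the geolocated packet denied at 1005, and the same packet allowed once a priority-900 rule is added; traffic matching nothing else reaches the locked 0.0.0.0/0 or ::/0 rules and is passed on with goto_next.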
