I am sure this is answered already, but I am confused about the order of security policy organization (and I am confused about the naming convention of what is a global policy, etc.).
So we have a zone:
    NOC {
        security {
            policies {
                from-zone <*> to-zone NOC-zone
                    bunch of permits with no deny
But we also have inter-zone policies, like:

    policies {
        from-zone untrust to-zone NOC-zone {
            bunch of permits, and at the end of that is a deny-all.
My question is: what is the order of application? Does the <*> get evaluated first, and then does it drop to the more specific policy?
Or does the <*> one override the more specific one? It seems to me that the <*> permits are evaluated even without a corresponding one in the more specific policy. For instance, an allow for http in the <*> works, even if there is no http permit in the more specific one.
I am sure I am over-analyzing this, but I want to know the exact rule.
...
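The question describes a zone-pair policy (from-zone untrust to-zone NOC-zone) alongside a catch-all (<*>) policy for the same destination zone; on a Junos SRX the catch-all form is a global policy, and the lookup order is documented as zone-pair policies first (first match, in configured order), then global policies (first match, in order), then the default-policy. The set-format configuration below is an added example written for this thread, not a configuration from the original poster; the zone names untrust and NOC-zone come from the post, while the policy, address and application names are assumptions.

```junos
# Added example for the lookup-order question (not from the original post).
# Assumed: Junos SRX, zones untrust and NOC-zone exist; policy names,
# address books and application names are placeholders.
# Lookup order on SRX: zone-pair policies -> global policies -> default-policy.

# Final fallback if nothing below matches.
set security policies default-policy deny-all

# Zone-pair policy: evaluated first for traffic untrust -> NOC-zone.
set security policies from-zone untrust to-zone NOC-zone policy allow-ssh match source-address any
set security policies from-zone untrust to-zone NOC-zone policy allow-ssh match destination-address any
set security policies from-zone untrust to-zone NOC-zone policy allow-ssh match application junos-ssh
set security policies from-zone untrust to-zone NOC-zone policy allow-ssh then permit

# Explicit deny at the end of the zone pair: anything that reaches this
# line is dropped here and never consults the global policies.
set security policies from-zone untrust to-zone NOC-zone policy deny-rest match source-address any
set security policies from-zone untrust to-zone NOC-zone policy deny-rest match destination-address any
set security policies from-zone untrust to-zone NOC-zone policy deny-rest match application any
set security policies from-zone untrust to-zone NOC-zone policy deny-rest then deny
set security policies from-zone untrust to-zone NOC-zone policy deny-rest then log session-init

# Global policy: the "from-zone <*> to-zone NOC-zone" case. It is only
# consulted for a zone pair that has no matching zone-pair policy.
set security policies global policy allow-http-to-noc match source-address any
set security policies global policy allow-http-to-noc match destination-address any
set security policies global policy allow-http-to-noc match from-zone any
set security policies global policy allow-http-to-noc match to-zone NOC-zone
set security policies global policy allow-http-to-noc match application junos-http
set security policies global policy allow-http-to-noc then permit
```

With this layout, HTTP from untrust to NOC-zone is matched by deny-rest in the zone pair and never reaches allow-http-to-noc, while HTTP from any other zone that has no zone-pair policy toward NOC-zone falls through to the global permit. That is the practical caveat with a broad global permit: it reaches the destination zone from every source zone that lacks its own terminating deny. To see which policy a given flow actually hits, rather than reasoning about it, run a lookup on the box, for example `show security match-policies from-zone untrust to-zone NOC-zone source-ip 203.0.113.10 destination-ip 192.0.2.20 source-port 40000 destination-port 80 protocol tcp` (addresses here are documentation ranges chosen for illustration), and compare `show security policies hit-count` before and after a test connection.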