System Policy Rules are hidden rules that lie beneath the surface of the firewall policy on ISA and TMG firewalls. They are hidden by default, although you can reveal them by clicking the “Show/Hide System Policy” button in the firewall console.
The key thing about System Policy Rules is that they are processed before any other firewall policy rules. While you can’t create your own System Policy Rules, you can configure the existing ones.
Sometimes System Policy Rules are configured for you, based on specific tasks you carry out in the firewall console. For example, if you configure VPN networking on the firewall, System Policy Rules are configured to allow connections for the VPN protocols you specify.
That points to another key thing about System Policy Rules – they apply only to connections made to the firewall or from the firewall. System Policy Rules don’t apply to connections made through the firewall.
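Because System Policy Rules are hidden by default and are evaluated before anything you write yourself, it is worth auditing which of them are enabled. The following PowerShell script is an added example, not part of this post or of any Microsoft tooling; it assumes the ISA/TMG administration COM object model (`FPC.Root`, the `GetContainingArray` method, the array’s `SystemPolicy.PolicyRules` collection, and the `Name`, `Enabled`, `Action`, `Order` and `Description` rule properties), run on the firewall or a machine with the management console installed.

```powershell
# Audit the hidden System Policy Rules on an ISA/TMG firewall.
# Assumption: the FPC COM administration object model is available
# (firewall or management-console host). Property names below are
# assumed from that model; verify them against the SDK for your version.

$root  = New-Object -ComObject "FPC.Root"
$array = $root.GetContainingArray()

# System Policy Rules live in their own collection, separate from the
# ordinary firewall policy, which is why they are processed first.
$rules = $array.SystemPolicy.PolicyRules

# fpcPolicyRuleActionAllow = 0, fpcPolicyRuleActionDeny = 1 (assumed enum values)
$actionNames = @{ 0 = "Allow"; 1 = "Deny" }

$report = foreach ($rule in $rules) {
    [PSCustomObject]@{
        Order       = $rule.Order
        Name        = $rule.Name
        Enabled     = [bool]$rule.Enabled
        Action      = $actionNames[[int]$rule.Action]
        Description = $rule.Description
    }
}

# Show every rule in evaluation order, enabled ones first for review.
$report | Sort-Object Enabled -Descending, Order | Format-Table -AutoSize

# Defender's check: enabled Allow rules are the ones that open the
# firewall itself to traffic, so list them separately for sign-off.
$enabledAllow = $report | Where-Object { $_.Enabled -and $_.Action -eq "Allow" }
Write-Host ("{0} of {1} System Policy Rules are enabled Allow rules." -f `
    $enabledAllow.Count, $report.Count)
```

Compare the enabled Allow list against the administrative tasks (VPN, remote management, monitoring) you actually use, and disable anything the firewall no longer needs.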
Richard Hicks wrote a good blog post on ISA 2006 firewall System Policies that serves as a nice introduction.
Check out Richard’s System Policy primer here:
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer