How block and allow Overlay policies interact

Understand how overlay policies behave when you combine block and allow policies.

Default deny
Trust policy follows a strict secure-by-default approach. For two devices to be allowed to communicate across the overlay, there must be at least one overlay network that has trust policy between the two devices. This policy can be either between the individual device IPs or policy between network objects that include the device IPs.
Overlay policies are additive among all overlay networks
The complete set of overlay policies for a Conductor deployment is the union of all policies from each overlay network ignoring disabled overlay networks as well as disabled Airwall Edge Services or Airwall groups and devices/device groups.
Bypass device policies work the same as policies for normal devices
The main difference between normal and bypass devices is that bypass devices have no fixed Airwall ownership. Any Airwall with a bypass port can become the egress point of a bypass device depending on the peer device that sends packets to it. For policy enforcement, it makes no difference.
Block policies override normal policies
Block policies take system-wide precedence over allow policies. If two devices have block policies in any overlay, the block policy overrides all allow policies that might exist for the same two devices. Note that this is true even if the block policy is using less-specific network objects.


  • Overlay 1 has allow policy between two network objects and
  • Overlay 2 has a block policy between and
  • This configuration results in traffic being blocked between all IPs from the block policy – including those from the more specific allow rule.
Policies are tied to the Airwall Gateways that own the respective network objects
This rule is intuitive if there are only allow policies, but it can lead to surprising results when allow- and block policies are present. As an example, consider the following scenario:
  • Airwall 1 has a device
  • Airwall 2 has a network object
  • Airwall 3 has a network object
  • Allow policy between and
  • Block policy between and

Result: Any traffic from to any IP included in will be allowed, because the Airwall that owns the network object (Airwall 3) associated with the block policy is different from the Airwall that has the allow policy (Airwall 2). If both network objects were owned by Airwall 2, the block policy would apply and prevent network communications.