Why in 4.0 fw Network Security Policy< global rules there is the rule " Allow IP any destination address…" ?? (I don’t remember well the name, I came back to 3.14 for the moment ).
The default Global Rules changed with v4. They are now the same as the Global Rules for the Proactive Security in v3.x.
That means that all unsolicited incoming traffic will be blocked by default.
Outgoing traffic is allowed as we want to connect to the web in the first place. Blocking/handling outgoing traffic is done with application rules.
Outgoing traffic will first go through Application Rules and then through Global Rules.
I hope this explains it for you.