Firewall policies should govern which aspects?

Firewall policies define what traffic should be allowed or blocked and specify how the firewall should be configured to enforce that behavior, as well as how to verify it works. Because the policy lays out both the intended security posture and the means to implement and check it, it must govern both configuration details (rule sets, interfaces, zones, NAT, logging) and testing activities (verification, audits, validation tests, ongoing monitoring). If you focus only on configuration, you might deploy the right rules but not prove they actually enforce the policy; if you focus only on testing, you might validate behavior without ensuring the device is configured to enforce it. In practice, the policy guides both how the firewall is set up and how it is tested to ensure compliance.