Configuring a Zone-Based Firewall

The purpose of this Use Case, based on "Use Case 1", is to create a zone-based firewall in order to:

strengthen the segmentation of your private network by controlling which sites/subnets may communicate with one another
steer Internet traffic, i.e. the connection from a site/subnet to an application, by backhauling it (bh) through the Data Center, sending it directly to the Internet (dti), forwarding it via a web security gateway (wsg), or simply dropping it.

Zone-based firewall policies are configured globally for the network; the SD-WAN Orchestrator then translates each global policy into a local routing/firewalling rule for each involved ip|engine.

Warning: every spoke ip|engine in the Network must have at least one WAN interface that is eligible for DTI or backhauling; otherwise it cannot reach the Applications and Monitoring functions.

The Internet Access management function of the zone-based firewall has an impact on DWS, because that service must select an interface that is eligible for enforcing the policy (for example, it cannot select an MPLS interface for traffic that is Direct to Internet). Refer to "Internet Access Policies".

"Defining VPN Zones"

"Setting VPN Segmentation Policies"

"Defining Application Sets"

"Setting Internet Access Policies"

Use Case 11

Accessing the Zone-Based Firewall function

Select Network -> Zone-Based Firewall from the Orchestrator main menu.

In the two windows that open, VPN Segmentation Policies and Internet Access Policies, click Add to open the corresponding forms. To create a zone-based firewall, you must define:

1 the VPN zones that group your private sites and/or subnets; every subnet must lie within a private IP address range
2 the segmentation policies between VPN zones, i.e. whether two zones are allowed to communicate with one another
3 the application sets that group your Internet applications, defined either from the SaaS dictionary or by protocol and port
4 the Internet Access policies that govern traffic between a VPN zone and an application set: whether the traffic is allowed and, if so, by which method (DTI, WSG or backhauling).
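The following Python model is an added example, not Orchestrator code or its API. It builds the four objects listed above (VPN zones, segmentation policies, application sets, Internet Access policies) and then does what the text says the Orchestrator does: translates the global policy into per-ip|engine rules. It also applies the two constraints this page states, namely that zone subnets must be private and that an ip|engine can only enforce a DTI, backhaul or WSG policy on a WAN interface eligible for that method (so an MPLS link that only backhauls is never chosen for DTI). The object shapes, the RFC 1918 reading of "private", the interface eligibility sets and the sample configuration are all assumptions.

```python
"""Toy compiler for a zone-based firewall policy (added example, not Orchestrator code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple, Union

# The page only says "private IP address range"; reading that as RFC 1918 is our assumption.
RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
METHODS = ("dti", "bh", "wsg", "drop")  # direct to Internet, backhaul, web security gateway, drop
Rule = Tuple[str, str, str, str, Optional[str]]  # (kind, src, dst, action/method, wan interface)


def is_private_subnet(cidr: str) -> bool:
    net = ipaddress.ip_network(cidr)
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)


@dataclass(frozen=True)
class Zone:            # step 1: a VPN zone grouping private subnets
    name: str
    subnets: Tuple[str, ...]


def make_zone(name: str, subnets: List[str]) -> Zone:
    for s in subnets:
        if not is_private_subnet(s):
            raise ValueError(f"zone {name}: {s} is not a private subnet")
    return Zone(name, tuple(subnets))


@dataclass(frozen=True)
class AppSet:          # step 3: protocol/port form only (SaaS dictionary omitted)
    name: str
    ports: FrozenSet[Tuple[str, int]]


@dataclass
class Engine:          # an ip|engine and the methods each WAN interface is eligible for (assumed shape)
    name: str
    zone: str
    wan: Dict[str, FrozenSet[str]]


@dataclass
class GlobalPolicy:
    zones: Dict[str, Zone]
    segmentation: Dict[FrozenSet[str], bool]     # step 2: unordered zone pair -> allowed; default deny
    app_sets: Dict[str, AppSet]
    internet_access: Dict[Tuple[str, str], str]  # step 4: (zone, app set) -> method

    def zones_may_talk(self, a: str, b: str) -> bool:
        return self.segmentation.get(frozenset((a, b)), False)


def has_internet_path(engine: Engine) -> bool:
    """The page's warning: a spoke needs a WAN interface eligible for DTI or backhauling."""
    return any(m in ("dti", "bh") for ms in engine.wan.values() for m in ms)


def pick_interface(engine: Engine, method: str) -> Optional[str]:
    """Only an interface eligible for the method qualifies (no MPLS for DTI)."""
    return next((i for i, ms in engine.wan.items() if method in ms), None)


def compile_for_engine(policy: GlobalPolicy, engine: Engine) -> List[Rule]:
    if not has_internet_path(engine):
        raise ValueError(f"{engine.name}: no WAN interface eligible for DTI or backhauling")
    local, rules = policy.zones[engine.zone], []
    for other in policy.zones.values():           # segmentation -> VPN allow/deny rules
        if other.name == engine.zone:
            continue                              # intra-zone traffic left alone (assumption)
        action = "allow" if policy.zones_may_talk(engine.zone, other.name) else "deny"
        rules += [("vpn", src, dst, action, None) for src in local.subnets for dst in other.subnets]
    for (zone, app), method in policy.internet_access.items():  # Internet access -> steering rules
        if zone != engine.zone:
            continue
        if method not in METHODS:
            raise ValueError(f"unknown method {method}")
        iface = None if method == "drop" else pick_interface(engine, method)
        if method != "drop" and iface is None:
            raise ValueError(f"{engine.name}: no WAN interface eligible for {method}")
        for proto, port in sorted(policy.app_sets[app].ports):
            rules += [("internet", src, f"{proto}/{port}", method, iface) for src in local.subnets]
    return rules


def compile_network(policy: GlobalPolicy, engines: List[Engine]) -> Dict[str, Union[List[Rule], str]]:
    """Per-engine rule lists; an engine that cannot enforce the policy gets an error string."""
    out: Dict[str, Union[List[Rule], str]] = {}
    for eng in engines:
        try:
            out[eng.name] = compile_for_engine(policy, eng)
        except ValueError as exc:
            out[eng.name] = str(exc)
    return out


def example_policy() -> GlobalPolicy:
    """Constructed sample configuration, not taken from any real deployment."""
    zones = {z.name: z for z in (make_zone("hq", ["10.1.0.0/16"]),
                                 make_zone("branches", ["10.2.0.0/16", "10.3.0.0/16"]),
                                 make_zone("guest", ["192.168.0.0/16"]))}
    return GlobalPolicy(zones=zones,
                        segmentation={frozenset(("hq", "branches")): True},  # guest: no entry -> deny
                        app_sets={"web": AppSet("web", frozenset({("tcp", 80), ("tcp", 443)}))},
                        internet_access={("branches", "web"): "wsg", ("guest", "web"): "dti"})


def example_engines() -> List[Engine]:
    return [Engine("branch1", "branches", {"inet": frozenset({"dti", "wsg"}), "mpls": frozenset({"bh"})}),
            Engine("branch2", "branches", {"mpls": frozenset({"bh"})}),  # has a path, but cannot do WSG
            Engine("kiosk", "guest", {"lte": frozenset({"wsg"})})]       # violates the DTI/bh warning


if __name__ == "__main__":
    for name, res in compile_network(example_policy(), example_engines()).items():
        print(name, res if isinstance(res, str) else f"{len(res)} rules")
```

Running it shows branch1 receiving eight rules (two allow and two deny VPN rules, four WSG steering rules pinned to its "inet" interface), while branch2 and kiosk are rejected at compile time rather than silently getting a policy they cannot enforce, which is the behaviour the warning above is about.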

Refer to the following sections for detailed explanations.