Edge Policy Package
To create the Edge Policy Package interactively:
- In Policy & Objects, navigate to Policy Packages, and click Policy Package > New. Create a package named Edge.
- Under Installation Targets of the newly created Edge package, click Edit and assign the package to the Edge device group.
- Under Firewall Policy, click Create New to create the following firewall rules. For all rules, set Action to Accept:
| Name | From | To | Src | Dst | Service | NAT |
|---|---|---|---|---|---|---|
| Corporate | lan_zone, overlay | lan_zone, overlay | CORP_LAN | CORP_LAN | ALL | No |
| Internet (DIA) | lan_zone | underlay | all | all | ALL | Yes |
| Internet (RIA) | lan_zone | overlay | all | all | ALL | No |
| Health-Check | overlay | Lo | all | all | ALL | No |
Notes:
- The Normalized Interfaces for the SD-WAN Zones underlay and overlay were automatically created when we configured the SD-WAN Templates.
- The Normalized Interface for the LAN Zone (lan_zone) was created by us manually, and our Jinja Templates will create the corresponding System Zone on the Spokes.
- The Firewall Policies distinguish between Direct Internet Access (DIA, from the Spoke itself) and Remote Internet Access (RIA, through the Hub) and can apply different security features in each case. One common example shown above is Source NAT, which is applied only to traffic using DIA; RIA traffic is NATed by the Hub instead.
- In the "BGP on Loopback" design, Spokes probe each other's loopback interfaces (for the ADVPN Shortcut Monitoring feature). This must be explicitly permitted by Firewall Policies, as we do in the Health-Check rule. In the "BGP per Overlay" design, this rule is not required.
- It is highly recommended to enable Application Control, especially on the Firewall Policies controlling Internet traffic. For accurate application identification, it is also highly recommended to enable SSL Inspection. This is both for security reasons and for the SD-WAN functionality: Application Control is required for SD-WAN application-aware traffic steering and is also used to populate SD-WAN widgets and reports.
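The same four policies expressed as FortiOS CLI, added here as an example and not taken from the original page or from the project's own templates. Installing the Edge package from FortiManager produces equivalent objects on each Spoke; the CLI form makes explicit which settings differ between DIA and RIA (NAT) and where the recommended Application Control and SSL Inspection attach. The interface, zone and address names come from the table above; the `deep-inspection` SSL/SSH profile and `default` Application Control list are assumed example profile names (both ship with FortiOS, but any profile of your own can be substituted).

```fortios
# Added example: Edge policy package as FortiOS CLI (assumed equivalent of the GUI steps above)
config firewall policy
    edit 1
        set name "Corporate"
        # Site-to-site and LAN-to-LAN traffic; overlay is the SD-WAN zone created by the SD-WAN Template,
        # lan_zone is the System Zone created by the Jinja Templates on each Spoke
        set srcintf "lan_zone" "overlay"
        set dstintf "lan_zone" "overlay"
        set srcaddr "CORP_LAN"
        set dstaddr "CORP_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 2
        set name "Internet (DIA)"
        # Direct Internet Access leaves via the underlay, so the Spoke performs Source NAT itself
        set srcintf "lan_zone"
        set dstintf "underlay"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # Recommended on Internet policies: Application Control needs SSL Inspection for accurate identification
        # (profile names "deep-inspection" and "default" are assumed examples)
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set application-list "default"
        set nat enable
    next
    edit 3
        set name "Internet (RIA)"
        # Remote Internet Access is steered across the overlay; NAT is left to the Hub
        set srcintf "lan_zone"
        set dstintf "overlay"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set application-list "default"
        set nat disable
    next
    edit 4
        set name "Health-Check"
        # "BGP on Loopback" design only: permits other Spokes' ADVPN shortcut-monitoring probes
        # arriving over the overlay to reach this Spoke's loopback (Lo). Omit in "BGP per Overlay".
        set srcintf "overlay"
        set dstintf "Lo"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

Policy order matters for the two Internet rules only in that both must come after Corporate, so that CORP_LAN destinations are never matched by the catch-all `all` destination of the Internet policies; the DIA and RIA rules themselves are disambiguated by their destination zone (underlay versus overlay), which SD-WAN steering selects.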