Configuring firewall policies
While SD-WAN rules define where the traffic should flow, the firewall policy defines whether the traffic is permitted to flow and how traffic should be inspected.
This topic describes how to create the following policy packages with firewall policies:
- A policy package named Branches-PP for spoke devices
- A policy package named DataCenter-PP for hub devices
After you create each policy package, assign it to its target devices and install it.
With the introduction of the SD-WAN Zones concept, it is no longer possible to use individual tunnel interfaces in firewall policies. The members must be grouped into SD-WAN Zones, and those zones are used in the policies. We have assigned all our SD-WAN members to the newly created zone named overlay, which automatically created a corresponding normalized interface. Use that normalized interface in the policies.
To create a policy package and firewall policy rules for spokes:
- Go to Policy & Objects > Policy Packages.
- Create a policy package for spoke devices:
- Click Policy Package > New. The Create New Policy Package dialog box is displayed.
- In the Name box, type a name, such as Branches-PP.
- Leave Central NAT toggled OFF.
- Beside NGFW Mode, select Profile-based.
- Click OK. The policy package is created.
- In the tree menu, select the policy package for spokes (for example, Branches-PP). The firewall policies in the policy package are displayed.
- Add firewall policies to the policy package:
- In the toolbar, click Create New. The Create New Firewall Policy pane is displayed.
- Create the following policy for spokes, and click OK.

| Name | From | To | Src | Dst | Service | NAT | Action |
|---|---|---|---|---|---|---|---|
| Corporate | vl_lan, overlay | overlay, vl_lan | CORP_LAN | CORP_LAN | All | No | Accept |

The rule is added to the policy package.
- Set the installation targets to spoke devices, and install the policy package.
To create a policy package and firewall policy rules for hubs:
- Go to Policy & Objects > Policy Packages.
- Create a policy package for hub devices:
- Click Policy Package > New. The Create New Policy Package dialog box is displayed.
- In the Name box, type a name, such as DataCenter-PP.
- Leave Central NAT toggled OFF.
- Beside NGFW Mode, select Profile-based.
- Click OK. The policy package is created.
- In the tree menu, select the policy package for hubs (for example, DataCenter-PP). The firewall policies in the policy package are displayed.
- Add firewall policies to the policy package:
- In the toolbar, click Create New. The Create New Firewall Policy pane is displayed.
- Create the following policies for hubs, and click OK.

| Name | From | To | Src | Dst | Service | NAT | Action |
|---|---|---|---|---|---|---|---|
| Branch to Branch | OL_INET, OL_MPLS | OL_INET, OL_MPLS | all | all | All | No | Accept |
| Branch to DC | OL_INET, OL_MPLS | vl_lan | all | all | All | No | Accept |
| Health-check | OL_INET, OL_MPLS | any | all | HC | PING | No | Accept |

On the hub devices, individual interfaces are used in the firewall policy because SD-WAN is not configured on the hubs; as a result, there are no SD-WAN zones either.
Incoming health probes must also be explicitly permitted, because traffic towards the loopback interface is not permitted by default. The Health-check rule therefore allows only PING from the overlay interfaces to the HC loopback address, rather than opening the loopback to all services.
- Set the installation targets to hub devices, and install the policy package.
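The spoke and hub policies from the two tables above, written out as the FortiOS CLI equivalent of what FortiManager pushes to the devices. This is an added illustration, not output from the page or from FortiManager; it assumes the zone, interface and address objects named in the tables (overlay, vl_lan, OL_INET, OL_MPLS, CORP_LAN, HC) already exist on the device, and uses `edit 0` so FortiOS assigns the next free policy ID. NAT is disabled by default, so it is set explicitly only on the spoke rule.

```fortios
# --- Spoke (Branches-PP): one bidirectional LAN <-> overlay rule ---
# "overlay" is the SD-WAN zone; individual tunnel members cannot be referenced here.
config firewall policy
    edit 0
        set name "Corporate"
        set srcintf "vl_lan" "overlay"
        set dstintf "overlay" "vl_lan"
        set srcaddr "CORP_LAN"
        set dstaddr "CORP_LAN"
        set service "ALL"
        set schedule "always"
        set action accept
        set nat disable
    next
end
# --- Hub (DataCenter-PP): plain overlay interfaces, no SD-WAN zones on the hub ---
config firewall policy
    edit 0
        set name "Branch to Branch"
        set srcintf "OL_INET" "OL_MPLS"
        set dstintf "OL_INET" "OL_MPLS"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action accept
    next
    edit 0
        set name "Branch to DC"
        set srcintf "OL_INET" "OL_MPLS"
        set dstintf "vl_lan"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action accept
    next
    # Loopback traffic is denied by default: permit only ICMP probes to the HC address,
    # so the health-check rule does not become a catch-all entry to the hub itself.
    edit 0
        set name "Health-check"
        set srcintf "OL_INET" "OL_MPLS"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "HC"
        set service "PING"
        set schedule "always"
        set action accept
    next
end
```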