Creating the Hub policy package
Complete the following tasks to configure the policy package for Hub devices:
- Create a policy package named Hub, and assign it to the Hubs device group. See Creating a Hub policy package.
- Create firewall policy rules for the Hub policy package. See Creating firewall policy rules.
See also Notes about the Hub policy package.
Creating a Hub policy package
Create a policy package named Hub, and assign the policy package to the Hubs device group.
To create a Hub policy package:
- In Policy & Objects, click Policy Package > New, and create a package named Hub.
- Select Policy Packages > Hub > Installation Targets, and click Edit to assign the package to the Hubs device group.
Creating firewall policy rules
Create firewall policy rules for the Hub policy package.
To create firewall policy rules:
- Go to Policy Packages > Hub > Firewall Policy.
- Click Create New to create the following firewall policy rules. All the rules should have Action set to Accept:
| Name | From | To | Src | Dst | Service | NAT |
|---|---|---|---|---|---|---|
| Edge-Edge | overlay, hub2hub_overlay | overlay, hub2hub_overlay | CORP_LAN | CORP_LAN | ALL | No |
| Edge-Hub | lan_zone, overlay, hub2hub_overlay | lan_zone, overlay, hub2hub_overlay | CORP_LAN | CORP_LAN | ALL | No |
| Internet (DIA) | lan_zone | underlay | all | all | ALL | Yes |
| Internet (RIA) | overlay | underlay | all | all | ALL | Yes |
| Health-Check | overlay | Lo-HC | all | all | PING | No |
| Peering | overlay, hub2hub_overlay | Lo | all | all | PING, BGP | No |
- In the Edge-Edge rule, configure the following Advanced Options:

| Parameter | Value |
|---|---|
| anti-replay | off |
| tcp-session-without-syn | all |

Keep in mind that the Edge devices secure the Edge-to-Edge traffic, so there is no need to repeat the same inspection on the Hub. Most Edge-to-Edge traffic will not even transit the Hub: it will use direct ADVPN shortcuts instead.
Furthermore, if network conditions change, the traffic can switch to another overlay and reach the Hub in the middle of a TCP session. Without the two Advanced Options above, the Hub would see packets with no matching session (no SYN, or a sequence number it cannot validate) and drop them. The options do not weaken security, because this Edge-to-Edge traffic is already fully inspected by the Edge devices, both when it flows through the Hub and when it does not.
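The rule table above is what FortiManager installs on the Hub; the equivalent FortiOS CLI is a useful way to review it before pushing, and to catch the mistakes most likely when re-typing the table by hand (NAT on the wrong rule, an accidental rule from the underlay, or the Edge-Edge rule missing its two Advanced Options). The following script is an added example, not code from the Fortinet guide: it encodes the page's six rules as data, renders the `config firewall policy` block (the Advanced Option shown as "anti-replay off" in the GUI is `set anti-replay disable` in the CLI), and lints the table against the intent described on this page. It assumes the zone, interface and address objects named on the page (overlay, hub2hub_overlay, lan_zone, underlay, Lo, Lo-HC, CORP_LAN) already exist on the Hub, as the guide's templates create them; the lint rules are this example's own checks, not FortiManager validation.

```python
"""Render the Hub firewall-policy table as FortiOS CLI and sanity-check it.

Added example, not taken from the Fortinet deployment guide. The rule table
is the one on this page; the CLI keywords (srcintf, dstintf, srcaddr, dstaddr,
service, nat, anti-replay, tcp-session-without-syn) are standard FortiOS
firewall-policy settings. Assumption: the zone, interface and address objects
(overlay, hub2hub_overlay, lan_zone, underlay, Lo, Lo-HC, CORP_LAN) already
exist on the Hub.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Zones that carry IPsec overlays (SD-WAN zone + the Hub-to-Hub System Zone).
OVERLAY_ZONES = {"overlay", "hub2hub_overlay"}


@dataclass
class Rule:
    name: str
    src: list[str]            # From (zones or interfaces)
    dst: list[str]            # To
    srcaddr: str
    dstaddr: str
    service: list[str]
    nat: bool
    advanced: dict[str, str] = field(default_factory=dict)  # extra "set k v" lines


# Rule table from the page; Action is Accept for every rule.
HUB_RULES = [
    Rule("Edge-Edge", ["overlay", "hub2hub_overlay"], ["overlay", "hub2hub_overlay"],
         "CORP_LAN", "CORP_LAN", ["ALL"], nat=False,
         advanced={"anti-replay": "disable", "tcp-session-without-syn": "all"}),
    Rule("Edge-Hub", ["lan_zone", "overlay", "hub2hub_overlay"],
         ["lan_zone", "overlay", "hub2hub_overlay"], "CORP_LAN", "CORP_LAN", ["ALL"], nat=False),
    Rule("Internet (DIA)", ["lan_zone"], ["underlay"], "all", "all", ["ALL"], nat=True),
    Rule("Internet (RIA)", ["overlay"], ["underlay"], "all", "all", ["ALL"], nat=True),
    Rule("Health-Check", ["overlay"], ["Lo-HC"], "all", "all", ["PING"], nat=False),
    Rule("Peering", ["overlay", "hub2hub_overlay"], ["Lo"], "all", "all", ["PING", "BGP"], nat=False),
]


def _q(items: list[str]) -> str:
    """Quote a list of names the way the FortiOS CLI expects: "a" "b"."""
    return " ".join(f'"{i}"' for i in items)


def render_cli(rules: list[Rule], first_id: int = 1) -> str:
    """Emit the equivalent 'config firewall policy' block, in table order."""
    out = ["config firewall policy"]
    for pid, r in enumerate(rules, first_id):
        out += [f"    edit {pid}",
                f'        set name "{r.name}"',
                f"        set srcintf {_q(r.src)}",
                f"        set dstintf {_q(r.dst)}",
                f'        set srcaddr "{r.srcaddr}"',
                f'        set dstaddr "{r.dstaddr}"',
                "        set action accept",
                '        set schedule "always"',
                f"        set service {_q(r.service)}",
                f"        set nat {'enable' if r.nat else 'disable'}"]
        out += [f"        set {k} {v}" for k, v in r.advanced.items()]
        out.append("    next")
    out.append("end")
    return "\n".join(out)


def lint(rules: list[Rule]) -> list[str]:
    """Flag deviations from the intent of the page's table (example checks)."""
    problems = []
    for r in rules:
        to_internet = "underlay" in r.dst
        # NAT belongs only on traffic leaving to the Internet (DIA / RIA).
        if to_internet != r.nat:
            problems.append(f"{r.name}: NAT must be enabled exactly for traffic to the underlay")
        # Nothing on the page accepts sessions initiated from the underlay.
        if "underlay" in r.src:
            problems.append(f"{r.name}: no rule should accept traffic from the underlay")
        # all/all with service ALL is only acceptable toward the Internet; the
        # other all/all rules on the page are restricted to PING or PING+BGP.
        if r.srcaddr == "all" and r.dstaddr == "all" and "ALL" in r.service and not to_internet:
            problems.append(f"{r.name}: all/all with service ALL outside the Internet rules")
        # Pure overlay-to-overlay transit (Edge-Edge) is inspected on the Edges
        # and may reach the Hub mid-session after an overlay switch, so it
        # needs the two Advanced Options the page prescribes.
        if set(r.src) <= OVERLAY_ZONES and set(r.dst) <= OVERLAY_ZONES:
            for k, v in (("anti-replay", "disable"), ("tcp-session-without-syn", "all")):
                if r.advanced.get(k) != v:
                    problems.append(f"{r.name}: needs 'set {k} {v}'")
    return problems


if __name__ == "__main__":
    print(render_cli(HUB_RULES))
    print("\n".join(lint(HUB_RULES)) or "# table consistent with the page")
```

Run it as-is to print the CLI for the six rules; edit `HUB_RULES` to mirror a change you intend to make in FortiManager and `lint()` will tell you whether the change still matches the design on this page (for instance, dropping NAT from Internet (RIA), or removing the Advanced Options from Edge-Edge, is reported).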
Notes about the Hub policy package
- Just like on the Edge policy package, we are using System Zones and SD-WAN Zones to keep the policy package generic. There is one additional System Zone here, named hub2hub_overlay, for the Hub-to-Hub overlays that interconnect different regions. Our Jinja CLI Template (Hub-MultiRegion) will configure it on the Hub devices.
- This Policy Package is ready to support Remote Internet Access, which is traffic arriving from the Edge devices through the overlays and directed to the Internet (underlay).
- This Firewall Policy also allows Direct Internet Access for the workloads hosted behind the Hub itself.
- We must explicitly allow the health-check probes that the Edge devices send to the Hub devices, as the Health-Check rule does.
- We must also explicitly allow incoming BGP sessions from the Edges and from the Hubs serving remote regions. In the BGP on loopback design method, all these BGP sessions are terminated on the main loopback interface named Lo. This is done in the Peering rule.
  In the BGP per overlay design method, only the inter-regional (Hub-to-Hub) BGP peering is terminated on the loopback interface. Hence, only the hub2hub_overlay zone is required in this rule.