7.0.0

Creating the Hub policy package

Complete the following tasks to configure the policy package for Hub devices:

  1. Create a policy package named Hub, and assign it to the Hubs device group. See Creating a Hub policy package.
  2. Create firewall policy rules for the Hub policy package. See Creating firewall policy rules.

See also Notes about the Hub policy package.

Creating a Hub policy package

Create a policy package named Hub, and assign the policy package to the Hubs device group.

To create a Hub policy package:
  1. In Policy & Objects, click Policy Package > New, and create a package named Hub:

  2. Select Policy Packages > Hub > Installation Targets, and click Edit to assign the package to the Hubs device group.

Creating firewall policy rules

Create firewall policy rules for the Hub policy package.

To create firewall policy rules:
  1. Go to Policy Packages > Hub > Firewall Policy.
  2. Click Create New to create the following firewall policy rules. All the rules should have Action set to Accept:

    Name           | From                               | To                                 | Src      | Dst      | Service   | NAT
    Edge-Edge      | overlay, hub2hub_overlay           | overlay, hub2hub_overlay           | CORP_LAN | CORP_LAN | ALL       | No
    Edge-Hub       | lan_zone, overlay, hub2hub_overlay | lan_zone, overlay, hub2hub_overlay | CORP_LAN | CORP_LAN | ALL       | No
    Internet (DIA) | lan_zone                           | underlay                           | all      | all      | ALL       | Yes
    Internet (RIA) | overlay                            | underlay                           | all      | all      | ALL       | Yes
    Health-Check   | overlay                            | Lo-HC                              | all      | all      | PING      | No
    Peering        | overlay, hub2hub_overlay           | Lo                                 | all      | all      | PING, BGP | No

  3. In the Edge-Edge rule, configure the following Advanced Options:

    Parameter               | Value
    anti-replay             | off
    tcp-session-without-syn | all

    Note

    Keep in mind that the Edge devices will secure the Edge-to-Edge traffic. Hence, there is no need to repeat the same inspection on the Hub. Especially considering that most of the Edge-to-Edge traffic will not even transit the Hub—it will use direct ADVPN shortcuts instead!

    Furthermore, if network conditions change, the traffic can switch to another overlay and reach the Hub in the middle of the TCP session. In order to avoid traffic drop in this situation, the above Advanced Options are necessary. The advanced options do not compromise the security, because this Edge-to-Edge traffic is already fully inspected by the Edge devices both when the traffic flows through the Hub and when it doesn't.
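As an added check (not part of this guide or of the Fortinet product), the Python below parses a constructed FortiOS-style excerpt of the Hub policies and flags any rule that turns off anti-replay or enables tcp-session-without-syn without being confined to the overlay zones, which is the condition the note above relies on; the CLI keys anti-replay and tcp-session-without-syn are assumed to be the CLI names of the two Advanced Options in the table, and the sample config is constructed to mirror the rule table, not taken from a device.

```python
import shlex

# Constructed sample modelled on the Hub rule table above (not a real device config).
# Policy 4 deliberately carries the relaxed TCP option on an Internet-bound rule so the check has something to flag.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set name "Edge-Edge"
        set srcintf "overlay" "hub2hub_overlay"
        set dstintf "overlay" "hub2hub_overlay"
        set anti-replay disable
        set tcp-session-without-syn all
    next
    edit 4
        set name "Internet (RIA)"
        set srcintf "overlay"
        set dstintf "underlay"
        set nat enable
        set tcp-session-without-syn all
    next
end
"""

# Zones on which Edge-to-Edge traffic has already been inspected by the Edge devices.
OVERLAY_ZONES = {"overlay", "hub2hub_overlay"}


def parse_policies(text):
    """Return {policy name: {setting: [values]}} for each edit/next block in the excerpt."""
    policies, current = {}, None
    for line in text.splitlines():
        tok = shlex.split(line) or [""]          # shlex keeps "Internet (RIA)" as one token
        if tok[0] == "edit":
            current = {}
        elif tok[0] == "set" and current is not None:
            current[tok[1]] = tok[2:]             # multi-value settings keep every value
        elif tok[0] == "next" and current is not None:
            policies[current.get("name", ["?"])[0]] = current
            current = None
    return policies


def relaxed_outside_overlay(policies):
    """Names of rules that relax replay/SYN checks but are not overlay-to-overlay only."""
    flagged = []
    for name, p in policies.items():
        relaxed = (p.get("anti-replay", ["enable"])[0] == "disable"
                   or p.get("tcp-session-without-syn", ["disable"])[0] != "disable")
        overlay_only = (set(p.get("srcintf", [])) <= OVERLAY_ZONES
                        and set(p.get("dstintf", [])) <= OVERLAY_ZONES)
        if relaxed and not overlay_only:
            flagged.append(name)
    return flagged
```

Running relaxed_outside_overlay(parse_policies(SAMPLE_CONFIG)) returns ['Internet (RIA)'], while the Edge-Edge rule passes because both of its interface lists stay inside the overlay zones.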

Notes about the Hub policy package

  • Just like on the Edge policy package, we are using System Zones and SD-WAN Zones to keep the policy package generic. There is one additional System Zone here, named hub2hub_overlay, for the Hub-to-Hub overlays that interconnect different regions. Our Jinja CLI Template (Hub-MultiRegion) will configure it on the Hub devices.
  • This Policy Package is ready to support Remote Internet Access, which is traffic arriving from the Edge devices through the overlays and directed to the Internet (underlay).
  • This Firewall Policy also allows Direct Internet Access for the workloads hosted behind the Hub itself.
  • We must explicitly allow health-check probes that the Edge devices will send to the Hub devices, as it is done in the Health-Check rule.
  • We must also explicitly allow incoming BGP sessions from the Edges and from the Hubs serving remote regions. (In the BGP on loopback design method, all these BGP sessions will be terminated on the main loopback interface named Lo.) This is done in the Peering rule.
Note

In the BGP per overlay design method, only the inter-regional (Hub-to-Hub) BGP peering is terminated on the loopback interface. Hence, only the hub2hub_overlay zone is required in this rule.
