Updating firewall policies
Let’s now add firewall policies to permit Internet traffic. Different treatment is required, depending on whether it is DIA or RIA:
- For DIA, since the traffic leaves our network directly from the Branch, we must ensure advanced protection. In this lab, we are going to apply full SSL inspection (while this alone is not particularly advanced, it is enough to demonstrate our point). In addition, this traffic must be NATed on the Spokes.
- For RIA, the traffic is backhauled via the DC, so advanced security can be applied there, as it would be in a legacy network. In this lab, RIA traffic leaves our network via the Hub, so we are going to apply full SSL inspection on the Hub, but not on the Spokes. In addition, this traffic must be NATed on the Hubs, but not on the Spokes.
After you update the policy packages, install them.
We must enable Application Control on all these firewall rules, since our SD-WAN rules rely on it!
To create a policy package and firewall policy rules for spokes:
- Go to Policy & Objects > Policy Packages.
- In the tree menu, select the policy package for spokes, for example, Branches-PP. The firewall policies in the policy package are displayed.
- Add policies to the firewall policy:
  - In the toolbar, click Create New. The Create New Firewall Policy pane is displayed.
  - Create the following policies for spokes, and click OK.

| Name | From | To | Service | NAT | Action |
|------|------|----|---------|-----|--------|
| DIA | vl_lan | underlay | ALL | Yes | Accept + App Control + SSL deep-inspection |
| RIA | vl_lan | overlay | ALL | No | Accept + App Control |
SD-WAN Zones on Spokes are used to configure different treatment for the traffic flowing to underlay versus overlay. Remember that this is exactly the same type of traffic; the actual path for each session is determined by the SD-WAN rules.
The rules are added to the firewall policy.
- Install the policy package.
To create a policy package and firewall policy rules for hubs:
- Go to Policy & Objects > Policy Packages.
- In the tree menu, select the policy package for hubs, for example, DataCenter-PP. The firewall policies in the policy package are displayed.
- Add policies to the firewall policy:
  - In the toolbar, click Create New. The Create New Firewall Policy pane is displayed.
  - Create the following policy for hubs, and click OK.

| Name | From | To | Service | NAT | Action |
|------|------|----|---------|-----|--------|
| Branch RIA | OL_MPLS | port1 | ALL | Yes | Accept + App Control + SSL deep-inspection |
- Install the policy package.
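For reference, here is the FortiOS CLI equivalent of the three policies in the spoke and hub tables above, as they would appear on a Spoke and on the Hub after the policy packages are installed. This is an added example, not configuration taken from the lab or from FortiManager output: the policy IDs (1, 2, 10) are arbitrary, and the profile names "deep-inspection" (the FortiOS default SSL/SSH profile) and "default" (the FortiOS default Application Control list) are assumptions; the interface and zone names come from the tables.

```text
# Added example: FortiOS CLI view of the lab policies. Policy IDs and the
# profile names "deep-inspection" / "default" are assumptions.

# --- Spoke (Branches-PP) ---
config firewall policy
    # DIA: breaks out locally via the underlay zone, so full SSL
    # inspection and NAT are applied here on the Spoke.
    edit 1
        set name "DIA"
        set srcintf "vl_lan"
        set dstintf "underlay"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set application-list "default"
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
    # RIA: backhauled over the overlay zone. Application Control stays on
    # because the SD-WAN rules rely on it, but there is no SSL inspection
    # and no NAT on the Spoke; the Hub takes care of both.
    edit 2
        set name "RIA"
        set srcintf "vl_lan"
        set dstintf "overlay"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set application-list "default"
        set nat disable
    next
end

# --- Hub (DataCenter-PP) ---
config firewall policy
    # Branch RIA: traffic arriving from the Spokes over the MPLS overlay
    # leaves to the Internet on port1; advanced security and NAT apply here.
    edit 10
        set name "Branch RIA"
        set srcintf "OL_MPLS"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set application-list "default"
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end
```

After installing the packages, `show firewall policy` on a Spoke or Hub lets you confirm that every rule carries `set application-list`, and that `ssl-ssh-profile` and `nat enable` appear only where the tables say they should: on DIA at the Spoke and on Branch RIA at the Hub, never on the Spoke's RIA rule.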