
Configuring Zone based Firewall

Posted on Jan 27, 2020

Below are the steps for configuring a zone-based firewall from the CLI.

CLI Configuration Procedure:

Create lists of IP prefixes:

vEdge(config)# policy
vEdge(config-policy)# lists data-prefix-list list-name
vEdge(config-data-prefix-list)# ip-prefix prefix/length

Configure a source zone, which is a group of VPNs from which data traffic flows:

vEdge(config)# policy zone source-zone-name
vEdge(config-zone)# vpn vpn-id

Configure a destination zone, which is a group of VPNs to which data traffic flows:

vEdge(config)# policy zone destination-zone-name
vEdge(config-zone)# vpn vpn-id

Create a zone-based firewall policy:

vEdge(config)# policy zone-based-policy policy-name
vEdge(config-policy-zone-based-policy)#

Create a series of match–action pair sequences:

vEdge(config-zone-based-policy)# sequence number
vEdge(config-sequence)#

Define match parameters for the data traffic:

vEdge(config-sequence)# match match-parameter

Define actions to take when a match occurs:

vEdge(config-sequence)# action drop
vEdge(config-sequence)# action inspect
vEdge(config-sequence)# action log
vEdge(config-sequence)# action pass

Define the default action, which applies when data traffic does not match any sequence in the policy:

vEdge(config-zone-based-policy)# default-action (drop | inspect | pass)

If you do not include VPN 0 in any of the zones that you configure in a zone-based firewall, packets can by default reach destination zones that are accessible only over the public internet. You can also disallow this traffic:

vEdge(config)# policy zone-to-no-zone-internet (allow | deny)

Create a zone pair, and define the source and destination zones in that pair and the zone-based firewall policy to apply to the flows between those two zones:

vEdge(config)# policy zone-pair pair-name
vEdge(config-zone-pair)# source-zone source-zone-name
vEdge(config-zone-pair)# destination-zone destination-zone-name
vEdge(config-zone-pair)# zone-policy policy-name

Example 1: isolating two VPNs

The topology for this example has three VPNs, and the example defines which flows are allowed between them:

  • VPN 1 is used for the guest network
  • VPN 2 for the enterprise employee network
  • VPN 3 for shared services

Steps:

Define a zone for each of the VPNs above:

vEdge(config)# policy
vEdge(config-policy)# zone guest-zone vpn 1
vEdge(config-policy)# zone enterprise-employee-zone vpn 2
vEdge(config-policy)# zone shared-services-zone vpn 3

Now configure a zone-based policy such that traffic from VPN 1 and VPN 2 is allowed into VPN 3, which has the subnet 10.10.10.0/24, while traffic in the reverse direction is not:

vEdge(config-policy)# zone-based-policy vpn-isolation-policy
vEdge(config-zone-based-policy)# sequence 10
vEdge(config-sequence)# match destination-ip 10.10.10.0/24
vEdge(config-sequence)# action pass

Drop any traffic that does not match the zone-based firewall policy:

vEdge(config-zone-based-policy)# default-action drop

Apply the zone-based firewall policy to the zones. Here is the zone pairing between the guest and the services zone:

vEdge(config-policy)# zone-pair guest-services-pairing
vEdge(config-zone-pair)# source-zone guest-zone
vEdge(config-zone-pair)# destination-zone shared-services-zone
vEdge(config-zone-pair)# zone-policy vpn-isolation-policy

And here is the pairing between the employee zone and the services zone:

vEdge(config-policy)# zone-pair enterprise-employee-services-pairing
vEdge(config-zone-pair)# source-zone enterprise-employee-zone
vEdge(config-zone-pair)# destination-zone shared-services-zone
vEdge(config-zone-pair)# zone-policy vpn-isolation-policy
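The following script is an added example for this post, not vEdge software or a Cisco tool. It parses the CLI command forms used in the procedure and in Example 1 into a small model, then lints that model against the stated intent: each VPN must sit in exactly one zone, each zone-based policy must end in `default-action drop`, each zone pair must be complete and reference zones and a zone-policy that actually exist, and no zone pair may exist in a direction the operator did not intend (here, nothing from the shared-services zone back toward the guest or employee zones). The sample configuration is constructed from Example 1 and deliberately ends the employee pairing with `zone-pair` in place of `zone-policy`, a slip that leaves that pair without any policy applied; the lint reports it. The prompt regex, the dict layout and the `INTENDED_PATHS` set are assumptions of this example.

```python
"""Lint vEdge zone-based firewall CLI lines against the operator's intent.
Added example for this post (not vEdge software or a Cisco tool): it models the
commands shown above as plain dicts and runs a few structural checks over them."""
import re
from typing import Dict, List, Set, Tuple

PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#\s*(.*)$")  # strips "vEdge(config-...)# "
PAIR_KEYS = ("source-zone", "destination-zone", "zone-policy")

def parse_cli(text: str) -> Dict[str, dict]:
    """Model the command forms used in this post; unknown commands raise ValueError."""
    cfg: Dict[str, dict] = {"zones": {}, "policies": {}, "zone-pairs": {}}
    vpns = policy = seq = pair = None             # objects of the current CLI context
    for raw in text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        words = (m.group(1) if m else raw).split()
        if words and words[0] == "policy":        # "policy" alone, or "policy zone ..." one-liner
            words = words[1:]
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == "zone":                           # zone NAME [vpn N]
            vpns = cfg["zones"].setdefault(args[0], [])
            if len(args) >= 3 and args[1] == "vpn":
                vpns.append(int(args[2]))
        elif kw == "vpn":
            vpns.append(int(args[0]))
        elif kw == "zone-based-policy":
            policy = cfg["policies"].setdefault(args[0], {"sequences": {}, "default-action": None})
        elif kw == "sequence":
            seq = policy["sequences"].setdefault(int(args[0]), {})
        elif kw in ("match", "action"):
            seq[kw] = " ".join(args)
        elif kw == "default-action":
            policy["default-action"] = args[0]
        elif kw == "zone-pair":
            pair = cfg["zone-pairs"].setdefault(args[0], dict.fromkeys(PAIR_KEYS))
        elif kw in PAIR_KEYS:
            pair[kw] = args[0]
        else:
            raise ValueError("unrecognised command: " + " ".join(words))
    return cfg

def lint(cfg: Dict[str, dict], intended: Set[Tuple[str, str]]) -> List[str]:
    """Return findings (empty = consistent with intent); `intended` holds the
    (source-zone, destination-zone) directions that are meant to exist."""
    out: List[str] = []
    owner: Dict[int, str] = {}
    for zone, vpns in cfg["zones"].items():               # a VPN sits in exactly one zone
        for vpn in vpns:
            if vpn in owner:
                out.append(f"vpn {vpn} is in both zone {owner[vpn]} and zone {zone}")
            owner[vpn] = zone
    for name, pol in cfg["policies"].items():             # explicit deny-by-default
        if pol["default-action"] != "drop":
            out.append(f"zone-based-policy {name}: default-action is "
                       f"{pol['default-action'] or 'unset'}, expected drop")
    for name, p in cfg["zone-pairs"].items():             # complete, resolvable, intended
        for key in PAIR_KEYS:
            if p[key] is None:
                out.append(f"zone-pair {name}: missing {key}")
        for z in (p["source-zone"], p["destination-zone"]):
            if z is not None and z not in cfg["zones"]:
                out.append(f"zone-pair {name}: zone {z} is not defined")
        if p["zone-policy"] is not None and p["zone-policy"] not in cfg["policies"]:
            out.append(f"zone-pair {name}: zone-policy {p['zone-policy']} is not defined")
        if (p["source-zone"], p["destination-zone"]) not in intended:
            out.append(f"zone-pair {name}: {p['source-zone']} -> {p['destination-zone']} "
                       "is not an intended path")
    return out

# Constructed sample: the post's Example 1, with the employee pairing ending in
# "zone-pair ..." instead of "zone-policy ..." to show the missing-policy check firing.
SAMPLE_CLI = """\
vEdge(config-policy)# zone guest-zone vpn 1
vEdge(config-policy)# zone enterprise-employee-zone vpn 2
vEdge(config-policy)# zone shared-services-zone vpn 3
vEdge(config-policy)# zone-based-policy vpn-isolation-policy
vEdge(config-zone-based-policy)# sequence 10
vEdge(config-sequence)# match destination-ip 10.10.10.0/24
vEdge(config-sequence)# action pass
vEdge(config-zone-based-policy)# default-action drop
vEdge(config-policy)# zone-pair guest-services-pairing
vEdge(config-zone-pair)# source-zone guest-zone
vEdge(config-zone-pair)# destination-zone shared-services-zone
vEdge(config-zone-pair)# zone-policy vpn-isolation-policy
vEdge(config-policy)# zone-pair enterprise-employee-services-pairing
vEdge(config-zone-pair)# source-zone enterprise-employee-zone
vEdge(config-zone-pair)# destination-zone shared-services-zone
vEdge(config-zone-pair)# zone-pair enterprise-employee-services-pairing
"""
INTENDED_PATHS = {("guest-zone", "shared-services-zone"),
                  ("enterprise-employee-zone", "shared-services-zone")}

def lint_sample(cli: str = SAMPLE_CLI) -> List[str]:
    return lint(parse_cli(cli), INTENDED_PATHS)

if __name__ == "__main__":
    print(*lint_sample(), sep="\n")
```

Running the script prints a single finding for the sample, `zone-pair enterprise-employee-services-pairing: missing zone-policy`; appending the correct `zone-policy vpn-isolation-policy` line clears it, and adding a pair from shared-services-zone back to guest-zone is reported as a path outside the intent. The checks are purely structural: they treat `pass` and `inspect` alike and say nothing about what the device does with return traffic, which is a question for the platform documentation rather than for a parser of pasted commands.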