EMAIL SUPPORT
dclessons@dclessons.comLOCATION
USZone Based Firewalls
Zone Based Firewalls
Zone based firewall is feature which is used to allow or deny traffic from one Zone to another.
Any zone has following components:
- Source zone—A VPN or group of VPN from where the data traffic flows originate.
- Destination zone— A VPN or group of VPN to where the data traffic flows terminate. A VPN can be part of only one zone
- Zone-based firewall policy—A data policy, similar to a localized data policy, which is a conditions that must be permitted for data traffic flow from the source zone to the destination zone. Zone-based firewalls can match IP prefixes, IP ports, and the protocols TCP, UDP, and ICMP. Matching flows can be accepted or dropped, and the packet headers can be logged. Non matching flows are dropped by default.
- Zone pair—a container that associates a source zone with a destination zone and that applies a zone-based firewall policy to the traffic that flows between the two zones.
When flows are match based on Zone pair, it can be processed in following ways:
- Inspect—The packet's header can be inspected to determine its source address and port.
- Pass—allow the packet to pass or sent to the destination zone without inspecting the packet's header at all.
Below figure explains the scenario:
Above figure describes three VPNs which are configured on a vEdge router. VPN 3, has shared resources to which restriction is needed. And users in VPN 1, are allowed to access the resources in VPN 3, while users in VPN 2 are not allowed to access to these resources in VPN 3. We also want data traffic flow from VPN 1 to VPN 3, but not from VPN 3 to VPN 1
Zone-based firewalls perform stateful inspection of TCP, UDP, and ICMP flows between zones. They examine the source and destination IP addresses and ports in the packet headers, as well as the packet's protocol. Then, based on the configured zone-based policy, they allow traffic to pass between the zones or they drop the traffic
Comment
TABLE OF CONTENTS
- Onboarding & Provisioning Configuring Templates
- Authentication between vSmart & vBond
- Authentication between vSmart Controller
- Authentication between vBond & vEdge Router
- Authentication between vEdge Router & vManage NMS
- Authentication between vSmart Controller & vEdge Router
- Viptela Specific Port Terminology
- Configure vManage & Generate Certificate
- Configure vBond & Generate Certificate
- Configure vSmart & Generate Certificate
- Configure vEdge & Generate Certificate
- Secure DataPlane Bringup
- Control Plane & Data Plane Operation - Unicast Routing Overview
- Configuring OMP & Its attributes
- Configure Unicast Overlay Routing
- Routing Configuration Example
- Segmentation Overview
- Configuring Segmentation
- Segmentation Configuration Example
- Data Traffic across Private WANs
- NAT in SDWAN & Data Encryption
- SD-WAN Viptela Policy Overview
- SD-WAN Centralized & Localized Control Policy Overview
- SD-WAN Centralized & Localized Data Policy
- Application – Aware Routing Overview
- Service Chaining
- Traffic Flow Monitoring
- vEdge Router as NAT Device
- Zone Based Firewalls
- Configuring Application Aware Routing
- Configure Centralized Control Policy
- Configuring Centralized Data Policy
- Configuring Cflowd Traffic Monitoring
- Configuring Zone based Firewall
- Service Chaining Configuration Example
- Configuring Service Side NAT
- Configuring Transport side NAT
RECENT POSTS
- What is Docker and Why is It Important?
- Learn Python 3.0 Programming for Network Automation
- Cisco ACI Data Centre: A Comprehensive Overview
- How to Prepare for the Microsoft Azure AZ-305 Exam
- AWS Training Certification Course for Solutions Architect
- Cisco SASE Architecture
- SASE vs SD-WAN
- What is SASE
- Accessing Amazon S3 using AWS private Link in Secure hybrid method.
- Cisco Smart Licensing Policy
LEAVE A COMMENT
Please login here to comment.