Configuring Network Security
The Security panel of the Policy Configuration window enables you to create a zone-based firewall in order to:
• strengthen the segmentation of your private network (communication between sites/subnets)
• manage Internet traffic, i.e. connections from a site/subnet to any application, which can be backhauled (bh) via the Data Center, sent directly to the Internet (dti), routed via a web security gateway (swg), or simply dropped.
Security policies are configured globally for the network; the SD-WAN application then translates each global policy into a local routing/firewalling rule for each involved SD-WAN appliance.
Warning: all the Network spoke appliances must have at least one WAN interface that is eligible for DTI or backhauling in order to access the Applications and Monitoring functions.
The Internet Access Control Lists function impacts DWS, since this service must select an interface that is eligible for enforcing the policy (for example, the system cannot select an MPLS interface if the traffic is Direct to Internet). Refer to "Internet Access Policies".
"Setting VPN Segmentation Policies"
"Setting Internet Access Control Lists"
To create a Security firewall, you must define:
1 the VPN zones for organizing your private sites and/or subnets; a subnet must be part of the private IP address range
2 the segmentation policies of the VPN zones, i.e. the ability of these zones to communicate with one another
3 the application sets for organizing your collection of Internet applications, based on the SaaS dictionary or on Protocol and Port
4 the Internet Access policies that manage the communication between the VPN zones and the application sets (whether they may communicate and which method is used: DTI, SWG or backhauling).
Refer to the following sections for detailed explanations.
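As an added illustration (hypothetical code, not the product's own implementation or API), the Python model below walks through the four building blocks listed above: zones restricted to private subnets, a segmentation pair, application sets by protocol/port, and Internet Access policies translated into per-appliance rules with the interface-eligibility check from the warning. Treating SWG traffic as needing an Internet-eligible link is an assumption; the page only states the DTI-versus-MPLS constraint.

```python
import ipaddress
from dataclasses import dataclass

# WAN eligibility each method needs; "swg" over an Internet link is an assumption.
NEEDS = {"dti": "dti", "bh": "bh", "swg": "dti"}

@dataclass
class WanInterface:
    name: str
    eligible: frozenset  # subset of {"dti", "bh"}; an MPLS link has neither

@dataclass
class Appliance:
    zone: str
    wan: list

def valid_zone(subnets):
    """VPN zones may only group private address ranges."""
    return all(ipaddress.ip_network(s).is_private for s in subnets)

def can_reach_services(appliance):
    """Spoke must own at least one DTI- or backhauling-eligible WAN link."""
    return any(ifc.eligible & {"dti", "bh"} for ifc in appliance.wan)

def translate(appliance, segmentation, app_sets, internet_policies):
    """Expand the global policies into local rules for one appliance."""
    rules = []
    for zone_a, zone_b in segmentation:  # zone pairs allowed to communicate
        if appliance.zone in (zone_a, zone_b):
            peer = zone_b if appliance.zone == zone_a else zone_a
            rules.append(("vpn", peer, "permit", None))
    for (zone, app_set), action in internet_policies.items():
        if zone != appliance.zone:
            continue
        ifc = None
        if action != "drop":  # pick an eligible link; MPLS is never chosen for DTI
            need = NEEDS[action]
            ifc = next((i.name for i in appliance.wan if need in i.eligible), None)
            if ifc is None:
                raise ValueError(f"zone {zone}: no WAN link eligible for {action}")
        for proto, port in app_sets[app_set]:
            rules.append(("inet", f"{proto}/{port}", action, ifc))
    return rules

# Constructed sample: a branch with an MPLS link and a broadband link.
BRANCH = Appliance("branches", [WanInterface("mpls0", frozenset()),
                                WanInterface("inet0", frozenset({"dti", "bh"}))])
SEGMENTATION = [("branches", "datacenter")]
APP_SETS = {"web": [("tcp", 80), ("tcp", 443)], "smb": [("tcp", 445)]}
INTERNET_POLICIES = {("branches", "web"): "dti", ("branches", "smb"): "drop"}
```

Calling `translate(BRANCH, SEGMENTATION, APP_SETS, INTERNET_POLICIES)` yields one VPN permit rule towards the datacenter zone plus per-port Internet rules pinned to `inet0`; an appliance with only the MPLS link raises because no interface is eligible for DTI.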