Setting Internet Access Control Lists

By default, VPN Zones cannot reach Internet applications, except the Default Zone, which can access the Internet in backhaul (BH) mode (see below). Internet access is by default authorized from the LAN, either through the underlay (MPLS) or through the overlay.

To change the default status, click the icon for each VPN Zone/Application Set pair in the Security matrix and select one option among BH, DTI, DTI+, SWG, SWG+ and DENY. This configuration is kept after any ExtremeCloud SD-WAN upgrade.

The following diagram illustrates the Internet Access Control List that has been defined for the Agencies VPN zone to access the applications in the Business, Communication, Marketing, Development, Call Center and Default Internet application sets (see "VPN Segmentation Use Case").

Internet Access Policies

DENY

The traffic is dropped.

BH

Backhaul: the traffic is routed to the Data Center appliance (through underlay or overlay according to the current deployment) which must be able to route it to a firewall or proxy.

with an MPLS L2 interface, the traffic is sent via the underlay and routed by the MPLS network
with an MPLS L3 or Internet L3 interface, the traffic is sent via the overlay to the Data Center appliance

Backhauling can be activated on hub appliances (in Router or Bridge-Router mode) and on appliances in Bridge mode.

DTI

Direct to Internet: the traffic is sent directly to the Internet. This policy is only available on Internet interfaces. On an interface that is not eligible for DTI (for example, an MPLS interface), the traffic is dropped.

You may activate eligibility for DTI globally or individually on any Internet L3 interface. As a consequence, NAT is automatically enabled on that interface, since DTI traffic must be NATted by the WAN interface.

Also, Local Port Forwarding parameters may be specified for this interface.

DTI+

Direct to Internet or Backhauling: the traffic is either sent in DTI if the interface authorizes it (Internet interface), or backhauled to the Data Center (for an MPLS interface).

To activate this policy, refer to the BH and DTI options.

SWG

EdgeSentry or Secure Web Gateway: the traffic is routed via an IPsec tunnel to EdgeSentry or to a Secure Web Gateway in the Cloud. This policy is only available on Internet interfaces where EdgeSentry is activated or a Secure Web Gateway is configured. The traffic is dropped on an interface that is not eligible for SWG, that is, an interface where EdgeSentry is not activated and no SWG tunnel is configured.

SWG+

EdgeSentry or Secure Web Gateway or Backhauling: the traffic is either routed to EdgeSentry (on an interface where EdgeSentry is activated) or to a Secure Web Gateway, or it is backhauled to the Data Center (when EdgeSentry is not activated and there is no configured SWG tunnel).

To activate this policy, refer to the SWG and BH options.

Policy Behavior by Interface Type and Configuration

Interface / Policy     DTI    DTI+           SWG                SWG+               BH             DENY
L2                     drop   allow          drop               allow              allow          drop
L2 + eligible DTI      not available
L3                     drop   tunnel to dc   drop               tunnel to dc       tunnel to dc   drop
L3 + eligible DTI      dti    dti            drop               tunnel to dc       tunnel to dc   drop
L3 + SWG               drop   tunnel to dc   tunnel to gateway  tunnel to gateway  tunnel to dc   drop
L3 + DTI + SWG         dti    dti            tunnel to gateway  tunnel to gateway  tunnel to dc   drop

Impact on the Network Services

If at least one appliance within the VPN Zone has no WAN interface that supports 'DTI', a yellow exclamation mark is displayed on the Internet Access Policy icon. Hover over the exclamation mark to see which appliance(s) are involved.

The same rule applies to 'SWG'.

In these error cases, the traffic is dropped and all the ExtremeCloud SD-WAN services are deactivated.
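The following is an added example, not Extreme's code: a small Python model of the policy resolution described in the "Policy Behavior" table above, together with the per-zone check behind the exclamation-mark warning in this section. The WanInterface and Appliance classes, their field names, the function names and the sample zone are this example's own assumptions; the resolution rules and the expected actions are taken from the page's policy descriptions and table. It goes slightly beyond the page by applying the "every interface drops" check to all policies, not only DTI and SWG.

```python
# Added example (not Extreme's code): models the Internet Access Policy
# resolution from the page's "Policy Behavior" table and the per-zone
# "no WAN interface supports this policy" warning. Class, field and function
# names are assumptions of this example; the rules come from the page.
from dataclasses import dataclass

POLICIES = ("DTI", "DTI+", "SWG", "SWG+", "BH", "DENY")


@dataclass(frozen=True)
class WanInterface:
    name: str
    layer: int                  # 2 = MPLS L2 interface, 3 = MPLS L3 or Internet L3
    dti_eligible: bool = False  # DTI eligibility activated (Internet L3 only)
    swg_tunnel: bool = False    # EdgeSentry activated or an SWG tunnel configured


@dataclass(frozen=True)
class Appliance:
    name: str
    interfaces: tuple           # tuple of WanInterface


def backhaul_action(iface: WanInterface) -> str:
    """BH: an L2 interface sends via the MPLS underlay ("allow"); an L3
    interface sends via the overlay tunnel to the Data Center appliance."""
    return "allow" if iface.layer == 2 else "tunnel to dc"


def resolve(policy: str, iface: WanInterface) -> str:
    """Action for traffic leaving `iface` under `policy`: one of
    "drop", "allow", "dti", "tunnel to dc", "tunnel to gateway"."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if iface.layer == 2 and iface.dti_eligible:
        # The table marks "L2 + eligible DTI" as not available.
        raise ValueError(f"{iface.name}: DTI eligibility is not available on an L2 interface")
    if policy == "DENY":
        return "drop"
    if policy == "BH":
        return backhaul_action(iface)
    can_dti = iface.layer == 3 and iface.dti_eligible
    can_swg = iface.layer == 3 and iface.swg_tunnel
    if policy == "DTI":
        return "dti" if can_dti else "drop"
    if policy == "DTI+":  # DTI when eligible, otherwise fall back to backhaul
        return "dti" if can_dti else backhaul_action(iface)
    if policy == "SWG":
        return "tunnel to gateway" if can_swg else "drop"
    # SWG+: gateway when eligible, otherwise fall back to backhaul
    return "tunnel to gateway" if can_swg else backhaul_action(iface)


# The page's "Policy Behavior" table, used to verify resolve(). Columns follow
# POLICIES order; the "L2 + eligible DTI" row is omitted (not available).
BEHAVIOR_TABLE = {
    WanInterface("l2", 2): ("drop", "allow", "drop", "allow", "allow", "drop"),
    WanInterface("l3", 3): ("drop", "tunnel to dc", "drop", "tunnel to dc", "tunnel to dc", "drop"),
    WanInterface("l3-dti", 3, True): ("dti", "dti", "drop", "tunnel to dc", "tunnel to dc", "drop"),
    WanInterface("l3-swg", 3, False, True): (
        "drop", "tunnel to dc", "tunnel to gateway", "tunnel to gateway", "tunnel to dc", "drop"),
    WanInterface("l3-dti-swg", 3, True, True): (
        "dti", "dti", "tunnel to gateway", "tunnel to gateway", "tunnel to dc", "drop"),
}


def table_mismatches() -> list:
    """(row, policy) pairs where resolve() disagrees with the page's table; expect []."""
    return [(iface.name, pol) for iface, row in BEHAVIOR_TABLE.items()
            for pol, expected in zip(POLICIES, row) if resolve(pol, iface) != expected]


def appliances_dropping_traffic(policy: str, appliances) -> list:
    """Names of appliances in a VPN Zone with no WAN interface able to carry
    traffic under `policy` (the page's yellow-exclamation-mark case for DTI
    and SWG). DENY drops everywhere by design and is not a misconfiguration."""
    if policy == "DENY":
        return []
    return [a.name for a in appliances
            if all(resolve(policy, i) == "drop" for i in a.interfaces)]


# Constructed sample zone (not from the page): a hub with Internet + MPLS L3,
# a branch on MPLS L2 only, and a branch on a DTI-eligible Internet L3 link.
SAMPLE_ZONE = (
    Appliance("hub-dc", (WanInterface("inet0", 3, dti_eligible=True, swg_tunnel=True),
                         WanInterface("mpls0", 3))),
    Appliance("branch-a", (WanInterface("mpls0", 2),)),
    Appliance("branch-b", (WanInterface("inet0", 3, dti_eligible=True),)),
)

if __name__ == "__main__":
    print("table mismatches:", table_mismatches())
    for pol in POLICIES:
        print(f"{pol:5} -> appliances dropping traffic: {appliances_dropping_traffic(pol, SAMPLE_ZONE)}")
```

Running the block prints no table mismatches and flags branch-a under DTI (its only WAN interface is MPLS L2) and both branches under SWG (neither has an SWG tunnel), which is exactly the condition the exclamation mark reports; the "+" variants and BH flag nothing because they fall back to backhauling.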