
Deploying Application Aware Enterprise Firewall

The enterprise firewall with application awareness is a localized security policy that enables stateful inspection of the traffic flows. The firewall policy consists of one or more rules with match conditions to match specific traffic and an action that applies to the matched traffic.

The match criteria include source and destination data prefix, source and destination ports, protocol, and application or application family. Based on the defined policy, the firewall either blocks or allows the traffic between different network segments within a firewall zone or between firewall zones.

Traffic that matches a firewall rule is subject to one of these actions:

  • Inspect: The Inspect action performs stateful inspection of the traffic flow and creates a session. The session tracking enables you to forward the return traffic correctly without defining a specific rule for the return traffic.
  • Pass: The Pass action allows traffic without stateful inspection. As a result, there is no session tracking, therefore you must configure a firewall rule to handle the return traffic.
  • Drop: The Drop action simply drops the packets that match the firewall rule.

By using Cisco vManage, you configure the firewall policy from the Configuration > Security dashboard by using a policy configuration wizard. The wizard is a user interface-based policy builder that enables you to define all the components required by the firewall policy.

These are components required by the firewall policy:

  • Rules or rulesets: Used to define the match conditions and the action for a firewall rule or ruleset.
  • Policy order: Used to determine the priority of a rule. The firewall evaluates the rules sequentially, so rules nearer the top have higher priority.
  • Zone Pairs: Used to define the source and destination zone that a firewall rule or ruleset applies to. A single VPN can belong to one zone, but a single zone may hold multiple VPNs.

Cisco SD-WAN 20.4.1 and onwards support rulesets as part of the firewall policy. Rulesets enable you to create multiple rules that have the same intent and apply the same action. When defining the firewall policy, using rulesets optimizes the policy and creates a smaller policy. When defining firewall rules, each rule creates a new class map on the device. Rulesets add multiple rules to one class map with multiple object groups and the ruleset applies a common action such as Inspect, Pass, or Drop.

Based on the flow of traffic between zones, this firewall feature is further divided into Intra-Zone and Inter-Zone security.

Intra-Zone Firewall Policy

The enterprise firewall with application awareness uses a flexible zone-based model for traffic inspection. Each defined firewall zone consists of one or more VPNs. As stated before, a single VPN can be a member of a single firewall zone, but a single firewall zone may consist of multiple VPNs.

Zone configuration includes these components:

  • Source Zone: A group of one or more VPNs where the traffic flows originate.
  • Destination Zone: A group of one or more VPNs where the traffic flows terminate.
  • Firewall Policy: A policy consisting of one or more rules or rulesets defining the match conditions and applying an action to traffic flows matching a specific rule.
  • Zone Pair: A combination of a source zone, a destination zone, and a firewall policy.

You can apply a firewall policy to traffic flows between different VPNs within the same zone, or possibly between different network segments within the same VPN. This policy is an Intra-Zone policy.

You may apply the Intra-Zone policy to traffic flows within a single site, where multiple VPNs are part of a single zone. If you require a firewall policy to inspect traffic within the same VPN within a single site, that traffic must pass through the Cisco SD-WAN device for inspection. In this case, the source and destination endpoints must be in different IP segments within the same service-side VPN. If the two endpoints are part of the same IP segment, then traffic flows directly between the endpoints, and firewall inspection is not possible.

Inter-Zone Firewall Policy

When you apply a firewall policy to traffic flows between different VPNs within different firewall zones, the policy is called an Inter-Zone policy. An example would be defining a firewall policy that inspects traffic between the Employee VPN attached to Zone Employees and a Vendor VPN attached to Zone Vendors. The source and destination endpoints of a certain traffic flow may be local to the SD-WAN router, at the same site, or you can have the devices located at different sites.

GENERAL FAQ

It is a localized security policy that performs stateful inspection of traffic flows. Its decisions are based on protocols, ports, IP addresses, and application identities.

The application-aware enterprise firewall is a zone-based firewall supporting more than 1400 predefined applications, along with support for defining custom applications. Cisco IOS XE-based SD-WAN Edge routers support the application-aware firewall. Viptela operating system-based SD-WAN devices support the zone-based firewall without application awareness.

A rule may inspect traffic with session tracking, pass traffic without inspection, or drop packets that should not be allowed.

You define the firewall policy as a set of rules matching specific conditions and applying an action. In addition to the defined rules, the policy applies the default action to any traffic not matching a specific rule.

The action applied to a rule can be Drop, Inspect, or Pass. The Drop action is self-explanatory. It simply drops the traffic. The Inspect action performs stateful packet inspection and allows return traffic for inspected connections. The Pass action forwards the packets without any inspection. This action is unidirectional, meaning it does not allow return traffic, and you must explicitly define the rule to allow return traffic for the Pass action.

Inspect establishes a session and then automatically permits the return traffic. Pass permits traffic without tracking a session, and therefore the return traffic has to be allowed by a separate rule.

Firewall policies can be created within vManage with a guided wizard. You can create zones, rules, and zone pairs, and set rule priority, through the user interface.

The firewall policy itself consists of one or more zone pairs, depicting the source and destination zones of a traffic flow, and one or more rules or rulesets that are to be applied to the traffic flows. For a given zone pair, the ruleset is evaluated top-down, and when a match is found, the action is applied, and the processing of the policy stops.
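The evaluation order described here, together with the Inspect, Pass and Drop semantics listed earlier, is easy to misjudge until you watch a few flows go through it. The following is an added example, not Cisco code and not part of the original lesson: a small Python model of the zone-based policy (zones made of VPNs, zone pairs holding an ordered rule list, first-match evaluation, a default action for unmatched traffic, and a session table that only Inspect populates). Zone names, VPN numbers, addresses and applications are constructed for illustration; the `same_segment` helper models the earlier point that intra-zone traffic inside one IP segment never reaches the router.

```python
"""Added example (not Cisco's code): a toy model of a zone-based firewall
policy -- zones of VPNs, zone pairs with ordered rules, first-match
evaluation, a default action, and the stateful difference between
Inspect, Pass and Drop.  All names and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSPECT, PASS, DROP = "inspect", "pass", "drop"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" / "udp"
    app: str = ""    # application name from classification (assumed input)

    def key(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

    def reverse_key(self):
        # 5-tuple of the return direction, used for the session lookup
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src_prefix: Optional[str] = None   # None means "any"
    dst_prefix: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    apps: tuple = ()                   # empty tuple means "any application"

    def matches(self, flow: Flow) -> bool:
        if self.src_prefix and ip_address(flow.src_ip) not in ip_network(self.src_prefix):
            return False
        if self.dst_prefix and ip_address(flow.dst_ip) not in ip_network(self.dst_prefix):
            return False
        if self.proto and flow.proto != self.proto:
            return False
        if self.dst_port is not None and flow.dst_port != self.dst_port:
            return False
        if self.apps and flow.app not in self.apps:
            return False
        return True


class ZoneFirewall:
    def __init__(self, zones: dict, default_action: str = DROP):
        self.zones = zones                                   # zone -> set of VPN ids
        self.vpn_zone = {v: z for z, vpns in zones.items() for v in vpns}
        self.zone_pairs = {}                                 # (src, dst) -> [Rule]
        self.default_action = default_action
        self.sessions = set()                                # 5-tuples created by Inspect

    def add_zone_pair(self, src_zone, dst_zone, rules):
        self.zone_pairs[(src_zone, dst_zone)] = list(rules)

    def evaluate(self, src_vpn: int, dst_vpn: int, flow: Flow):
        """Return (action, rule_name).  Return traffic of an inspected session
        is allowed before any rule is consulted; everything else is first-match."""
        if flow.reverse_key() in self.sessions:
            return ("allow", "session")
        pair = (self.vpn_zone[src_vpn], self.vpn_zone[dst_vpn])
        for rule in self.zone_pairs.get(pair, []):     # top-down, in policy order
            if rule.matches(flow):
                if rule.action == INSPECT:
                    self.sessions.add(flow.key())     # stateful: remember the flow
                return (rule.action, rule.name)       # first match wins, stop
        return (self.default_action, "default")       # nothing matched


def same_segment(src_ip: str, dst_ip: str, segments) -> bool:
    """True when both hosts sit in one IP segment, i.e. the flow never transits
    the SD-WAN router and an intra-zone policy cannot inspect it."""
    return any(ip_address(src_ip) in ip_network(s) and ip_address(dst_ip) in ip_network(s)
               for s in segments)


def demo():
    # Constructed topology: VPN 1 in zone Employees, VPN 2 in zone Vendors.
    fw = ZoneFirewall({"Employees": {1}, "Vendors": {2}})
    fw.add_zone_pair("Employees", "Vendors", [
        Rule("block-ssh", DROP, proto="tcp", dst_port=22),   # placed first on purpose
        Rule("web", INSPECT, proto="tcp", apps=("http", "https")),
        Rule("dns", PASS, proto="udp", dst_port=53),
    ])
    return {
        "https": fw.evaluate(1, 2, Flow("10.1.1.10", 40000, "10.2.2.20", 443, "tcp", "https")),
        "https-return": fw.evaluate(2, 1, Flow("10.2.2.20", 443, "10.1.1.10", 40000, "tcp", "https")),
        "dns": fw.evaluate(1, 2, Flow("10.1.1.10", 50000, "10.2.2.53", 53, "udp", "dns")),
        "dns-return": fw.evaluate(2, 1, Flow("10.2.2.53", 53, "10.1.1.10", 50000, "udp", "dns")),
        "ssh": fw.evaluate(1, 2, Flow("10.1.1.10", 41000, "10.2.2.20", 22, "tcp", "ssh")),
        "smtp": fw.evaluate(1, 2, Flow("10.1.1.10", 42000, "10.2.2.25", 25, "tcp", "smtp")),
    }


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:13s} -> {action:8s} (by {rule})")
```

Running the module shows the behaviours the text describes: the HTTPS flow is inspected and its return packets are allowed by the session even though no Vendors-to-Employees zone pair exists; the DNS flow is passed but its reply falls through to the default Drop because Pass created no session; SSH hits the Drop rule placed above the broader Inspect rule; SMTP matches nothing and takes the default action.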

Rulesets aggregate multiple rules using the same actions into one policy object. This decreases the size of the policy and increases the efficiency of the device.

Intra-zone rules control traffic within a single zone, either between VPNs in that zone or between network segments of one VPN. Inter-zone policies control traffic between VPNs that belong to different firewall zones, even when the endpoints are located at different sites.
