
Configuring Zone-Based Firewalls

This article provides procedures for configuring zone-based firewalls on vEdge routers. You provision zone-based firewalls to direct traffic between two zones, which are referred to as a source zone and a destination zone. Each zone consists of one or more VPNs in the overlay network.

In vManage NMS, you configure zone-based firewalls from the Configuration ► Security screen, using a policy configuration wizard. In the CLI, you configure these firewalls on the vEdge router.

Configuration Components

For a zone-based firewall, you configure zones and a policy to apply to those zones.

Each zone consists of one or more VPNs in the overlay network. You define a source zone, which identifies the VPNs from which data traffic originates, and a destination zone, which identifies the VPNs to which the traffic is being sent.

The zone-based policy consists of a series of numbered (ordered) sequences of match–action pairs that are evaluated in order, from lowest sequence number to highest sequence number. When a data packet matches the match conditions of a sequence, the associated action or actions are taken and policy evaluation on that packet stops. Keep this first-match behavior in mind as you design your policies, so that the desired actions are taken on the traffic subject to the policy.

If a packet matches no parameters in any of the policy sequences, you define a default action to be taken on the packet.

The following figure illustrates the configuration components for zone-based firewalls:

S00219.png

To create a zone-based firewall, you include the following components in the configuration for a vEdge router:

Component: Lists
  Description: Groupings of related items that you reference in the match portion of the zone-based firewall configuration.
  vManage configuration: Configuration ► Security ► Add Policy ► Create Groups of Interest, or Configuration ► Security ► Custom Options ► Lists
  CLI configuration command: policy lists, policy zone

Component: Zone-based policy
  Description: Container for a zone-based policy.
  vManage configuration: Configuration ► Security ► Add Policy ► Configure Zone-Based Firewall, or Configuration ► Security ► Custom Options ► Zone-Based Firewall
  CLI configuration command: policy zone-based-policy

Component: Numbered sequences of match–action pairs
  Description: Sequences establish the order in which the policy components are applied.
  vManage configuration: Configuration ► Security ► Add Policy ► Configure Zone-Based Firewall, or Configuration ► Security ► Custom Options ► Zone-Based Firewall
  CLI configuration command: policy zone-based-policy sequence

Component: Match parameters
  Description: Conditions that packets must match to be considered for a data policy.
  vManage configuration: Configuration ► Security ► Add Policy ► Zone-Based Firewall, or Configuration ► Security ► Custom Options ► Zone-Based Firewall
  CLI configuration command: policy zone-based-policy sequence match

Component: Actions
  Description: Whether to accept or reject matching packets, and how to process matching items.
  vManage configuration: Configuration ► Security ► Add Policy ► Zone-Based Firewall, or Configuration ► Security ► Custom Options ► Zone-Based Firewall
  CLI configuration command: policy zone-based-policy sequence action

Component: Default action
  Description: Action to take if a packet matches none of the match parameters in any of the sequences. By default, nonmatching packets are dropped.
  vManage configuration: Configuration ► Security ► Add Policy ► Zone-Based Firewall, or Configuration ► Security ► Custom Options ► Zone-Based Firewall
  CLI configuration command: policy zone-based-policy default-action

Component: Application of zone-based firewall to a zone pair
  Description: For a zone-based firewall to take effect, you include it in the definition of a zone pair.
  vManage configuration: Configuration ► Security ► Add Policy ► Apply Policy
  CLI configuration command: policy zone-pair

Component: Application of zone-based firewall to a configuration template
  Description: To use a zone-based firewall, you include it in a configuration template.
  vManage configuration: Configuration ► Templates ► Additional Templates ► Security Policy
  CLI configuration command: policy zone-pair

General vManage Configuration Procedure

To configure zone-based firewalls, use the vManage policy configuration wizard. The wizard is a UI policy builder that consists of three screens to configure policy components:

  • Create Groups of Interest, also called lists—Create lists that group together related items and that you call in the match condition of a zone-based firewall.
  • Zone-Based Firewall—Define the match and action conditions of the zone-based firewall.
  • Apply Configuration—Define zone pairs.

You must configure all of these components to create a zone-based firewall. If you are modifying an existing firewall, you can skip a component by clicking the Next button at the bottom of the screen. To return to a component, click the Back button at the bottom of the screen.

Step 1: Start the Policy Configuration Wizard

To start the policy configuration wizard:

  1. In vManage NMS, select the Configuration ► Security screen.
  2. Click Add Policy.

The policy configuration wizard opens, and Create Groups of Interest displays.

Step 2: Create Groups of Interest

In Create Groups of Interest, create lists of groups to use in zone-based firewalls:

G00470.png

  1. Select the list type to create. The following describes the lists you can create and how to create each one.

     Data Prefix:
       1. In the left pane, click Data Prefix.
       2. Click New Data Prefix List.
       3. Enter a name for the list.
       4. Enter one or more IP prefixes.
       5. Click Add.

     Zones:
       1. In the left pane, click Zones.
       2. Click New Zone List.
       3. Enter a name for the zone list.
       4. In the Add VPN field, enter the number or numbers of the VPNs in the zone. Separate numbers with commas.
       5. Click Add.

  2. Click Next to move to Zone-Based Firewall in the wizard.

Step 3: Configure Zone-Based Firewall Policy

In Zone-Based Firewall, create policies to use with zone-based firewalls:

G00472.png

  1. To create a new zone-based firewall policy:
    1. Click the Add Configuration drop-down.
    2. Select Create New.
  2. To import an existing zone-based firewall policy:
    1. Click Import. The Import Existing Zone-based Firewall Policy dialog box appears.
    2. In the Policy field, select the policy to import.
    3. Click Import.
    4. To modify the policy, continue with Step 3. Otherwise, click Next to move to Apply Configuration in the configuration wizard.
  3. Enter a name and description for the policy.
  4. In the left pane, click Add Sequence. A Zone-Based List box is displayed in the left pane.

    G00473.png
  5. Double-click the Zone-Based List box, and type a name for the policy.
  6. In the right pane, click Add Sequence Rule to create a single sequence in the zone-based firewall policy. The Match tab is selected by default.
  7. Click a match condition.
  8. On the left, enter the values for the match condition.
  9. On the right, enter the action or actions to take if the policy matches.
  10. Repeat Steps 6 through 8 to add match–action pairs to the zone-based firewall policy.
  11. To rearrange match–action pairs in the policy, in the right pane drag them to the desired position.
  12. To remove a match–action pair from the policy, click the X in the upper right of the condition.
  13. Click Save Match and Actions to save a sequence rule.
  14. To rearrange sequence rules in a policy, in the left pane drag the rules to the desired position.
  15. To copy, delete, or rename a policy sequence rule, in the right pane, click More Options next to the rule's name and select the desired option.
  16. If no packets match any of the policy sequence rules, the default action is to drop the packets. To change the default action:
    1. Click Default Action in the left pane.
    2. Click the Pencil icon.
    3. Change the default action to Inspect or Pass.
    4. Click Save Match and Actions.
  17. Click Save Zone-Based Policy to save the policy.
  18. Click Next to move to Apply Configuration in the wizard.

Step 4: Apply Zone-Based Policy to a Zone Pair

In Apply Configuration, apply a zone-based policy to a zone pair:

G00474.png

  1. Enter a name and description for the zone-based firewall.
  2. Click Add Zone Pair.
  3. In the Source Zone field, select the zone that is the source of the data packets.
  4. In the Destination Zone field, select the zone that is the destination of the data packets.
  5. Click Add.
  6. To edit or delete a zone-based policy, in the right pane, click More Options next to the policy's name and select the desired option.
  7. Click Preview to view the full policy in CLI format.
  8. Click Save Policy.

Step 5: Apply a Zone-Based Firewall to a vEdge Router

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. If you are creating a new device template:
    1. In the Device tab, click Create Template.
    2. From the Create Template drop-down, select From Feature Template.
    3. From the Device Model drop-down, select one of the vEdge devices.
    4. In the Template Name field, enter a name for the device template. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (-), and underscores (_). It cannot contain spaces or any other characters.
    5. In the Description field, enter a description for the device template. This field is mandatory, and it can contain any characters and spaces.
    6. Continue with Step 4.
  3. If you are editing an existing device template:
    1. In the Device tab, click the More Actions icon to the right of the desired template, and click the pencil icon.
    2. Click the Additional Templates tab. The screen scrolls to the Additional Templates section.
    3. From the Policy drop-down, select the name of a policy that you have configured.
  4. Click the Additional Templates tab located directly beneath the Description field. The screen scrolls to the Additional Templates section.
  5. From the Security Policy drop-down, select the name of the zone-based firewall you configured in the above procedure.
  6. Click Create (for a new template) or Update (for an existing template).

General CLI Configuration Procedure

Following are the high-level steps for configuring a zone-based firewall using the CLI:

  1. Create lists of IP prefixes, as needed:
    vEdge(config)# policy
    vEdge(config-policy)# lists data-prefix-list list-name
    vEdge(config-data-prefix-list)# ip-prefix prefix/length
  2. Configure a source zone. For the zone-based policy, this is a group of VPNs from which data traffic flows. Each zone can contain one or more VPNs.
    vEdge(config)# policy zone source-zone-name
    vEdge(config-zone)# vpn vpn-id
  3. Configure a destination zone. For the zone-based policy, this is a group of VPNs to which data traffic flows. Each zone can contain one or more VPNs.
    vEdge(config)# policy zone destination-zone-name
    vEdge(config-zone)# vpn vpn-id
  4. Create a zone-based firewall policy:
    vEdge(config)# policy zone-based-policy policy-name
    vEdge(config-policy-zone-based-policy)#
  5. Create a series of match–action pair sequences:
    vEdge(config-zone-based-policy)# sequence number
    vEdge(config-sequence)#

    The match–action pair sequences are evaluated in order, by sequence number, starting with the lowest-numbered pair and ending when the packet matches the conditions in one of the pairs. If no match occurs, the default action is taken.
  6. Define match parameters for the data traffic:
    vEdge(config-sequence-number)# match match-parameter
  7. Define actions to take when a match occurs:
    vEdge(config-sequence)# action drop
    vEdge(config-sequence)# action inspect
    vEdge(config-sequence)# action log
    vEdge(config-sequence)# action pass
  8. Create additional numbered sequences of match–action pairs within the zone-based firewall policy, as needed.
  9. Define the default action, which is the action to take when data traffic does not match the conditions in one of the sequences:
    vEdge(config-policy-name)# default-action (drop | inspect | pass)
  10. If you do not include VPN 0 in any of the zones that you configure in a zone-based firewall, by default, packets are able to reach destination zones that are accessible only over the public internet. You can also disallow this traffic:
    vEdge(config)# policy zone-to-nozone-internet (allow | deny)
  11. Create a zone pair, and define the source and destination zones in that pair and the zone-based firewall policy to apply to the flows between those two zones:
    vEdge(config)# policy zone-pair pair-name
    vEdge(config-zone-pair)# source-zone source-zone-name
    vEdge(config-zone-pair)# destination-zone destination-zone-name
    vEdge(config-zone-pair)# zone-policy policy-name
  12. Optionally, configure the number of TCP SYN packets that the router can receive while establishing a TCP connection to use for a zone-based firewall before the router shuts down the connection. The default is 2000 SYN packets. The value can be from 1 through 2147483647.
    vEdge(config)# policy tcp-syn-flood-limit number
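The following configuration puts steps 1 through 12 together in one place and also exercises the match parameters, action parameters, default action, internet-transit control and zone pair described in the sections that follow. It is an added worked example, not configuration from the original page: the zone names, VPN numbers, prefixes, ports and policy names are constructed for illustration, and the command hierarchy follows the structural components listed on this page as they appear in the vManage Preview. Lines beginning with an exclamation mark are comments for the reader.

```text
! Added worked example; all names, VPNs, prefixes and ports are constructed.
! Intent: hosts in VPN 10 (users) may open HTTPS to the application servers
! in VPN 20; SSH attempts toward those servers are dropped and logged; any
! other traffic from VPN 10 to VPN 20 falls through to default-action drop.
policy
  lists
    data-prefix-list USER_LAN
      ip-prefix 10.1.0.0/16
    data-prefix-list APP_SERVERS
      ip-prefix 10.2.50.0/24
  zone USERS
    vpn 10
  zone SERVERS
    vpn 20
  ! VPN 0 is in no zone, so explicitly deny the default path to the internet
  zone-to-nozone-internet deny
  ! Tighten the SYN budget below the 2000-packet default
  tcp-syn-flood-limit 1000
  zone-based-policy USERS_TO_SERVERS
    ! Sequences are evaluated lowest number first; the first match wins
    sequence 10
      match
        source-data-prefix-list USER_LAN
        destination-data-prefix-list APP_SERVERS
        protocol 6
        destination-port 443 8443
      ! inspect records source address and port so the server's replies
      ! are allowed back to the user
      action inspect
    sequence 20
      match
        destination-data-prefix-list APP_SERVERS
        protocol 6
        destination-port 22
      ! drop plus log: headers go to the syslog files, viewable with show log
      action drop
      action log
    ! anything not matched above is discarded
    default-action drop
  zone-pair USERS_TO_SERVERS_PAIR
    source-zone USERS
    destination-zone SERVERS
    zone-policy USERS_TO_SERVERS
```

Two things this layout is meant to make visible. First, sequence 10 uses inspect rather than pass: as the action table on this page notes, pass forwards the request without recording its header, so the return traffic addressed to the sender is blocked, which would leave the HTTPS session half-open. Second, the sequence order does security work: if sequence 10 had instead matched all TCP toward APP_SERVERS, sequence 20 would never be evaluated and the SSH drop would be shadowed, so place the narrow drop before any broader pass or inspect, and rely on default-action drop rather than on an explicit catch-all pass.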

Structural Components of Configuration for Zone-Based Firewalls

Following are the structural components required to configure zone-based firewalls, shown as they appear in the CLI and when you click Preview in the vManage zone-based firewall wizard. Each component is explained in the sections below.

policy
  lists
    data-prefix-list list-name
      ip-prefix prefix/length
  zone source-zone-name
    vpn vpn-id
  zone destination-zone-name
    vpn vpn-id
  zone-to-nozone-internet (allow | deny)
  zone-pair pair-name
    source-zone source-zone-name
    destination-zone destination-zone-name
    zone-policy policy-name
  zone-based-policy policy-name
    sequence number
      match
        match-parameters
      action
        drop
        inspect
        log
        pass
    default-action (drop | pass | inspect)

Lists

Zone-based firewalls use prefix lists to group related prefixes. You configure lists under the policy lists command hierarchy on vEdge routers.

List type: Data prefixes
  Description: List of one or more IP prefixes. You can specify both unicast and multicast addresses. To configure multiple prefixes in a single list, include multiple ip-prefix options, specifying one prefix in each option.
  Command:
    data-prefix-list list-name
      ip-prefix prefix/length

In vManage NMS:

  • Configuration ► Security ► Add Policy ► Create Groups of Interest ► Data Prefix ► New Data Prefix List
  • Configuration ► Security ► Custom Options ► Lists ► Data Prefix ► New Data Prefix List

Zones

For zone-based firewalls, you group one or more VPNs together to form a zone. You configure lists under the policy command hierarchy on vEdge routers.

Item: Zones
  Description: Group of one or more VPNs in the overlay network that form a zone. A VPN can be a member of only one zone. For the zone-based firewall, you need at least two zones, a source zone and a destination zone. If desired, you can use the same zone for both the source and the destination.
  Command:
    zone source-zone-name
      vpn vpn-id
    zone destination-zone-name
      vpn vpn-id

In vManage NMS:

  • Configuration ► Security ► Add Policy ► Create Groups of Interest ► Zones ► New Zone List
  • Configuration ► Security ► Custom Options ► Lists ► Zones ► New Zone List

TCP SYN Packets

By default, the router can receive up to 2000 TCP SYN packets while establishing the TCP connection to use for a zone-based firewall before the router shuts down the connection. You can modify this limit:

vEdge(config)# policy tcp-syn-flood-limit number

Sequences

A zone-based firewall contains sequences of match–action pairs. The sequences are numbered to set the order in which a packet is evaluated against the match–action pairs in the policy. You configure sequences with the policy zone-based-policy sequence command.

Each sequence in a zone-based firewall can contain one match command and one action command.

In vManage NMS:

  • Configuration ► Security ► Add Policy ► Zone-Based Firewall ► Add Configuration ► Add Sequence
  • Configuration ► Security ► Custom Options ► Zone-Based Firewall ► Add Configuration ► Add Sequence

Match Parameters

Zone-based firewalls can match IP prefixes, fields in the IP headers, and IP protocols. You configure the match parameters under the policy zone-based-policy sequence match command.

Each sequence in a zone-based firewall must contain one match command.

For zone-based firewalls, you can match these parameters:

Command: destination-data-prefix-list list-name
  Description: Group of destination prefixes
  Value or range: Name of a data-prefix-list list.

Command: destination-ip prefix/length
  Description: Individual destination prefix
  Value or range: IP prefix and prefix length

Command: destination-port number
  Description: Destination port number
  Value or range: 0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-])

Command: protocol number
  Description: Internet Protocol number
  Value or range: 0 through 255

Command: source-data-prefix-list list-name
  Description: Group of source prefixes
  Value or range: Name of a data-prefix-list list.

Command: source-ip prefix/length
  Description: Individual source prefix
  Value or range: IP prefix and prefix length

Command: source-port number
  Description: Source port number
  Value or range: 0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-])

In vManage NMS:

  • Configuration ► Security ► Add Policy ► Zone-Based Firewall ► Add Configuration ► Add Sequence ► Add Sequence Rule ► Match
  • Configuration ► Security ► Custom Options ► Zone-Based Firewall ► Add Configuration ► Add Sequence ► Add Sequence Rule ► Match

Action Parameters

When a packet matches the conditions in the match portion of a zone-based firewall, the packet can be inspected, passed through without inspection, or dropped, and it can be logged.

Each sequence in a zone-based firewall can contain one action command.

In the action, you can specify these actions:

Command: drop
  Description: Discard the packet. This is the default action.

Command: inspect
  Description: Inspect the packet's header to determine its source address and port. The address and port are used by the NAT device to allow traffic to be returned from the destination to the sender.

Command: log
  Description: Log the packet headers into the messages and vsyslog system logging (syslog) files. In addition to logging the packet headers, a syslog message is generated the first time a packet header is logged and then every 5 minutes thereafter, as long as the flow is active. To display logging information, use the show log command on the vEdge router.

Command: pass
  Description: Allow the packet to pass to the destination zone without inspecting the packet's header at all. With this action, the NAT device blocks return traffic that is addressed to the sender.


In vManage NMS:

  • Configuration ► Security ► Add Policy ► Zone-Based Firewall ► Add Configuration ► Add Sequence ► Add Sequence Rule ► Action
  • Configuration ► Security ► Custom Options ► Zone-Based Firewall ► Add Configuration ► Add Sequence ► Add Sequence Rule ► Action

Default Action

If a packet being evaluated does not match any of the match conditions in a zone-based firewall policy, the default action is applied to the packet. To configure this behavior, include the zone-based-policy default-action action command in the zone-based firewall, where action can be drop, inspect, or pass.

In vManage NMS:

  • Configuration ► Security ► Add Policy ► Zone-Based Firewall ► Add Configuration ► Default Action
  • Configuration ► Security ► Custom Options ► Zone-Based Firewall ► Add Configuration ► Default Action

Control Whether Packets Can Be Sent to the Internet

If you do not include VPN 0 in any of the zones that you configure in a zone-based firewall, by default, packets are able to reach destination zones that are accessible only over the public internet. To configure this explicitly:

vEdge(config)# policy zone-to-nozone-internet allow

To restrict traffic from transiting the internet, change the option to deny:

vEdge(config)# policy zone-to-nozone-internet deny

You can add this command to the configuration only after you have configured at least one zone. If you remove all zones from a configuration, the value of this command returns to the default of allow. If you want to block internet access, you must configure the deny option again.

In vManage NMS:

  • Not available

Apply Zone-Based Firewalls

For a zone-based firewall to take effect, you must include it in a zone pair:

vEdge(config)# policy zone-pair pair-name
vEdge(config-zone-pair)# source-zone source-zone-name
vEdge(config-zone-pair)# destination-zone destination-zone-name
vEdge(config-zone-pair)# zone-policy policy-name

pair-name is the name of the zone pairing.

source-zone-name and destination-zone-name are the names of zones that you created with the zone command. The source and destination zones can be different, or they can be the same.

policy-name is the name of a zone-based firewall that you created with the zone-based-policy command.

In vManage NMS:

  • Configuration ► Security ► Add Policy ► Zone-Based Firewall ► Apply Configuration
  • Configuration ► Templates ► Device ► Additional Templates ► Security Policy