
Security

Use the Security screen to create and activate zone-based firewalls on vEdge routers.

Screen Elements

  • Top bar—On the left are the menu icon, for expanding and collapsing the vManage menu, and the vManage product name. On the right are a number of icons and the user profile drop-down.
  • Title bar—Includes the title of the screen, Security, and the following:
    • Custom Options—Click to display, create, and edit components for use in zone-based firewalls.
    • Add Policy—Click to create a zone-based firewall using a policy configuration wizard.
    • Search box—Includes the Search Options drop-down, for a Contains or Match string.
    • Refresh icon—Click to refresh data in the policies table with the most current data.
    • Show Table Columns icon—Click to display or hide columns from the policies table. By default, all columns are displayed.
  • Zone-based firewalls table—To re-arrange the columns, drag the column title to the desired position.

Configure Zone-Based Firewalls

You configure zone-based firewalls with a configuration wizard. The wizard is a UI policy builder that consists of three screens to configure and modify the following zone-based firewall components:

  • Groups of interest, also called lists
  • Zone-based firewall match and action policy conditions
  • Applying firewalls to zones

You must configure all of these components to create a zone-based firewall. If you are modifying an existing firewall, you can skip a component by clicking the Next button at the bottom of the screen. To return to a component, click the Back button at the bottom of the screen.

For more information about zone-based firewall components, see Configuring Zone-Based Firewalls.

To start the policy configuration wizard, click Add Policy. The Create Groups of Interest screen displays.

Configure Groups of Interest

To create groups of interest:

  1. Click Add Policy to start the policy configuration wizard. The Create Groups of Interest screen displays.
  2. In the left pane, select the type of list to use with the zone-based policy. It can be one of the following:
     • Data Prefix
     • Zones
  3. In the right pane, click the New button. The New List portion of the screen displays.
  4. Enter a name for the list, and enter or select the components to include in the list.
  5. Click Add to create the new list.
  6. Repeat Steps 2 through 5 to create additional lists.
  7. To edit, copy, or delete an existing list, click the Edit, Copy, or Trash Bin icon in the Action column.
  8. Click Next to move to Zone-Based Firewall in the wizard.

Configure Zone-Based Firewall Policy

To configure the sequences of match and action policy conditions for zone-based firewalls:

  1. Start the policy configuration wizard. The Create Groups of Interest screen is displayed.
  2. Click Next. The Zone-Based Firewall screen is displayed.
  3. Click Add Configuration.
  4. To import an existing set of policy sequences, select Import Existing. In the Import Existing Zone-Based Firewall Policy popup, select the name of the file containing the policy. Then click Import.
  5. To create a new policy, select Create New.
  6. In the left pane, click Add Sequence.
  7. Click Add Sequence Rule.
  8. Add the match and action conditions.
  9. Add additional sequences as needed. Drag and drop sequences to re-order them.
  10. Click Save Zone-Based Policy.
  11. Click Next to move to Apply Configuration in the wizard.

Apply Zone-Based Firewall Policy to a Zone Pair

In the Apply Configuration screen:

  1. Start the policy configuration wizard. The Create Groups of Interest screen is displayed.
  2. Click Next. The Zone-Based Firewall screen is displayed.
  3. Click Next. The Apply Configuration screen is displayed.
  4. Enter a name for the policy. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (-), and underscores (_). It cannot contain spaces or any other characters.
  5. Enter a description of the policy. This field is mandatory, and it can contain any characters and spaces. It can contain up to 2048 characters.
  6. Locate the desired zone-based firewall policy.
  7. Click Add Zone Pair.
  8. In the Source Zone drop-down, select the zone from which data traffic originates.
  9. In the Destination Zone drop-down, select the zone to which data traffic is sent.
  10. Click Add.
  11. To edit or delete a zone pair, click the Edit or Trash Bin icon in the Action column.
  12. Click Preview to view the configured policy. The policy is displayed in CLI format.
  13. Click Save Policy. The Configuration ► Security screen is then displayed, and the zone-based firewalls table includes the newly created policy.
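The Preview in Step 12 is the point at which the assembled policy (lists, sequences, zones, and zone pairs) can be checked before it is saved and pushed to devices. The following script is an added example, not Cisco's code or part of this page: it parses a preview of that kind and reports a zone-based policy whose default-action is not drop, and zone pairs that reference an undefined zone or policy. The CLI keywords follow the vEdge syntax as the author understands it, and SAMPLE_PREVIEW, its names and VPN numbers, is constructed for the example.

```python
# Added example (not Cisco's code): audit a zone-based firewall policy as vManage's Preview
# shows it in CLI format. Keywords are vEdge syntax as understood by the author; sample is constructed.
FIELDS = ("default-action", "source-zone", "destination-zone", "zone-policy")

SAMPLE_PREVIEW = """\
policy
 zone-based-policy ZBFW-GUEST-TO-DC
  sequence 10
   match
    source-data-prefix-list GUEST-NETS
   !
   action inspect
  default-action pass
 zone GUEST
  vpn 10
 zone DC
  vpn 20
 zone-pair GUEST-DC
  source-zone GUEST
  destination-zone DC
  zone-policy ZBFW-GUEST-TO-DC
!
"""

def parse_preview(text):
    # Returns policies {name: {"default-action": ...}}, the set of zone names, pairs {name: {...}}.
    policies, zones, pairs, cur = {}, set(), {}, None
    for key, arg, *_ in (line.split() + [None, None] for line in text.splitlines()):
        if key == "zone-based-policy":      # policy block; its sequences and default-action follow
            cur = policies.setdefault(arg, {"default-action": None})
        elif key == "zone":                 # zone definition (VPN membership lines follow)
            zones.add(arg)
        elif key == "zone-pair":            # binds a policy to a source/destination zone pair
            cur = pairs.setdefault(arg, {})
        elif key in FIELDS and cur is not None:
            cur[key] = arg
    return policies, zones, pairs

def audit(text):
    # Findings a reviewer should resolve before Save Policy; an empty list means clean.
    policies, zones, pairs = parse_preview(text)
    findings = [f"policy {n}: default-action is {p['default-action']}, expected drop"
                for n, p in policies.items() if p["default-action"] != "drop"]
    for name, pair in pairs.items():
        for role in ("source-zone", "destination-zone"):
            if pair.get(role) not in zones:
                findings.append(f"zone-pair {name}: {role} {pair.get(role)} is not a defined zone")
        if pair.get("zone-policy") not in policies:
            findings.append(f"zone-pair {name}: zone-policy {pair.get('zone-policy')} is not defined")
    return findings
```

Paste the text from the Preview popup in place of SAMPLE_PREVIEW; the constructed sample deliberately carries a default-action of pass so that audit() returns one finding.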

Apply a Zone-Based Firewall to a vEdge Router

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. If you are creating a new device template:
    1. In the Device tab, click Create Template.
    2. From the Create Template drop-down, select From Feature Template.
    3. From the Device Model drop-down, select one of the vEdge devices.
    4. In the Template Name field, enter a name for the device template. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (-), and underscores (_). It cannot contain spaces or any other characters.
    5. In the Description field, enter a description for the device template. This field is mandatory, and it can contain any characters and spaces.
    6. Continue with Step 4.
  3. If you are editing an existing device template:
    1. In the Device tab, click the More Actions icon to the right of the desired template, and click the pencil icon.
    2. Click the Additional Templates tab. The screen scrolls to the Additional Templates section.
    3. From the Policy drop-down, select the name of a policy that you have configured.
  4. Click the Additional Templates tab located directly beneath the Description field. The screen scrolls to the Additional Templates section.
  5. From the Security Policy drop-down, select the name of the zone-based firewall you configured in the above procedure.
  6. Click Create (for a new template) or Update (for an existing template).

View a Zone-Based Firewall

  1. In the zone-based firewalls table, locate the desired policy.
  2. Click the More Actions icon to the right of the column and click View. Policies created with the UI policy builder are displayed in graphical format. Policies created using the CLI are displayed in text format.
  3. Click Cancel to return to the zone-based firewalls table.

For a policy created using the vManage policy configuration wizard, you can view the policy in CLI format:

  1. In the zone-based firewalls table, locate the desired policy.
  2. Click the More Actions icon to the right of the column, and click Preview.
  3. Click OK to return to the zone-based firewalls table.

Edit a Policy

  1. In the zone-based firewalls table, locate the desired policy.
  2. Click the More Actions icon to the right of the column and click Edit.
  3. Edit the policy as needed.
  4. Click Save Policy Changes.

Edit or Create a Zone-Based Firewall Component

You can create individual zone-based firewall components directly and then use them or import them when you are using the policy configuration wizard:

  1. In the Title bar, click the Custom Options drop-down.
  2. Select the policy component type:
     • Lists—Create groups of interest to import in the Groups of Interest screen in the policy configuration wizard.
     • Zone-Based Firewall—Create a policy sequence to import in the Zone-Based Firewall screen in the policy configuration wizard.

Delete a Policy

  1. In the zone-based firewalls table, locate the desired policy.
  2. Click the More Actions icon to the right of the column and click Delete.
  3. Click OK to confirm deletion of the policy.