
Forum to discuss Silver Peak EdgeConnect SD-WAN and Aruba SD- Branch. This includes SD-WAN Orchestration WAN edge network functions including routing, security, zone-based firewall, segmentation and WAN optimization, micro-branch solutions, best practices, third party integrations, All things SD-WAN!

Firewalling at DC - SD-WAN edge

  • 1.  Firewalling at DC - SD-WAN edge

    Posted Apr 29, 2021 03:19 PM
    Please correct me if I'm wrong but I believe that usually when we create user roles on SD-Branch gateways and have traffic coming from the DC the path is the red one in this picture:

    So the traffic can enter the SD-WAN "fabric" and is denied at the branch gateway level if not allowed in the corresponding user role. Is it possible to have VPNCs block the traffic before it ever goes over to the SD-WAN, in this picture option 2? For example having all the roles on the VPNC level too?

    There are interface policies for VPNC, but if we have hundreds or maybe even thousands of rules for different roles it is really impossible to manage those in a single policy.

    Or is this something that people don't really care about at all, as it's just the first packets trying to knock on the branch gateway's door and there is not much traffic in the SD-WAN fabric for blocked sessions?

  • 2.  RE: Firewalling at DC - SD-WAN edge

    Posted May 04, 2021 08:41 AM
    Hi pubjohndoe,

    VPNC is a tunnel concentrator. The idea is that the traffic of users is generated in the branches towards the DC where the VPNC is located, and not the other way around. You can configure policies directly on the VPNC interface (you can check that there is one applied by default on the WAN interface, allowing only the necessary protocols for the construction of IPSEC tunnels).

    Don't you have a DMZ firewall in this topology? The best option would be for a DC firewall to do this control if there is traffic initiated on the DC to the branch offices.

    Felipe Rodrigues

  • 3.  RE: Firewalling at DC - SD-WAN edge

    Posted May 04, 2021 08:53 AM

    There's usual traffic like SCCM, printer management, monitoring of different devices etc. In the end it's probably not that much, but it still feels a bit wasteful to pass it over the SD-WAN fabric before dropping it at the remote branch.

    All the Aruba documents show the VPNC connected directly to the core switches, and the only firewall in the picture is the DMZ firewall between the internet and the VPNC. So that is probably Aruba's best practice, as I haven't seen any other way in the documents.

    What I was trying to drop was the enterprise's own traffic over the fabric to branches, not the traffic coming from the internet. And as we've already had to do all the rules for the branches, it seems a bit silly to do exactly the same rules again in the DC firewall :) I also have to draw in Visio what DC firewalls in front of the VPNC would look like; hopefully there will be no asymmetric traffic. But I guess that's usually managed with AS prepends.