Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Moving from MPLS VPNs to user roles

  • 1.  Moving from MPLS VPNs to user roles

    Posted Oct 10, 2020 04:38 PM

    Currently we have our own MPLS network managed by us, lots of VRFs, and everything is tunneled back to our DC firewalls, and there we can make decisions about what traffic to allow where. MPLS is cheap here, so it's not an issue. But if we'd like to move to the Aruba SD-Branch solution, we would need to forget VRFs as they are not supported, and either do lots of PBR rules or just use user roles.

    We have hundreds of rules, or in a couple of cases some virtual firewalls have more than a thousand rules. Moving to user roles seems like quite a lot of work. Are there any best practices available on how to use those?

    And as it's Central based, it's quite impossible to have everything in one group. The number of uplinks is limited, as we have several ISPs offering MPLS and internet connectivity. And it's not very easy to copy rules between groups; I guess we would need to do some sort of scripts to download user roles from the API and then copy those to other groups.

    Adding and changing rules is also a bit more work than it is with Fortigate firewalls. The amount of clicking everywhere and waiting for the Central page to load takes a lot of time.

    We want to tunnel all the traffic via our DC internet firewalls anyway to have IPS/IDS capabilities, so just advertising "DC networks" towards the branch isn't really an option.

    I'm hoping to get insight into how other people are using the roles and how they are managing those. Firewall rule management suites like AlgoSec are not working with Aruba SD-Branch at the moment. At a single branch we currently might have 10 different VRFs for the workstations, printers, APs, surveillance cameras, different medical devices, elevators and even fridges.

    And please, something other than "talk to your SE". We're of course talking with them, but I'd like to get some ideas on how other people are managing large networks with lots of policies.