Enterprise Firewall with Application Awareness

Cisco’s Enterprise Firewall with Application Awareness uses a flexible and easily understood zone-based model for traffic inspection, compared to the older interface-based model.

A firewall policy is a type of localized security policy that allows stateful inspection of TCP, UDP, and ICMP data traffic flows. Traffic flows that originate in a given zone are allowed to proceed to another zone based on the policy between the two zones. A zone is a grouping of one or more VPNs. Grouping VPNs into zones allows you to establish security boundaries in your overlay network so that you can control all data traffic that passes between zones.

Zone configuration consists of the following components:

  • Source zone—A grouping of VPNs where the data traffic flows originate. A VPN can be part of only one zone.

  • Destination zone—A grouping of VPNs where the data traffic flows terminate. A VPN can be part of only one zone.

  • Firewall policy—A security policy, similar to a localized security policy, that defines the conditions that the data traffic flow from the source zone must match to allow the flow to continue to the destination zone. Firewall policies can match IP prefixes, IP ports, the protocols TCP, UDP, and ICMP, and applications. Matching flows for prefixes, ports, and protocols can be accepted or dropped, and the packet headers can be logged. Nonmatching flows are dropped by default. Matching applications are denied.

  • Zone pair—A container that associates a source zone with a destination zone and that applies a firewall policy to the traffic that flows between the two zones.

Matching flows that are accepted can be processed in two different ways:

  • Inspect—The packet's header can be inspected to determine its source address and port. 

  • Pass—Allow the packet to pass to the destination zone without inspecting the packet's header at all. 

The following figure shows a simple scenario in which three VPNs are configured on a XE SD-WAN Router. One of the VPNs, VPN 3, has shared resources that you want to restrict access to. These resources could be printers or confidential customer data. For the remaining two VPNs in this scenario, only users in one of them, VPN 1, are allowed to access the resources in VPN 3, while users in VPN 2 are denied access to these resources. In this scenario, we want data traffic to flow from VPN 1 to VPN 3, but we do not want traffic to flow in the other direction, from VPN 3 to VPN 1.

Firewall policies perform stateful inspection of TCP, UDP, and ICMP flows between zones. They examine the source and destination IP addresses and ports in the packet headers, as well as the packet's protocol. Then, based on the configured zone-based policy, they allow traffic to pass between the zones or they drop the traffic.

The implementation of firewall policies varies slightly to that of localized security policy. Where you configure and apply localized security policy based only on VPNs, you configure and apply firewall policies to one or more VPNs that have been grouped into a zone. You activate localized security policy by applying it to individual interfaces on the XE SD-WAN Routers. When you activate firewall policies, they apply to the specific VPNs in the zones, without regard to any specific interfaces.

Application Firewall

The Application Firewall inspects and blocks traffic based on applications or application-family. This application-aware firewall feature provides the following benefits:

  • Application visibility and granular control

  • Classification of 1400+ layer 7 applications

  • Blocks traffic by application or application-family

You can create lists of individual applications or application families. A sequence that contains a specified application or application family list can be inspected. This inspect action is a Layer 4 action. Matching applications are blocked/denied.

vEdge Router provides Application Layer Gateway (ALG) FTP support with Network Address Translation – Direct Internet Access (NAT-DIA), Service NAT, and Enterprise Firewall. Service NAT support is added for FTP ALG on the client and not on the FTP Server.

Configure Firewall Policies

In vManage NMS, you configure firewall policies from the Configuration > Security screen, using a policy configuration wizard. In the CLI, you configure these firewalls on the XE SD-WAN Router.

Configuration Components

For firewall policies, you configure zones and a policy to apply to those zones.

Each zone consists of one of more VPNs in the overlay network. You define a source zone, which identifies the VPNs from which data traffic originates, and a destination zone, which identifies the VPNs to which the traffic is being sent.

The firewall policy consists of a series of numbered (ordered) sequences of match–action pairs that are evaluated in order, from lowest sequence number to highest sequence number. When a data packet matches the match conditions, the associated action or actions are taken and policy evaluation on that packet stops. Keep this process in mind as you design your policies to ensure that the desired actions are taken on the items subject to policy.

If a packet matches no parameters in any of the policy sequences, you define a default action to be taken on the packet.

The following figure illustrates the configuration components for firewall policies:

To create an application firewall policy, you include the following components in the configuration for a XE SD-WAN Router:

Component

Description

vManage Configuration

CLI Configuration Command

Lists

Groupings of related items that you reference in the match portion of the firewall policy configuration.

Configuration ► Security ► Custom Options ► Lists ► Application

Configuration ► Security ► Custom Options ► Lists ► Zones 

policy lists

Firewall policy

Container for a firewall policy.

Configuration ► Security ► Add Security Policy ► <Scenario> ► Add Firewall Policy

policy zone-based-policy

Numbered sequences of match–action pairs

Sequences establish the order in which the policy components are applied.

Configuration ► Security ► Add Security Policy ► <Scenario> ► Add Firewall Policy ► Sequence Rule

policy zone-based-policy sequence

Application Match parameters

Conditions that packets must match to be considered for a security policy.

Configuration ► Security ► Add Security Policy ► <Scenario> ► Add Firewall Policy ► Sequence Rule ► Match ► Application/Application Family List

policy zone-based-policy sequence match app-list

Actions

For a sequence that contains an application or application family list, packets can be inspected. Matching applications are blocked/denied.

Configuration ► Security ► Add Security Policy ► <Scenario> ► Add Firewall Policy ► Sequence Rule ► Actions ►Inspect

policy zone-based-policy sequence action inspect

Default action

Action to take if a packet matches none of the match parameters in any of the sequences. By default, non matching packets are dropped.

Configuration ► Security ► Add Security Policy ► <Scenario> ► Add Firewall Policy ► Sequence Rule ► Actions

policy zone-based-policy default-action drop

Apply firewall policy to a zone pair

For a firewall policy to take effect, you include it in the definition of a zone pair.

Configuration ► Security ► Add Security Policy ►<Scenario> ►Apply Policy

policy zone-pair

General vManage Configuration Procedure

To configure firewall policies, use the vManage policy configuration wizard. The wizard is a UI policy builder that lets you configure policy components:

  • Create Lists—Create lists that group together related items and that you call in the match condition of a firewall policy.

  • Firewall Policy—Define the match and action conditions of the firewall policy.

  • Apply Configuration—Define zone pairs.

You must configure all these components to create a firewall policy. If you are modifying an existing firewall, you can skip a component by clicking the Next button at the bottom of the screen. To return to a component, click the Back button at the bottom of the screen.

Zone-Based Firewall Configuration Examples

This topic provides an example of configuring a simple zone-based firewall using the CLI or vManage.

Isolating Two VPNs

In this zone-based firewall configuration example, we have a scenario where a router is connected to three service-side networks:

  • Guest network that provides point-of-sale (PoS) services

  • Employee network

  • Network that provides shared services, including shared printers and the customer database

We want users in the employee and guest networks to be able to access the shared services, but we do not want any traffic to be exchanged between the employee and guest networks. Similarly, we do not want any traffic that originates in the shared services network to enter into either the employee network or the guest network. The following figure illustrates this scenario:

In this figure:

  • VPN 1 is the guest network used for PoS services.

  • VPN 2 is the network used by the enterprise's employees.

  • VPN 3 contains the shared services, including printers and customer databases.

The configuration consists of three sections:

  • Define the zones.

  • Define the zone-based firewall policy.

  • Apply the zone-based firewall policy to a source zone and destination zone pair.

CLI Configuration

First, we define the zones for this scenario:

vEdge(config)# policy
vEdge(config-policy)# zone pos-zone vpn 1
vEdge(config-policy)# zone employee-zone vpn 2
vEdge(config-policy)# zone services-zone vpn 3

In this simple example, each zone corresponds to a single VPN. If you were to later add a second VPN for a discrete group of employees (let's say this is VPN 20) and you wanted this VPN to be subject to the same firewall policy, you could simply add this VPN to the employee zone: 

vEdge(config-policy)# zone employee-zone vpn 20
vEdge(config-policy)# show full-configuration
policy zone employee-zone
  vpn 2
  vpn 20
 !
!

Next, we configure the zone-based firewall policy. The policy matches all traffic that is destined for VPN 3, which is the services zone, and which has an IP prefix of 10.2.2.0/24. Because we want the policy to allow traffic to flow from VPN 1 and VPN 2 to VPN 3, but we do not want traffic to flow in the reverse direction, we set the action to pass. 

vEdge(config-policy)# zone-based-policy vpn-isolation-policy(config-zone-based-policy)# sequence 10(config-sequence)# match destination-ip 10.2.2.0/24
vEdge(config-sequence)# action pass

We want to drop any traffic that does not match the zone-based filrewall policy:

vEdge(config-zone-based-policy)# default-action drop

In the final step of the configuration process, we apply the zone-based firewall policy to the zones. Here is the zone pairing between the guest and PoS zone and the services zone: 

vEdge(config-policy)# zone-pair pos-services-pairing
vEdge(config-zone-pair)# source-zone pos-zone
vEdge(config-zone-pair)# destination-zone services-zone
vEdge(config-zone-pair)# zone-policy vpn-isolation-policy

And here is the pairing between the employee zone and the services zone:

vEdge(config-policy)# zone-pair employee-services-pairing
vEdge(config-zone-pair)# source-zone employee-zone
vEdge(config-zone-pair)# destination-zone services-zone
vEdge(config-zone-pair)# zone-pair employee-services-pairing

Here is a view of the entire policy:

vEdge(config-policy)# show full-configuration
 policy
 zone employee-zone
  vpn 2 
! zone pos-zone
  vpn 1
 ! zone services-zone
  vpn 3 
! 
zone-pair employee-services-pairing
  source-zone      employee-zone
  destination-zone services-zone
  zone-policy      vpn-isolation-policy
 ! 
zone-pair services-pairing
  source-zone      pos-zone
  destination-zone services-zone
  zone-policy      vpn-isolation-policy
 ! 
zone-based-policy vpn-isolation-policy
  sequence 10
   match 
   destination-ip 10.2.2.0/24 
  !
   action pass 
  !  
! 
 default-action drop 
!
!

vManage Configuration

To configure this zone-based firewall policy in vManage NMS:

  1. Select Configuration > Security.

  2. Click Add Policy. The zone-based firewall configuration wizard opens.

Configure data prefix groups and zones in the Create Groups of Interest screen:

  1. In the left pane, select Data Prefix.

  2. In the right pane, click New Data Prefix List.

  3. Enter a name for the list.

  4. Enter the data prefix or prefixes to include in the list.

  5. Click Add.

Configure zones in the Create Groups of Interest screen:

  1. In the left pane, select Zones.

  2. In the right pane, click New Zone List.

  3. Enter a name for the list.

  4. Enter the number of the zone or zones to include in the list. Separate numbers with a comma.

  5. Click Add.

  6. Click Next to move to Zone-Based Firewall in the zone-based firewall configuration wizard.

Configure zone-based firewall policies:

  1. Click Add Configuration, and select Create New.

  2. Enter a name and description for the policy.

  3. In the left pane, click Add Sequence.

  4. In the right pane, click Add Sequence Rule.

  5. Select the desired match and action conditions.

  6. Click Same Match and Actions.

  7. In the left pane, click Default Action.

  8. Select the desired default action.

  9. Click Save Zone-Based Policy.

Click Next to move to the Apply Configuration in the zone-based firewall configuration wizard.

  1. Enter a name and description for the zone-based firewall zone pair.

  2. Click Add Zone Pair.

  3. In the Source Zone drop-down, select the zone from which data traffic originates.

  4. In the Destination Zone drop-down, select the zone to which data traffic is sent.

  5. Click Add.

  6. Click Save Policy. The Configuration > Security screen is then displayed, and the zone-based firewalls table includes the newly created policy.