
IWAN design guide for Firewall on the remote branch routers


Hi All

I cannot see any info in the IWAN design guide about using a zone-based firewall on the branch Internet routers.

Does anyone have any info, or best practice, for implementing rules on this?

For example, if I have 20 branches that will use the DMVPN site-to-site, would you have to add all the individual IP addresses of each branch? Or would you just allow the IPsec protocols from anywhere to each router, etc.?


Many thanks




Yes, you can do ZBF with DMVPN on hub and spoke, and I highly recommend that.
In terms of best practice, it is to have the tunnel interface in a DMVPN zone and not in the same zone as the inside interface.
Then, in terms of rules, it's based on your business traffic, but I will allow ICMP to be able to do some tests (you can filter source and destination for ICMP).
In terms of IPsec, it depends on the security level you want versus the management effort.
I mean that if you don't want to manage the public IPs that are allowed to build an IPsec tunnel, then go with any-to-any. Personally, I always convince customers to create an object group which has all the public IPs that are allowed to build an IPsec tunnel.
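As an added example (not from the original thread, and not Cisco's own IWAN guidance), here is a spoke-side ZBF layout that follows the reply above: the tunnel sits in its own DMVPN zone, ICMP is allowed in from the WAN for reachability tests, and IKE/ESP towards the router itself is restricted to an object group of peer public IPs instead of any-to-any. The interface names, zone/policy names and the 198.51.100.x peer addresses are assumptions chosen for the example.

```cisco
! Constructed example (placeholder addresses): IKE/ESP only from known peer public IPs
object-group network DMVPN-PEERS
 host 198.51.100.10
 host 198.51.100.11
ip access-list extended ACL-IPSEC-PEERS
 permit udp object-group DMVPN-PEERS any eq isakmp
 permit udp object-group DMVPN-PEERS any eq non500-isakmp
 permit esp object-group DMVPN-PEERS any
! The tunnel interface lives in its own zone, not in INSIDE
zone security INSIDE
zone security OUTSIDE
zone security DMVPN
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE
interface Tunnel10
 zone-member security DMVPN
! OUTSIDE -> self: only listed peers reach the router's IKE/IPsec stack
class-map type inspect match-any CM-IPSEC-PEERS
 match access-group name ACL-IPSEC-PEERS
policy-map type inspect PM-OUT-TO-SELF
 class type inspect CM-IPSEC-PEERS
  pass
 class class-default
  drop log
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-TO-SELF
! INSIDE -> DMVPN: stateful inspection of the branch's business traffic
class-map type inspect match-any CM-BUSINESS
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-IN-TO-DMVPN
 class type inspect CM-BUSINESS
  inspect
zone-pair security IN-TO-DMVPN source INSIDE destination DMVPN
 service-policy type inspect PM-IN-TO-DMVPN
! DMVPN -> INSIDE: only ICMP in, for reachability tests; everything else is dropped and logged
class-map type inspect match-any CM-ICMP
 match protocol icmp
policy-map type inspect PM-DMVPN-TO-IN
 class type inspect CM-ICMP
  inspect
 class class-default
  drop log
zone-pair security DMVPN-TO-IN source DMVPN destination INSIDE
 service-policy type inspect PM-DMVPN-TO-IN
```

Swapping `object-group DMVPN-PEERS` for `any` in ACL-IPSEC-PEERS gives the any-to-any variant the reply mentions; the trade-off is that every new peer address then has to be added to the object group on each spoke.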
