IWAN design guide for Firewall on the remote branch routers

carl_townshend · ‎01-16-2018

Hi All

I cannot see any info on the IWAN design guide around using a zone based firewall on the branch Internet routers.

Does anyone have any info, or best practice for implementing rules on this?

For example, if I have 20 branches that will use the dmvpn site to site, would you have to add all the individual ip addresses of each branch? or would you just allow the IPSEC protocols from anywhere to each router etc?

Many thanks

Carl

Francesco Molino · ‎01-16-2018

Hi

Yes you can do zbf with dmvpn on hub and spoke and I highly recommend that.
In terms of best practice is to have the tunnel interface on a dmvpn zone and not in the same zone as the inside interface.
Then in terms of rules, it's based on your business traffic but i will allow icmp to be able to do some tests (you can filter source and destination for icmp).
In terms of IPSEC, it depends on the security level you want versus the management effort.
I mean that if you don't want to manage public IPs that are allowed to build an ipsec tunnel, then go with any to any. Personally i always convince customers to create an object group which has all public IPs that are allowed to build ipsec tunnel.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question