03-03-2022 01:29 AM
I work at the service desk and I'm just curious about this.
We get a lot of firewall opening requests that we pass to the network team responsible for the firewalls in the DC. I look at the forms, and sometimes it's traffic from/to some server in the DC, which makes sense, but sometimes it's just a request to open traffic from a branch office server to some Amazon services on the internet.
Why does such a thing need an opening on the firewall in the data center? I guess the traffic goes through there, but why? I don't get why it can't go directly from the branch office to the internet, and this really annoys me.
If someone can explain, that would be really great!!
03-03-2022 01:36 AM
Hi there,
It is a common WAN architecture to have all branch sites connected to a central location (typically a Data Center) via MPLS or VPN carried over the public internet. Since a branch site will most likely be accessing resources located in the DC, this makes sense.
Regarding accessing the internet from a branch office, in the interest of security and policy enforcement it makes sense both logically and economically to do this at a single location instead of at each branch site. This is why internet bound traffic will be routed via your DC before reaching the internet.
cheers,
Seb.
03-03-2022 02:53 AM
This is common security practice: open ports where required, to protect the network.
So we do this kind of work on a day-to-day basis. The major requests come when a new build or new service goes on, and they need to contact other servers.
By default, FW rules are deny any any.
03-03-2022 03:12 AM
If the branch does have a FW and the DC advertises a default route toward the branch, this makes the branch send data to the FW of the DC, and the FW resends it to the internet.
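The two answers above fit together: the branch only has the default route the DC advertises, so internet-bound traffic lands on the DC firewall, and that firewall denies anything without an explicit rule. The small simulation below is an added example, not code from this thread; the addresses, route table and firewall rule are constructed.

```python
import ipaddress

# Constructed branch routing table: (prefix, next hop). The only default
# route is the one learned from the DC over the MPLS/VPN link.
BRANCH_ROUTES = [
    ("10.10.0.0/16", "local"),   # branch LAN, directly connected
    ("10.0.0.0/8",   "dc-wan"),  # corporate address space reachable via DC
    ("0.0.0.0/0",    "dc-wan"),  # default route advertised by the DC
]

# Constructed DC firewall policy: explicit allows only, everything else denied.
DC_FW_RULES = [
    {"src": "10.10.5.0/24", "dst": "52.95.0.0/16", "dport": 443},
]

def next_hop(dst, routes=BRANCH_ROUTES):
    """Longest-prefix match: the most specific route containing dst wins."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in routes
               if ip in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def dc_firewall(src, dst, dport, rules=DC_FW_RULES):
    """Default-deny policy: 'allow' only when an explicit rule matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r["src"])
                and d in ipaddress.ip_network(r["dst"])
                and dport == r["dport"]):
            return "allow"
    return "deny"

def branch_flow(src, dst, dport):
    """Trace a flow from a branch host: where it is sent and the DC FW verdict."""
    hop = next_hop(dst)
    if hop == "local":
        return ("local", "n/a")  # stays inside the branch, never reaches the DC
    return (hop, dc_firewall(src, dst, dport))

if __name__ == "__main__":
    # A branch host reaching an internet service: routed to the DC, then
    # allowed only because a matching rule was opened on the DC firewall.
    print(branch_flow("10.10.5.20", "52.95.1.1", 443))
    print(branch_flow("10.10.5.20", "52.95.1.1", 80))
```

Removing the single rule in DC_FW_RULES is exactly the situation behind the request forms: the route still sends the flow to the DC, but the default-deny policy drops it until the network team adds an allow.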