08-03-2023 02:04 AM
In the SD-WAN network, in addition to allowing the edge and controller communication ports to establish tunnels on the Internet firewall, do you also need to allow the client ports on the user's LAN side, such as FTP client ports?
08-06-2023 04:20 AM
Hi,
The previous post noted that the routers at SITE A and SITE B will create an SD-WAN IPsec tunnel automatically. In addition, the Cisco SD-WAN router must establish DTLS or TLS tunnels with the SD-WAN controllers on the designated ports specified in the following link; this needs to be allowed on the firewall in front of the SITE A router.
If you need to manage traffic between two SD-WAN routers, you can activate ZBFW or enterprise firewall to regulate traffic that moves through the same VPN.
Br,
Mohseen
08-03-2023 04:15 AM
It will depend on from where to where the client is communicating and whether there is a firewall in between. SD-WAN routers have a built-in firewall (ZBFW), but you need to configure it. By default they will not block the traffic.
08-03-2023 04:23 AM
The following is the topology diagram. I want to know whether the Internet FW needs to pass through the address of the user client on the LAN side. From the information I checked, SD-WAN traffic is encrypted by IPsec and is only decrypted by the SD-WAN router at the other end, so it should be impossible for the Internet FW to decrypt the data packets. So is it only necessary to open the communication ports between the Edge and the controller on the Internet FW?
08-03-2023 04:54 AM
Yes, this firewall will see only encrypted packets. As per my knowledge, it is not necessary to open the communication on the Edge. The communication between applications from users should work without problems unless an access list was applied.
There is an infinitude of possibilities, but by default the cEdge should only route traffic based on Layer 3 information, and the encrypted tunnel is only a secure path to build the control plane.
Once the tunnel is established, you should be able to pass traffic over it without having to permit or deny anything if you don't want to.
As I mentioned before, the cEdge comes with a built-in firewall, but you need to configure it first.
08-05-2023 12:59 PM
Hi,
1) Site A router TLOC interface should reach the controllers => you should allow this traffic
2) Site A router TLOC interface should reach the Site B router TLOC interface => you should allow this traffic
3) Where do you configure NAT for Site A users for internet access? If you do NAT on the router and users use the router's IP for the internet => you should allow this traffic
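As an added illustration of the three categories in this post (example code, not from the thread or from Cisco): a small Python model of what the Internet firewall in front of the Site A router actually sees for each kind of traffic. All addresses are constructed, and the base UDP port is an assumption to be confirmed against Cisco's port documentation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: all addresses are illustrative, not taken from the thread.
SITE_A_LAN = ip_network("10.1.0.0/16")
SITE_B_LAN = ip_network("10.2.0.0/16")
SITE_A_TLOC = "198.51.100.10"  # Site A router WAN-side (TLOC) address
SITE_B_TLOC = "203.0.113.20"   # Site B router WAN-side (TLOC) address
CONTROLLERS = {"192.0.2.1", "192.0.2.2", "192.0.2.3"}  # controllers (assumed)
# Assumed base UDP port for DTLS control and IPsec data; confirm against
# Cisco's published SD-WAN port list before writing real firewall rules.
SDWAN_UDP_PORT = 12346

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def outer_flow(inner, nat_on_router=True):
    """What the Internet firewall in front of the Site A router sees for a
    packet leaving Site A (None if it never crosses that firewall)."""
    src, dst = ip_address(inner.src), ip_address(inner.dst)
    if src in SITE_A_LAN and dst in SITE_B_LAN:
        # Site-to-site traffic rides the SD-WAN IPsec tunnel: only the
        # TLOC-to-TLOC UDP header is visible, client ports (e.g. FTP) are not.
        return Flow("udp", SITE_A_TLOC, SDWAN_UDP_PORT, SITE_B_TLOC, SDWAN_UDP_PORT)
    if inner.src == SITE_A_TLOC and inner.dst in CONTROLLERS:
        return inner  # control-plane DTLS/TLS from the TLOC to a controller
    if src in SITE_A_LAN:
        # Direct internet access: with NAT on the router the firewall sees the
        # router's WAN address as source, otherwise the user's LAN address.
        src_seen = SITE_A_TLOC if nat_on_router else inner.src
        return Flow(inner.proto, src_seen, inner.sport, inner.dst, inner.dport)
    return None

def required_permits(flows, nat_on_router=True):
    """Distinct (proto, src, dst, dport) tuples the Internet firewall must permit."""
    seen = (outer_flow(f, nat_on_router) for f in flows)
    return {(o.proto, o.src, o.dst, o.dport) for o in seen if o is not None}

# Constructed sample traffic: FTP to Site B, a controller session, web browsing.
SAMPLE = [
    Flow("tcp", "10.1.1.10", 40000, "10.2.2.20", 21),
    Flow("udp", SITE_A_TLOC, SDWAN_UDP_PORT, "192.0.2.1", SDWAN_UDP_PORT),
    Flow("tcp", "10.1.1.11", 51000, "8.8.8.8", 443),
]
```

Running `required_permits(SAMPLE)` yields only TLOC-to-controller, TLOC-to-TLOC and NAT'd internet rules; the FTP client's LAN address and port 21 never appear at the Internet firewall.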