Consultation on Internet Firewall Policy in SDWAN Network

In the SD-WAN network, in addition to allowing the edge and controller communication ports to establish tunnels on the Internet firewall, do you also need to allow the client ports on the user's LAN side, such as FTP client ports?

Accepted Solution

mohspate
Cisco Employee

Hi, 

The previous post noted that the routers at SITE A and SITE B will create an SD-WAN IPsec tunnel automatically. In addition, the Cisco SD-WAN router must establish DTLS or TLS tunnels with the SD-WAN controllers on the designated ports specified in the following link; this needs to be allowed on the firewall in front of the SITE A router.

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/ios-xe-17/security-book-xe/configure-security-param.html

If you need to manage traffic between two SD-WAN routers, you can activate ZBFW or enterprise firewall to regulate traffic that moves through the same VPN.

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/sdwan-firewall-compliance-deploy-guide-2020sep.pdf

Br,

Mohseen

5 Replies

Hi @haininghuang3185 

It will depend on where the client is communicating to and whether there is a firewall in between. SD-WAN routers have a built-in firewall (ZBFW), but you need to configure it. By default they will not block the traffic.

The following is the topology diagram. I want to know whether the Internet FW needs to permit the addresses of the user clients on the LAN side. From what I have read, SD-WAN traffic is encrypted with IPsec and is only decrypted by the SD-WAN router at the other end, so it should be impossible for the Internet FW to decrypt the data packets. Is it therefore only necessary to open the communication ports between the Edge and the controllers on the Internet FW?

[Topology diagram attached in the original post]

Yes, this firewall will see only encrypted packets. As far as I know, it is not necessary to open the communication on the Edge. Communication between user applications should work without problems unless some access list has been applied.

There are infinite possibilities, but by default the cEdge should only route traffic based on Layer 3 information, and the encrypted tunnel is only a secure path to build the control plane.

Once the tunnel is established, you should be able to pass traffic over it without having to permit or deny anything if you don't want to.

As I mentioned before, the cEdge comes with a built-in firewall, but you need to configure it first.

Hi,

1) Site A router TLOC interface should reach the controllers => you should allow this traffic

2) Site A router TLOC interface should reach the Site B router TLOC interface => you should allow this traffic

3) Where do you configure NAT for Site A users' Internet access? If you do NAT on the router and the users use the router IP for the Internet => you should allow this traffic

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
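Worked example added to this thread (it is not from the original posts, nor Cisco's own code): a small Python model of the three rules listed in the reply above, evaluated on the headers the Internet firewall can actually see. It shows why a LAN-side FTP client never appears in the perimeter policy (the edge wraps the client's packet in an IPsec-in-UDP tunnel between the two TLOC addresses before it reaches the firewall) and the one case where a LAN user does show up: Internet-bound traffic NATed to the router's transport address. The TLOC and controller addresses, the LAN prefixes, and the port ranges (UDP 12346-12445 for DTLS/IPsec with port hopping, TCP 23456-23556 for TLS) are assumptions for this illustration; confirm the exact ports against the Cisco security-parameters document linked in the accepted solution before writing real rules.

```python
"""Model of an Internet firewall in front of a Cisco SD-WAN edge (added example).

All addresses and port ranges below are assumptions for illustration, not taken
from the thread or from Cisco documentation; verify ports against the linked
Cisco document before using them in a real policy.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Set, Tuple

SITE_A_TLOC = "203.0.113.10"          # assumed Site A router transport (TLOC) address
SITE_B_TLOC = "198.51.100.20"         # assumed Site B router TLOC address
CONTROLLERS = {"192.0.2.5", "192.0.2.6", "192.0.2.7"}  # assumed vBond/vManage/vSmart
DTLS_IPSEC_UDP = range(12346, 12446)  # assumed: base 12346 plus port-hopping range
TLS_TCP = range(23456, 23557)         # assumed TLS control-connection range


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    sport: int
    dport: int


def encapsulate(inner: Packet, local_tloc: str, remote_tloc: str, port: int = 12346) -> Packet:
    """Return the outer header the Internet firewall sees once the edge has put a
    LAN packet into the SD-WAN IPsec tunnel. The inner header is encrypted and is
    deliberately not carried along: the firewall cannot match on it."""
    return Packet(local_tloc, remote_tloc, "udp", port, port)


def nat_translate(pkt: Packet, nat_ip: str) -> Packet:
    """Source NAT performed on the edge for direct Internet access (rule 3)."""
    return Packet(nat_ip, pkt.dst, pkt.proto, pkt.sport, pkt.dport)


def firewall_permits(pkt: Packet, nat_pool: Optional[Set[str]] = None) -> Tuple[bool, str]:
    """Evaluate the three rules from the thread on the initiating direction only;
    a stateful firewall is assumed to allow the return traffic of permitted flows."""
    # Rule 1: edge TLOC -> controllers, DTLS (UDP) or TLS (TCP)
    if pkt.src == SITE_A_TLOC and pkt.dst in CONTROLLERS:
        if pkt.proto == "udp" and pkt.dport in DTLS_IPSEC_UDP:
            return True, "rule1-controller-dtls"
        if pkt.proto == "tcp" and pkt.dport in TLS_TCP:
            return True, "rule1-controller-tls"
    # Rule 2: TLOC <-> TLOC data plane (IPsec carried in UDP)
    if {pkt.src, pkt.dst} == {SITE_A_TLOC, SITE_B_TLOC} and pkt.proto == "udp" \
            and pkt.dport in DTLS_IPSEC_UDP:
        return True, "rule2-tloc-to-tloc"
    # Rule 3: NATed user traffic to the Internet, sourced from the router's address
    if nat_pool and pkt.src in nat_pool and not ip_address(pkt.dst).is_private:
        return True, "rule3-nat-internet"
    return False, "default-deny"


def ftp_over_sdwan(client_ip: str = "10.1.0.50", server_ip: str = "10.2.0.21"):
    """A Site A LAN client opening an FTP control connection to a Site B server.
    Returns the verdict on the raw client packet and on what the firewall really sees."""
    inner = Packet(client_ip, server_ip, "tcp", 51000, 21)     # constructed sample flow
    outer = encapsulate(inner, SITE_A_TLOC, SITE_B_TLOC)
    return firewall_permits(inner), firewall_permits(outer)


if __name__ == "__main__":
    print("FTP client, inner vs outer:", ftp_over_sdwan())
    web = Packet("10.1.0.50", "93.184.216.34", "tcp", 51001, 443)   # constructed
    print("LAN host direct to Internet:", firewall_permits(web))
    print("Same flow after NAT on edge:",
          firewall_permits(nat_translate(web, SITE_A_TLOC), {SITE_A_TLOC}))
```

The inner FTP packet is never evaluated by the perimeter firewall, so no LAN-side client or FTP port needs a rule there; only the TLOC-to-TLOC UDP flow does. Filtering the FTP session itself is a job for the ZBFW on the edge, which sees the decrypted packet.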
