Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Firewall Policy Examples

 

This topic provides information on how firewall policy intents that you define as part of your firewall policy is handled by Contrail Service Orchestration (CSO), using various examples. Each of the examples provide detailed explanation about how a firewall policy intent defined through the CSO GUI resolves into configuration in the system.

Note

For more information, see Firewall Policy Overview and Creating Firewall Policy Intents.

For easier understanding, all the examples have been defined to use the topology in illustrated in Figure 1. In this topology, there are two sites—site A and site B. Each site has two departments defined as follows:

  • Site A - IT (LAN segment LS1) and Finance (LAN segment LS2).

  • Site B - Finance (LAN segment LS3) and Sales (LAN segment LS4).

Figure 1: Topology Diagram
Topology Diagram

The following definitions are applicable to all the examples:

  • While creating a site, you can designate some of the WAN interfaces to be breakout interfaces. These WAN interfaces can carry both site-to-site traffic (through the trust zone) and breakout traffic (through the untrust zone). The WAN interfaces can also be designated exclusively for carrying breakout traffic.

  • A trust zone refers to the overlay interface that contains all the GRE tunnel interfaces, such as gr-0/0/0.1, gr-0/0/0.2, and IPSec interfaces, such as st0.1, st0.2 created between the sites.

  • An untrust zone refers to the underlay interfaces (underlying physical interfaces) such as ge-0/0/0, ge-0/0/1.

  • If you select an address or a service as a destination endpoint, CSO considers it as an address or service hosted on the Internet, unless the selected address or service is associated with a site.

  • Table 1 captures the addresses associated with the LAN segments used in the topology illustrated in Figure 1.

    Table 1: LAN Segments Definition

    Site

    Department

    LAN Segment

    LAN Segment Address

    site A

    IT

    LS1

    192.0.2.0/24

    site A

    Finance

    LS2

    192.168.1.0/24

    site B

    Finance

    LS3

    198.51.100.0/24

    site B

    Sales

    LS4

    203.0.113.0/24

The following examples help you understand the creation of intent-based firewall policies for various traffic scenarios across sources and destinations.

Example 1: Firewall Policy that Permits Traffic from Departments in Site A to the Departments in Site B

Define a firewall policy that permits traffic from the departments in site A to the departments in site B.

Table 2 shows the firewall policy intent that is defined:

Table 2: Firewall Policy Intent Definition for Example - 1

Source

Destination

Action

site A

site B

Permit

Table 3 shows how this firewall policy intent is resolved:

Table 3: Firewall Policy Intent Resolution for Example - 1

Site

Source Department

Source Address

Zone

Destination Address

Service

Intent Created

site A

Finance

[LS2]

Trust

[LS3, LS4]

Any

Intent 1__0

IT

[LS1]

Trust

[LS3, LS4]

Any

Intent 1__1

site B

Trust

[LS3, LS4]

Sales

[LS2]

Any

Intent 1__0

Trust

[LS3, LS4]

Finance

[LS1]

Any

Intent 1__1

Configuration Output Sample

Sample of configuration that permits traffic from departments in site A to the departments in site B.

The hierarchy level for the following configuration sample is [edit security policies].

Sample of configuration that permits traffic from departments in site B to the departments in site A.

The hierarchy level for the following configuration sample is [edit security policies].

Example 2: Firewall Policy that Permits Internet Access for all Departments in Site A and Site B

Define a firewall policy that permits all the department in site A and site B access to Internet.

Table 4 shows the firewall policy intent that is defined:

Table 4: Firewall Policy Intent Definition for Example - 2

Source

Destination

Action

site A

http, https, icmp-ping, dns

Permit

site B

http, https, icmp-ping, dns

Permit

Table 5 shows how this firewall policy intent is resolved:

Table 5: Firewall Policy Intent Resolution for Example - 2

Site

Source Department

Source Address

Zone

Destination Address

Service

Intent Created

site A

Finance

[LS2]

Untrust

Any

http, https, icmp-ping, dns

Intent 1__0

IT

[LSI]

Untrust

Any

http, https, icmp-ping, dns

Intent 1__1

site B

Sales

[LS4]

Untrust

Any

http, https, icmp-ping, dns

Intent 1__0

Finance

[LS3]

Untrust

Any

http, https, icmp-ping, dns

Intent 1__1

Configuration Output Sample

Sample of configuration that permits Internet access to all departments in site A.

The hierarchy level for the following configuration sample is [edit security policies].

Sample of configuration that permits Internet access to all departments in site B.

The hierarchy level for the following configuration sample is [edit security policies].

Example 3: Firewall Policy that Permits Any Public Internet Address to Access the Sales Department in Site B

Define a firewall policy that permits any public Internet address access to a sales application hosted by the Sales department in site B.

Note

For this example, breakout is not enabled and MPLS link type is used.

Table 6 shows the firewall policy intent that is defined:

Table 6: Firewall Policy Intent Definition for Example - 3

Source

Destination

Action

Internet

Sales, site B

Permit

Table 7 shows how this firewall policy intent is resolved:

Table 7: Firewall Policy Intent Resolution for Example - 3

Source Address

Zone

Destination Address

Service

Intent Created

Any public Internet address

Trust to Sales (No breakout)

[LS4]

Any

Intent 1__0

Configuration Output Example

Sample of configuration that permits any public Internet address to access the Sales department in site B.

The hierarchy level for the following configuration sample is [edit security policies].

Example 4: Firewall Policy that Permits Social Media Access to all Departments in Site A

Define a firewall policy that permits all departments in site A access to Facebook.

Table 8 shows the firewall policy intent that is defined:

Table 8: Firewall Policy Intent Definition for Example - 4

Source

Destination

Action

site A

Facebook

Permit

Table 9 shows how this firewall policy intent is resolved:

Table 9: Firewall Policy Intent Resolution for Example - 4

Site

Source Address

Zone

Destination Address

Service

Intent Created

Application Firewall Profile

site A

[LS2]

Untrust

Facebook

Any

Intent 1__0

AppFwProfile_0

site A

[LS1]

Untrust

Facebook

Any

Intent 1__1

AppFwProfile_0

Configuration Output Example

Sample of configuration that controls access to Facebook for site A.

The hierarchy level for the following configuration sample is [edit security policies].

The hierarchy level for the following configuration sample is [edit security application-firewall].

Example 5: Firewall Policy that Controls Access to Specific Applications for Various Departments

Define a firewall policy that controls access to specific applications from various departments, with the following intents:

  • The finance departments located in site A and site B (which are in different geographical locations) are permitted to access the news applications BBC and CNN.

  • The IT department located in site A is denied access to the news applications BBC and CNN.

  • Access to Telnet and SSH applications is given only to the finance departments.

  • Access to Telnet and SSH applications is denied to all departments, except for the finance department.

Table 10 shows the firewall policy intents that are to fulfil this requirement:

Table 10: Firewall Policy Intent Definition for Example - 5

Source

Destination

Action

Finance department, site A and Finance department, site B

BBC and CNN

Permit

IT department, site A

BBC and CNN

Deny

Finance department, site A and Finance department, site B

Telnet and SSH

Permit

Any (All addresses except the finance department)

Telnet and SSH

Deny

Note

The number of intents depends on the number of source sites within the given department and the number of destination sites.

Table 11 shows how this firewall policy intent is resolved:

Table 11: Firewall Policy Intent Resolution for Example - 5

Source Department

Source Address

Zone

Destination Address

Service

Application Firewall Profile

Finance

[LS2]

Trust/Untrust

Any

Any

AppFwProfile_1

Permit: CNN/BBC

Def. Rule : Permit

Finance

[LS3]

Trust/Untrust

Any

Any

AppFwProfile_1

Permit: CNN/BBC

Def. Rule : Permit

IT

[LS1]

Trust/Untrust

Any

Any

AppFwProfile_3

Deny: CNN/BBC

Def. Rule : Deny

Finance department, site A and Finance department, site B

[LS2, LS3]

Trust/Untrust

Any

Telnet, SSH

AppFwProfile_1-1

Permit: Telnet/SSH

Def. Rule : Deny

IT department, site A

[LS1]

Trust/Untrust

Any

Telnet, SSH

AppFwProfile_3-1

Deny: Telnet/SSH

Def. Rule : Deny

Configuration Output Example

Sample of configuration that controls access to specific applications for various departments in site A.

The hierarchy level for the following configuration sample is [edit security policies].

The hierarchy level for the following configuration sample is [edit security application-firewall].

Sample of configuration that controls access to specific applications for various departments in site B.

The hierarchy level for the following configuration sample is [edit security policies].

The hierarchy level for the following configuration sample is [edit security application-firewall].

Example 6: Firewall Policy that Denies Access to Social Networking Sites

Define a firewall policy that denies access to networking sites such as Facebook and Twitter (defined as application group Social Networking) to the IT and finance departments located in Site A.

Table 12 shows the firewall policy intent that is needed to fulfil this requirement:

Table 12: Firewall Policy Intent Definition for Example - 6

Source

Destination

Action

IT and Finance, site A

Application group Social Networking (Facebook and Twitter)

Deny

Note

Add site A if the IT or finance departments are present in different sites, but you only want to apply this firewall policy intent to the IT or finance departments present in site A.

Table 13 shows how this firewall policy intent is resolved:

Table 13: Firewall Policy Intent Resolution for Example - 6

Source Department

Source Address

Zone

Destination Address

Service

Application Firewall Profile

Finance

[LS2]

Trust/Untrust

Any

Any

AppFwProfile_0

Deny: Social Networking (Apps)

Def. Rule : Deny

IT

[LS1]

Trust/Untrust

Any

Any

AppFwProfile_1

Deny: Social Networking (Apps)

Def. Rule : Deny

Configuration Output Example

Sample of configuration that denies access to social networking sites for departments in site A.

The hierarchy level for the following configuration sample is [edit security policies].

The hierarchy level for the following configuration sample is [edit security application-firewall].

Example 7: Firewall Policy that Controls Access to an Address over the Internet (HTTP)

Define a firewall policy that controls access to an address over the Internet (HTTP) for various sites or site groups with the following intents:

  • IP address prefix of site A and site B are permitted to access example.com.

  • IP address prefix of site group Q1 are denied access to example-one.com. Site group Q1 consists of site A and site B.

Table 14 shows the firewall policy intents that are needed to fulfil this requirement:

Table 14: Firewall Policy Intent Definition for Example - 7

Source

Service

Destination

Action

IP address prefix, site A and IP-Prefix, site B

HTTP

www.example.com

Permit

IP address prefix, site group Q1

HTTP

www.example-one.com

Deny

Table 15 shows how this firewall policy intent is resolved:

Table 15: Firewall Policy Intent Resolution for Example - 7

Source Department

Source Address

Zone

Destination Address

Service

Application Firewall Profile

IT, Finance departments in site A

[LS1, LS2]

Trust/Untrust

www.example.com

Any

AppFwProfile_0

Permit: HTTP

Def. Rule : Deny

Finance, Sales departments in site B

[LS3, LS4]

Trust/Untrust

www.example.com

Any

AppFwProfile_1

Permit: HTTP

Def. Rule : Deny

IT, Finance departments in site A

[LS1, LS2]

Trust/Untrust

www.example-one.com

Any

AppFwProfile_2

Deny: HTTP

Def. Rule : Deny

Finance, Sales departments in site B

[LS3, LS4]

Trust/Untrust

www.example-one.com

Any

AppFwProfile_3

Deny: HTTP

Def. Rule : Deny

Configuration Output Example

Sample of configuration that controls access to an address over the Internet (HTTP) for site A.

The hierarchy level for the following configuration sample is [edit security policies].

The hierarchy level for the following configuration sample is [edit security application-firewall].

Sample of configuration that controls access to an address over the Internet (HTTP) for site B.

The hierarchy level for the following configuration sample is [edit security policies].

The hierarchy level for the following configuration sample is [edit security application-firewall].

Example 8: Firewall Policy that Permits or Denies the Use of HTTP or FTP as a Service

Define a firewall policy where a specific IP address that belongs to the IT department is permitted or denied the use of HTTP or FTP as a service.

Table 16 shows the firewall policy intents that are needed to fulfil this requirement:

Table 16: Firewall Policy Intent Definition for Example - 8

Source

Service

Destination

Action

192.0.2.0

HTTP

example.com

Permit

192.0.2.0

FTP

example.com

Deny

Table 17 shows how this firewall policy intent is resolved:

Table 17: Firewall Policy Intent Resolution for Example - 8

Source Department

Source Address

Zone

Destination Address

Service

IT, site A

192.0.2.0

Trust/Untrust

example.com

FTP

IT, site A

192.0.2.0

Trust/Untrust

example.com

HTTP

Configuration Output Example

Sample of configuration that allows access to HTTP

The hierarchy level for the following configuration sample is [edit security policies].

Example 9: Firewall Policy that Denies Access to BitTorrent to the Finance Departments across both Site A and Site B

Define a firewall policy that denies access to BitTorrent for the Finance departments in site A and Site B.

Table 18 shows the firewall policy intents that are needed to fulfil this requirement:

Table 18: Firewall Policy Intent Definition for Example - 9

Source

Destination

Action

site A, Finance department

BitTorrent

Deny

site B, Finance department

BitTorrent

Deny

Table 19 shows how this firewall policy intent is resolved:

Table 19: Firewall Policy Intent Resolution for Example - 9

Site

Source Address

Zone

Destination Application

Service

Application Firewall Profile

Finance department, site A

[LS2]

Trust/Untrust

BitTorrent

Any

AppFwProfile_0

Deny: BitTorrent

Def. Rule : Deny

Finance department, site B

[LS3]

Trust/Untrust

BitTorrent

Any

AppFwProfile_0

Deny: BitTorrent

Def. Rule : Deny

Configuration Output Example

Sample of configuration that allows site A access to BitTorrent.

The hierarchy level for the following configuration sample is [edit security policies].

The hierarchy level for the following configuration sample is [edit security application-firewall].

Sample of configuration that allows site B to access to BitTorrent.

The hierarchy level for the following configuration sample is [edit security policies].

The hierarchy level for the following configuration sample is [edit security application-firewall].

Example 10: Firewall Policy that Allows Access to Facebook for Users in User Group A

Define a firewall policy where the users that are a part of user group A are provided access only to Facebook, and no other applications. User group A consists of users located in site A.

Table 20 shows the firewall policy intent that is needed to fulfil this requirement:

Table 20: Firewall Policy Intent Definition for Example - 10

Source

Destination

Action

user group A, site A

Facebook

Permit

Table 21 shows how this firewall policy intent is resolved:

Table 21: Firewall Policy Intent Resolution for Example - 10

Site

User/User Group

Source Address Range

Destination Address

Application

site A

user group A

192.0.2.0 to 192.0.2.20

Any

Facebook

Configuration Output Example

Sample of configuration that allows users in user group A access to Facebook.

The hierarchy level for the following configuration sample is [edit security policies].

The hierarchy level for the following configuration sample is [edit security application-firewall].

The hierarchy level for the following configuration sample is [edit services user-identification identity-management].

Example 11: Firewall Policy that Permits User B in Site A Access to YouTube with UTM Enabled

Define a firewall policy where the User B located in Site A is provided access only to YouTube with UTM enabled. The user does not have permission to access any other applications.

Table 22 shows the firewall policy intent that is needed to fulfil this requirement:

Table 22: Firewall Policy Intent Definition for Example - 11

Source

Destination

Action

user B, site A

YouTube

Permit

Table 23 shows how this firewall policy intent is resolved:

Table 23: Firewall Policy Intent Resolution for Example - 11

Site

Source Address

User/User Group

Destination Address

UTM

Application

site A

192.0.2.22

user B

Any

Enabled

Facebook

Configuration Output Example

Sample of configuration that allows user B in site A access to YouTube, with UTM enabled.

The hierarchy level for the following configuration sample is [edit security policies].

The hierarchy level for the following configuration sample is [edit security utm].

The hierarchy level for the following configuration sample is [edit security application-firewall].

The hierarchy level for the following configuration sample is [edit services user-identification identity-management].