Contrail Service Orchestration (CSO) provides the ability to create, modify, and delete firewall policy intents associated with a firewall policy. Firewall policies are presented as intent-based policies. A firewall policy intent controls transit traffic within a context that is derived from the endpoints defined in the intent. Intent-based firewall policies can incorporate both transport layer (Layer 4) and application layer (Layer 7) firewall constructs in a single intent. The underlying system automatically analyzes the intent and translates it into the set of rules that the devices understand. The choice of rule sequence and the assignment of rules to devices happen implicitly, based on the endpoints in the intent definition. An intent consists of source and destination endpoints. Endpoints can be applications (L7), sites or site groups, IP addresses or address groups, services, or departments.
Note
Starting from CSO Release 5.0.1, if a device (CPE or next-generation firewall) is running Junos OS Release 18.2R1 or later, a firewall policy acts as a unified firewall policy. In a unified firewall policy, dynamic application can be used as a match condition along with the existing match conditions. Therefore, a separate application firewall is not configured on the device to allow or block traffic to an application.
However, if the device is running a version earlier than Junos OS Release 18.2R1, the firewall policy does not act as a unified firewall policy, and application firewalls continue to be configured on the device.
See Unified Security Policies for information about unified firewall policies.
Firewall policies provide security functionality by enforcing intents on traffic that passes through a device. Traffic is permitted or denied based on the action defined as the firewall policy intent.
A firewall policy provides the following features:
Permits, rejects, or denies traffic based on the application in use.
Identifies not only HTTP but also any application running on top of it, enabling you to properly enforce policies. For example, an application firewall intent could block HTTP traffic from Facebook but allow Web access to HTTP traffic from Microsoft Outlook.
Provides the ability to enable advanced security protection by specifying one or more of the following:
Unified threat management (UTM) profile
SSL proxy profile
Intrusion prevention system (IPS) profile
In CSO, intents are categorized as zone-based intents and enterprise-based intents.
Zone-based intents are intents with zones as source and destination endpoints. The policies with zone-based intents can be applied to SD-WAN sites and next-generation firewall sites. The parameters that you can define for zone-based intents are listed in Table 156.
Table 156: Zone-based intents
Source Endpoints | Destination Endpoints | Advanced Security Options | Supported Options |
---|---|---|---|
Zones, Address, Users | Zones, Address, Service (L4 port/protocol), Applications (Dynamic Applications) | SSL Proxy Profile, UTM Profile, IPS Profile | Scheduler, Logging |
Note
You cannot select a department or site as an endpoint in zone-based intents. The sites assigned to the policy are applicable for zone-based intents and are automatically considered for deployment.
Enterprise-based intents are intents that contain sites, site groups, departments, or addresses as source and destination endpoints. Firewall policies with enterprise-based intents can be applied only to SD-WAN sites. The parameters that you can define for enterprise-based intents are listed in Table 157.
Table 157: Enterprise-based intents
Source Endpoints | Destination Endpoints | Advanced Security Options | Supported Options |
---|---|---|---|
Sites, Site-groups, Departments, Addresses, Users | Sites, Site-groups, Departments, Addresses, Users, Service/Applications | UTM Profile, IPS Profile | Scheduler, Logging |
Note
Zones cannot be selected as source or destination endpoints for enterprise-based intents.
Intents added in CSO Release 4.1 and earlier are now called enterprise-based intents.
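The following is an added example, not code from CSO or Juniper, that models the intent rules described in Tables 156 and 157 and the unified-policy note above as a small validator. It classifies an intent as zone-based or enterprise-based, checks that its endpoints and advanced security options are permitted for that category (zones are not allowed in enterprise-based intents, departments and sites are not allowed in zone-based intents, the SSL proxy profile is available only for zone-based intents, enterprise-based intents deploy only to SD-WAN sites), and decides from the Junos OS version whether a dynamic-application match is handled by a unified policy or by a separate application firewall. The endpoint kind names, the `Intent` and `Endpoint` classes, the `site_type` values, and the sample intents are all assumptions made for this example; the classification of an intent with no zone endpoint as enterprise-based is also an assumption.

```python
from dataclasses import dataclass, field
import re

# Endpoint kinds permitted per intent category, taken from Tables 156 and 157.
# The kind labels themselves are constructed for this example.
ZONE_SRC = {"zone", "address", "user"}
ZONE_DST = {"zone", "address", "service", "application"}
ZONE_ADV = {"ssl-proxy", "utm", "ips"}
ENT_SRC = {"site", "site-group", "department", "address", "user"}
ENT_DST = {"site", "site-group", "department", "address", "user", "service", "application"}
ENT_ADV = {"utm", "ips"}


@dataclass
class Endpoint:
    kind: str   # one of the kind labels above (assumed naming)
    name: str   # object name, e.g. a zone or address-group name


@dataclass
class Intent:
    name: str
    sources: list
    destinations: list
    action: str                       # "permit", "reject" or "deny"
    advanced: set = field(default_factory=set)
    site_type: str = "sd-wan"         # "sd-wan" or "ngfw" (assumed labels)


def intent_category(intent):
    """Zone-based if any endpoint is a zone; otherwise treated as enterprise-based (assumption)."""
    kinds = {ep.kind for ep in intent.sources + intent.destinations}
    return "zone-based" if "zone" in kinds else "enterprise-based"


def validate_intent(intent):
    """Return (category, list_of_errors); an empty list means the intent is consistent with its table."""
    category = intent_category(intent)
    src_ok, dst_ok, adv_ok = (
        (ZONE_SRC, ZONE_DST, ZONE_ADV) if category == "zone-based" else (ENT_SRC, ENT_DST, ENT_ADV)
    )
    errors = []
    for ep in intent.sources:
        if ep.kind not in src_ok:
            errors.append(f"source '{ep.name}' ({ep.kind}) is not allowed in a {category} intent")
    for ep in intent.destinations:
        if ep.kind not in dst_ok:
            errors.append(f"destination '{ep.name}' ({ep.kind}) is not allowed in a {category} intent")
    for opt in sorted(intent.advanced):
        if opt not in adv_ok:
            errors.append(f"advanced option '{opt}' is not available for a {category} intent")
    if category == "enterprise-based" and intent.site_type != "sd-wan":
        errors.append("enterprise-based intents can be applied only to SD-WAN sites")
    if intent.action not in {"permit", "reject", "deny"}:
        errors.append(f"unknown action '{intent.action}'")
    return category, errors


def is_unified_policy(junos_version):
    """True when the device runs Junos OS 18.2R1 or later (18.2R1 is the first 18.2 release)."""
    m = re.match(r"(\d+)\.(\d+)", junos_version)
    if not m:
        raise ValueError(f"unrecognised Junos version string: {junos_version!r}")
    return (int(m.group(1)), int(m.group(2))) >= (18, 2)


def application_enforcement(intent, junos_version):
    """How a dynamic-application endpoint in this intent is enforced on the given device."""
    uses_app = any(ep.kind == "application" for ep in intent.destinations)
    if not uses_app:
        return "none"
    return "unified-policy" if is_unified_policy(junos_version) else "application-firewall"


if __name__ == "__main__":
    # Constructed sample intents for demonstration.
    web = Intent("block-web-app", [Endpoint("zone", "trust")],
                 [Endpoint("zone", "untrust"), Endpoint("application", "sample-web-app")],
                 "deny", {"ssl-proxy", "ips"}, "ngfw")
    hr = Intent("hr-to-dc", [Endpoint("department", "HR")],
                [Endpoint("zone", "dc")], "permit", {"ssl-proxy"})
    for it in (web, hr):
        print(it.name, validate_intent(it), application_enforcement(it, "18.4R2"))
```

Run the module directly to see the two sample intents checked; the first passes as a zone-based intent, the second fails because a department cannot be mixed into a zone-based intent and the SSL proxy profile is only available for zone-based intents, which the zone in its destination makes it.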