Firewall Policy Overview
Contrail Service Orchestration (CSO) provides the ability to create, modify, and delete firewall policy intents associated with a firewall policy. Firewall policies are presented as intent-based policies. A firewall policy intent controls transit traffic within a context that is derived out of the end-points defined in the intent. Intent-based firewall policies can incorporate both transport layer (Layer 4) and application layer (Layer 7) firewall constructs in a single intent. The underlying system, automatically analyzes the intent, translates them into the set of rules the devices understand. The choice of sequence and the assignment happens implicitly based on the endpoints in the intent definition. The intent consist of source and destination endpoints. Endpoints could be applications (L7), sites or site groups, IP address/address-groups, services, or departments.
Starting from CSO Release 5.0.1, if a device (CPE or next-generation firewall) is running Junos OS Release 18.2R1 or later, a firewall policy acts as a unified firewall policy. In a unified firewall policy, dynamic application can be used as a match condition along with the existing match conditions. Therefore, a separate application firewall is not configured on the device to allow or block traffic to an application.
However, If the device is running a version earlier than Junos OS Release 18.2R1, the firewall policy does not act as a unified firewall policy and application firewalls continue to be configured on the device.
See Unified Security Policies for information about unified firewall policies.
Firewall policies provide security functionality by enforcing intents on traffic that passes through a device. Traffic is permitted or denied based on the action defined as the firewall policy intent.
A firewall policy provides the following features:
Permits, rejects, or denies traffic based on the application in use.
Identifies not only HTTP but also any application running on top of it, enabling you to properly enforce policies. For example, an application firewall intent could block HTTP traffic from Facebook but allow Web access to HTTP traffic from Microsoft Outlook.
Provides the ability to enable advanced security protection by specifying one or more of the following:
Unified threat management (UTM) profile
SSL proxy profile
Intrusion prevention system (IPS) profile
In CSO, intents are categorized as zone-based intents and enterprise-based intents.
Zone-based-intents are intents with zones as source and destination endpoints. The policies with zone-based intents can be applied to SD-WAN sites and next-generation firewall sites. The parameters that you can define for zone-based intents are listed in Table 1.
Table 1: Zone-based intents
Source End Points
Destination End points
Advanced Security Options
Service (L4 port/protocol)
Applications (Dynamic Applications)
SSL Proxy Profile
You cannot select a department or site as an endpoint in zone-based intents. The sites assigned to the policy are applicable for zone-based intents and are automatically considered for deployment.
Enterprise-based intents are intents that contain sites, site-groups, departments, addresses as source and destination endpoints. Firewall policies with enterprise-based intents can be applied only to SD-WAN sites. The parameters that you can define for enterprise-based intents are listed in Table 2.
Table 2: Enterprise-based intents
Advanced Security Options
Zones cannot be selected as source or destination endpoints for enterprise-based intents.
Intents added in CSO Release 4.1 and earlier are now called enterprise-based-intents.