Metadata-Based Policy Enforcement Overview
Traditionally, firewall policies are created using source and
destination address objects. These objects are usually addresses or
address groups. To create a firewall policy, you must know the IP
address or range of IP addresses you want to target.
With metadata, you can tag these addresses with descriptive key-value
pairs and then reference the tags, rather than the addresses themselves,
when you create the firewall policy.
The metadata-based policy enforcement involves the following
steps:
- Metadata definition—Define the metadata keys and the values
each key can take. For example, Location = Bangalore, Sunnyvale; OS
= Windows, Mac, Linux; Role = Database, Application, Web.
- Metadata association—Associate the defined metadata
with the addresses of type host or range.
- Metadata expressions evaluation—When you create
a rule for a firewall policy, you choose the source and destination
addresses based on metadata expressions, instead of IP addresses,
address groups, or network ranges.
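The three steps modelled end to end, as an added example that is not Juniper's code: the key definitions, address objects of type host or range carrying tags, and a rule whose source and destination are metadata expressions that are expanded into concrete address objects when the rule is instantiated. All address names, IP values and the `WEB_TO_DB` rule are constructed for illustration.

```python
import ipaddress

# Step 1: metadata definition, key -> permitted values (constructed sample values).
METADATA_KEYS = {
    "Location": {"Bangalore", "Sunnyvale"},
    "OS": {"Windows", "Mac", "Linux"},
    "Role": {"Database", "Application", "Web"},
}

# Step 2: metadata association. Address objects of type host or range, name -> (value, tags).
ADDRESSES = {}

def add_address(name, value, tags):
    """Register a host (x.x.x.x) or range (a-b) address object with validated tags."""
    if "-" in value:
        lo, hi = (ipaddress.ip_address(p) for p in value.split("-"))
        if lo > hi:
            raise ValueError(f"{name}: range start after end")
    else:
        ipaddress.ip_address(value)           # raises on a malformed host address
    for key, val in tags.items():
        if val not in METADATA_KEYS.get(key, ()):   # reject tags outside the defined keys/values
            raise ValueError(f"{name}: undefined metadata {key}={val}")
    ADDRESSES[name] = (value, dict(tags))

def matches(tags, expression):
    """expression = list of AND-groups joined by OR, e.g. [{"Role": "Web", "Location": "Bangalore"}]."""
    return any(all(tags.get(k) == v for k, v in group.items()) for group in expression)

def resolve(expression):
    """Step 3: expand a metadata expression into the address objects it matches right now."""
    return sorted(name for name, (_, tags) in ADDRESSES.items() if matches(tags, expression))

def instantiate(rule):
    """Produce the concrete rule a firewall would receive; the metadata rule itself is unchanged."""
    return {"name": rule["name"], "action": rule["action"],
            "src": resolve(rule["src"]), "dst": resolve(rule["dst"])}

WEB_TO_DB = {"name": "web-to-db", "action": "permit",
             "src": [{"Role": "Web", "Location": "Bangalore"}],
             "dst": [{"Role": "Database"}]}

if __name__ == "__main__":
    add_address("web-blr-1", "10.1.1.10", {"Role": "Web", "Location": "Bangalore", "OS": "Linux"})
    add_address("db-blr", "10.1.2.1-10.1.2.20", {"Role": "Database", "Location": "Bangalore"})
    add_address("web-svl-1", "10.2.1.10", {"Role": "Web", "Location": "Sunnyvale"})
    print(instantiate(WEB_TO_DB))   # src=['web-blr-1'], dst=['db-blr']
    # A new component comes up with the right tags: the rule needs no change.
    add_address("web-blr-2", "10.1.1.11", {"Role": "Web", "Location": "Bangalore"})
    print(instantiate(WEB_TO_DB))   # src=['web-blr-1', 'web-blr-2'], dst=['db-blr']
```

The second `instantiate` call shows the automatic enforcement the page describes: the new tagged host is picked up at its next resolution without any edit to the rule.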
Benefits of Metadata-Based Policies
- The use of metadata tags facilitates a wide range of security
automation operations and significantly reduces the number of rules
required to implement a solution.
- Metadata-based policies ensure that the defined security
policy is instantiated on the firewalls even before the applications
and application components are created. When the new application components
are instantiated, the relevant firewall policies are automatically
updated with the metadata for the application components, thereby
enabling automatic policy enforcement at the time of instantiation
of the application components. The security administrators do not
need to manually commit changes related to the metadata of addresses
unless the rules are changed.
- Whether you deploy the application components inside
a data center or in different public cloud locations, you can leverage
the same metadata-based policy and deploy it to different SRX Series
devices or vSRX instances in different locations and achieve a consistent
security posture.
- Security administrators can see a more holistic picture
about each network entity based on the metadata assignments. The administrators
are no longer limited to knowing the network entity based on only
the IP address of the entity.