Add and Deploy Firewall Policies
For SD-WAN deployments, because Juniper’s SD-WAN devices are tightly integrated with security, you must configure a firewall policy to allow traffic that traverses zones. By default, traffic between sites and traffic from a site to the Internet are not allowed; you must explicitly allow them by using a firewall policy. CSO supports intent-based policies, which simplify the configuration of firewall policies.
To add a firewall policy and then deploy the policy:
| Field | Guideline |
|---|---|
| Name | Enter a unique name for the firewall policy. The name can contain alphanumeric characters, hyphens, and underscores, and cannot exceed 255 characters. |
| Description | Enter a description for the firewall policy. |
| All Sites | Click the toggle button to apply the firewall policy to all sites. By default, a firewall policy is not applied to all sites. |
| Select Sites | To apply the firewall policy only to specific sites, select the sites from the left column and click the > icon. The sites that you selected are displayed in the right column. |
| Field | Guideline |
|---|---|
| [Name] | Enter a name for the policy intent or use the one generated by CSO. The name must start with an alphanumeric character, can contain alphanumeric characters, hyphens, and underscores, and cannot exceed 63 characters. |
| [Description] | Enter a description for the policy intent. |
| [Select Schedule] | Policy schedules define when a policy is active and are therefore an implicit match criterion. Click inside the text box to select an existing schedule, or click Add schedule to add a new schedule. For more information on adding schedules, see Creating Schedules in the CSO Customer Portal User Guide (available at the CSO Documentation page). |
| Logging | Click the toggle button to enable logging. By default, logging is disabled. You can view the logged firewall events on the Firewall Events page (Monitor > Security Events > Firewall). For more information, see About the Firewall Events Page in the CSO Customer Portal User Guide. |
| Source | Select one or more of the following source endpoints. If you do not select a source, the default source is All Sites. |
| Action | Click the add icon (+) and select the action to take on the traffic between the specified source and destination endpoints. |
| Destination | Select one or more of the following destination endpoints. If you do not select a destination, the default destination is Internet. Note: The address endpoint Any refers to any address on the Internet, not to any IP address. So, if you want to enable site-to-site traffic, you must explicitly add intents to allow that traffic. For example, if you want traffic between Site A and Site B to be allowed in both directions (A to B and B to A), you must add two intents: one allowing traffic from Site A to Site B and another allowing traffic from Site B to Site A. |
| Advanced Security | Note: This field is enabled only if you select Allow as the action, or if you select a zone as both the source and the destination. |
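As an added illustration, not CSO code or its data model, the following Python encodes the intent semantics described in the table above (default deny, an empty source meaning All Sites, an empty destination meaning Internet, Any covering only Internet addresses, and one intent per traffic direction) so that a policy draft can be checked before it is deployed. First-match resolution is an assumption of this model, and the `Intent` class, `evaluate` and `missing_site_pairs` are hypothetical helpers.

```python
from dataclasses import dataclass
from itertools import permutations

INTERNET = "Internet"   # implicit default destination of an intent
ANY = "Any"             # address endpoint: any Internet address, never any site


@dataclass(frozen=True)
class Intent:
    """One policy intent (constructed model, not CSO's data model)."""
    name: str
    action: str                            # "allow" or "deny"
    sources: frozenset = frozenset()       # site names; empty means All Sites
    destinations: frozenset = frozenset()  # site names, ANY or INTERNET; empty means Internet


def _destination_matches(intent, dst):
    dsts = intent.destinations or frozenset({INTERNET})   # documented default
    if dst == INTERNET:
        return ANY in dsts or INTERNET in dsts
    return dst in dsts   # a site is reached only by naming it; ANY never covers a site


def evaluate(intents, src, dst, all_sites):
    """Return 'allow' or 'deny' for one direction of traffic.

    Model assumption: the first matching intent decides, and traffic matching
    no intent is denied (the default-deny behaviour described above).
    """
    for intent in intents:
        src_ok = src in (intent.sources or all_sites)   # empty source = All Sites
        if src_ok and _destination_matches(intent, dst):
            return intent.action
    return "deny"


def missing_site_pairs(intents, all_sites):
    """Ordered site pairs (a, b) no intent allows; each direction is checked on its own."""
    return [(a, b) for a, b in permutations(sorted(all_sites), 2)
            if evaluate(intents, a, b, all_sites) != "allow"]


# Constructed sample draft: one site-to-site intent in a single direction, plus
# an intent letting every site reach the Internet.
SITES = frozenset({"SiteA", "SiteB", "SiteC"})
DRAFT = [
    Intent("a-to-b", "allow", frozenset({"SiteA"}), frozenset({"SiteB"})),
    Intent("sites-to-internet", "allow", frozenset(), frozenset({ANY})),
]
```

With `DRAFT`, `evaluate(DRAFT, "SiteB", "SiteA", SITES)` returns `deny` even though A to B is allowed, and `missing_site_pairs` lists every site pair except `("SiteA", "SiteB")`, which is exactly the set of return-direction and other intents still to be added.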