Zone-Based Firewall

Zone-Based Firewall defines the matching conditions and actions to configure a firewall policy.

Note: When using "protocol_names" in match_criterias, also populate the "protocols" and "destination_ports" with corresponding values. The full list of "protocol_names" amd their corresponding "protocols" and "destination_ports" can be accessed at https://<vmanage-ip>/app/json/application_protocol.json. when chosing the "protocol_names" as either "tcp" or "udp", "destination_ports" is not mandatory.

Diagram

Classes

definitions (sdwan.security_policies)

Name	Type	Constraint	Mandatory	Default Value
zone_based_firewall	List	[zone_based_firewall]	No

zone_based_firewall (sdwan.security_policies.definitions)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: ^[A-Za-z0-9\-_]{1,32}$	No
description	String		Yes
default_action_type	Choice	pass, drop	Yes
rules	List	[rules]	No
zone_pairs	List	[zone_pairs]	Yes

rules (sdwan.security_policies.definitions.zone_based_firewall)

Name	Type	Constraint	Mandatory	Default Value
id	Integer	min: 1, max: 65534	Yes
name	String	Regex: ^[A-Za-z0-9\-_]{1,32}$	Yes
base_action	Choice	pass, drop, inspect	Yes
match_criterias	Class	[match_criterias]	No
actions	Class	[actions]	No

zone_pairs (sdwan.security_policies.definitions.zone_based_firewall)

Name	Type	Constraint	Mandatory	Default Value
source_zone	Choice	self_zone	Yes
destination_zone	Choice	self_zone	Yes

match_criterias (sdwan.security_policies.definitions.zone_based_firewall.rules)

Name	Type	Constraint	Mandatory	Default Value
source_data_prefix_lists	List	String[Regex: ^[A-Za-z0-9\-_]{1,32}$]	No
source_ip_prefix	IP		No
source_ip_prefix_variable	String		No
source_fqdn_lists	List	String[Regex: ^[A-Za-z0-9\-_]{1,32}$]	No
source_fqdn	String	Regex: ^(?=.{1,120}$)((\*|[a-zA-Z0-9-]{1,63})\.)+([a-zA-Z0-9-]{2,63})$	No
source_geo_locations	List	String[max: 3]	No
source_ports	List	Integer[min: 0, max: 65535]	No
source_port_ranges	List	[source_port_ranges]	No
destination_data_prefix_lists	List	String[Regex: ^[A-Za-z0-9\-_]{1,32}$]	No
destination_ip_prefix	IP		No
destination_ip_prefix_variable	String		No
destination_fqdn_lists	List	String[Regex: ^[A-Za-z0-9\-_]{1,32}$]	No
destination_fqdn	String	Regex: ^(?=.{1,120}$)((\*|[a-zA-Z0-9-]{1,63})\.)+([a-zA-Z0-9-]{2,63})$	No
destination_geo_locations	List	String[max: 3]	No
destination_ports	List	Integer[min: 0, max: 65535]	No
destination_port_ranges	List	[destination_port_ranges]	No
protocol_names	List	String	No
protocols	List	Integer[min: 0, max: 255]	No
local_application_list	String	Regex: ^[A-Za-z0-9\-_]{1,32}$	No

actions (sdwan.security_policies.definitions.zone_based_firewall.rules)

Name	Type	Constraint	Mandatory	Default Value
log	Boolean	true, false	No

source_port_ranges (sdwan.security_policies.definitions.zone_based_firewall.rules.match_criterias)

Name	Type	Constraint	Mandatory	Default Value
from	Integer	min: 0, max: 65535	Yes
to	Integer	min: 0, max: 65535	Yes

destination_port_ranges (sdwan.security_policies.definitions.zone_based_firewall.rules.match_criterias)

Name	Type	Constraint	Mandatory	Default Value
from	Integer	min: 0, max: 65535	Yes
to	Integer	min: 0, max: 65535	Yes

Examples

sdwan:
  security_policies:
    definitions:
      zone_based_firewall:
        - name: Test_zone_based_firewall
          description: Test_zone_based_firewall
          default_action_type: drop
          rules:
            - id: 1
              name: Rule_1
              base_action: pass
              match_criterias:
                source_data_prefix_lists:
                  - ZBFW_SDPL_1
                  - ZBFW_SDPL_2
                source_fqdn_lists:
                  - ZBFW_SFL_1
                  - ZBFW_SFL_2
                source_geo_locations:
                  - DZA
                  - AGO
                source_ports:
                  - 1045
                  - 1657
                source_port_ranges:
                  - from: 1331
                    to: 1442
                  - from: 1511
                    to: 1631
                destination_data_prefix_lists:
                  - ZBFW_DDPL_1
                  - ZBFW_DDPL_2
                destination_fqdn_lists:
                  - ZBFW_DFL_1
                  - ZBFW_DFL_2
                destination_geo_locations:
                  - DZA
                  - AGO
              actions:
                log: true
            - id: 2
              name: Rule_2
              base_action: inspect
              match_criterias:
                source_ip_prefix: 10.0.0.0/12
                source_fqdn: cisco.com
                destination_ip_prefix: 10.0.0.0/12
                destination_fqdn: cisco.com
                local_application_list: ZBFW_LAL_1_uni1
            - id: 3
              name: Rule_3
              base_action: drop
              match_criterias:
                source_ip_prefix_variable: sipprfxvar1
                destination_ip_prefix_variable: dipprfxvar1
                protocol_names:
                  - aol
                  - cifs
                protocols:
                  - 6
                  - 17
                destination_ports:
                  - 5190
                  - 3020
              actions:
                log: true
            - id: 4
              name: Rule_4
              base_action: inspect
              match_criterias:
                protocols:
                  - 6
                  - 17
          zone_pairs:
            - source_zone: Test_zone_1
              destination_zone: Test_zone_2
            - source_zone: Test_zone_3
              destination_zone: Test_zone_4
        - name: Test_zone_based_firewall_2
          description: Test_zone_based_firewall_2
          default_action_type: drop
          rules:
            - id: 1
              name: Rule_set_1
              base_action: inspect
              match_criterias:
                source_data_prefix_lists:
                  - ZBFW_SDPL_1
                  - ZBFW_SDPL_2
            - id: 2
              name: Rule_2
              base_action: drop
          zone_pairs:
            - source_zone: self_zone
              destination_zone: Test_zone_2