Security Policy

Policy combines one or more Security policy definitions to create a Policy based on use-case. These policies can then be attached to device templates.

Diagram

Classes

security_policies (sdwan)

Name	Type	Constraint	Mandatory	Default Value
feature_policies	List	`[feature_policies]`	No

feature_policies (sdwan.security_policies)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[A-Za-z0-9\-_]{1,32}$`	Yes
description	String		Yes
mode	Choice	`security`, `unified`	No	`security`
use_case	Choice	`custom`	Yes
firewall_policies	List	String[Regex: `^[A-Za-z0-9\-_]{1,32}$`]	No
intrusion_prevention_policy	String	Regex: `^[A-Za-z0-9\-_]{1,32}$`	No
unified_firewall_policies	List	`[unified_firewall_policies]`	No
additional_settings	Class	`[additional_settings]`	No

unified_firewall_policies (sdwan.security_policies.feature_policies)

Name	Type	Constraint	Mandatory	Default Value
firewall_policy	String	Regex: `^[A-Za-z0-9\-_]{1,32}$`	Yes
zones	List	`[zones]`	Yes

additional_settings (sdwan.security_policies.feature_policies)

Name	Type	Constraint	Mandatory	Default Value
firewall	Class	`[firewall]`	No
ips_url_amp	Class	`[ips_url_amp]`	No

zones (sdwan.security_policies.feature_policies.unified_firewall_policies)

Name	Type	Constraint	Mandatory	Default Value
source_zone	Choice	`self_zone`	Yes
destination_zone	Choice	`self_zone`	Yes

firewall (sdwan.security_policies.feature_policies.additional_settings)

Name	Type	Constraint	Mandatory
direct_internet_applications	Boolean	`true`, `false`	No
tcp_syn_flood_limit	Integer	min: `1`, max: `4294967295`	No
high_speed_logging	Class	`[high_speed_logging]`	No
audit_trail	Boolean	`true`, `false`	No
match_stats_per_filter	Boolean	`true`, `false`	No
max_incomplete_icmp_limit	Integer	min: `1`, max: `4294967295`	No
max_incomplete_tcp_limit	Integer	min: `1`, max: `4294967295`	No
max_incomplete_udp_limit	Integer	min: `1`, max: `4294967295`	No
unified_logging	Choice	`on`, `off`	No
session_reclassify_allow	Choice	`on`, `off`	No
icmp_unreachable_allow	Choice	`on`, `off`	No

ips_url_amp (sdwan.security_policies.feature_policies.additional_settings)

Name	Type	Constraint	Mandatory	Default Value
external_syslog_server	Class	`[external_syslog_server]`	Yes
failure_mode	Choice	`open`, `close`	Yes

high_speed_logging (sdwan.security_policies.feature_policies.additional_settings.firewall)

Name	Type	Constraint	Mandatory
vpn_id	Integer	min: `0`, max: `65530`	Yes
server_ip	IP		Yes
server_port	Integer	min: `0`, max: `65535`	Yes

external_syslog_server (sdwan.security_policies.feature_policies.additional_settings.ips_url_amp)

Name	Type	Constraint	Mandatory	Default Value
vpn_id	Integer	min: `0`, max: `65530`	Yes
server_ip	IP		Yes

Examples

Example-1:Ensuring Secure and Optimized SaaS Connectivity for Branch Networks

A company with multiple branch offices wants to ensure secure and optimized access to trusted SaaS applications while blocking all other internet traffic. Employees in branch offices should be able to access essential cloud services, such as Amazon Web Services (AWS) and Amazon S3, but all other external traffic should be restricted. Additionally, the organization wants to maintain visibility and logging of this traffic through an external syslog server. To achieve this, an SD-WAN Zone-Based Firewall (ZBFW) policy is implemented, along with a feature policy to optimize SaaS traffic while maintaining security.

The provided YAML defines an SD-WAN security policy that restricts internet access from branch offices to only approved SaaS applications, blocking all other external traffic. The zones include Branch_Offices (VPN ID 100) representing internal branch networks and Internet (VPN ID 400) for external cloud access. An application list named Allow_Trusted_SaaS specifies trusted applications such as Amazon, AWS, Amazon S3, and CloudFront, ensuring that only these services are accessible. The Zone-Based Firewall (ZBFW) policy named Cloud_Access_ZBFW_10 enforces this access control by allowing traffic only to destinations that match the trusted SaaS list while blocking all other traffic by default. A zone pair is defined to apply this policy to traffic moving from Branch_Offices to the Internet.

Additionally, a feature policy named Direct_Cloud_Access_10 is implemented to optimize SaaS traffic while maintaining security. This policy applies the firewall policy and includes monitoring settings, enabling match_stats_per_filter for tracking network activity and sending security logs to an external syslog server (192.168.1.100). The failure mode is set to open, allowing traffic to pass even if external security services fail.

This configuration ensures that employees in branch offices can securely access only trusted cloud applications, improving security and performance while maintaining visibility and control over network traffic. By enforcing strict access policies and monitoring mechanisms, the organization can reduce security risks while ensuring seamless access to critical cloud services.

sdwan:
  security_policies:
    feature_policies:
      - name: Direct_Cloud_Access_10
        description: Policy to optimize SaaS traffic while maintaining security
        use_case: custom
        firewall_policies:
          - Cloud_Access_ZBFW_10
        additional_settings:
          firewall:
            match_stats_per_filter: true
          ips_url_amp:
            external_syslog_server:
              vpn_id: 400
              server_ip: "192.168.1.100"
            failure_mode: open

The security policy YAML mentioned above will only be effective if the following policy objects and application lists YAML is created.

sdwan:
  policy_objects:
    zones:
      - name: Branch_Offices
        vpn_ids:
          - 100
      - name: Internet
        vpn_ids:
          - 400
    application_lists:
      - name: Allow_Trusted_SaaS
        applications:
          - amazon
          - amazon-web-services
          - amazon-instant-video
          - amazon-cloudfront
          - amazon-ec2
          - amazon-s3
  security_policies:
    definitions:
      zone_based_firewall:
        - name: Cloud_Access_ZBFW_10
          description: ZBFW policy to allow trusted SaaS applications
          default_action_type: drop
          rules:
            - id: 1
              name: Allow_Trusted_SaaS_Traffic
              base_action: pass
              match_criterias:
                destination_ip_prefix_variable: Allow_Trusted_SaaS
          zone_pairs:
            - source_zone: Branch_Offices
              destination_zone: Internet

Example-2: Mitigating DDoS Attacks with SYN Flood Protection

A large enterprise is facing periodic SYN flood attacks on its internet-facing applications, which can overwhelm network resources and degrade service availability. To combat this, a Zone-Based Firewall (ZBFW) policy is implemented within the SD-WAN security framework. The solution enforces a tcp_syn_flood_limit to restrict excessive SYN requests and prevent malicious traffic from disrupting legitimate services. Additionally, high-speed logging is enabled to capture real-time attack data for monitoring and analysis.

The YAML configuration defines two zones (vpn110 and vpn120) to segregate network traffic. A zone-based firewall policy named DDoS_Mitigation_FW is created to mitigate SYN flood attacks. This policy drops all traffic by default but includes a rule (Mitigate_SYN_Flood) that allows HTTP (port 80) and HTTPS (port 443) traffic while enforcing a SYN flood limit of 100,000 connections. A zone pair is defined between vpn110 (source) and vpn120 (destination), ensuring that traffic between these zones follows the firewall rules.

To enhance security further, a feature policy named DDoS_Mitigation references the firewall policy and includes high-speed logging to track attack patterns. Logging is configured to send data to an external syslog server (192.168.2.100) on VPN ID 100, ensuring security teams receive real-time insights. This comprehensive setup provides an effective, scalable defense against SYN flood attacks, ensuring network resilience and service availability.

sdwan:
    feature_policies:
      - name: DDoS_Mitigation
        description: Policy to mitigate SYN flood attacks on internet-facing applications
        use_case: custom
        firewall_policies:
          - DDoS_Mitigation_FW
        additional_settings:
          firewall:
            high_speed_logging:
              vpn_id: 100
              server_ip: "192.168.2.100"
              server_port: 514

The feature policies YAML mentioned above will only be effective if the following policy objects and security policies YAML is created.

sdwan:
  policy_objects:
    zones:
      - name: vpn110
        vpn_ids:
          - 110
      - name: vpn120
        vpn_ids:
          - 120
  security_policies:
    definitions:
      zone_based_firewall:
        - name: DDoS_Mitigation_FW
          description: Zone-based firewall policy to mitigate SYN flood attacks
          default_action_type: drop
          rules:
            - id: 1
              name: Mitigate_SYN_Flood
              base_action: pass
              match_criterias:
                protocols:
                  - 6  # TCP
                destination_ports:
                  - 80   # HTTP
                  - 443  # HTTPS
              tcp_syn_flood_limit: 100000
          zone_pairs:
            - source_zone: vpn110
              destination_zone: vpn120

Example-3: Logging and Monitoring for Security Compliance

Government agencies are required to maintain logs of all security events for compliance audits, ensuring adherence to regulatory standards. To address this, a zone-based firewall policy is implemented to log all traffic traversing the network. This approach enables detailed tracking of security events, helping auditors verify compliance and detect potential threats.

The YAML configuration defines a firewall policy (Compliance_FW) within SD-WAN security policies, which is applied to traffic within VPN 300. The policy allows all traffic (default_action_type: pass) but ensures that every session is logged (log: true). This firewall policy is then linked to the Security_Compliance_Logging feature policy, which includes high-speed logging and external syslog server integration. These settings enable real-time monitoring of security events, with logs being sent to an external syslog server (192.168.4.101) for centralized analysis.

By leveraging audit trails, firewall logging, and external syslog integration, this solution ensures that all security-related activities are recorded, providing an effective framework for regulatory compliance and proactive threat monitoring.

sdwan:
  security_policies:
    definitions:
      feature_policies:
        - name: Security_Compliance_Logging
          description: Policy to log all security events for compliance audits
          use_case: custom
          firewall_policies:
            - Compliance_FW
          additional_settings:
            firewall:
              audit_trail: true
              high_speed_logging:
                vpn_id: 300
                server_ip: "192.168.4.100"
                server_port: 514
            ips_url_amp:
              external_syslog_server:
                vpn_id: 300
                server_ip: "192.168.4.101"

The feature policy YAML mentioned above will only be effective if the following policy objects and security policies YAML is created.

sdwan:
  policy_objects:
    zones:
      - name: vpn300
        vpn_ids:
          - 300
  security_policies:
    definitions:
      zone_based_firewall:
        - name: Compliance_FW
          description: Zone-based firewall policy for security logging
          default_action_type: pass
          rules:
            - id: 1
              name: Log_All_Traffic
              base_action: pass
              match_criterias:
                protocols:
                  - 6
              log: true
          zone_pairs:
            - source_zone: vpn300
              destination_zone: vpn300

Example-4: Referencing the NextGen Firewall (Unified Firewall) Policy in the Unified Security Policy

The Unified Security Policy can be defined as mentioned in the YAML below. The mode element determines the Security Policy mode is Unified or Security. The source and destination zones for referenced Firewall Policy is also defined in Unified security policy. Unlike in security policy where the same would be defined in the Zone based firewall definition. The Next gen firewall or zone based firewall with mode unified can only be referenced in Unified security policy as shown below.

sdwan:
  security_policies:
    feature_policies:
      - name: U-SECURITY-POLICY
        description: SECURITY-POLICY-TEMPLATE-01
        mode: unified
        use_case: custom
        unified_firewall_policies:
          - firewall_policy: NGFW-TF-AK
            zones:
              - source_zone: self_zone
                destination_zone: Test_zone_2_uni1
              - source_zone: Test_zone_2_uni1
                destination_zone: self_zone
          - firewall_policy: NGFW-TF-AK2
            zones:
              - source_zone: Test_zone_1_uni1
                destination_zone: Test_zone_2_uni1
        additional_settings:
          firewall:
            max_incomplete_icmp_limit: 5000
            max_incomplete_tcp_limit: 2000
            max_incomplete_udp_limit: 3000
            unified_logging: on
            session_reclassify_allow: on
            icmp_unreachable_allow: on
            tcp_syn_flood_limit: 1239
            audit_trail: true

The above Unified Security Policy expects that the firewall policies NGFW-TF-AK and NGFW-TF-AK2 are created in zone_based_firewall section with mode unified and the source, destination zones are also created in the policy_objects section respectively.