Prisma SD-WAN
Prisma SD-WAN ZBFW
Table of Contents
Expand All
|
Collapse All
Prisma SD-WAN Docs
-
-
- Prisma SD-WAN Key Elements
- Prisma SD-WAN Releases and Upgrades
- Use Copilot in Prisma SD-WAN
- Prisma SD-WAN Summary
- Prisma SD-WAN Application Insights
- Device Activity Charts
- Site Summary Dashboard
- Prisma SD-WAN Predictive Analytics Dashboard
- Prisma SD-WAN Link Quality Dashboard
- Prisma SD-WAN Subscription Usage
-
-
- Add a Branch
- Add a Data Center
- Add a Branch Gateway
- Secure Group Tags (SGT) Propagation
- Configure Circuits
- Configure Internet Circuit Underlay Link Aggregation
- Configure Private WAN Underlay Link Quality Aggregation
- Configure Circuit Categories
- Configure Device Initiated Connections for Circuits
- Add Public IP LAN Address to Enterprise Prefixes
- Manage Data Center Clusters
- Configure Secure SD-WAN Fabric Tunnels between Data Centers
- Configure a Site Prefix
- Configure Ciphers
- Configure a DHCP Server
- Configure NTP for Prisma SD-WAN
- Configure the ION Device at a Branch Site
- Configure the ION Device at a Data Center
- Switch a Site to Control Mode
- Allow IP Addresses in Firewall Configuration
-
- Configure a Controller Port
- Configure Internet Ports
- Configure WAN/LAN Ports
- Configure a Sub-Interface
- Configure a Loopback Interface
- Add and Configure Port Channel Interface
- Configure a PoE Port
- Configure and Monitor LLDP Activity and Status
- Configure a PPPoE Interface
- Configure a Layer 3 LAN Interface
- Configure Application Reachability Probes
- Configure a Secondary IP Address
- Configure a Static ARP
- Configure a DHCP Relay
- Configure IP Directed Broadcast
- VPN Keep-Alives
-
- Configure Prisma SD-WAN IPFIX
- Configure IPFIX Profiles and Templates
- Configure and Attach a Collector Context to a Device Interface in IPFIX
- Configure and Attach a Filter Context to a Device Interface in IPFIX
- Configure Global and Local IPFIX Prefixes
- Flow Information Elements
- Options Information Elements
- Configure the DNS Service on the Prisma SD-WAN Interface
- Configure SNMP
-
-
- Prisma SD-WAN Branch Routing
- Prisma SD-WAN Data Center Routing
-
- Configure an OSPF in Prisma SD-WAN
- Enable BGP for Private WAN and LAN
- Configure BGP Global Parameters
- Global or Local Scope for BGP Peers
- Configure a Route Map
- Configure a Prefix List
- Configure an AS Path List
- Configure an IP Community List
- View Routing Status and Statistics
- Distribution to Fabric
- Host Tracking
-
- Configure Multicast
- Create, Assign, and Configure a WAN Multicast Configuration Profile
- Configure Global Multicast Parameters
- Configure a Multicast Static Rendezvous Point (RP)
- Learn Rendezvous Points (RPs) Dynamically
- View LAN Statistics for Multicast
- View WAN Statistics for Multicast
- View IGMP Membership
- View the Multicast Route Table
- View Multicast Flow Statistics
- View Routing Statistics
-
- Prisma SD-WAN Branch HA Key Concepts
-
- Configure Branch HA with Gen-1 Platforms (2000, 3000, 7000, and 9000)
- Configure Branch HA with Gen-2 Platforms (3200, 5200, and 9200)
- Configure Branch HA with Gen-2 Embedded Switch Platforms (1200-S or 3200-L2)
- Configure Branch HA for Devices with Software Cellular Bypass (1200-S-C-5G)
- Configure Branch HA for Platforms without Bypass Pairs
- Configure Branch HA in a Hybrid Topology with Gen-1 (3000) and Gen-2 (3200) Platforms
- Configure HA Groups
- Add ION Devices to HA Groups
- Edit HA Groups and Group Membership
- Prisma SD-WAN Clarity Reports
-
-
CloudBlade Integrations
- CloudBlade Integrations
- CloudBlades Integration with Prisma Access
-
-
-
-
- clear app-engine
- clear app-map dynamic
- clear app-probe prefix
- clear connection
- clear device account-login
- clear dhcplease
- clear dhcprelay stat
- clear flow and clear flows
- clear flow-arp
- clear qos-bwc queue-snapshot
- clear routing
- clear routing multicast statistics
- clear routing ospf
- clear routing peer-ip
- clear switch mac-address-entries
- clear user-id agent statistics
-
- arping interface
- curl
- ping
- ping6
- debug bounce interface
- debug bw-test src-interface
- debug cellular stats
- debug controller reachability
- debug flow
- debug ipfix
- debug log agent eal file log
- debug logging facility
- debug logs dump
- debug logs follow
- debug logs tail
- debug performance-policy
- debug poe interface
- debug process
- debug reboot
- debug routing multicast log
- debug routing multicast pimd
- debug servicelink logging
- debug tcpproxy
- debug time sync
- dig dns
- dig6
- file export
- file remove
- file space available
- file tailf log
- file view log
- ssh6 interface
- ssh interface
- tcpdump
- tcpping
- traceroute
- traceroute6
-
- dump appdef config
- dump appdef version
- dump app-engine
- dump app-l4-prefix table
- dump app-probe config
- dump app-probe flow
- dump app-probe prefix
- dump app-probe status
- dump auth config
- dump auth status
- dump banner config
- dump bfd status
- dump bypass-pair config
- dump cellular config
- dump cellular stats
- dump cellular status
- dump cgnxinfra status
- dump cgnxinfra status live
- dump cgnxinfra status store
- dump config network
- dump config security
- dump controller cipher
- dump controller status
- dump device accessconfig
- dump device conntrack count
- dump device date
- dump device info
- dump device status
- dump dhcp-relay config
- dump dhcprelay stat
- dump dhcp-server config
- dump dhcp-server status
- dump dhcpstat
- dump dnsservice config all
- dump dpdk cpu
- dump dpdk interface
- dump dpdk port status
- dump dpdk stats
- dump flow
- dump flow count-summary
- dump interface config
- dump interface status
- dump interface status interface details
- dump interface status interface module
- dump intra cluster tunnel
- dump ipfix config collector-contexts
- dump ipfix config derived-exporters
- dump ipfix config filter-contexts
- dump ipfix config ipfix-overrides
- dump ipfix config prefix-filters
- dump ipfix config profiles
- dump ipfix config templates
- dump lldp
- dump lldp config
- dump lldp info
- dump lldp stats
- dump lldp status
- dump log-agent eal conn
- dump log-agent eal response-time
- dump log-agent eal stats
- dump log-agent config
- dump log-agent iot snmp config
- dump log-agent iot snmp device discovery stats
- dump log-agent ip mac bindings
- dump log-agent neighbor discovery stats
- dump log-agent status
- dump ml7 mctd counters
- dump ml7 mctd session
- dump ml7 mctd version
- dump nat counters
- dump nat6 counters
- dump nat summary
- dump network-policy config policy-rules
- dump network-policy config policy-sets
- dump network-policy config policy-stacks
- dump network-policy config prefix-filters
- dump overview
- dump performance-policy config policy-rules
- dump performance-policy config policy-sets
- dump performance-policy config policy-set-stacks
- dump performance-policy config threshold-profile
- dump poe system config
- dump poe system status
- dump priority-policy config policy-rules
- dump priority-policy config policy-sets
- dump priority-policy config policy-stacks
- dump priority-policy config prefix-filters
- dump probe config
- dump probe profile
- dump radius config
- dump radius statistics
- dump radius status
- dump reachability-probe config
- dump qos-bwc config
- dump reachability-probe status
- dump routing aspath-list
- dump routing cache
- dump routing communitylist
- dump routing multicast config
- dump routing multicast igmp
- dump routing multicast interface
- dump routing multicast internal vif-entries
- dump routing multicast mroute
- dump routing multicast pim
- dump routing multicast sources
- dump routing multicast statistics
- dump routing multicast status
- dump routing ospf
- dump routing peer advertised routes
- dump routing peer config
- dump routing peer neighbor
- dump routing peer received-routes
- dump routing peer routes
- dump routing peer route-via
- dump routing peer status
- dump routing peer route-json
- dump routing prefixlist
- dump routing prefix-reachability
- dump routing route
- dump routing routemap
- dump routing running-config
- dump routing summary
- dump routing static-route reachability-status
- dump routing static-route config
- dump routing vpn host tracker
- dump security-policy config policy-rules
- dump security-policy config policy-set
- dump security-policy config policy-set-stack
- dump security-policy config prefix-filters
- dump security-policy config zones
- dump sensor type
- dump sensor type summary
- dump serviceendpoints
- dump servicelink summary
- dump servicelink stats
- dump servicelink status
- dump site config
- dump snmpagent config
- dump snmpagent status
- dump software status
- dump spoke-ha config
- dump spoke-ha status
- dump standingalarms
- dump static-arp config
- dump static host config
- dump static routes
- dump support details
- dump-support
- dump switch fdb vlan-id
- dump switch port status
- dump switch vlan-db
- dump syslog config
- dump syslog-rtr stats
- dump syslog status
- dump time config
- dump time log
- dump time status
- dump troubleshoot message
- dump user-id agent config
- dump user-id agent statistics
- dump user-id agent status
- dump user-id agent summary
- dump user-id groupidx
- dump user-id group-mapping
- dump user-id ip-user-mapping
- dump user-id statistics
- dump user-id status
- dump user-id summary
- dump user-id useridx
- dump vlan member
- dump vpn count
- dump vpn ka all
- dump vpn ka summary
- dump vpn ka VpnID
- dump vpn status
- dump vpn summary
- dump vrf
- dump waninterface config
- dump waninterface summary
-
- inspect app-flow-table
- inspect app-l4-prefix lookup
- inspect app-map
- inspect certificate
- inspect certificate device
- inspect cgnxinfra role
- inspect connection
- inspect dhcplease
- inspect dhcp6lease
- inspect dpdk ip-rules
- inspect dpdk vrf
- inspect fib
- inspect fib-leak
- inspect flow-arp
- inspect flow brief
- inspect flow-detail
- inspect flow internal
- inspect interface stats
- inspect ipfix exporter-stats
- inspect ipfix collector-stats
- inspect ipfix app-table
- inspect ipfix wan-path-info
- inspect ipfix interface-info
- inspect ip-rules
- inspect ipv6-rules
- inspect lqm stats
- inspect memory summary
- inspect network-policy conflicts
- inspect network-policy dropped
- inspect network-policy hits policy-rules
- inspect network-policy lookup
- inspect performance-policy fec status
- inspect policy-manager status
- inspect policy-mix lookup-flow
- inspect priority-policy conflicts
- inspect priority-policy dropped
- inspect priority-policy hits default-rule-dscp
- inspect priority-policy hits policy-rules
- inspect priority-policy lookup
- inspect performance-policy incidents
- inspect performance-policy lookup
- inspect performance-policy hits analytics
- inspect process status
- inspect qos-bwc debug-state
- inspect qos-bwc queue-history
- inspect qos-bwc queue-snapshot
- inspect routing multicast fc site-iface
- inspect routing multicast interface
- inspect routing multicast mroute
- inspect security-policy lookup
- inspect security-policy size
- inspect switch mac-address-table
- inspect system arp
- inspect system ipv6-neighbor
- inspect system vrf
- inspect vrf
- inspect wanpaths
-
-
5.6
- 5.6
- 6.1
- 6.2
- 6.3
- 6.4
- 6.5
- New Features Guide
- On-Premises Controller
- Prisma SD-WAN CloudBlades
- Prisma Access CloudBlade Cloud Managed
- Prisma Access CloudBlade Panorama Managed
-
- Features Introduced in Prisma SD-WAN ION Release 5.6
- Changes to Default Behavior in Prisma SD-WAN ION Release 5.6
- Upgrade ION 9000 Firmware for Device Version 5.6.x
- CLI Commands in Prisma SD-WAN ION Release 5.6
- Addressed Issues in Prisma SD-WAN ION Release 5.6
- Known Issues in Prisma SD-WAN ION Release 5.6
Prisma SD-WAN ZBFW
Prisma SD-WAN Application Fabric includes an in-built
security solution called the Zone-Based Firewall (ZBFW).
Where Can I Use This? | What Do I Need? |
---|---|
|
|
The zone-based firewall (ZBFW) is designed
to create, manage, and enforce security policies and propagate those
policies to all branch sites without using fragmented rules or managing
security at an individual device-level. It is a lightweight security solution
for securing the WAN perimeter and segmenting traffic within a branch
site.
- Securing the Perimeter—ION hardware and virtual devices include an application-aware, stateful, zone-based firewall to protect internet connections in the remote office. With the ION device, application-aware policies are defined that specify what is allowed into and out of the remote location, giving the administrator explicit control to secure the perimeter. Additionally, AppFabric is centrally managed through the cloud-delivered and deploys hardware, software, and storage to support the management and monitoring infrastructure.
- Segment Traffic in the Branch—Prisma SD-WAN uses the concept of zones and prefix filters within ZBFW rules to isolate and segment traffic in the branch.
- Prepare to Configure ZBFW—To prepare for securing the network, conduct preliminary planning and evaluation of your environment.
ZBFW Contructs
ZBFW constructs include
applications
, prefix filters
, zones
,
security
policy sets
, security policy rules
, and actions
. The information
specified for these constructs defines the security policy you want to implement.
ZBFW Application
Applications are the core element of the ZBFW solution for controlling
network traffic and implementing security policies. You use the same application
definitions and fingerprinting technologies for security policies for path selection
and quality of service (QoS) in network policy definition.
ZBFW Prefix Filters
Prefix filters specify a group of one or more individual IP addresses or
IP address subnets. With security policies, prefix filters restrict access within a
branch and filter out traffic to specific IP addresses within the particular source
and destination zones. As with application definitions, you can reuse prefix filters
across the rules and policy sets you have created for security policy rules.
- Global prefix filters use the same set of prefixes. By applying the global prefix filters defined for custom applications, leverage the security policy application definition.
- Local prefix filters use branch location. They enable you to address site-specific scenarios where devices in a specific zone such as a guest zone.
Local filters allow administrators to create a single policy across all
sites to describe application behavior, eliminating the need to develop individual
policies on a per-site basis. It automatically populates the prefix values for the
specific branch location and notifies the administrator to settle deals for local
prefix filters as needed, if you add a new branch, simplify policy administration,
and reduce the number of rules that need to be configured and managed.
ZBFW Zones
Zones specify enforcement boundaries where traffic subject to inspection
and filtering. Each zone maps to networks attached to physical interfaces, logical
interfaces, or sub-interfaces of a device. These zone-level interfaces serve as a
proxy for physical circuits and virtual circuits, such as VLAN, Layer 3 VPN, and
Layer 2 VPN circuits. You can manage and secure every interface in a zone
independently.
- Allow or deny every interface in zone access to other zones within an enterprise network.
- Segregate interface traffic by blocking all access not explicitly allowed by the security policies of an enterprise.
- Isolate networks that have private or secure information by restricting access to it from public networks.
An area includes source and destination zones with network IDs for a
site and is associated with one or more WAN, LAN, or VPN. Attach a zone to multiple
networks, but each network type LAN, WAN, or VPN would be connected to one location.
Typically, most organizations create three to four zones to segregate
traffic using the model’s guest zone, one or more corporate LAN zones, an outside
zone for internet underlay, and a corporate WAN zone for private WAN and VPN over
the internet or private WAN.
Define the network segments that allow or restricts the application
access to control traffic between LAN or between LAN and WAN and, through site
bindings, bind zones to the appropriate LAN and WAN interfaces at each site.
In Security Policy rules, specify the source and destination zones to
which the rule applies. You must establish one or more source and destination zones
for each security rule to configure. The source zone identifies the network from
where traffic originates and the destination zone identifies the destination traffic
of the network.
Security Policy Rules
A security policy rule specifies the handling of application traffic
between zones in a branch office. For each security policy rule, define source and
destination zones, the applications to which the rule applies, optional
prefix filters, and the appropriate action.
By default, three security policy rules add to the end of every security
policy set. These default policy rules provide a basic framework for handling
network traffic and cannot be edited or deleted.
If you don’t configure any security policy rules of your own, the following default
security policy rules are applied:
- Default—Denies all traffic from any source zone to any destination zone.
- Self-Zone—Allows any traffic generated by the ION or destined to the ION on trusted L3 interfaces (L3 LAN, controller, or L3 private WAN interfaces). For an untrusted interface (L3 public WAN), only traffic initiated by the ION untrusted interface permits by this rule; unsolicited inbound traffic to a public WAN port drops by default regardless of ZBFW policy and zones applied.
- Intra-Zone—Allows any traffic within the same zone.
The new rules take precedence over the default rules and control how
rules evaluate by specifying the ruling order.
There is no limit on the number of security policy rules added to the network
configuration.
Security Policy Sets
A security policy set provides a common administrative domain for a
group of security policy rules applied to designated sites. Each security policy set
is attached—or bound—to one or more areas and contains the collection of individual
security rules that applies to those sites.
By default, each security policy set has three default security policy
rules. You can add security policy rules to a set to customize the traffic allowed,
denied, or rejected from any source or destination zone in a site. You bind security
policy sets to sites to map the firewall zones that specify interfaces and network
segments and apply the associated security rules to the selected location.
ZBFW Actions
Prisma SD-WAN ZBFW supports the action to allow, deny, or
reject traffic based on the security intent of the enterprise.
- Allow—Traffic that matches this rule is permitted.
- Deny—Traffic that matches this rule is dropped with no RESET or ICMP HOST UNREACHABLE message sent to the client or server.
- Reject—TCP traffic that matches this rule sends a RESET message to both the client and the server.