Prisma SD-WAN ZBFW
Prisma SD-WAN Application Fabric includes an in-built
security solution called the Zone-Based Firewall (ZBFW).
The zone-based firewall (ZBFW) is designed to create, manage, and enforce security policies and to propagate those policies to all branch sites without relying on fragmented rules or managing security at the individual device level. It is a lightweight security solution for securing the WAN perimeter and segmenting traffic within a branch site.
- Securing the Perimeter—ION hardware and virtual devices include an application-aware, stateful, zone-based firewall to protect internet connections in the remote office. With the ION device, you define application-aware policies that specify what is allowed into and out of the remote location, giving the administrator explicit control to secure the perimeter. Additionally, AppFabric is centrally managed through the cloud-delivered controller, which provides the hardware, software, and storage that support the management and monitoring infrastructure.
- Segment Traffic in the Branch—Prisma SD-WAN uses the concept of zones and prefix filters within ZBFW rules to isolate and segment traffic in the branch.
- Prepare to Configure ZBFW—To prepare for securing the network, conduct preliminary planning and evaluation of your environment.
ZBFW Constructs
ZBFW constructs include applications, prefix filters, zones, security policy sets, security policy rules, and actions. The information specified for these constructs defines the security policy you want to implement.
ZBFW Application
Applications are the core element of the ZBFW solution for controlling network traffic and implementing security policies. Security policies use the same application definitions and fingerprinting technologies that path selection and quality of service (QoS) use in network policy definitions.
ZBFW Prefix Filters
Prefix filters specify a group of one or more individual IP addresses or
IP address subnets. With security policies, prefix filters restrict access within a
branch and filter out traffic to specific IP addresses within the particular source
and destination zones. As with application definitions, you can reuse prefix filters
across the rules and policy sets you have created for security policy rules.
- Global prefix filters use the same set of prefixes at every site. Security policy rules can leverage the global prefix filters that are already defined for custom applications.
- Local prefix filters vary by branch location. They enable you to address site-specific scenarios, such as the devices in a specific zone (for example, a guest zone) at a particular site.
Local filters allow administrators to create a single policy across all sites that describes application behavior, eliminating the need to develop individual policies on a per-site basis. The system automatically populates the prefix values for the specific branch location and, when you add a new branch, notifies the administrator to set the local prefix filter values as needed. This simplifies policy administration and reduces the number of rules that need to be configured and managed.
ZBFW Zones
Zones specify enforcement boundaries where traffic is subject to inspection and filtering. Each zone maps to networks attached to physical interfaces, logical interfaces, or sub-interfaces of a device. These zone-level interfaces serve as a proxy for physical circuits and virtual circuits, such as VLAN, Layer 3 VPN, and Layer 2 VPN circuits. You can manage and secure every interface in a zone independently.
- Allow or deny every interface in a zone access to other zones within an enterprise network.
- Segregate interface traffic by blocking all access not explicitly allowed by the security policies of an enterprise.
- Isolate networks that have private or secure information by restricting access to it from public networks.
A zone is attached to one or more WAN, LAN, or VPN networks (identified by their network IDs) at a site and serves as a source or destination zone in security rules. You can attach a zone to multiple networks, but each individual network (LAN, WAN, or VPN) at a location belongs to only one zone.
Typically, most organizations create three to four zones to segregate traffic, using the following model: a guest zone, one or more corporate LAN zones, an outside zone for the internet underlay, and a corporate WAN zone for private WAN and VPN over the internet or private WAN.
Define the network segments that allow or restrict application access to control traffic between LANs or between LAN and WAN, and, through site bindings, bind zones to the appropriate LAN and WAN interfaces at each site.
In security policy rules, specify the source and destination zones to which the rule applies. You must specify one or more source and destination zones for each security rule you configure. The source zone identifies the network from which traffic originates, and the destination zone identifies the network to which the traffic is destined.
Security Policy Rules
A security policy rule specifies the handling of application traffic
between zones in a branch office. For each security policy rule, define source and
destination zones, the applications to which the rule applies, optional
prefix filters, and the appropriate action.
By default, three security policy rules are added to the end of every security policy set. These default policy rules provide a basic framework for handling network traffic and cannot be edited or deleted.
If you don’t configure any security policy rules of your own, the following default security policy rules are applied:
- Default—Denies all traffic from any source zone to any destination zone.
- Self-Zone—Allows any traffic generated by the ION or destined to the ION on trusted L3 interfaces (L3 LAN, controller, or L3 private WAN interfaces). For an untrusted interface (L3 public WAN), only traffic initiated by the ION from the untrusted interface is permitted by this rule; unsolicited inbound traffic to a public WAN port is dropped by default regardless of the ZBFW policy and zones applied.
- Intra-Zone—Allows any traffic within the same zone.
Rules you add take precedence over the default rules, and the order in which you place them determines the order in which rules are evaluated.
There is no limit on the number of security policy rules you can add to the network configuration.
Security Policy Sets
A security policy set provides a common administrative domain for a group of security policy rules applied to designated sites. Each security policy set is attached—or bound—to one or more sites and contains the collection of individual security rules that apply to those sites.
By default, each security policy set has three default security policy
rules. You can add security policy rules to a set to customize the traffic allowed,
denied, or rejected from any source or destination zone in a site. You bind security
policy sets to sites to map the firewall zones that specify interfaces and network
segments and apply the associated security rules to the selected location.
ZBFW Actions
Prisma SD-WAN ZBFW supports three actions, allow, deny, and reject, applied to traffic based on the security intent of the enterprise.
- Allow—Traffic that matches this rule is permitted.
- Deny—Traffic that matches this rule is dropped with no RESET or ICMP HOST UNREACHABLE message sent to the client or server.
- Reject—For TCP traffic that matches this rule, a RESET message is sent to both the client and the server.
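The rule-evaluation model described under Security Policy Rules and ZBFW Actions, as an added illustration that is not Prisma SD-WAN code: a small Python evaluator with user rules evaluated first, the fixed Intra-Zone and Default rules appended last, optional prefix filters, and the endpoint-visible effect of each action. The zone names, application names, addresses and the sample policy set are constructed assumptions; the Self-Zone rule and ION-generated traffic are not modelled, and the reject behaviour for non-TCP traffic is modelled as a plain drop because the text above does not specify it.

```python
import ipaddress
from collections import namedtuple

ANY = "any"
# Flow: the zones bound to the ingress and egress interfaces, the fingerprinted app, and addresses.
Flow = namedtuple("Flow", "src_zone dst_zone app src_ip dst_ip proto", defaults=("tcp",))
# Rule: apps=() means any application, *_prefixes are optional prefix filters (CIDR strings),
# same_zone is the special matcher the Intra-Zone default rule needs.
Rule = namedtuple("Rule", "name action src_zone dst_zone apps src_prefixes dst_prefixes same_zone",
                  defaults=(ANY, ANY, (), (), (), False))

def _in_prefixes(prefixes, ip):
    """An empty prefix filter matches everything; otherwise the address must fall in one prefix."""
    return not prefixes or any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in prefixes)

def matches(rule, flow):
    if rule.same_zone:
        return flow.src_zone == flow.dst_zone
    return (rule.src_zone in (ANY, flow.src_zone) and rule.dst_zone in (ANY, flow.dst_zone)
            and (not rule.apps or flow.app in rule.apps)
            and _in_prefixes(rule.src_prefixes, flow.src_ip)
            and _in_prefixes(rule.dst_prefixes, flow.dst_ip))

# Fixed defaults appended after every user rule. The catch-all deny has to be evaluated last, or
# nothing behind it could ever match. Self-Zone (the ION's own traffic) is omitted from this model.
DEFAULT_RULES = (Rule("Intra-Zone", "allow", same_zone=True), Rule("Default", "deny"))

def evaluate(user_rules, flow):
    """First match wins; user rules are evaluated before the defaults."""
    for rule in (*user_rules, *DEFAULT_RULES):
        if matches(rule, flow):
            return rule.name, rule.action
    raise AssertionError("unreachable: the Default rule matches every flow")

def wire_effect(action, proto="tcp"):
    """What the endpoints observe for each ZBFW action."""
    if action == "reject" and proto != "tcp":
        return "dropped (non-TCP reject behaviour is not described in the text; modelled as a drop)"
    return {"allow": "forwarded",
            "deny": "dropped silently (no RST, no ICMP host unreachable)",
            "reject": "TCP RST sent to both client and server"}[action]

# Constructed sample policy set for a branch with guest, corp-lan and outside zones: guests may
# browse the internet and print to one corp subnet; any other guest-to-corp attempt is rejected.
USER_RULES = (
    Rule("guest-print", "allow", "guest", "corp-lan", apps=("ipp",), dst_prefixes=("10.20.5.0/24",)),
    Rule("guest-to-corp", "reject", "guest", "corp-lan"),
    Rule("guest-web", "allow", "guest", "outside", apps=("web-browsing",)),
)
```

Call `evaluate(USER_RULES, Flow("guest", "corp-lan", "ipp", "192.168.50.10", "10.20.9.7"))` to see the prefix filter fall through to the reject rule, and a corp-lan to corp-lan flow to see the Intra-Zone default take effect.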