VMware SD-WAN Edge by VeloCloud Firewall Functionality...The firewall has an “allow all” policy,...
2
VMWARE SD-WAN EDGE FIREWALL FUNCTIONALITY VMware SD-WAN Edge by VeloCloud Firewall Functionality SOLUTION OVERVIEW The purpose of this document is to describe the functionality of the firewall implemented in the VMware SD-WAN Edge by VeloCloud. Firewall Capabilities on VMware SD-WAN Edge On the VMware SD-WAN Edge, the firewall rules can be configured only on the outbound side. The rules are used to determine which traffic is allowed out from LAN to the Internet, overlay, and between LAN segments. Examples Examples of how this is performed will better explain this description. Example 1: The enterprise network is powered by VMware SD-WAN.
Transcript of VMware SD-WAN Edge by VeloCloud Firewall Functionality...The firewall has an “allow all” policy,...
V M WA R E S D - WA N E D G E F I R E WA L L F U N C T I O N A L I T Y
VMware SD-WAN Edge by VeloCloud Firewall Functionality
S O L U T I O N O V E R V I E W
The purpose of this document is to describe the functionality of the firewall implemented in the VMware SD-WAN Edge by VeloCloud.
Firewall Capabilities on VMware SD-WAN EdgeOn the VMware SD-WAN Edge, the firewall rules can be configured only on the outbound side. The rules are used to determine which traffic is allowed out from LAN to the Internet, overlay, and between LAN segments.
ExamplesExamples of how this is performed will better explain this description.
Example 1: The enterprise network is powered by VMware SD-WAN.
VMware SD-WAN Edge by VeloCloud Firewall Functionality
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright © 2019 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. and its subsidiaries in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: brief-edge-firewall-functionality 4/19
Scenario 1 Ping from SIC user to LAX user.
The firewall has an “allow all” policy, so all the packets will go through. There is not much firewalling in this scenario.
Scenario 2Configuration of an outbound firewall rule on the VMware SD-WAN Edge in the SJC branch location. The firewall rule will deny any traffic originating from 192.168.4.14 and going to 192.168.6.14 on any/all ports. As expected, when the SJC-user initiates ping traffic to LAX-user at 192.168.6.14, the firewall blocks the communication due the configured “deny” rule.
Scenario 3Block the communication originating from LAX-user (192.168.6.14) to the SJC-user (192.168.4.14). There are two ways to configure this:
1. A rule on the LAX edge denying traffic from 192.168.6.14 to 192.168.4.14
2. A rule on the SJC VMware SD-WAN Edge denying traffic from 192.168.4.14 to 192.168.6.14. The ICMP reply gets blocked with this rule.
