Firewall Policies and ACLs

To secure your branch, you must configure a policy with a set of ACLs and apply these policies to user roles or user-facing VLAN interfaces.

For an SD Branch setup, the general recommendation is to set the WAN-facing ports as trusted and LAN-facing ports as untrusted. Although WAN-facing ports are trusted, HPE Aruba Networking recommends that you apply a restrictive firewall policy to the WAN interfaces.

As LAN-facing ports are untrusted, it is very important to secure your branch by applying an AAA profile to the VLANs configured for the LAN interfaces. When an AAA profile is applied, SD-WAN Gateways assign user roles based on the role preferences configured in that AAA profile.

Firewall Policies for SD Branch

The SD Branch solution supports identity-based controls to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for the WAN network. You can configure firewall policies on Branch Gateways to define user access to the network, set the priority queue for Quality of Service (QoS), and assign bandwidth contracts.

A firewall policy identifies specific characteristics about a data packet and performs one of the following actions:

  • Firewall-type action such as permitting or denying the packets.
  • Administrative action such as logging the packets.
  • QoS action such as setting 802.1p bits or placing the packet in a priority queue.

Types of ACLs

HPE Aruba Networking Central allows you to configure the following types of ACLs on Branch Gateways.

  • Standard ACLs—Permit or deny any traffic based on the source IP address of the packet. Standard ACLs can be either named or numbered, with valid numbers in the range of 1–99 and 1300–1399. Standard ACLs use a bit-wise mask to specify the portion of the source IP address to be matched.
  • Extended ACLs—Permit or deny any traffic based on source or destination IP address, source or destination port number, or IP protocol. Extended ACLs can be named or numbered, with valid numbers in the range 100–199 and 2000–2699.
  • MAC ACLs—Filter the traffic on a specific source MAC address or range of MAC addresses. MAC ACLs can be either named or numbered, with valid numbers in the range of 700–799 and 1200–1299.
  • Ethertype ACLs—Filter the traffic based on the Ethertype field in the frame header. Ethertype ACLs can be either named or numbered, with valid numbers in the range of 200–299. These ACLs can be used to permit IP while blocking other non-IP protocols, such as IPX or AppleTalk.
  • Session ACLs—Restrict all services from specific hosts and subnets. Rules with this ACL are applied to all traffic on the Branch Gateway regardless of the ingress port or VLAN.
  • Route ACLs—Forward all packets to a device defined by an IPsec map, a next hop list, a tunnel or a tunnel group.
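The following is an added example, not HPE Aruba Networking code, that models the standard and extended ACL types listed above together with the three kinds of action a firewall policy can take (permit/deny, log, 802.1p marking). It assumes the standard-ACL bit-wise mask is a wildcard in the Cisco sense (0 bits must match, 1 bits are ignored) and that an unmatched packet falls through to an implicit deny with no log or QoS action; the sample rules, subnets and packets are constructed for the example. MAC, Ethertype, session and route ACLs match other fields or act differently and are not modelled here.

```python
# Added example (not HPE Aruba Networking code): a small evaluator that models the
# standard and extended ACL types on this page so their matching rules can be tested.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # base address + wildcard meaning "any host"

# Numbered-ACL ranges exactly as listed on this page.
ACL_NUMBER_RANGES = {
    "standard":  [(1, 99), (1300, 1399)],
    "extended":  [(100, 199), (2000, 2699)],
    "mac":       [(700, 799), (1200, 1299)],
    "ethertype": [(200, 299)],
}

def acl_type_for_number(number: int) -> Optional[str]:
    """Map a numbered ACL to its type, or None if the number is outside every range."""
    for kind, ranges in ACL_NUMBER_RANGES.items():
        if any(lo <= number <= hi for lo, hi in ranges):
            return kind
    return None

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Bit-wise address match. Assumption: the mask is a wildcard (Cisco style), where
    0 bits must match and 1 bits are ignored, so 0.0.0.0 means one host and
    255.255.255.255 means any host."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Rule:
    action: str                      # "permit" or "deny" (firewall-type action)
    src: tuple = ANY                 # (address, wildcard)
    dst: tuple = ANY                 # extended ACLs only
    proto: Optional[str] = None      # extended ACLs only; None = any IP protocol
    dport: Optional[int] = None      # extended ACLs only; None = any port
    log: bool = False                # administrative action
    dot1p: Optional[int] = None      # QoS action: 802.1p priority to set

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def validate_acl(kind: str, rules: list, number: Optional[int] = None) -> None:
    """Reject what the page rules out: a numbered ACL outside its type's range, or a
    standard ACL that tries to match anything other than the source IP address."""
    if number is not None and acl_type_for_number(number) != kind:
        raise ValueError(f"ACL number {number} is not valid for a {kind} ACL")
    if kind == "standard":
        for r in rules:
            if r.dst != ANY or r.proto is not None or r.dport is not None:
                raise ValueError("standard ACLs match on source IP address only")

def evaluate(kind: str, rules: list, pkt: Packet) -> dict:
    """First matching rule wins. With no match the packet hits the implicit deny at
    the end of the list (assumed here), which carries no log or QoS action."""
    for r in rules:
        if not wildcard_match(pkt.src, *r.src):
            continue
        if kind == "extended":
            if not wildcard_match(pkt.dst, *r.dst):
                continue
            if r.proto is not None and r.proto != pkt.proto:
                continue
            if r.dport is not None and r.dport != pkt.dport:
                continue
        return {"action": r.action, "log": r.log, "dot1p": r.dot1p}
    return {"action": "deny", "log": False, "dot1p": None}

# Constructed sample policy: a standard ACL that blocks and logs one guest subnet, and
# an extended ACL that lets the corporate subnet reach the DNS server with a high
# 802.1p priority, logs SSH attempts, and implicitly drops everything else.
GUEST_BLOCK = [Rule("deny", src=("192.0.2.0", "0.0.0.255"), log=True),
               Rule("permit")]
CORP_OUT = [Rule("permit", src=("10.10.0.0", "0.0.255.255"),
                 dst=("10.1.1.53", "0.0.0.0"), proto="udp", dport=53, dot1p=5),
            Rule("deny", src=("10.10.0.0", "0.0.255.255"), proto="tcp", dport=22, log=True)]

if __name__ == "__main__":
    validate_acl("standard", GUEST_BLOCK, number=10)
    validate_acl("extended", CORP_OUT, number=2001)
    print(evaluate("standard", GUEST_BLOCK, Packet("192.0.2.7", "10.1.1.1", "tcp", 443)))
    print(evaluate("extended", CORP_OUT, Packet("10.10.4.4", "10.1.1.53", "udp", 53)))
    print(evaluate("extended", CORP_OUT, Packet("10.10.4.4", "10.1.1.53", "tcp", 443)))
```

The point to take from the evaluator is the difference in what each type can see: a standard ACL decides on the source address alone, so it cannot distinguish DNS from SSH, while the extended ACL's fall-through to the implicit deny is what actually protects the LAN; the logging and 802.1p fields show that a single rule can combine a firewall-type, an administrative and a QoS action.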


One netdestination definition can have a maximum of 256 netdestination entries. In total, a gateway can hold a maximum of 1024 netdestination entries across all definitions.