Security

You can configure the security settings, such as network encryption, virtual path IPsec, firewall, and certificates, that apply to all the appliances across the network.

Firewall zones

You can configure zones in the network and define policies to control how traffic enters and leaves the zones. The following zones are available by default:

  • Default_LAN_Zone: Applies to traffic to or from an object with a configurable zone, where the zone has not been set.
  • Internet_Zone: Applies to traffic to or from an Internet service using a trusted interface.
  • Untrusted_Internet_Zone: Applies to traffic to or from an Internet service using an untrusted interface.

You can also create your own zones and assign them to the following types of objects:

  • Virtual Network Interfaces
  • Intranet Services
  • GRE Tunnels
  • LAN IPsec Tunnels

Click Verify Config to check for audit errors.

Firewall defaults

You can configure the global firewall settings that apply to all the appliances in the SD-WAN network. The same settings can also be defined at the site level, where they override the global settings.

  • Default Firewall Action: Select an action (Allow/Drop) from the list for packets that do not match a policy.

  • Default Connection State Tracking: Enables directional connection state tracking for TCP, UDP, and ICMP flows that do not match a filter policy or NAT rule.

    Note

    Asymmetric flows are blocked when Default Connection State Tracking is enabled, even when no firewall policies are defined. If asymmetric flows are possible at a site, enable state tracking at the site or policy level rather than globally.

  • Denied Timeout (s): Time (in seconds) to wait for new packets before closing denied connections.

  • TCP Initial Timeout (s): Time (in seconds) to wait for new packets before closing an incomplete TCP session.

  • TCP Idle Timeout (s): Time (in seconds) to wait for new packets before closing an active TCP session.

  • TCP Closing Timeout: Time (in seconds) to wait for new packets before closing a TCP session after a terminate request.

  • TCP Time Wait Timeouts (s): Time (in seconds) to wait for new packets before closing a terminated TCP session.

  • TCP Closed Timeout (s): Time (in seconds) to wait for new packets before closing an aborted TCP session.

  • UDP Initial Timeout (s): Time (in seconds) to wait for new packets before closing the UDP session that has not seen traffic in both directions.

  • UDP Idle Timeout (s): Time (in seconds) to wait for new packets before closing an active UDP session.

  • ICMP Initial Timeout (s): Time (in seconds) to wait for new packets before closing an ICMP session that has not seen traffic in both directions.

  • ICMP Idle Timeout (s): Time (in seconds) to wait for new packets before closing an active ICMP session.

  • Generic Initial Timeout (s): Time (in seconds) to wait for new packets before closing a generic session that has not seen traffic in both directions.

  • Generic Idle Timeout (s): Time (in seconds) to wait for new packets before closing an active generic session.

Click Verify Config to check for audit errors.
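The Initial/Idle timeouts and the asymmetric-flow note above describe the behaviour of a stateful connection table. The following is an added example, not Citrix code, that models that table in Python: a session starts on a packet from the trusted side, is governed by the protocol's Initial timeout until a reply is seen and by its Idle timeout afterwards, and a packet from the untrusted side with no matching session is dropped whenever state tracking is on. The timeout values and IP addresses are constructed for the example; the page does not give the product defaults.

```python
from dataclasses import dataclass

# Assumed per-protocol timeouts in seconds (constructed; not the product defaults).
TIMEOUTS = {
    "tcp":     {"initial": 120, "idle": 7440},
    "udp":     {"initial": 30,  "idle": 300},
    "icmp":    {"initial": 30,  "idle": 60},
    "generic": {"initial": 30,  "idle": 300},
}


@dataclass
class Session:
    key: tuple            # (proto, src, sport, dst, dport) in the originating direction
    last_seen: float
    seen_reply: bool = False   # has traffic been observed in both directions?

    def timeout(self) -> int:
        t = TIMEOUTS.get(self.key[0], TIMEOUTS["generic"])
        # Initial timeout applies until a reply is seen, then the Idle timeout.
        return t["idle"] if self.seen_reply else t["initial"]

    def expired(self, now: float) -> bool:
        return now - self.last_seen > self.timeout()


class StateTable:
    def __init__(self, state_tracking: bool = True):
        self.state_tracking = state_tracking
        self.sessions = {}

    @staticmethod
    def _keys(pkt: dict):
        fwd = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return fwd, rev

    def _expire(self, now: float) -> None:
        for k in [k for k, s in self.sessions.items() if s.expired(now)]:
            del self.sessions[k]

    def process(self, pkt: dict, now: float) -> str:
        """Return 'allow' or 'drop'. pkt['from_trusted'] is True when the packet
        enters from the trusted (LAN) side, the only side that may open sessions."""
        self._expire(now)
        fwd, rev = self._keys(pkt)
        if fwd in self.sessions:                 # same direction as the opener
            self.sessions[fwd].last_seen = now
            return "allow"
        if rev in self.sessions:                 # reply to a known session
            s = self.sessions[rev]
            s.last_seen = now
            s.seen_reply = True
            return "allow"
        if pkt["from_trusted"]:
            self.sessions[fwd] = Session(fwd, now)
            return "allow"
        # Untrusted-side packet with no session: with state tracking on this is an
        # asymmetric (or unsolicited) flow and is dropped even with no policies
        # defined; with tracking off it is passed through.
        return "drop" if self.state_tracking else "allow"


def udp(src, sport, dst, dport, from_trusted):
    return {"proto": "udp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "from_trusted": from_trusted}


# Constructed addresses from documentation ranges.
OUT = udp("10.0.0.5", 40000, "203.0.113.53", 53, True)
BACK = udp("203.0.113.53", 53, "10.0.0.5", 40000, False)


def demo_symmetric() -> list:
    """LAN host queries a DNS server; the reply returns through the same appliance."""
    ft = StateTable()
    return [ft.process(OUT, 0), ft.process(BACK, 10),
            ft.process(BACK, 200),    # within the 300 s UDP Idle window
            ft.process(BACK, 600)]    # Idle window elapsed: session gone, reply dropped


def demo_asymmetric(state_tracking: bool) -> str:
    """Reply arrives at an appliance that never saw the outbound packet."""
    return StateTable(state_tracking).process(BACK, 0)


def demo_initial_timeout() -> str:
    """Outbound packet with no reply yet: only the shorter Initial timeout applies."""
    ft = StateTable()
    ft.process(OUT, 0)
    return ft.process(BACK, 40)       # 40 s exceeds the 30 s UDP Initial timeout
```

The asymmetric case is why the note recommends per-site rather than global enablement: the second appliance has no session for the return traffic and, with tracking on, must drop it.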

Firewall policies

Firewall policies provide security by matching network traffic against defined criteria and applying a specific action to the traffic that matches.

You can define firewall rules and place them in priority order. You can choose to insert a new rule at the top of the list, at the bottom of the list, or at a specific row.

It is recommended to have more specific rules for applications or subapplications at the top, followed by less specific rules for the ones representing broader traffic.

To create a firewall rule, click Create New Rule.

Firewall policy details

  • The match criteria define the traffic for the rule, such as an application, a custom-defined application, a group of applications, an application family, or an IP protocol.

  • Rule scope specifies whether a defined rule can be applied globally across all the sites in the network or on certain specific sites.

  • Filtering criteria:

    • Source Zone: The source firewall zone.

    • Destination Zone: The destination firewall zone.

    • Source Service Type: The source SD-WAN service type – Local, Virtual Path, Intranet, IPhost, or Internet are examples of Service Types.

    • Source Service Name: The name of a service tied to the service type. For example, if virtual path is selected for Source Service type, it would be the name of the specific virtual path. This is not always required and depends on the service type selected.

    • Source IP: The IP address and subnet mask the rule uses to match.

    • Source Port: The source port the specific application uses.

    • Dest Service Type: The destination SD-WAN service type – Local, Virtual Path, Intranet, IPhost, or Internet are examples of service types.

    • Dest Service Name: Name of a service tied to the service type. This is not always required and depends on the service type selected.

    • Dest IP: The IP address and subnet mask the filter uses to match.

    • Dest Port: The destination port the specific application uses (for example, destination port 80 for HTTP over TCP).

    • IP Protocol: If this match type is selected, select an IP protocol that the rule matches. Options include ANY, TCP, UDP, ICMP, and so on.

    • DSCP: Allows matching on a DSCP tag setting.

    • Allow Fragments: Allow IP fragments that match this rule.

    • Reverse Also: Automatically add a copy of this filter policy with source and destination settings reversed.

    • Match Established: Match incoming packets for a connection to which outgoing packets were allowed.

  • The following actions can be performed on a matched flow:

    • Allow: Permit the flow through the Firewall.

    • Drop: Deny the flow through the firewall by dropping the packets.

    • Reject: Deny the flow through the firewall and send a protocol specific response. TCP sends a reset, ICMP sends an error message.

    • Count and Continue: Count the number of packets and bytes for this flow, then continue down the policy list.

Apart from defining the action to be taken, you can also select the logs to be captured.
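The rule list, the four actions, Reverse Also, Match Established and the Default Firewall Action together define an evaluation order. The following is an added example, not Citrix code, that implements that order in Python: rules are walked top-down, Count and Continue records the hit and keeps going, the first terminal match (Allow, Drop, Reject) decides, a Reverse Also rule installs its mirrored copy immediately after it, Match Established only matches replies to a flow the firewall has already allowed, and an object with no zone set resolves to Default_LAN_Zone. Zone names other than the defaults, the addresses and the rules are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DEFAULT_ZONE = "Default_LAN_Zone"   # used when an object's zone has not been set


def zone_of(obj: dict) -> str:
    """Resolve the firewall zone of an interface or service object."""
    return obj.get("zone") or DEFAULT_ZONE


@dataclass
class Rule:
    name: str
    action: str                          # Allow, Drop, Reject, Count and Continue
    src_zone: Optional[str] = None       # None matches any value
    dst_zone: Optional[str] = None
    src_ip: Optional[str] = None         # CIDR, e.g. "10.0.0.0/24"
    dst_ip: Optional[str] = None
    protocol: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    reverse_also: bool = False
    match_established: bool = False
    packets: int = 0                     # counters used by Count and Continue

    def mirrored(self) -> "Rule":
        """The copy that Reverse Also installs: source and destination swapped."""
        return Rule(self.name + " (reverse)", self.action,
                    self.dst_zone, self.src_zone, self.dst_ip, self.src_ip,
                    self.protocol, self.dst_port, self.src_port,
                    match_established=self.match_established)

    def matches(self, pkt: dict, established: bool) -> bool:
        if self.match_established and not established:
            return False
        return all([
            self.src_zone is None or pkt["src_zone"] == self.src_zone,
            self.dst_zone is None or pkt["dst_zone"] == self.dst_zone,
            self.src_ip is None or ip_address(pkt["src"]) in ip_network(self.src_ip),
            self.dst_ip is None or ip_address(pkt["dst"]) in ip_network(self.dst_ip),
            self.protocol is None or pkt["proto"] == self.protocol,
            self.src_port is None or pkt["sport"] == self.src_port,
            self.dst_port is None or pkt["dport"] == self.dst_port,
        ])


class Firewall:
    def __init__(self, rules, default_action="Drop"):
        self.rules = []
        for r in rules:                  # expand Reverse Also in place, keeping order
            self.rules.append(r)
            if r.reverse_also:
                self.rules.append(r.mirrored())
        self.default_action = default_action
        self.allowed = set()             # 5-tuples of flows already allowed

    def evaluate(self, pkt: dict) -> str:
        fwd = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        established = rev in self.allowed
        for r in self.rules:             # top-down; first terminal match wins
            if not r.matches(pkt, established):
                continue
            if r.action == "Count and Continue":
                r.packets += 1
                continue
            if r.action == "Allow":
                self.allowed.add(fwd)
            return r.action
        return self.default_action       # Default Firewall Action


def demo() -> dict:
    lan = {"name": "VIF-LAN"}                             # no zone set
    inet = {"name": "Internet", "zone": "Internet_Zone"}
    fw = Firewall([
        Rule("count https", "Count and Continue", protocol="tcp", dst_port=443),
        Rule("block telnet", "Reject", src_zone=DEFAULT_ZONE, src_ip="10.0.0.0/24",
             protocol="tcp", dst_port=23),
        Rule("lan to internet", "Allow", src_zone=DEFAULT_ZONE, dst_zone="Internet_Zone"),
        Rule("internet replies", "Allow", src_zone="Internet_Zone", dst_zone=DEFAULT_ZONE,
             match_established=True),
        Rule("branch ntp", "Allow", src_zone="Branch_Zone", dst_zone="DC_Zone",
             protocol="udp", dst_port=123, reverse_also=True),
    ], default_action="Drop")

    def pkt(so, src, sport, do, dst, dport, proto="tcp"):
        return {"src_zone": zone_of(so), "src": src, "sport": sport,
                "dst_zone": zone_of(do), "dst": dst, "dport": dport, "proto": proto}

    # Constructed addresses from documentation ranges.
    return {
        "https_out":   fw.evaluate(pkt(lan, "10.0.0.5", 51000, inet, "203.0.113.10", 443)),
        "https_back":  fw.evaluate(pkt(inet, "203.0.113.10", 443, lan, "10.0.0.5", 51000)),
        "unsolicited": fw.evaluate(pkt(inet, "198.51.100.7", 40000, lan, "10.0.0.5", 22)),
        "telnet_out":  fw.evaluate(pkt(lan, "10.0.0.5", 51001, inet, "203.0.113.10", 23)),
        "https_count": fw.rules[0].packets,
        "rule_count":  len(fw.rules),    # 5 configured plus 1 mirrored by Reverse Also
    }
```

The reply packet is allowed only because the outbound HTTPS flow was allowed first; the unsolicited inbound SSH attempt matches no rule and falls through to the Default Firewall Action, which is why that default should be Drop unless there is a reason otherwise.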

Click Verify Config to check for audit errors.

Network encryption

Select the encryption mechanism to be used across the network. You can configure the global security settings that secure the entire SD-WAN network.

Network Encryption Mode defines the algorithm used for all encrypted paths in the SD-WAN network. It does not apply to non-encrypted paths. You can set the encryption to AES-128 or AES-256.

Virtual path IPsec settings

Virtual Path IPsec Settings defines the IPsec tunnel settings to ensure secure transmission of data over the virtual paths.

  • Encapsulation Type: Choose one of the following security types:
    • ESP: Data is encapsulated and encrypted.
    • ESP+Auth: Data is encapsulated, encrypted, and validated with an HMAC.
    • AH: Data is validated with an HMAC.
  • Encryption Mode: The encryption algorithm used when ESP is enabled.
  • Hash Algorithm: The hash algorithm used to generate an HMAC.
  • Lifetime (s): The preferred duration, in seconds, for an IPsec security association to exist. Enter 0 for unlimited.

For information on configuring IPsec service, see IPsec service.

Click Verify Config to check for audit errors.

Certificates

There are two types of certificates: Identity and Trusted. Identity Certificates are used to sign or encrypt data to validate the contents of a message and the identity of the sender. Trusted Certificates are used to verify message signatures. Citrix SD-WAN appliances accept both Identity and Trusted Certificates. Administrators can manage certificates in the Configuration Editor.

Click Verify Config to check for audit errors.

To add a certificate click Add Certificate.

  • Certificate Name: Provide the certificate name.

  • Certificate Type: Select the certificate type from the drop-down list.

    • Identity Certificates: Identity certificates require that the certificate's private key be available to the signer. Identity Certificates, or their certificate chains, are trusted by a peer to validate the contents and identity of the sender. The configured Identity Certificates and their respective fingerprints are displayed in the Configuration Editor.

    • Trusted Certificates: Trusted Certificates are self-signed, intermediate certificate authority (CA) or root CA certificates used to validate the identity of a peer. No private key is required for a Trusted Certificate. The configured Trusted Certificates and their respective Fingerprints are listed here.