Example SD-WAN configuration 4: create Access rules
The rules in this example allow connections between hosts in protected networks of all gateways to connect to all other protected networks.
Note: This configuration scenario does not explain all settings related to SD-WAN Access rules.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Select Configuration.
- Browse to Engine > Policies > Engine Policies.
-
Add rules to the policy that is used by the Secure SD-WAN Engine that acts as a hub.
- Right-click the Engine policy, then select Edit Engine Policy.
-
Add the following rules in a suitable location in the policy:
Make sure that rules for sending traffic through the VPN are above other rules that match the same traffic with the Allow, Discard, or Refuse action. Traffic that you do not want to send through the VPN must not match this rule. Traffic that is not routable through the VPN is dropped if it matches this rule. If NAT is enabled in the VPN, remember that the Access rules are checked before the NAT rules are applied.
Table 1. Example SD-WAN rules in the hub policy Source Destination Service Action Source SD-WAN Rules for traffic between the hub spoke 1, and between spoke 1 and spoke 2 Hub gateway Spoke 1 internal network Set as needed. Select Allow, then open the Action options. Set SD-WAN Action to Enforce SD-WAN, then select the Policy-Based SD-WAN element that you created. Your Policy-Based SD-WAN element Spoke 1 internal network Hub gateway Set as needed. Select Allow, then open the Action options. Set SD-WAN Action to Enforce SD-WAN, then select the Policy-Based SD-WAN element that you created. Your Policy-Based SD-WAN element Spoke 1 internal network Spoke 2 internal network Set as needed. Select Allow, then open the Action options. Set SD-WAN Action to Forward, then select your Policy-Based SD-WAN. Your Policy-Based SD-WAN element Rules for traffic between the hub spoke 2, and between spoke 2 and spoke 1 Hub gateway Spoke 2 internal network Set as needed. Select Allow, then open the Action options. Set SD-WAN Action to Enforce SD-WAN, then select the Policy-Based SD-WAN element that you created. Your Policy-Based SD-WAN element Spoke 2 internal network Hub gateway Set as needed. Select Allow, then open the Action options. Set SD-WAN Action to Enforce SD-WAN, then select the Policy-Based SD-WAN element that you created. Your Policy-Based SD-WAN element Spoke 2 internal network Spoke 1 internal network Set as needed. Select Allow, then open the Action options. Set SD-WAN Action to Forward, then select your Policy-Based SD-WAN. Your Policy-Based SD-WAN element - Save the policy.
-
Add rules to the policy that is used by the Secure SD-WAN Engine that acts as spoke 1.
- Right-click the Engine policy, then select Edit Engine Policy.
-
Add the following rules in a suitable location in the policy:
Make sure that rules for sending traffic through the VPN are above other rules that match the same traffic with the Allow, Discard, or Refuse action. Traffic that you do not want to send through the VPN must not match this rule. Traffic that is not routable through the VPN is dropped if it matches this rule. If NAT is enabled in the VPN, remember that the Access rules are checked before the NAT rules are applied.
Table 2. Example SD-WAN rules in the spoke 1 policy Source Destination Service Action Source SD-WAN Spoke 1 internal network Hub gateway Set as needed. Select Allow, then open the Action options. Set SD-WAN Action to Enforce SD-WAN, then select the Policy-Based SD-WAN element that you created. Your Policy-Based SD-WAN element Hub gateway Spoke 1 internal network Set as needed. Select Allow, then open the Action options. Set SD-WAN Action to Enforce SD-WAN, then select the Policy-Based SD-WAN element that you created. Your Policy-Based SD-WAN element Spoke 1 internal network Spoke 2 internal network Set as needed. Select Allow, then open the Action options. Set SD-WAN Action to Forward, then select your Policy-Based SD-WAN. Your Policy-Based SD-WAN element Spoke 2 internal network Spoke 1 internal network Set as needed. Select Allow, then open the Action options. Set SD-WAN Action to Forward, then select your Policy-Based SD-WAN. Your Policy-Based SD-WAN element - Save the policy.
-
Add rules to the policy that is used by the Secure SD-WAN Engine that acts as spoke 2.
- Right-click the Engine policy, then select Edit Engine Policy.
-
Add the following rules in a suitable location in the policy:
Make sure that rules for sending traffic through the VPN are above other rules that match the same traffic with the Allow, Discard, or Refuse action. Traffic that you do not want to send through the VPN must not match this rule. Traffic that is not routable through the VPN is dropped if it matches this rule. If NAT is enabled in the VPN, remember that the Access rules are checked before the NAT rules are applied.
Table 3. Example SD-WAN rules in the spoke 2 policy Source Destination Service Action Source SD-WAN Spoke 2 internal network Hub gateway Set as needed. Select Allow, then open the Action options. Set SD-WAN Action to Enforce SD-WAN, then select the Policy-Based SD-WAN element that you created. Your Policy-Based SD-WAN element Hub gateway Spoke 2 internal network Set as needed. Select Allow, then open the Action options. Set SD-WAN Action to Enforce SD-WAN, then select the Policy-Based SD-WANelement that you created. Your Policy-Based SD-WAN element Spoke 2 internal network Spoke 1 internal network Set as needed. Select Allow, then open the Action options. Set SD-WAN Action to Forward, then select your Policy-Based SD-WAN. Your Policy-Based SD-WAN element Spoke 1 internal network Spoke 2 internal network Set as needed. Select Allow, then open the Action options. Set SD-WAN Action to Forward, then select your Policy-Based SD-WAN. Your Policy-Based SD-WAN element - Save the policy.
-
Refresh the policies of all engines involved in the VPN to activate the new configuration.
CAUTION:If you continue to use this VPN, change the pre-shared key periodically (for example, monthly) to guarantee continued confidentiality of your data. Alternatively, you can switch to certificate-based authentication by creating a custom VPN profile.