Example SD-WAN configuration 4: create Access rules

Select

Configuration.

Browse to Engine > Policies > Engine Policies.

Add rules to the policy that is used by the Secure SD-WAN Engine that acts as a hub.

Right-click the Engine policy, then select Edit Engine Policy.

Add the following rules in a suitable location in the policy:

Make sure that rules for sending traffic through the VPN are above other rules that match the same traffic with the Allow, Discard, or Refuse action. Traffic that you do not want to send through the VPN must not match this rule. Traffic that is not routable through the VPN is dropped if it matches this rule. If NAT is enabled in the VPN, remember that the Access rules are checked before the NAT rules are applied.

Table 1. Example SD-WAN rules in the hub policy
Source	Destination	Service	Action	Source SD-WAN
Rules for traffic between the hub spoke 1, and between spoke 1 and spoke 2
Hub gateway	Spoke 1 internal network	Set as needed.	Select Allow, then open the Action options. Set SD-WAN Action to Enforce SD-WAN, then select the Policy-Based SD-WAN element that you created.	Your Policy-Based SD-WAN element
Spoke 1 internal network	Hub gateway	Set as needed.	Select Allow, then open the Action options. Set SD-WAN Action to Enforce SD-WAN, then select the Policy-Based SD-WAN element that you created.	Your Policy-Based SD-WAN element
Spoke 1 internal network	Spoke 2 internal network	Set as needed.	Select Allow, then open the Action options. Set SD-WAN Action to Forward, then select your Policy-Based SD-WAN.	Your Policy-Based SD-WAN element
Rules for traffic between the hub spoke 2, and between spoke 2 and spoke 1
Hub gateway	Spoke 2 internal network	Set as needed.	Select Allow, then open the Action options. Set SD-WAN Action to Enforce SD-WAN, then select the Policy-Based SD-WAN element that you created.	Your Policy-Based SD-WAN element
Spoke 2 internal network	Hub gateway	Set as needed.	Select Allow, then open the Action options. Set SD-WAN Action to Enforce SD-WAN, then select the Policy-Based SD-WAN element that you created.	Your Policy-Based SD-WAN element
Spoke 2 internal network	Spoke 1 internal network	Set as needed.	Select Allow, then open the Action options. Set SD-WAN Action to Forward, then select your Policy-Based SD-WAN.	Your Policy-Based SD-WAN element

Save the policy.

Add rules to the policy that is used by the Secure SD-WAN Engine that acts as spoke 1.

Right-click the Engine policy, then select Edit Engine Policy.

Add the following rules in a suitable location in the policy:

Make sure that rules for sending traffic through the VPN are above other rules that match the same traffic with the Allow, Discard, or Refuse action. Traffic that you do not want to send through the VPN must not match this rule. Traffic that is not routable through the VPN is dropped if it matches this rule. If NAT is enabled in the VPN, remember that the Access rules are checked before the NAT rules are applied.

Table 2. Example SD-WAN rules in the spoke 1 policy
Source	Destination	Service	Action	Source SD-WAN
Spoke 1 internal network	Hub gateway	Set as needed.	Select Allow, then open the Action options. Set SD-WAN Action to Enforce SD-WAN, then select the Policy-Based SD-WAN element that you created.	Your Policy-Based SD-WAN element
Hub gateway	Spoke 1 internal network	Set as needed.	Select Allow, then open the Action options. Set SD-WAN Action to Enforce SD-WAN, then select the Policy-Based SD-WAN element that you created.	Your Policy-Based SD-WAN element
Spoke 1 internal network	Spoke 2 internal network	Set as needed.	Select Allow, then open the Action options. Set SD-WAN Action to Forward, then select your Policy-Based SD-WAN.	Your Policy-Based SD-WAN element
Spoke 2 internal network	Spoke 1 internal network	Set as needed.	Select Allow, then open the Action options. Set SD-WAN Action to Forward, then select your Policy-Based SD-WAN.	Your Policy-Based SD-WAN element

Save the policy.

Add rules to the policy that is used by the Secure SD-WAN Engine that acts as spoke 2.

Right-click the Engine policy, then select Edit Engine Policy.

Add the following rules in a suitable location in the policy:

Make sure that rules for sending traffic through the VPN are above other rules that match the same traffic with the Allow, Discard, or Refuse action. Traffic that you do not want to send through the VPN must not match this rule. Traffic that is not routable through the VPN is dropped if it matches this rule. If NAT is enabled in the VPN, remember that the Access rules are checked before the NAT rules are applied.

Table 3. Example SD-WAN rules in the spoke 2 policy
Source	Destination	Service	Action	Source SD-WAN
Spoke 2 internal network	Hub gateway	Set as needed.	Select Allow, then open the Action options. Set SD-WAN Action to Enforce SD-WAN, then select the Policy-Based SD-WAN element that you created.	Your Policy-Based SD-WAN element
Hub gateway	Spoke 2 internal network	Set as needed.	Select Allow, then open the Action options. Set SD-WAN Action to Enforce SD-WAN, then select the Policy-Based SD-WANelement that you created.	Your Policy-Based SD-WAN element
Spoke 2 internal network	Spoke 1 internal network	Set as needed.	Select Allow, then open the Action options. Set SD-WAN Action to Forward, then select your Policy-Based SD-WAN.	Your Policy-Based SD-WAN element
Spoke 1 internal network	Spoke 2 internal network	Set as needed.	Select Allow, then open the Action options. Set SD-WAN Action to Forward, then select your Policy-Based SD-WAN.	Your Policy-Based SD-WAN element

Save the policy.

Refresh the policies of all engines involved in the VPN to activate the new configuration.

CAUTION:

If you continue to use this VPN, change the pre-shared key periodically (for example, monthly) to guarantee continued confidentiality of your data. Alternatively, you can switch to certificate-based authentication by creating a custom VPN profile.

Example SD-WAN configuration 4: create Access rules

Steps

Result