How does SD-WAN firewall work?

Updated 2/25/2019 11:41:53 AM by Comcast Expert


A firewall blocks unauthorized inbound (ingress) network traffic and permits outbound (egress) network traffic.

The firewall accomplishes this by distinguishing trusted from untrusted network traffic and applying the defined firewall rules to accept, reject or drop each packet. Accepting a packet lets the traffic proceed into the network. Rejecting a packet denies the traffic and informs the client that it was unauthorized. Dropping a packet silently discards the traffic, so the client never receives a response.

ActiveCore’s firewall implementation lets you choose between predefined profiles and customizable profiles to set IP address and port number rules for all network traffic. If a rule is meant to match a specific IP address, the address must be entered in CIDR notation. If a rule is meant to match all IP addresses, leave the IP address box blank.

Additionally, make sure every IP-specific rule is prioritized above the generic rules that apply to all traffic. Rules are evaluated in priority order, so a generic rule placed higher would match first and supersede the IP-specific rule.


To implement changes to the firewall, start by creating a new template under the Service Configuration tab. You must also select the Firewall Profile checkbox to ensure the following firewall rules are applied to all sites within the network.


Firewall rules can be changed through the template flow or individual site changes. You can choose a predefined rule profile or create your own rule profile. Additionally, you can select a predefined profile, such as Normal, and add a rule to customize it further.


In the example below, the user wants to add a rule that accepts one specific protocol for traffic from the untrusted zone to the trusted zone. For security, the Normal profile drops all traffic originating from the untrusted zone by default, so the UnTrust to Trust rule that ships with this predefined profile drops everything. To keep dropping all traffic except the one protocol the user wants to accept, the user must create a higher-priority rule that specifies that protocol.


Therefore, the user creates a new UnTrust to Trust rule that accepts the HTTP protocol and gives it priority 2, above the “drop all” rule, which is now priority 3.
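To make the ordering rule concrete, here is an added Python model of first-match firewall rule evaluation. It is illustrative code written for this article, not ActiveCore’s implementation, and it assumes that lower priority numbers are evaluated first and that traffic matching no rule is silently dropped. The rule sets, the protocol labels and the documentation address 203.0.113.10 are constructed for the example. The model also includes a simple shadowing check that flags a specific rule placed below a generic rule that already covers it, which is the misconfiguration the previous section warns about.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule. Assumption: lower priority numbers are evaluated first."""
    priority: int
    src_zone: str
    dst_zone: str
    action: str                      # "accept", "reject" or "drop"
    protocol: Optional[str] = None   # None matches any protocol
    dst_cidr: Optional[str] = None   # None models a blank IP box: every address
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, pkt: dict) -> bool:
        if (self.src_zone, self.dst_zone) != (pkt["src_zone"], pkt["dst_zone"]):
            return False
        if self.protocol is not None and self.protocol != pkt["protocol"]:
            return False
        if self.dst_port is not None and self.dst_port != pkt.get("dst_port"):
            return False
        if self.dst_cidr is not None:
            net = ipaddress.ip_network(self.dst_cidr, strict=False)
            if ipaddress.ip_address(pkt["dst_ip"]) not in net:
                return False
        return True


def is_cidr(text: str) -> bool:
    """True only for an address written with an explicit prefix, e.g. a /32 host."""
    if "/" not in text:
        return False
    try:
        ipaddress.ip_network(text, strict=False)
        return True
    except ValueError:
        return False


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, str]:
    """Return (action, what the client observes) for the first matching rule."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(pkt):
            if rule.action == "accept":
                return "accept", "traffic forwarded into the network"
            if rule.action == "reject":
                return "reject", "client told the traffic was unauthorized"
            return "drop", "no response"
    # Assumption of this model: unmatched traffic is silently discarded.
    return "drop", "no response"


def covers(generic: Rule, specific: Rule) -> bool:
    """True if every packet matched by `specific` is also matched by `generic`."""
    if (generic.src_zone, generic.dst_zone) != (specific.src_zone, specific.dst_zone):
        return False
    if generic.protocol is not None and generic.protocol != specific.protocol:
        return False
    if generic.dst_port is not None and generic.dst_port != specific.dst_port:
        return False
    if generic.dst_cidr is not None:
        if specific.dst_cidr is None:
            return False
        g_net = ipaddress.ip_network(generic.dst_cidr, strict=False)
        s_net = ipaddress.ip_network(specific.dst_cidr, strict=False)
        if not s_net.subnet_of(g_net):
            return False
    return True


def shadowed(rules: List[Rule]) -> List[int]:
    """Priorities of rules that can never fire because an earlier rule covers them."""
    ordered = sorted(rules, key=lambda r: r.priority)
    return [r.priority for i, r in enumerate(ordered)
            if any(covers(g, r) for g in ordered[:i])]


# Normal profile's UnTrust->Trust "drop all" rule plus the added HTTP accept.
NORMAL_PLUS_HTTP = [
    Rule(2, "UnTrust", "Trust", "accept", protocol="http"),
    Rule(3, "UnTrust", "Trust", "drop"),
]

# The same two rules with the priorities swapped: the generic drop fires first.
MISORDERED = [
    Rule(2, "UnTrust", "Trust", "drop"),
    Rule(3, "UnTrust", "Trust", "accept", protocol="http"),
]

# Host-specific accept in CIDR notation, above a generic reject and the drop-all.
HOST_SPECIFIC = [
    Rule(1, "UnTrust", "Trust", "accept", protocol="http", dst_cidr="203.0.113.10/32"),
    Rule(2, "UnTrust", "Trust", "reject", protocol="http"),
    Rule(3, "UnTrust", "Trust", "drop"),
]


def packet(protocol: str, dst_ip: str = "203.0.113.10") -> dict:
    """Constructed UnTrust->Trust packet for the examples."""
    return {"src_zone": "UnTrust", "dst_zone": "Trust",
            "protocol": protocol, "dst_ip": dst_ip}


if __name__ == "__main__":
    print("ordered:    ", evaluate(NORMAL_PLUS_HTTP, packet("http")))
    print("misordered: ", evaluate(MISORDERED, packet("http")),
          "shadowed rules:", shadowed(MISORDERED))
    print("other host: ", evaluate(HOST_SPECIFIC, packet("http", "203.0.113.11")))
```

Running the script shows HTTP accepted under the ordering the article describes, silently dropped when the priorities are swapped (with rule 3 reported as shadowed), and rejected rather than dropped for a host outside the /32 in the third rule set, so the client is told the traffic was unauthorized instead of getting no response.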


After all rules are updated, the user saves the changes and then selects the VPNs to which the firewall will apply. Each VPN can use its own firewall. Once the VPNs are configured, the user can either save this firewall template for later or deploy it immediately.
