VRF Firewall Enhancement

Edge 6.0 GA introduces VRF Firewall enhancements that allow multiple VRFs to each have access to the Internet. Each VRF is associated with a different user group, for example, employees or guests, and the traffic from each group is kept isolated. This feature gives each Routing Domain (user group) access to the Internet through a common Access Interface. This provides the following capability:

  • Local guest-user Internet access
  • Employee-user Internet access for defined applications
  • Employee-users may continue to hairpin all other traffic to the NCN
  • Allow the user to add specific routes per Routing Domain, if required
  • When enabled, this feature applies to all Routing Domains

Users may also create multiple Access Interfaces to accommodate separate public-facing IP addresses. Either option provides the security required per user group.

Note:

Detailed instructions for how to configure VRFs can be found in the Edge 5.0 New Features Guide.

Below are the steps to configure this option:

  1. Create an Internet Service for a Site under Connections > [Site Name] > Internet Services and enable the Use checkbox under WAN Links.
  2. Enable the checkbox labeled Internet Access for All Routing Domains under Sites > [Site Name] > WAN Links > [WAN Link Name] > Access Interfaces.

Figure 8: Enabling Internet access for All Routing Domains

Selecting this checkbox allows the Edge to use this Access Interface for Internet Service on all configured Routing Domains.

Users may choose to configure either a shared Access Interface or one Access Interface for each group (separate public-facing IP addresses).

Note:

After completing these steps, you should see 0.0.0.0/0 routes added, one per Routing Domain, under Connections > [Site Name] > Routes.

Figure 9: Verifying Routes Added for Each Routing Domain

Note:

It is no longer required to have all Routing Domains enabled at the NCN. Disabling Routing Domains at the NCN that are in use at a Branch site will produce a popup message:

Figure 10: Removing a Routing Domain

Users may confirm that each Routing Domain is using the Internet Service by checking the Routing Domain column in the Flows table of the web UI under Monitor > Flows.

Figure 11: Flows in Routing Domains

Users may also check the routing table for each Routing Domain under Monitor > Statistics > Routes.

Figure 12: Flows for a Routing Domain