How to automate the design of firewalls ？

Fancy Wang 1005 2022

Firewall Automation Design

The SDN controller is connected to the Openstack cloud platform, and the FWaaS plug-in is installed on the Neutron module. The OpenStack cloud platform manages the firewall (FW) service through the FWaaS plug-in, and connects to the network controller to realize the automatic configuration of the second and third layers of the FW.

Different services are isolated by VPN on the gateway, and different and mutually isolated vFWs are created on the FW. The traffic that accesses the outside on the vFW is introduced into the root wall first, and then accesses the outside. The principle of FW automation is shown in the figure.

Pre-configuration is required on the FW so that the network controller can manage the FW. The pre-configured content includes the management IP address of the FW, NETCONF parameters, and the interconnection static route between the FW and the gateway switch VS1 (northbound default route and southbound large network segment route)

The automatic configuration process of the FW is as follows.

• Each VPC creates a corresponding vSys on the FW, and the default route from each vSys to the root wall and the network segment route from the root wall to the vSys;
• If two vSys need to communicate with each other, you need to automatically configure route communication on the root wall;
• The security policy for intercommunication is configured by the user on the cloud platform, and then automatically delivered to the corresponding vSys.

The traffic model designed by FW automation is as follows.

• After the packet is sent to the gateway, it decapsulates the VXLAN, looks up the routing table, and remembers the default route by matching the low priority and forwards it to the corresponding virtual interface of the FW. VRF instance 1 corresponds to vFW1;
• The FW device looks up the routing table, and if there is a route to other vFW egress If the default route is matched, it will be forwarded to the public vFW interface;
• The public vFW is connected to VS1, and the packets will be communicated inside and outside the data center through VS1.

We are a 100G switch with Nos, 100G module/network card factory in Shenzhen, China. We can provide you with one-stop service on products, transportation, customs clearance, and tariffs