Firewall Policy Use Cases
The following examples provide an understanding of how you can construct intent-based firewall policies for different traffic scenarios across sources and destinations.
Firewall Policy Use Case - 1
Define a firewall policy that controls access to specific applications for various departments, with the following intents:
- All PR departments located in site A and site B (which are in different geographical locations) are permitted to access the news applications BBC and CNN.
- All engineering departments located in site A and site B (which are in different geographical locations) are denied access to the news applications BBC and CNN.
- Access to Telnet and SSH applications is given only to the engineering department.
- Access to Telnet and SSH applications is denied to all departments, except for the engineering department.
Table 1 shows the firewall policy intents that are needed to fulfil this requirement:
Table 1: Firewall Policy Use Case - 1
Source | Destination (Application) | Action |
---|---|---|
PR department, site A and PR department, site B | BBC and CNN | Permit |
Engineering department, site A and Engineering department, site B | BBC and CNN | Deny |
Engineering department | Telnet and SSH | Permit |
Any (All addresses except the engineering department) | Telnet and SSH | Deny |
Note: The number of intents depends on the number of source sites with the given department and the number of destination sites.
Firewall Policy Use Case - 2
Define a firewall policy that denies access to networking sites such as Facebook and Twitter (defined as application group Social Networking) to the HR, finance, and IT departments located in Site A.
Table 2 shows the firewall policy intents that are needed to fulfil this requirement:
Table 2: Firewall Policy Use Case - 2
Source Department | Destination Application Group | Action |
---|---|---|
HR, Finance, IT, site A | Application group Social Networking (Facebook and Twitter) | Deny |
Note: Add site A only if the HR, Finance, or IT departments are present in several sites but you want this firewall policy intent to apply only to the HR, Finance, and IT departments present in site A.
Firewall Policy Use Case - 3
Define a firewall policy that controls traffic to example.com based on the services used by the source endpoint, with the following intents:
- The IT team in site A is permitted access to FTP and HTTP services.
- The IT team in site B is only permitted access to the FTP service.
Table 3 shows the firewall policy intents that are needed to fulfil this requirement:
Table 3: Firewall Policy Use Case - 3
Source Address | Service | Destination Address | Action |
---|---|---|---|
IT, site A | FTP and HTTP | example.com | Permit |
IT, site B | FTP | example.com | Permit |
Firewall Policy Use Case - 4
Define a firewall policy that controls access to an address over the internet (HTTP) for various sites or site groups with the following intents:
- All addresses of site A and site B are permitted access to example.com.
- All addresses of site group Q1 are denied access to example-one.com.
Table 4 shows the firewall policy intents that are needed to fulfil this requirement:
Table 4: Firewall Policy Use Case - 4
Source Address | Service | Destination Address | Action |
---|---|---|---|
IP address prefix, site A and IP-Prefix, site B | HTTP | www.example.com | Permit |
IP address prefix, site group Q1 | HTTP | www.example-one.com | Deny |
Firewall Policy Use Case - 5
Define a firewall policy where a specific IP address, belonging to all sites and departments, is permitted or denied the use of HTTP or FTP as a service.
Table 5 shows the firewall policy intents that are needed to fulfil this requirement:
Table 5: Firewall Policy Use Case - 5
Source Address | Service | Destination Address | Action |
---|---|---|---|
192.0.2.0 | HTTP | example.com | Permit |
192.0.2.0 | FTP | example.com | Deny |
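The five tables above, as an added worked example that is not part of the original guide or of the vendor's product: a small Python evaluator that models each table row as an intent and applies first-match, default-deny evaluation to constructed sample flows. The data model, the first-match and default-deny semantics, the membership of site group Q1 and application group Social Networking, and the IP prefixes that stand in for site A, site B and site group Q1 are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Constructed sample data (assumptions, not the product's own objects): members of
# the site group Q1 and of the application group Social Networking.
SITE_GROUPS = {"Q1": frozenset({"site C", "site D"})}
APP_GROUPS = {"Social Networking": frozenset({"Facebook", "Twitter"})}


def expand(groups, *names):
    """Expand group names into their members; a name that is not a group is kept."""
    members = set()
    for name in names:
        members |= groups.get(name, {name})
    return frozenset(members)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_site: str
    src_department: str
    dst_host: str
    application: str  # application or service name, e.g. "BBC", "SSH", "HTTP"


@dataclass(frozen=True)
class Intent:
    """One row of a firewall policy table; a None field means 'any'."""
    name: str
    action: str                                        # "permit" or "deny"
    departments: Optional[FrozenSet[str]] = None
    exclude_departments: FrozenSet[str] = frozenset()  # "Any except ..." sources
    sites: Optional[FrozenSet[str]] = None
    prefixes: Tuple[str, ...] = ()                     # source IP prefixes; () = any
    applications: Optional[FrozenSet[str]] = None
    destinations: Optional[FrozenSet[str]] = None

    def matches(self, flow: Flow) -> bool:
        return all((
            self.departments is None or flow.src_department in self.departments,
            flow.src_department not in self.exclude_departments,
            self.sites is None or flow.src_site in self.sites,
            not self.prefixes
            or any(ip_address(flow.src_ip) in ip_network(p) for p in self.prefixes),
            self.applications is None or flow.application in self.applications,
            self.destinations is None or flow.dst_host in self.destinations,
        ))


AB = frozenset({"site A", "site B"})
POLICY = [
    # Use case 1: news access per department, remote access only for engineering
    Intent("pr-news", "permit", departments=frozenset({"PR"}), sites=AB,
           applications=expand(APP_GROUPS, "BBC", "CNN")),
    Intent("eng-news", "deny", departments=frozenset({"Engineering"}), sites=AB,
           applications=expand(APP_GROUPS, "BBC", "CNN")),
    Intent("eng-remote", "permit", departments=frozenset({"Engineering"}),
           applications=expand(APP_GROUPS, "Telnet", "SSH")),
    Intent("any-remote", "deny", exclude_departments=frozenset({"Engineering"}),
           applications=expand(APP_GROUPS, "Telnet", "SSH")),
    # Use case 2: the application group is expanded into its members
    Intent("social-a", "deny", departments=frozenset({"HR", "Finance", "IT"}),
           sites=frozenset({"site A"}), applications=expand(APP_GROUPS, "Social Networking")),
    # Use case 3: services allowed towards example.com differ per site
    Intent("it-a", "permit", departments=frozenset({"IT"}), sites=frozenset({"site A"}),
           applications=frozenset({"FTP", "HTTP"}), destinations=frozenset({"example.com"})),
    Intent("it-b", "permit", departments=frozenset({"IT"}), sites=frozenset({"site B"}),
           applications=frozenset({"FTP"}), destinations=frozenset({"example.com"})),
    # Use case 4: constructed prefixes stand for site A, site B and site group Q1
    Intent("ab-web", "permit", prefixes=("10.1.0.0/16", "10.2.0.0/16"),
           applications=frozenset({"HTTP"}), destinations=frozenset({"www.example.com"})),
    Intent("q1-web", "deny", sites=expand(SITE_GROUPS, "Q1"), prefixes=("10.3.0.0/16",),
           applications=frozenset({"HTTP"}), destinations=frozenset({"www.example-one.com"})),
    # Use case 5: one host address, regardless of site or department
    Intent("host-http", "permit", prefixes=("192.0.2.0/32",),
           applications=frozenset({"HTTP"}), destinations=frozenset({"example.com"})),
    Intent("host-ftp", "deny", prefixes=("192.0.2.0/32",),
           applications=frozenset({"FTP"}), destinations=frozenset({"example.com"})),
]


def decide(flow: Flow, policy=POLICY):
    """First matching intent wins; a flow matching no intent is denied (assumed default)."""
    for intent in policy:
        if intent.matches(flow):
            return intent.action, intent.name
    return "deny", "default"


if __name__ == "__main__":
    samples = [  # constructed flows
        Flow("10.1.0.5", "site A", "PR", "bbc.co.uk", "BBC"),
        Flow("10.1.0.5", "site A", "PR", "10.9.9.9", "Telnet"),
        Flow("10.2.0.7", "site B", "Engineering", "10.9.9.9", "SSH"),
        Flow("10.2.0.3", "site B", "IT", "example.com", "HTTP"),
        Flow("10.3.0.4", "site C", "Finance", "www.example-one.com", "HTTP"),
        Flow("192.0.2.0", "site D", "Finance", "example.com", "FTP"),
    ]
    for f in samples:
        action, rule = decide(f)
        print(f"{f.src_department:<12}{f.src_site:<8}{f.application:<8}-> "
              f"{f.dst_host:<22}{action} ({rule})")
```

Two points the tables state only implicitly show up when the evaluator runs: the "Any (All addresses except the engineering department)" row is an exclusion, so it must sit after the engineering permit or be written with an explicit exclusion as here, and a flow that no intent covers (HR in site B reaching Facebook, or IT in site B using HTTP to example.com) falls through to the default action, so the default has to be chosen deliberately.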