Metadata-Based Policy Enforcement Overview
Traditionally, firewall policies are created using source and destination address objects. These objects are usually addresses or address groups. To create a firewall policy, you must know the IP address or range of IP addresses you want to target.
The introduction of metadata enables you to appropriately tag these addresses. You can use these metadata tags when you create the firewall policy.
The metadata-based policy enforcement involves the following steps:
Metadata definition—Define the metadata keys and the values each key can take. For example: Location = Bengaluru, Sunnyvale; OS = Windows, Mac, Linux; Role = Database, Application, Web.
Metadata association—Associate the defined metadata with the addresses of type host or range.
Metadata expressions evaluation—When you create a rule for a firewall policy, you choose the source and destination addresses based on metadata expressions, instead of IP addresses, address groups, or network ranges.
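The three steps above, as an added example that is not Juniper's code: a small Python model in which metadata keys and values are defined once, associated with host or range address objects, and then used as the source and destination expressions of a rule, which resolve to address objects only at evaluation time. The expression syntax (Key = Value joined by AND, OR, NOT and parentheses), the Address shape, and the inventory names and IP addresses are assumptions constructed for this example, not Security Director's own.

```python
# Added example (not Juniper's code). The expression syntax is an assumption of
# this example, not Security Director's own: "Key = Value" joined by AND, OR, NOT, ().
import re
from dataclasses import dataclass, field

# Step 1: metadata definition -- every key and the values it may take.
METADATA_SCHEMA = {
    "Location": {"Bengaluru", "Sunnyvale"},
    "OS": {"Windows", "Mac", "Linux"},
    "Role": {"Database", "Application", "Web"},
}

def check_defined(key, value):
    """Reject undefined key/values so a typo fails loudly instead of matching nothing."""
    if value not in METADATA_SCHEMA.get(key, ()):
        raise ValueError(f"{key} = {value} is not a defined metadata key/value")

@dataclass
class Address:
    """Address object of kind 'host' (one IP) or 'range' (first-last), plus its tags."""
    name: str
    kind: str
    value: str
    metadata: dict = field(default_factory=dict)

    def tag(self, key, value):
        """Step 2: associate a defined metadata key/value with this address."""
        check_defined(key, value)
        self.metadata[key] = value
        return self

_TOKEN = re.compile(r"\s*(\(|\)|=|AND\b|OR\b|NOT\b|[A-Za-z0-9_.-]+)")

class Parser:
    """Recursive-descent parser for metadata expressions; precedence NOT > AND > OR."""
    def __init__(self, expr):
        self.toks, self.i = _TOKEN.findall(expr), 0
        if "".join(self.toks) != re.sub(r"\s+", "", expr):
            raise ValueError(f"unexpected characters in {expr!r}")
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok
    def parse_or(self):
        return self.binary("OR", lambda: self.binary("AND", self.parse_not))
    def binary(self, op, sub):
        node = sub()
        while self.peek() == op:
            self.take()
            node = (op.lower(), node, sub())
        return node
    def parse_not(self):
        if self.peek() == "NOT":
            self.take()
            return ("not", self.parse_not())
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            self.take(")")
            return node
        key, _, value = self.take(), self.take("="), self.take()
        check_defined(key, value)
        return ("eq", key, value)

def matches(node, addr):
    op, *args = node
    if op == "eq":
        return addr.metadata.get(args[0]) == args[1]
    if op == "not":
        return not matches(args[0], addr)
    results = (matches(sub, addr) for sub in args)
    return all(results) if op == "and" else any(results)

def resolve(expr, addresses):
    """Step 3: evaluate an expression against the current inventory -> sorted address names."""
    parser = Parser(expr)
    node = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r} in {expr!r}")
    return sorted(a.name for a in addresses if matches(node, a))

# Constructed sample inventory; names and IPs are made up for this example.
INVENTORY = [
    Address("web-blr-1", "host", "10.1.1.10").tag("Location", "Bengaluru").tag("OS", "Linux").tag("Role", "Web"),
    Address("app-blr-1", "host", "10.1.2.10").tag("Location", "Bengaluru").tag("OS", "Linux").tag("Role", "Application"),
    Address("db-blr-pool", "range", "10.1.3.10-10.1.3.20").tag("Location", "Bengaluru").tag("Role", "Database"),
    Address("web-svl-1", "host", "10.2.1.10").tag("Location", "Sunnyvale").tag("OS", "Windows").tag("Role", "Web"),
]

if __name__ == "__main__":
    # A rule's source and destination are expressions, not address objects or groups.
    rule = {"source": "Role = Web AND NOT Location = Sunnyvale", "destination": "Role = Application"}
    print({side: resolve(expr, INVENTORY) for side, expr in rule.items()})
    # A web host instantiated later is covered without editing or recommitting the rule.
    INVENTORY.append(Address("web-blr-2", "host", "10.1.1.11").tag("Location", "Bengaluru").tag("Role", "Web"))
    print({side: resolve(expr, INVENTORY) for side, expr in rule.items()})
```

Running the block prints the rule's resolved source and destination, then adds a second Bengaluru web host and resolves again: the new host appears in the source set although the rule text never changed, which is the automatic update the Benefits section describes. Both tag() and the parser reject keys or values outside the defined schema, so a misspelled tag in a rule is caught when the rule is written rather than silently matching nothing.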
Benefits of Metadata-Based Policies
The use of metadata tags facilitates a wide range of security automation operations and significantly reduces the number of rules required to implement a solution.
Metadata-based policies ensure that the defined security policy is instantiated on the firewalls even before the applications and application components are created. When new application components are instantiated, the relevant firewall policies are automatically updated with the components' metadata, so the policy is enforced from the moment the components come up. Security administrators do not need to commit changes manually when address metadata changes; a commit is needed only when the rules themselves change.
Whether you deploy the application components inside a data center or in different public cloud locations, you can leverage the same metadata-based policy and deploy it to different SRX Series devices or vSRX instances in different locations and achieve a consistent security posture.
Security administrators get a more holistic picture of each network entity from its metadata assignments, instead of being limited to identifying the entity by its IP address alone.