Configure SD-WAN IP-Filtering Policies
For supported software information, click here.
Traffic passing through the network may have IP addresses that are associated with a bad reputation and that may cause security risk to your network. To block these IP addresses based on IP address reputation and IP address metadata such as geolocation, you can configure IP address–filtering policies and then associate them with security policies. You associate IP-filtering policies with basic and standard master profiles.
Versa Operating SystemTM (VOSTM) devices provide predefined IP reputations that you can use to create IP address–filtering policies.
You can filter and control traffic based on IP address in the following ways:
- Security access policy enforcement based on address objects with fully qualified domain names (FQDNs)—You can define address objects based on the FQDN by specifying source and destination IP address objects in the match criteria in a security policy rule. The VOS device queries the DNS server for the domain names and caches the resolved IP addresses. When the VOS device processes traffic, the IP address matching is done using the cached resolved IP addresses. This type of filtering minimizes latency associated with real-time DNS lookups, thus improving performance.
- Security access policy enforcement based on address objects with dynamic addresses—You can define address objects based on dynamic addresses by specifying a dynamic source and destination IP address object in the match criteria in a security policy rule. The VOS device does not perform any operations on its own to resolve the dynamic address objects to IP addresses. Instead, the VOS device depends on an external mechanism that pushes the most accurate IP address list corresponding to the dynamic object to the VOS device. This external mechanism makes a REST API call to the Director node, which then pushes the updates to the VOS device. When a VOS device is processing traffic, it matches IP addresses using the translated IP addresses that are part of the dynamic address object. This type of filtering minimizes the latency associated with real-time DNS lookups, thus improving performance.
- IP filtering based on the reputation associated with an IP address and its geolocation—You can filter traffic based on IP reputation and IP address metadata (that is, geolocation). Versa Networks provides an IP reputation feed that is updated both daily and in real time. Additionally, you can populate an IP-filtering policy with IP address deny lists (also called blacklists) or allow lists (also called whitelists) by using a custom script or an automated script that invokes REST APIs on the Director node.
IP address filters are based on the following IP address attributes:
- IP reputation—You can create IP filter policies using the following predefined IP reputations:
- BotNets
- Cloud providers
- Denial of service
- Mobile threats
- Network
- Phishing
- Proxy
- Reputation
- Scanners
- Spam sources
- Tor proxy
- Web attacks
- Windows exploits
- Geolocation—Versa Networks provides a list of predefined regions that you can use to create IP filter policies based on geolocation.
You define IP-filtering policies to filter traffic based on the IP address attributes. Each IP-filtering policy consists of the following:
- Denied IP addresses
- Allowed IP addresses
- Rules for geolocation-based actions
- Rules for IP reputation-based actions
- DNS reverse lookup configurations
You can match the IP address based on the following match criteria:
- Source IP address
- Destination IP address
- Source or destination IP address
- Source and destination IP address
You can enforce the following actions when a session's IP address matches the conditions in the IP-filtering policy:
- Allow
- Alert
- Drop packet
- Drop session
- Reset
You can also configure custom actions in an IP-filtering file.
To configure IP-filtering policies:
- Go to Configure > Secure SD-WAN > Profile Elements > Policies > Security > IP Filtering.
The following screen displays.
- To customize which columns to display, click Select Columns and then click the columns to select or deselect the ones you want to display. Click Reset to return to the default column display settings.
- Click + Add to create a policy. The Add IP Filtering Policy screen displays.
- By default, all fields are configured. To customize IP-filtering actions, in Step 1, Deny and Allow List, enter information for the following fields. Note that if the traffic matches both a deny list and an allow list, the action in the deny list takes precedence.
Deny List (Group of Fields)—Choose the IP addresses and groups to deny (block). This group contains the following fields:
- Action—Select the action to enforce when the IP-filtering policy encounters an IP address that is configured in a deny-listed IP address or IP address group:
  - Alert—Allow the IP address, and generate an entry in the IP-filtering log.
  - Allow—Allow the IP address, and do not generate an entry in the IP-filtering log.
  - Drop Packet—Silently drop the packet. The client's browser waits for a response from the server that never arrives, so the user cannot determine whether the packet was lost because of a delayed response from the server or because a firewall blocked access to the website.
  - Drop Session—Silently drop the session. The client's browser waits for a response from the server that never arrives, so the user cannot determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
  - Reject—Send an ICMP unreachable message back to the client and reset the connection to the server.
- Address Group—Select the IP address groups for which to enforce the action. For more information about adding address group objects, see Configure Address Objects.
- IPv4/IPv6 Subnet—Enter a list of IPv4 or IPv6 subnets.
- IP Range—Enter a list of IP address ranges.
- IP Wildcard—Enter a list of IP address wildcard values.
- Specify the Match Criteria for IP Address—Select the match criteria for the IP address:
  - Match only source IP address.
  - Match only destination IP address.
  - Match source or destination IP address.
  - Match source and destination IP address.
Allow List (Group of Fields)—Choose the IP addresses and groups to allow. This group contains the following fields:
- Address Group—Select the IP address groups for which to enforce the action. For more information about adding address group objects, see Configure Address Objects.
- IPv4/IPv6 Subnet—Enter a list of IPv4 or IPv6 subnet values.
- IP Range—Enter a list of IP address range values.
- IP Wildcard—Enter a list of IP address wildcard values.
- Specify the Match Criteria for IP Address—Select the match criteria for the IP address:
  - Match only source IP address.
  - Match only destination IP address.
  - Match source or destination IP address.
  - Match source and destination IP address.
- Click Next to go to Step 2, Geo IP-Based Actions, to add actions for geographic reputation-based IP filtering.
- Click the Add icon, and in the Add Location popup window, enter information for the following fields.
Location Name—Select the name of the geographic reputation-based IP-filtering policy.
Action—Select the action to enforce when the IP-filtering policy encounters an IP address or IP address group that has an unacceptable geographic reputation:
- Alert—Allow the IP address, and generate an entry in the IP-filtering log.
- Allow—Allow the IP address, and do not generate an entry in the IP-filtering log.
- Drop Packet—Silently drop the packet. The client's browser waits for a response from the server that never arrives, so the user cannot determine whether the packet was lost because of a delayed response from the server or because a firewall blocked access to the website.
- Drop Session—Silently drop the session. The client's browser waits for a response from the server that never arrives, so the user cannot determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
- Reject—Send an ICMP unreachable message back to the client and reset the connection to the server.
Specify the Match Criteria for IP Address—Select the match criteria for the IP address:
- Match only source IP address.
- Match only destination IP address.
- Match source or destination IP address.
- Match source and destination IP address.
Select Country—Select one or more countries to specify the geographic region.
- Click Add.
- Click Next to go to Step 3, Reputation-Based Actions.
- Click the Add icon, and in the Add Reputation popup window, enter information for the following fields.
Reputation Name (Required)—Enter a name for the IP reputation-based IP-filtering policy.
Action—Select the action to enforce when the IP-filtering policy encounters an IP address or IP address group that has an unacceptable reputation:
- Alert—Allow the IP address, and generate an entry in the IP-filtering log.
- Allow—Allow the IP address, and do not generate an entry in the IP-filtering log.
- Drop Packet—Silently drop the packet. The client's browser waits for a response from the server that never arrives, so the user cannot determine whether the packet was lost because of a delayed response from the server or because a firewall blocked access to the website.
- Drop Session—Silently drop the session. The client's browser waits for a response from the server that never arrives, so the user cannot determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
- Reject—Send an ICMP unreachable message back to the client and reset the connection to the server.
Specify the Match Criteria for IP Address—Select the match criteria for the IP address:
- Match only source IP address.
- Match only destination IP address.
- Match source or destination IP address.
- Match source and destination IP address.
Select one or more reputations—Select one or more reputations:
- Botnets
- Denial of service
- Phishing
- Proxy
- Reputation
- Scanners
- Spam sources
- Web attacks
- Windows exploits
- Click Add.
- Click Next to go to Step 4, Address Reverse Lookup, to configure address reverse lookup, which performs a reverse lookup of an IP tuple (source IP address and destination IP address) and can then apply a URL-filtering policy on the reverse lookup domain. You can use this in conjunction with host reputation-based actions for non-HTTP or non-HTTPS traffic (for example, FTP traffic). Enter information for the following fields.
Specify the address type to perform reverse lookup—Select the address type on which to perform a reverse lookup:
- Match only source IP address.
- Match only destination IP address.
- Match source and destination IP address.
URL-Filtering Profile—Select the URL-filtering profile to associate with IP address reverse lookup. For more information, see Configure Custom URL-Filtering Profiles.
- Click Next to go to Step 5, Default Action, to select the default action to perform when there are no matching criteria.
Specify the default action to enforce if there are no criteria matched—Select the default action to perform when there are no matching criteria:
- Alert—Allow the IP address, and generate an entry in the IP-filtering log.
- Allow—Allow the IP address, and do not generate an entry in the IP-filtering log.
- Drop Packet—Silently drop the packet. The client's browser waits for a response from the server that never arrives, so the user cannot determine whether the packet was lost because of a delayed response from the server or because a firewall blocked access to the website.
- Drop Session—Silently drop the session. The client's browser waits for a response from the server that never arrives, so the user cannot determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
- Reject—Send an ICMP unreachable message back to the client and reset the connection to the server.
Prioritize URL Reputation—Click to prioritize the URL reputation over the IP reputation. Instead of blocking the traffic in IP filtering based on reputation, the traffic is further evaluated with URL filtering. URL reputation correlates with an actual website, whereas an IP-filtering policy that blocks traffic based on IP reputation alone may also block some legitimate websites hosted on that address. When the URL reputation meets the threshold you select in the URL Reputation Priority field, the URL reputation overrides the IP Reputation Action.
- Click Next to go to Step 6, Permissions, to set or update the permission for each role. The roles are Enterprise Administrator, Enterprise Operator, Service Provider Administrator, and Service Provider Operator. The permission for each role is selected by default, and you can update it. The role permissions are Edit, Hide, and Read.
- Click Next to go to Step 7, Review and Submit.
- In the General section, enter a name for the IP-filtering policy and, optionally, a description and tags.
- For all other sections, review the information. If you need to make changes, click the Edit icon.
- Click Save.
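The following constructed Python model, added here as an illustration and not Versa's own code, ties together the policy components listed earlier (deny list, allow list, geolocation rules, reputation rules, default action), the four match criteria, and the Step 1 rule that a deny-list match takes precedence over an allow-list match. Everything the documentation does not specify is an assumption made for this example: that an allow-list hit ends evaluation, that geolocation rules are checked before reputation rules (the order of Steps 2 and 3), that the IP Wildcard field is an address plus a wildcard mask whose set bits are "don't care", and the placeholder country code "ZZ" and RFC 5737/3849 documentation addresses used as sample input.

```python
"""Constructed model of IP-filtering policy evaluation (not Versa's implementation).

Components and match criteria follow the documentation; evaluation order after the
deny/allow lists and the wildcard format are assumptions made for this example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# Match criteria and actions, named after the documented options.
SRC, DST, SRC_OR_DST, SRC_AND_DST = "src", "dst", "src-or-dst", "src-and-dst"
ALLOW, ALERT, DROP_PACKET, DROP_SESSION, REJECT = (
    "allow", "alert", "drop-packet", "drop-session", "reject")


def subnet_matcher(cidr: str) -> Callable[[str], bool]:
    """IPv4/IPv6 Subnet field: membership test for one prefix."""
    net = ip_network(cidr, strict=False)
    return lambda ip: ip_address(ip) in net  # False when address families differ


def range_matcher(low: str, high: str) -> Callable[[str], bool]:
    """IP Range field: inclusive low..high within one address family."""
    lo, hi = ip_address(low), ip_address(high)

    def match(ip: str) -> bool:
        a = ip_address(ip)
        return a.version == lo.version and lo <= a <= hi
    return match


def wildcard_matcher(pattern: str, wildcard: str) -> Callable[[str], bool]:
    """IP Wildcard field, modelled (assumption) as address plus a wildcard mask
    whose 1 bits are "don't care", e.g. 10.1.0.0 with 0.0.255.255."""
    p, w = ip_address(pattern), ip_address(wildcard)
    care = ~int(w) & (2 ** p.max_prefixlen - 1)

    def match(ip: str) -> bool:
        a = ip_address(ip)
        return a.version == p.version and (int(a) & care) == (int(p) & care)
    return match


def criteria_hit(criteria: str, src_hit: bool, dst_hit: bool) -> bool:
    """Apply one of the four documented match criteria."""
    return {SRC: src_hit, DST: dst_hit,
            SRC_OR_DST: src_hit or dst_hit,
            SRC_AND_DST: src_hit and dst_hit}[criteria]


@dataclass
class AddressList:
    """Deny List or Allow List: subnet/range/wildcard matchers plus criteria and action."""
    matchers: List[Callable[[str], bool]]
    criteria: str
    action: str

    def hit(self, ip: str) -> bool:
        return any(m(ip) for m in self.matchers)


@dataclass
class AttributeRule:
    """Geo IP-Based or Reputation-Based Action: fires when an address's country
    (or any of its reputations) is in `values`."""
    values: frozenset
    criteria: str
    action: str


@dataclass
class Session:
    src: str
    dst: str
    src_country: str = ""
    dst_country: str = ""
    src_reputations: frozenset = frozenset()
    dst_reputations: frozenset = frozenset()


@dataclass
class IpFilteringPolicy:
    deny: Optional[AddressList] = None
    allow: Optional[AddressList] = None
    geo_rules: List[AttributeRule] = field(default_factory=list)
    reputation_rules: List[AttributeRule] = field(default_factory=list)
    default_action: str = ALLOW


def evaluate(policy: IpFilteringPolicy, s: Session) -> Tuple[str, str]:
    """Return (action, component that decided) for one session."""
    def list_hit(lst: Optional[AddressList]) -> bool:
        return lst is not None and criteria_hit(lst.criteria, lst.hit(s.src), lst.hit(s.dst))

    # Documented rule: when both lists match, the deny-list action takes precedence.
    if list_hit(policy.deny):
        return policy.deny.action, "deny-list"
    if list_hit(policy.allow):
        return policy.allow.action, "allow-list"  # assumption: an allow-list hit is final
    for rule in policy.geo_rules:  # assumed order: Step 2 rules before Step 3 rules
        if criteria_hit(rule.criteria, s.src_country in rule.values, s.dst_country in rule.values):
            return rule.action, "geo"
    for rule in policy.reputation_rules:
        if criteria_hit(rule.criteria, bool(s.src_reputations & rule.values),
                        bool(s.dst_reputations & rule.values)):
            return rule.action, "reputation"
    return policy.default_action, "default"  # Step 5 default action


def example_policy() -> IpFilteringPolicy:
    """Constructed sample policy; "ZZ" is a placeholder country code."""
    return IpFilteringPolicy(
        deny=AddressList([subnet_matcher("203.0.113.0/24"),
                          wildcard_matcher("10.1.0.0", "0.0.255.255")], SRC_OR_DST, DROP_SESSION),
        allow=AddressList([range_matcher("198.51.100.10", "198.51.100.20")], SRC, ALLOW),
        geo_rules=[AttributeRule(frozenset({"ZZ"}), DST, ALERT)],
        reputation_rules=[AttributeRule(frozenset({"Botnets", "Tor proxy"}), SRC_OR_DST, REJECT)],
        default_action=ALLOW,
    )


if __name__ == "__main__":
    pol = example_policy()
    for sess in (Session("198.51.100.15", "203.0.113.5"),  # allow and deny both match
                 Session("198.51.100.12", "192.0.2.9", dst_reputations=frozenset({"Botnets"})),
                 Session("192.0.2.1", "192.0.2.9", dst_country="ZZ"),
                 Session("192.0.2.1", "192.0.2.9", src_reputations=frozenset({"Tor proxy"})),
                 Session("192.0.2.1", "192.0.2.9")):
        print(sess.src, "->", sess.dst, evaluate(pol, sess))
```

The first sample session is the case the Step 1 note warns about: its source address is in the allow-list range and its destination is in the denied subnet, so the deny-list action wins. The second shows why an allow list deserves care: a source on the allow list bypasses the reputation rule that would otherwise have rejected traffic to a Botnets-tagged destination.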
You associate IP-filtering policies with basic or standard master profiles. For more information, see Configure Profiles.
Supported Software Information
Releases 12.1.1 and later support all content described in this article.