3.6 Enterprise Firewall Deep Dive
| Field |
Value |
| Document ID |
SDWAN-SEC-3.6 |
| Version |
1.0 |
| Last Updated |
December 2025 |
| Author |
Network Architecture Team |
| Classification |
Internal Use |
1. Executive Summary
This section provides a comprehensive deep dive into enterprise firewall capabilities within Abhavtech's SD-WAN deployment. The firewall architecture encompasses Cisco's integrated Zone-Based Firewall (ZBFW), Application Firewall, IPS/IDS capabilities, and integration with third-party next-generation firewalls (Palo Alto Networks). This multi-layered approach provides defense in depth across the entire WAN infrastructure.
1.1 Firewall Architecture Overview
+------------------------------------------------------------------+
| ENTERPRISE FIREWALL ARCHITECTURE |
+------------------------------------------------------------------+
| |
| Layer 7: Application Firewall |
| +----------------------------------------------------------+ |
| | Deep Packet Inspection | Application Identification | SSL | |
| +----------------------------------------------------------+ |
| |
| Layer 5-6: UTD / IPS-IDS |
| +----------------------------------------------------------+ |
| | Snort 3.0 Engine | Malware Detection | Threat Intel Feed | |
| +----------------------------------------------------------+ |
| |
| Layer 4: Zone-Based Firewall |
| +----------------------------------------------------------+ |
| | Stateful Inspection | Zone Pairs | Class Maps | Policies | |
| +----------------------------------------------------------+ |
| |
| Layer 3: Network Segmentation |
| +----------------------------------------------------------+ |
| | VPN Isolation | VRF Separation | Route Filtering | |
| +----------------------------------------------------------+ |
| |
| External Integration: Palo Alto Networks |
| +----------------------------------------------------------+ |
| | NGFW Service Chain | Panorama | Threat Prevention | |
| +----------------------------------------------------------+ |
| |
+------------------------------------------------------------------+
1.2 Deployment Matrix
| Site |
ZBFW |
App Firewall |
UTD/IPS |
Palo Alto |
License |
| Mumbai DC |
✅ |
✅ |
Full |
✅ |
Premier |
| Chennai DR |
✅ |
✅ |
Full |
✅ |
Premier |
| London |
✅ |
✅ |
Full |
✅ |
Premier |
| New Jersey |
✅ |
✅ |
Full |
✅ |
Premier |
| Bangalore |
✅ |
✅ |
Basic |
- |
Advantage |
| Delhi |
✅ |
✅ |
Basic |
- |
Advantage |
| Frankfurt |
✅ |
✅ |
Basic |
- |
Advantage |
| Dallas |
✅ |
✅ |
Basic |
- |
Advantage |
| Noida |
✅ |
- |
DNS only |
- |
Essentials |
2. Zone-Based Firewall (ZBFW)
2.1 Zone Architecture
+------------------------------------------------------------------+
| ZBFW ZONE ARCHITECTURE |
+------------------------------------------------------------------+
| |
| WAN Edge Router |
| +-------------------------------------------------------------+ |
| | | |
| | +------------------+ +------------------+ | |
| | | VPN-ZONE | | INTERNET-ZONE | | |
| | | (Service VPNs) | | (DIA Interface) | | |
| | | VPN 10,20,30,40 | | GigE 0/0/1 | | |
| | +--------+---------+ +--------+---------+ | |
| | | | | |
| | | +------------------+ | | |
| | +---->| SELF-ZONE |<---+ | |
| | | (Router itself) | | |
| | +--------+---------+ | |
| | | | |
| | +--------------+--------------+ | |
| | | | | |
| | +--------+---------+ +--------+---------+ | |
| | | MPLS-ZONE | | GUEST-ZONE | | |
| | | (MPLS Transport) | | (Guest VPN 20) | | |
| | | GigE 0/0/0 | | Isolated | | |
| | +------------------+ +------------------+ | |
| | | |
| +-------------------------------------------------------------+ |
| |
+------------------------------------------------------------------+
2.2 Zone Definitions
| Zone Name |
Description |
Interfaces |
VPNs |
Security Level |
| VPN-ZONE |
Corporate traffic |
Service VPN interfaces |
10, 40, 50 |
High |
| INTERNET-ZONE |
Internet breakout |
DIA interface |
0 (NAT) |
Untrusted |
| GUEST-ZONE |
Guest network |
Guest VPN interface |
20 |
Restricted |
| IOT-ZONE |
IoT devices |
IoT VPN interface |
30 |
Controlled |
| MPLS-ZONE |
MPLS transport |
MPLS WAN interface |
0 |
Trusted |
| SELF-ZONE |
Router management |
Loopback, VTY |
512 |
Protected |
2.3 Zone-Pair Policy Matrix
+------------------------------------------------------------------+
| ZONE-PAIR POLICY MATRIX |
+------------------------------------------------------------------+
| |
| Source Zone | Destination Zone | Policy | Action |
| -----------------+-------------------+-----------------+---------|
| VPN-ZONE | INTERNET-ZONE | DIA-OUTBOUND | Inspect |
| INTERNET-ZONE | VPN-ZONE | DIA-RETURN | Inspect |
| GUEST-ZONE | INTERNET-ZONE | GUEST-INTERNET | Permit |
| GUEST-ZONE | VPN-ZONE | BLOCK | Drop |
| IOT-ZONE | INTERNET-ZONE | IOT-CLOUD | Filter |
| VPN-ZONE | SELF-ZONE | MGMT-ACCESS | Permit |
| INTERNET-ZONE | SELF-ZONE | BLOCK | Drop |
| Any | MPLS-ZONE | MPLS-TRANSIT | Permit |
| |
+------------------------------------------------------------------+
2.4 ZBFW Configuration
! Zone Definitions
zone security VPN-ZONE
description "Corporate Service VPNs"
!
zone security INTERNET-ZONE
description "Direct Internet Access"
!
zone security GUEST-ZONE
description "Guest Network Isolation"
!
zone security IOT-ZONE
description "IoT Device Zone"
!
zone security MPLS-ZONE
description "MPLS Transport"
!
! Class Maps for Traffic Classification
class-map type inspect match-any CM-ALLOWED-APPS
match protocol http
match protocol https
match protocol dns
match protocol icmp
!
class-map type inspect match-any CM-BLOCKED-APPS
match protocol telnet
match protocol ftp
match protocol tftp
!
class-map type inspect match-any CM-GUEST-APPS
match protocol http
match protocol https
match protocol dns
!
! Policy Maps
policy-map type inspect PM-VPN-TO-INTERNET
class type inspect CM-ALLOWED-APPS
inspect
class type inspect CM-BLOCKED-APPS
drop log
class class-default
drop
!
policy-map type inspect PM-GUEST-TO-INTERNET
class type inspect CM-GUEST-APPS
pass
class class-default
drop log
!
! Zone Pairs
zone-pair security ZP-VPN-TO-INTERNET source VPN-ZONE destination INTERNET-ZONE
service-policy type inspect PM-VPN-TO-INTERNET
!
zone-pair security ZP-GUEST-TO-INTERNET source GUEST-ZONE destination INTERNET-ZONE
service-policy type inspect PM-GUEST-TO-INTERNET
!
zone-pair security ZP-GUEST-TO-VPN source GUEST-ZONE destination VPN-ZONE
service-policy type inspect PM-DENY-ALL
!
! Interface Zone Assignment
interface GigabitEthernet0/0/1
description "DIA Interface"
zone-member security INTERNET-ZONE
!
interface GigabitEthernet0/0/2.10
description "Employee VPN"
zone-member security VPN-ZONE
!
interface GigabitEthernet0/0/2.20
description "Guest VPN"
zone-member security GUEST-ZONE
!
3. Application Firewall
3.1 Application Visibility and Control (AVC)
+------------------------------------------------------------------+
| APPLICATION VISIBILITY & CONTROL |
+------------------------------------------------------------------+
| |
| NBAR2 Engine (Network-Based Application Recognition) |
| +----------------------------------------------------------+ |
| | | |
| | Layer 7 Identification: | |
| | - 1,400+ applications recognized | |
| | - Custom application signatures | |
| | - Encrypted traffic identification | |
| | - SSL/TLS SNI inspection | |
| | | |
| +----------------------------------------------------------+ |
| |
| Application Categories: |
| +------------------+ +------------------+ +------------------+ |
| | Business | | Social Media | | Streaming | |
| | - Office 365 | | - Facebook | | - Netflix | |
| | - Salesforce | | - Twitter | | - YouTube | |
| | - SAP | | - LinkedIn | | - Spotify | |
| +------------------+ +------------------+ +------------------+ |
| |
| +------------------+ +------------------+ +------------------+ |
| | Collaboration | | Cloud Storage | | Games | |
| | - WebEx | | - Dropbox | | - Steam | |
| | - Zoom | | - OneDrive | | - Xbox Live | |
| | - Teams | | - Google Drive | | - PlayStation | |
| +------------------+ +------------------+ +------------------+ |
| |
+------------------------------------------------------------------+
3.2 Application-Based Policy
! Application Lists
policy
app-list BUSINESS-CRITICAL
app office365
app salesforce
app sap
app oracle-apps
app ms-teams
app webex
!
app-list BLOCKED-APPS
app bittorrent
app tor
app ultrasurf
app psiphon
app tunnel-bear
!
app-list SOCIAL-MEDIA
app facebook
app twitter
app instagram
app tiktok
app snapchat
!
app-list STREAMING
app netflix
app youtube
app spotify
app amazon-prime-video
!
!
! Data Policy with Application Control
policy
data-policy APP-FIREWALL-POLICY
vpn-list VPN-10-EMPLOYEE
! Block prohibited applications
sequence 10
match
app-list BLOCKED-APPS
action drop
count BLOCKED-APP-DROPS
!
!
! Rate limit social media during business hours
sequence 20
match
app-list SOCIAL-MEDIA
action accept
policer rate 10000000 burst 1000000
count SOCIAL-RATE-LIMITED
!
!
! Rate limit streaming
sequence 30
match
app-list STREAMING
action accept
policer rate 50000000 burst 5000000
count STREAMING-RATE-LIMITED
!
!
! Prioritize business applications
sequence 40
match
app-list BUSINESS-CRITICAL
action accept
set
dscp 34
local-tloc-list MPLS-PREFERRED
!
!
!
!
!
3.3 Custom Application Signatures
! Custom Application Definition
app visibility
custom-app ABHAVTECH-PORTAL
server-name "portal.abhavtech.com"
server-name "*.abhavtech.com"
L3-L4 tcp port 443
L3-L4 tcp port 8443
!
custom-app ABHAVTECH-VOICE
server-name "voice.abhavtech.com"
L3-L4 tcp port 5060-5061
L3-L4 udp port 16384-32767
!
custom-app SAP-ERP
server-name "sap.abhavtech.com"
L3-L4 tcp port 3200-3299
L3-L4 tcp port 3300-3399
!
!
4. IPS/IDS with UTD
4.1 UTD Architecture
+------------------------------------------------------------------+
| UTD (UNIFIED THREAT DEFENSE) |
+------------------------------------------------------------------+
| |
| WAN Edge Router |
| +-------------------------------------------------------------+ |
| | | |
| | +------------------+ +------------------+ | |
| | | Data Plane | Divert | UTD Container | | |
| | | (Normal Traffic) |--------->| (Snort 3.0) | | |
| | +------------------+ +--------+---------+ | |
| | | | |
| | v | |
| | +------------------+ | |
| | | Verdict: | | |
| | | - PASS | | |
| | | - DROP | | |
| | | - ALERT | | |
| | | - RESET | | |
| | +--------+---------+ | |
| | | | |
| | +---------------------------+ | |
| | | | |
| | +--------v---------+ +------------------+ | |
| | | Forward/Drop | | Logging/Alert | | |
| | | Traffic | | to vManage | | |
| | +------------------+ +------------------+ | |
| | | |
| +-------------------------------------------------------------+ |
| |
+------------------------------------------------------------------+
4.2 Snort 3.0 Configuration
! UTD Engine Configuration
utd engine standard
logging host 10.254.1.50
logging level informational
threat-inspection
threat protection
policy balanced-security-and-connectivity
!
web-filter
url-filtering sourcedb external
cloud-lookup
!
!
! UTD Multi-tenancy Profile
utd multi-tenancy
policy balanced-security
all-interfaces
threat-inspection
threat protection
policy balanced-security-and-connectivity
!
web-filter
block-category malware
block-category botnets
block-category phishing
block-category spyware
!
!
!
! Interface UTD Assignment
interface GigabitEthernet0/0/1
utd enable
!
4.3 IPS Signature Management
+------------------------------------------------------------------+
| IPS SIGNATURE MANAGEMENT |
+------------------------------------------------------------------+
| |
| Signature Sources: |
| +----------------------------------------------------------+ |
| | Source | Update Frequency | Coverage | |
| +----------------------------------------------------------+ |
| | Cisco Talos | Daily | All threats | |
| | Custom Rules | As needed | Organization-spec | |
| | Emerging Threats | Hourly | New threats | |
| +----------------------------------------------------------+ |
| |
| Signature Categories: |
| +------------------+ +------------------+ +------------------+ |
| | Malware | | Exploits | | DoS | |
| | - Trojans | | - Buffer overflow| | - SYN flood | |
| | - Ransomware | | - RCE | | - UDP flood | |
| | - Worms | | - Injection | | - Amplification | |
| +------------------+ +------------------+ +------------------+ |
| |
| Policy Modes: |
| - Detection Only: Alert but do not block |
| - Prevention: Block matching traffic |
| - Balanced: Block high confidence, alert medium |
| |
+------------------------------------------------------------------+
4.4 Custom IPS Rules
! Custom Snort Rules for Abhavtech
! File: /etc/snort/rules/local.rules
# Block SSH brute force attempts
alert tcp any any -> $HOME_NET 22 (msg:"SSH Brute Force Attempt"; \
flags:S; threshold:type both,track by_src,count 5,seconds 60; \
classtype:attempted-admin; sid:1000001; rev:1;)
# Detect unauthorized admin access
alert tcp any any -> $HOME_NET [23,22,3389] (msg:"Admin Protocol from External"; \
flow:to_server,established; \
classtype:policy-violation; sid:1000002; rev:1;)
# Block known malware C2 domains
alert udp $HOME_NET any -> any 53 (msg:"Malware C2 DNS Query"; \
content:"|03|bad|07|example|03|com|00|"; nocase; \
classtype:trojan-activity; sid:1000003; rev:1;)
# Detect data exfiltration patterns
alert tcp $HOME_NET any -> any 443 (msg:"Large Data Exfiltration"; \
flow:to_server,established; dsize:>10000; \
threshold:type threshold,track by_src,count 100,seconds 60; \
classtype:policy-violation; sid:1000004; rev:1;)
5. Attack Mitigation
5.1 Common Attack Vectors
+------------------------------------------------------------------+
| ATTACK MITIGATION MATRIX |
+------------------------------------------------------------------+
| |
| Attack Type | Detection Method | Mitigation |
| ------------------+------------------------+--------------------|
| SYN Flood | Connection rate | TCP Intercept |
| UDP Flood | Packet rate threshold | Rate limiting |
| DNS Amplification | Query/Response ratio | Response filtering |
| ICMP Flood | Packet rate threshold | Rate limiting |
| Slowloris | Connection state | Timeout tuning |
| SQL Injection | Pattern matching | IPS blocking |
| XSS | Pattern matching | IPS blocking |
| Port Scanning | Connection patterns | Threat detection |
| Brute Force | Auth failure rate | Account lockout |
| |
+------------------------------------------------------------------+
5.2 DDoS Protection Configuration
! TCP SYN Cookie Protection
ip tcp synwait-time 10
ip tcp intercept list SYN-FLOOD-PROTECT
ip tcp intercept mode watch
ip tcp intercept watch-timeout 15
ip tcp intercept connection-timeout 60
ip access-list extended SYN-FLOOD-PROTECT
permit tcp any any
! Connection Rate Limiting
parameter-map type inspect CONN-RATE-LIMIT
max-incomplete low 1000
max-incomplete high 1500
one-minute low 500
one-minute high 750
tcp max-incomplete host 100 block-time 60
! Apply to Zone Pair
zone-pair security ZP-INTERNET-TO-VPN source INTERNET-ZONE destination VPN-ZONE
service-policy type inspect PM-INTERNET-INBOUND
parameter-map type inspect CONN-RATE-LIMIT
!
! Control Plane Protection
control-plane host
management-interface GigabitEthernet0/0/2 allow ssh https snmp
control-plane
service-policy input CP-PROTECTION
!
! Control Plane Policing
policy-map CP-PROTECTION
class MANAGEMENT-TRAFFIC
police rate 1000 pps burst 200 packets
conform-action transmit
exceed-action drop
class ROUTING-TRAFFIC
police rate 5000 pps burst 500 packets
class class-default
police rate 100 pps burst 50 packets
conform-action transmit
exceed-action drop
!
5.3 Anti-Spoofing Configuration
! Unicast Reverse Path Forwarding (uRPF)
interface GigabitEthernet0/0/1
description "DIA Interface - Untrusted"
ip verify unicast source reachable-via rx allow-default
!
! Bogon Filtering
ip access-list extended BOGON-FILTER
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 198.18.0.0 0.1.255.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
permit ip any any
interface GigabitEthernet0/0/1
ip access-group BOGON-FILTER in
!
6. Palo Alto Networks Integration
6.1 Integration Architecture
+------------------------------------------------------------------+
| PALO ALTO NETWORKS INTEGRATION |
+------------------------------------------------------------------+
| |
| |
| +------------------+ +------------------+ |
| | SD-WAN Manager | | Panorama | |
| | (Orchestration) |<----------------->| (PA Management) | |
| +--------+---------+ REST API +--------+---------+ |
| | | |
| v v |
| +------------------+ +------------------+ |
| | WAN Edge Router | | PA-VM / PA-450 | |
| | (Service Chain) |------------------>| (NGFW) | |
| +------------------+ PBR/VRF +------------------+ |
| | | |
| | Traffic Flow: | |
| | 1. WAN Edge receives traffic | |
| | 2. Policy redirects to PA | |
| | 3. PA inspects and returns | |
| | 4. WAN Edge forwards | |
| | | |
| +------------------+ +------------------+ |
| | Branches | | Data Centers | |
| | (No PA needed) | | (PA deployed) | |
| +------------------+ +------------------+ |
| |
+------------------------------------------------------------------+
6.2 Service Chain Configuration
! Define Palo Alto as Service Node
service-insertion
service-node-group PALO-ALTO-NGFW
service-node 10.254.10.10
interface GigabitEthernet0/0/3
ip address 10.254.10.1/30
!
service-node 10.254.10.14
interface GigabitEthernet0/0/4
ip address 10.254.10.5/30
!
load-balance round-robin
health-check
probe icmp
interval 5
threshold 3
!
!
!
! Service Chain Policy
policy
data-policy PALO-ALTO-CHAIN
vpn-list VPN-10-EMPLOYEE
! All Internet traffic through Palo Alto
sequence 10
match
destination-data-prefix-list INTERNET-DESTINATIONS
action accept
set
service FW
service-node-group PALO-ALTO-NGFW
!
!
! High-risk applications through PA
sequence 20
match
app-list HIGH-RISK-APPS
action accept
set
service FW
service-node-group PALO-ALTO-NGFW
!
!
!
!
!
6.3 Palo Alto NGFW Configuration
# Palo Alto Configuration (XML/Set format)
# Zone Configuration
set zone TRUST interface ethernet1/1
set zone UNTRUST interface ethernet1/2
set zone SD-WAN interface ethernet1/3
# Security Policy - SD-WAN Integration
set rulebase security rules "SD-WAN-to-Internet" from SD-WAN to UNTRUST
set rulebase security rules "SD-WAN-to-Internet" source any
set rulebase security rules "SD-WAN-to-Internet" destination any
set rulebase security rules "SD-WAN-to-Internet" application any
set rulebase security rules "SD-WAN-to-Internet" service application-default
set rulebase security rules "SD-WAN-to-Internet" action allow
set rulebase security rules "SD-WAN-to-Internet" profile-setting profiles
virus default
spyware strict
vulnerability strict
url-filtering strict
file-blocking strict
data-filtering default
# Threat Prevention Profile
set profiles spyware "strict" rules rule1 action block-ip
set profiles vulnerability "strict" rules rule1 action reset-both
set profiles url-filtering "strict" block-list gambling adult-content
6.4 High Availability for Palo Alto
+------------------------------------------------------------------+
| PALO ALTO HA CONFIGURATION |
+------------------------------------------------------------------+
| |
| Mumbai DC |
| +-------------------------------------------------------------+ |
| | | |
| | +------------------+ +------------------+ | |
| | | PA-VM-1 | | PA-VM-2 | | |
| | | (Active) |<-------->| (Passive) | | |
| | | 10.254.10.10 | HA | 10.254.10.14 | | |
| | +--------+---------+ +--------+---------+ | |
| | | | | |
| | +-------------+---------------+ | |
| | | | |
| | +---------+---------+ | |
| | | WAN Edge Router | | |
| | | (ECMP to both) | | |
| | +-------------------+ | |
| | | |
| +-------------------------------------------------------------+ |
| |
| HA Mode: Active/Passive |
| Failover Time: < 3 seconds |
| Session Sync: Enabled |
| |
+------------------------------------------------------------------+
7. SSL/TLS Inspection
7.1 SSL Decryption Architecture
+------------------------------------------------------------------+
| SSL/TLS INSPECTION |
+------------------------------------------------------------------+
| |
| Client WAN Edge NGFW Server |
| | | | | |
| |--TLS Hello--->| | | |
| | |--Intercept------->| | |
| | | |--TLS Hello------->| |
| | | |<--Server Cert-----| |
| | |<--Resign Cert-----| | |
| |<--Resign Cert-| | | |
| | | | | |
| |===TLS Tunnel==|===Decrypt/Inspect=|===TLS Tunnel======| |
| | | | | |
| |
| Note: Requires trusted CA certificate on client devices |
| |
+------------------------------------------------------------------+
7.2 SSL Inspection Policy
! Categories to Decrypt
ssl-proxy
certificate-authority ABHAVTECH-INTERNAL-CA
proxy-mode inline
decrypt-categories
business-and-economy
general-interest
technology
!
bypass-categories
financial-services
health-and-medicine
government
!
bypass-domains
*.abhavtech.com
*.microsoft.com
*.apple.com
*.google.com
*.bankofamerica.com
!
!
8. Firewall Logging and Monitoring
8.1 Logging Architecture
+------------------------------------------------------------------+
| FIREWALL LOGGING |
+------------------------------------------------------------------+
| |
| WAN Edge / NGFW |
| | |
| | Syslog/CEF |
| v |
| +------------------+ |
| | Log Aggregator | |
| | (Splunk/ELK) | |
| +--------+---------+ |
| | |
| +------+------+ |
| | | |
| v v |
| +-------+ +-------+ |
| | SIEM | | vMgr | |
| | | | | |
| +-------+ +-------+ |
| |
| Log Types: |
| - Traffic logs (permit/deny) |
| - Threat logs (IPS alerts) |
| - URL logs (web filtering) |
| - Session logs (start/end) |
| - System logs (HA failover) |
| |
+------------------------------------------------------------------+
8.2 Logging Configuration
! WAN Edge Syslog Configuration
logging host 10.254.1.50 transport udp port 514
logging host 10.254.1.51 transport tcp port 6514 secure
logging trap informational
logging source-interface Loopback0
! Firewall Specific Logging
zone-pair security ZP-VPN-TO-INTERNET source VPN-ZONE destination INTERNET-ZONE
service-policy type inspect PM-VPN-TO-INTERNET
log
dropped-packets
sessions initiations-and-terminations
!
!
! UTD Logging
utd engine standard
logging host 10.254.1.50
logging level info
!
8.3 Key Metrics and Alerts
| Metric |
Threshold |
Alert Level |
Action |
| Dropped connections |
>1000/min |
Warning |
Investigate |
| IPS alerts (high severity) |
>10/hour |
Critical |
Immediate review |
| Zone policy violations |
>100/hour |
Warning |
Review policy |
| DDoS indicators |
Threshold breach |
Critical |
Auto-mitigation |
| SSL inspection failures |
>5% |
Warning |
Check certificates |
9. Best Practices Summary
9.1 Zone-Based Firewall Best Practices
- Define clear zone boundaries aligned with security policy
- Use explicit zone pairs; avoid allowing all by default
- Enable stateful inspection for all permitted traffic
- Log all dropped and blocked traffic
9.2 Application Firewall Best Practices
- Maintain updated application signatures
- Create custom signatures for internal applications
- Use rate limiting instead of blocking where appropriate
- Monitor application usage trends
9.3 IPS/IDS Best Practices
- Update signatures daily
- Start in detection mode, move to prevention gradually
- Tune rules to minimize false positives
- Create custom rules for organization-specific threats
9.4 Third-Party NGFW Best Practices
- Ensure HA for all NGFW deployments
- Use service chaining for seamless integration
- Monitor health of service nodes
- Maintain consistent policies across platforms
References
| Document |
Description |
Location |
| Cisco SD-WAN Security Configuration Guide |
Official security docs |
cisco.com |
| Palo Alto SD-WAN Integration Guide |
PA integration procedures |
paloaltonetworks.com |
| Snort 3.0 User Manual |
IPS rule writing |
snort.org |
| Abhavtech Security Policy |
Corporate security standards |
SharePoint |
Document Version: 1.0
Last Updated: December 2025
Classification: Internal Use
Document ID: SDWAN-SEC-3.6