We have a remote site (MX65) with a site-to-site VPN tunnel going to one of our MX clusters.
Somehow, someone managed to configure many site-to-site outbound firewall rules (those rules are org-wide!).
Those rules are only there to permit or deny specific traffic coming from the remote site.
Why would you configure those rules on the site-to-site outbound firewall and not on the MX (remote site)? Currently any remote site (that is participating in the site-to-site VPN) is bound to those rules (they are org-wide).
That firewall is meant to control traffic between site-to-site VPN peers. Let's say, for example, you have a datacenter, and in that DC there are some servers that you want to be reachable only from some VPN branches. You would then configure the outgoing firewall from the point of view of the branch's subnets and block access for the subnets you don't want to have access (it's a default-allow firewall).
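The pattern in the reply above (rules written from the branch subnet's point of view, first match wins, implicit allow at the end) is easy to get wrong when the rule set is org-wide. The script below is an added example, not code from the thread or from Meraki: it builds such a rule set for the Dashboard API's organization VPN firewall endpoint (`PUT /organizations/{organizationId}/appliance/vpn/vpnFirewallRules`), and simulates it against a list of branch subnets so you can see which peers would lose access before anything is pushed. The DC server subnet, the branch aggregate `10.1.0.0/16`, the branch names and subnets, and the environment variable names are all constructed assumptions for the example.

```python
"""Added example (not from the thread): build a Meraki site-to-site VPN
outbound rule set from the branch's point of view and simulate it against
the branch subnets before pushing it org-wide."""
import ipaddress
import json
import os
import urllib.request

API_BASE = "https://api.meraki.com/api/v1"

# Constructed sample data for the example (assumptions, not from the thread).
DC_SERVERS = "10.0.10.0/24"          # DC servers that only a few branches may reach
BRANCH_SUMMARY = "10.1.0.0/16"       # aggregate covering every branch subnet in the AutoVPN
BRANCH_SUBNETS = {                   # a few of the branches and the subnet each advertises
    "branch-001": "10.1.1.0/24",
    "branch-002": "10.1.2.0/24",
    "branch-003": "10.1.3.0/24",
}
ALLOWED_BRANCHES = ["10.1.1.0/24"]   # only this branch may reach DC_SERVERS


def build_rules(dc_servers, branch_summary, allowed_branch_cidrs):
    """Return an ordered rule list in the vpnFirewallRules request shape.

    Rules are evaluated first match wins and the implicit final rule is
    allow-any, so the order is:
      1. explicit allows for the permitted branch subnets
      2. one deny for the branch aggregate -> DC servers
      3. (implicit) default allow for everything else
    """
    rules = []
    for cidr in allowed_branch_cidrs:
        rules.append({
            "comment": f"permit {cidr} to DC servers",
            "policy": "allow", "protocol": "any",
            "srcPort": "Any", "srcCidr": cidr,
            "destPort": "Any", "destCidr": dc_servers,
            "syslogEnabled": False,
        })
    rules.append({
        "comment": "deny all other branches to DC servers",
        "policy": "deny", "protocol": "any",
        "srcPort": "Any", "srcCidr": branch_summary,
        "destPort": "Any", "destCidr": dc_servers,
        "syslogEnabled": True,
    })
    return rules


def _cidr_matches(field, ip):
    """Match a rule's srcCidr/destCidr field ("Any" or comma-separated CIDRs)."""
    if field.strip().lower() == "any":
        return True
    return any(ip in ipaddress.ip_network(c.strip(), strict=False)
               for c in field.split(","))


def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation of a rule list; the implicit last rule is allow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if _cidr_matches(rule["srcCidr"], src) and _cidr_matches(rule["destCidr"], dst):
            return rule["policy"]
    return "allow"


def simulate(rules, branch_subnets, dst_ip):
    """Verdict per branch for traffic to dst_ip, probing the first host of each subnet."""
    result = {}
    for name, cidr in branch_subnets.items():
        probe = next(ipaddress.ip_network(cidr, strict=False).hosts())
        result[name] = evaluate(rules, str(probe), dst_ip)
    return result


def push_rules(org_id, rules, api_key):
    """PUT the rule set to the organization's site-to-site VPN firewall (org-wide)."""
    url = f"{API_BASE}/organizations/{org_id}/appliance/vpn/vpnFirewallRules"
    body = json.dumps({"rules": rules, "syslogDefaultRule": False}).encode()
    req = urllib.request.Request(url, data=body, method="PUT", headers={
        "X-Cisco-Meraki-API-Key": api_key,
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rules = build_rules(DC_SERVERS, BRANCH_SUMMARY, ALLOWED_BRANCHES)
    verdicts = simulate(rules, BRANCH_SUBNETS, "10.0.10.5")
    print(json.dumps(verdicts, indent=2))
    denied = [b for b, v in verdicts.items() if v == "deny"]
    print(f"{len(denied)} of {len(BRANCH_SUBNETS)} branches would lose access to {DC_SERVERS}")
    # Push only when explicitly asked: this rule set applies to every VPN peer in the org.
    if os.environ.get("MERAKI_PUSH") == "1":
        push_rules(os.environ["MERAKI_ORG_ID"], rules, os.environ["MERAKI_DASHBOARD_API_KEY"])
```

Run it without `MERAKI_PUSH=1` to get the per-branch verdicts only; feed `simulate()` the full list of branch subnets exported from Dashboard and a deny count near the size of the whole estate is the signal that a rule is broader than intended. The simulator only models source and destination prefixes, not protocol or port, which is enough to catch the "accidentally blocked every peer" case the thread is worried about.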
Let's say I want to block the remote site from reaching the servers. I would have to do this with the site-to-site VPN firewall outbound rules? And these rules would also apply to ALL my other remote sites (2k)?
I'm not really a fan of this, so I'm going to configure these rules on our NGFW behind the MX. I don't like the idea of messing with those site-to-site firewall rules and accidentally blocking the traffic for our 2k remote sites.
> I'm not really a fan of this, so I'm going to configure these rules on our NGFW behind the MX. I don't like the idea of messing with those site-to-site firewall rules and accidentally blocking the traffic for our 2k remote sites.
I typically use that approach. I often have a "WAN" interface on the DC firewall, and that is where I plug in both MPLS WAN circuits and MPLS AutoVPN terminations.
I use the firewall to provide fine-grained control, and the MX VPN firewall rules for coarse control.