SD-WAN

Hi Team,

We're working with SilverPeak Aruba SD-WAN and need guidance on creating a DMZ-like setup without using a traditional firewall.

Our goal is to allow external Symantec DLP agents to securely connect to an internal Symantec DLP Endpoint Detection Server over port 443 (HTTPS).

Inbound NAT is supported and you can NAT to an IP-address in a DMZ zone you have created on one of the interfaces. Firewall and inspection rules can be applied between the Internet and DMZ zones. 

When you go over the documentation be aware that there are a number of NAT options available on the product so not to get confused which one you are looking at:

• SNAT, applied on the ISP interfaces to do your plain vanilla private to public IP mapping for local break out
• Segment NAT to NAT traffic between segments/VRF's when there are overlapping addresses in those
• Branch NAT to apply internal NAT, typically used when your branches use the same address space and need to be reachable from other internal networks
• Inbound NAT, what you need.

Hi Team,

We're working with SilverPeak Aruba SD-WAN and need guidance on creating a DMZ-like setup without using a traditional firewall.

Our goal is to allow external Symantec DLP agents to securely connect to an internal Symantec DLP Endpoint Detection Server over port 443 (HTTPS).

Hi Jan,

Thank you for your response.

In our current network environment, we do not utilize any firewall. Instead, we rely on SilverPeak Aruba SD-WAN for connectivity and traffic management.

We have received a requirement from the Symantec DLP team: external Symantec DLP agents need to securely connect to the internal Symantec DLP server. The key question is how this can be achieved using SilverPeak Aruba SD-WAN.

Is it possible to configure inbound port forwarding rule within the SilverPeak Aruba SD-WAN  to enable external Symantec DLP agents to securely connect to the internal Symantec DLP server?

Inbound NAT is supported and you can NAT to an IP-address in a DMZ zone you have created on one of the interfaces. Firewall and inspection rules can be applied between the Internet and DMZ zones. 

When you go over the documentation be aware that there are a number of NAT options available on the product so not to get confused which one you are looking at:

• SNAT, applied on the ISP interfaces to do your plain vanilla private to public IP mapping for local break out
• Segment NAT to NAT traffic between segments/VRF's when there are overlapping addresses in those
• Branch NAT to apply internal NAT, typically used when your branches use the same address space and need to be reachable from other internal networks
• Inbound NAT, what you need.

Hi Team,

We're working with SilverPeak Aruba SD-WAN and need guidance on creating a DMZ-like setup without using a traditional firewall.

Our goal is to allow external Symantec DLP agents to securely connect to an internal Symantec DLP Endpoint Detection Server over port 443 (HTTPS).