Security pairing
General information
A security pair is a minimum configuration requirement on the 7705 SAR to enable Firewall/NAT functionality.
There are 2 steps to creating a security pair:
- Configuring security policies from Policies>Security in the NFM-P main menu.
- Assigning a security zone policy to a network interface. You can also assign a security zone policy to an L3 access interface on an IES or VPRN service site; an L2 access interface or a spoke or mesh SDP on an EPIPE, VPLS, or MVPLS service; and a tunnel interface on a VPRN service.
To enable Firewall or NAT, these two configuration areas must exist and pair together on a 7705 SAR device. The final result is a security policy that is applied to the zone to enable Firewall/NAT functionality.
Security bypass
When you create a zone for an EPIPE, VPLS, or MVPLS service, you can assign a security bypass policy to L2 services at the site level. The security bypass policy defines the protocols and traffic that are permitted to cross the zone at that site, regardless of other firewall configurations. The bypass policy does not affect traffic moving within the security zone, and each bypass policy counts as a global filter entry.