While configuring business policies at Profile and Edge level, you can select the existing object groups to match the source or destination. You can define the rules for a range of IPv4 and IPv6 addresses or port numbers available in the object groups.
At the Profile level, to configure a business policy with Object Group, perform the following steps:
Procedure
In the SD-WAN service of the Enterprise portal, go to Configure > Profiles. The Profiles page displays the existing Profiles.
Select a Profile to configure a business policy, and click the Business Policy tab.
From the Profiles page, you can navigate to the Business Policy page directly by clicking the View link in the Biz.Pol column of the Profile.
In the Configure Business Policy section and under Business Policy Rules, click + ADD. The Add Rule dialog box appears.
In the Rule Name text box, enter a unique name for the Rule.
In the Match area, configure the match conditions for the rule:
Choose the IP version type for the rule. By default, IPv4 and IPv6 address type is selected. You can configure the Source and Destination IP addresses according to the selected Address Type.
Based on the IP version selected, the behavior will be as follows:
IPv4 Type Rule matches only the IPv4 addresses available in the selected Address Group.
IPv6 Type Rule matches only the IPv6 addresses available in the selected Address Group.
Mixed Type Rule matches both the IPv4 and IPv6 addresses in the selected Address Group.
From the Source drop-down menu, select Object Groups.
Select the relevant Address Group and Service Group from the drop-down menu. If the selected address group contains any domain names, they are ignored when matching for the source.
Note: When configuring domains as match criteria for an Address Group, the SD-WAN service first checks for an IP address match. If a match is found, then the service skips domain name matching. However, if no match is found for an IP address, then the service performs a domain name match in the Address Group.
Important: The matching criteria may match basic wildcard patterns. For example, if you configure a domain in an Address Group as google.com, then mail.google.com and/or www.google.com may also match these criteria. However, if you configure www.google.com as the domain in an Address Group, then mail.google.com will not match this policy.
If required, you can select the Address and Service Groups for the destination as well.
Choose business policy actions as required and click Create.
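The matching order and domain behaviour described in the Note and Important statements above can be modelled offline to check how broad an Address Group really is before it is attached to a rule. The following Python is an added example, not the SD-WAN service's own code or the Edge's implementation. Assumptions: the sample group is constructed, the function names are hypothetical, the wildcard behaviour is modelled as a label-boundary suffix match, and domain entries are evaluated regardless of the rule's IP version.

```python
import ipaddress

# Constructed sample address group (not from the product): IP ranges plus domains.
GROUP = ["10.10.0.0/16", "2001:db8::/32", "google.com", "www.example.com"]
VERSIONS = {"ipv4": {4}, "ipv6": {6}, "mixed": {4, 6}}

def domain_matches(entry, host):
    # Assumed model of the "basic wildcard" behaviour: an entry matches
    # itself and any name beneath it, compared on label boundaries.
    entry, host = entry.lower().rstrip("."), host.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)

def group_matches(group, ip, host=None, ip_version="mixed", side="destination"):
    """Return (matched, reason) for one endpoint of a flow."""
    addr = ipaddress.ip_address(ip)
    domains = []
    for entry in group:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            domains.append(entry)      # not an IP or CIDR: treat as a domain
            continue
        # The rule's IP version decides which address entries are considered.
        if net.version in VERSIONS[ip_version] and addr.version == net.version and addr in net:
            return True, "ip:" + entry  # IP hit: domain matching is skipped
    # Domains are ignored for the source; for the destination they are only
    # consulted after every IP entry has failed to match.
    if side == "source" or host is None:
        return False, "no-match"
    for entry in domains:
        if domain_matches(entry, host):
            return True, "domain:" + entry
    return False, "no-match"

if __name__ == "__main__":
    flows = [("10.10.1.5", "mail.google.com"), ("192.0.2.7", "mail.google.com"),
             ("192.0.2.7", "mail.example.com"), ("192.0.2.7", "www.example.com")]
    for ip, host in flows:
        print(ip, host, group_matches(GROUP, ip, host))
```

Running it against an exported copy of an Address Group shows which entry is responsible for each match, which makes an overly broad parent-domain entry easy to spot.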
The business policy rules that you create for a profile are automatically applied to all the Edges associated with the profile. If required, you can create additional rules specific to the Edges or modify the inherited rule by navigating to Configure > Edges, selecting an Edge, and clicking the Business Policy tab.
The Rules From Profile section displays the rules inherited from the profile; these rules are read-only. If you want to override any Profile-level rule, then add a new rule. The added rule appears in the Edge Overrides section, where it can be modified or deleted if needed.
Note: By default, the business policy rules are assigned to the global segment. If required, you can choose a segment from the Segment drop-down and create business policy rules specific to the selected segment.
You can modify the object groups with additional IP addresses, port numbers, service types and codes. The changes are automatically included in the business policy rules that use the object groups.
Note: When an object group is associated with a business policy rule, the ICMP type and code based configuration in service groups will not be applied. Though the Orchestrator allows this type of configuration, the Edge ignores ICMP type and code based configuration when matching business policy.