Version 1
This section provides examples of BloxOne Service Edge configurations built around different use cases. You can create configurations that meet your business requirements and protect your networks and users regardless of where the users are located or which services and content they reach.

Permitting and Denying Matching FQDN Objects for Different Organizations

In this scenario, assume you want to apply firewall policies that allow users in the Marketing organization to reach social media sites but do not allow users in the Engineering organization to reach them. Essentially, you create firewall rules that contain matching FQDN objects and apply them to the edges that host the Marketing and Engineering organizations.

To deploy this scenario, do the following:

  1. Define or deploy an on-prem host, and enable the Service Edge Firewall service on it. For information, see Deploying On-Prem Hosts for Service Edge.
  2. Follow Creating Address Groups to create the following address objects:
    • marketing-group: This address object identifies the Marketing organization by its IP address. Select IP as the type, and enter the organization's IP address.
    • engineering-group: This address object identifies the Engineering organization by its IP address. Select IP as the type, and enter the organization's IP address.
    • social-network-sites: This address object identifies all the social media sites you want to include in the firewall rule. Use matching FQDNs for these sites.

      (Screenshot: creating the marketing-group address object; the image is not included in this version of the page.)
      In this scenario, users in Marketing get access to Twitter, Facebook, YouTube, and ESPN, but users in Engineering do not. Create a social-network-sites address object that consists of the matching FQDNs for these sites, and then include this address object in the security rules you create later.
  3. Now that you have created the marketing-group, engineering-group, and social-network-sites objects, you can create two firewall rules that use these address objects. One firewall rule permits Marketing to access the social networking sites, and the other denies Engineering access to them. For more information, see Creating Firewall Policies.

    We name the permit rule fqdn-allow-social-marketing and the deny rule fqdn-deny-social-eng. When creating the firewall rule for Marketing, add the marketing-group address object as the Source and the social-network-sites address object as the Destination, and choose PERMIT as the action.

    (Screenshot: the fqdn-allow-social-marketing rule; the image is not included in this version of the page.)

    Similarly, add another firewall rule, fqdn-deny-social-eng, with the engineering-group address object as the Source and social-network-sites as the Destination, and choose DENY as the action. You can also specify additional service parameters for this rule, such as the source port, destination port, and the protocol used. Note that a deny rule narrowed to a specific protocol or port governs only flows that match those parameters; anything outside them falls through to the remaining rules and the policy's default action.

  4. Add the rules to two separate firewall policies. For more information, see Creating Firewall Policies.
  5. Create a new profile, fqdn-social, and add both firewall policies to it. For more information, see Creating Edge Profiles.
  6. You can now associate the new profile fqdn-social with your edge. For more information, see Creating Edges.
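The following is an added illustrative model of how the two rules in this scenario match traffic; it is example code written for this page, not BloxOne Service Edge's own evaluation engine, and nothing here describes how the product actually resolves or inspects FQDNs. It uses the address object and rule names from the steps above. The subnets chosen for marketing-group and engineering-group, the "*.example.com" wildcard convention for matching FQDNs, first-match evaluation, and the explicit default action are all assumptions made for the example.

```python
"""Illustrative model of the matching-FQDN firewall rules in this scenario.

Assumed, not from the page: the group subnets, the "*.domain" wildcard
convention, first-match rule order, and an explicit default action.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class AddressObject:
    name: str
    kind: str                  # "ip" (addresses or CIDRs) or "fqdn" (matching FQDNs)
    values: Tuple[str, ...]

    def matches(self, ip: str, fqdn: Optional[str]) -> bool:
        if self.kind == "ip":
            addr = ipaddress.ip_address(ip)
            return any(addr in ipaddress.ip_network(v, strict=False) for v in self.values)
        if self.kind == "fqdn":
            if fqdn is None:   # flow the firewall could not associate with a name
                return False
            host = fqdn.lower().rstrip(".")
            for pattern in self.values:
                p = pattern.lower().rstrip(".")
                if p.startswith("*."):
                    # Wildcard covers any label under the domain. Keeping the leading
                    # dot in the suffix is what stops "notfacebook.com" from matching.
                    if host.endswith(p[1:]):
                        return True
                elif host == p:
                    return True
            return False
        raise ValueError(f"unknown address object type {self.kind!r}")


@dataclass(frozen=True)
class Rule:
    name: str
    source: AddressObject
    destination: AddressObject
    action: str                          # "PERMIT" or "DENY"
    protocol: Optional[str] = None       # optional service parameters
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_fqdn: Optional[str]              # None when no name is known for the flow
    protocol: str
    dst_port: int


def evaluate(rules: Sequence[Rule], flow: Flow, default: str = "DENY") -> Tuple[str, str]:
    """First-match evaluation (an assumption); returns (action, rule name)."""
    for r in rules:
        if not r.source.matches(flow.src_ip, None):
            continue
        if not r.destination.matches(flow.dst_ip, flow.dst_fqdn):
            continue
        if r.protocol is not None and r.protocol != flow.protocol:
            continue
        if r.dst_port is not None and r.dst_port != flow.dst_port:
            continue
        return r.action, r.name
    return default, "default"


# Address objects from the scenario; the subnets are assumed for the example.
MARKETING = AddressObject("marketing-group", "ip", ("10.10.0.0/24",))
ENGINEERING = AddressObject("engineering-group", "ip", ("10.20.0.0/24",))
SOCIAL = AddressObject("social-network-sites", "fqdn", (
    "twitter.com", "*.twitter.com", "facebook.com", "*.facebook.com",
    "youtube.com", "*.youtube.com", "espn.com", "*.espn.com",
))

# The two rules from step 3; the deny rule carries the optional service parameters.
RULES = [
    Rule("fqdn-allow-social-marketing", MARKETING, SOCIAL, "PERMIT"),
    Rule("fqdn-deny-social-eng", ENGINEERING, SOCIAL, "DENY", protocol="tcp", dst_port=443),
]

if __name__ == "__main__":
    # Constructed sample flows; the destination IPs are placeholders.
    for f in (
        Flow("10.10.0.5", "192.0.2.10", "www.facebook.com", "tcp", 443),
        Flow("10.20.0.7", "192.0.2.20", "www.youtube.com", "tcp", 443),
        Flow("10.20.0.7", "192.0.2.20", "www.youtube.com", "udp", 443),
        Flow("10.20.0.7", "192.0.2.30", None, "tcp", 443),
    ):
        print(f.src_ip, f.dst_fqdn, f.protocol, f.dst_port, "->", evaluate(RULES, f))
```

Two things the model makes visible that the GUI steps do not: the permit and deny rules each act on a different source group, so neither one decides traffic from the other group, and a flow that matches neither rule (Engineering to a site not in social-network-sites, an Engineering flow over a protocol or port the deny rule does not list, or a flow the firewall cannot tie to a name) is decided by the policy's default action, which the page does not state. When you deploy this scenario, confirm what that default is and whether the deny rule's service parameters are as narrow as you intend.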