All Ecessa products include a built-in firewall feature. In this configuration the Ecessa unit is the only edge device between the WAN gateways and the local network. The built-in firewall can protect your network by blocking all inbound traffic except what is specifically allowed. Outbound traffic can be blocked by IP address, protocol, port, or a combination of identifiers. Documentation about configuring the Ecessa Firewall feature can be found at https://support.ecessa.com/hc/en-us/sections/200033466-Firewall
Instead of using Ecessa's built-in firewall, a standalone firewall can be used between the Ecessa and the local network. This configuration is commonly used when installing Ecessa products at locations that already have firewalls, or when firewall features are needed that the Ecessa firewall does not provide. A standalone firewall can add capabilities such as content filtering and more in-depth traffic inspection.
Centrally Managed Firewall
With multiple sites, a local firewall at each site may be difficult to manage. Ecessa PowerLink and ClariLink products may be used to connect to a centrally managed firewall using VPNs. The Ecessa handles WAN failover while routing all outbound traffic to the centrally managed firewall. The centrally managed firewall could be a physical firewall at a datacenter or, as the diagram below shows, a virtual machine running in the cloud.