About Distributed Cloud Firewall Settings

On the Security > Distributed Cloud Firewall > Settings tab, you can configure the following:

Security Group Orchestration

This feature is available with Controller 7.1.1710 or greater.

If you are using Controller 7.0, you can click Manage on the Security Group Orchestration panel and enable or disable Security Group Orchestration for selected VPC/VNets. The rest of the functionality below is not available.

When the Security Group Orchestration feature is disabled, this card shows how many VPC/VNets are available to configure.

When the Security Group Orchestration feature is enabled, you can:

  • See how many VPC/VNets have Security Group Orchestration enabled.

  • Pause the Security Group Orchestration process for VPC/VNets that have had Security Group Orchestration enabled before upgrading your Controller. After upgrading, you can resume the Security Group Orchestration process.

    The states are Complete, In Progress, Completing Current Cycle, and Paused.

  • View the Security Group Orchestration configuration in the topology.

  • Click Manage to enable or disable Security Group Orchestration.

The Aviatrix Controller will not remove original ASGs, or apply Aviatrix ASGs, on Azure ScaleSet instances.

Decryption CA Certificate

The feature described below is available with Controller 7.1.1710 or greater. Aviatrix strongly recommends replacing the default Aviatrix CA certificate with your own CA certificate.

If you are using Controller 7.0, you can only download the provided default Aviatrix CA certificate.

The decryption CA certificate (the Aviatrix certificate, or your own) must be distributed to all of your client machines so that signature checks are successful.

Decryption CA certificates must be private.

The CA certificate is used when you create a policy that has TLS Decryption enabled. The following sections describe the certificate tasks you can perform.

Uploading Your Own Certificate

It is best to upload your own certificate (must be in .pem format), since you likely have this certificate in use throughout your environment. You can remove the default Aviatrix CA certificate first, if desired.

  1. On the Settings tab, on the Decryption CA Certificate card, click the arrow next to Download Certificate and click Upload New Certificate.

  2. In the Upload New Certificate dialog, you can upload, remove or replace a certificate and its corresponding certificate key.

  3. Both fields must be populated. Click Upload.

Downloading the Aviatrix Certificate

You can download the currently applied Aviatrix CA certificate and add it to your trust bundle.

To download the CA certificate provided by Aviatrix:

  1. Navigate to Security > Distributed Cloud Firewall > Settings.

  2. On the Decryption Trust CA Certificate card, click Download Certificate.

  3. Ensure that the downloaded file is saved to the appropriate location on your computer, and on any client machines involved in your Distributed Cloud Firewall configuration.

Renewing Your Certificate

You must renew your Aviatrix CA certificate when it is about to expire.

When you click Renew Certificate, the certificate renews automatically.

Uploading, Removing, or Replacing Trust Bundle

A trust bundle is a list of trusted CA certificates. When a gateway terminates a client's TLS connection and negotiates a new TLS connection to the origin server, the origin server's certificate must be signed by one of the CA certificates in the trust bundle if the gateway is running in Strict Enforcement mode.

You can upload a trust bundle that has an expired certificate, but you will see a warning.

To upload, remove, or replace a trust bundle (must be in .pem format):

  1. On the Settings tab, on the Decryption CA Certificate card, click the arrow next to Download Certificate and click Upload Trust Bundle.

  2. In the Upload Trust Bundle dialog, you can remove or replace the trust bundle.

  3. Click Upload.

Editing Enforcement

Use the Enforcement option to determine how Distributed Cloud Firewall handles origin certificates that are not signed by a trusted Certificate Authority.

Aviatrix strongly recommends changing the enforcement level to Strict.

To edit the enforcement level:

  1. On the Settings tab, on the Decryption CA Certificate card, click the arrow next to Download Certificate and click Edit Enforcement.

  2. In the Edit Enforcement dialog, select an Enforcement level:

    • Strict: terminate connection for incorrect signatures

    • Permissive: generate a syslog message if the certificate is not signed by a trusted CA, but allow the connection to continue

    • Ignore: certificate signatures are not checked

Removing a Certificate

To remove a certificate and replace it with your own:

  1. On the Security > Distributed Cloud Firewall > Settings tab, on the Decryption CA Certificate card, click the arrow next to Download Certificate and click Remove Certificate.

  2. When prompted, click Delete to remove the certificate.

  3. Upload your own (private) certificate.

Verifying the Decryption CA Certificate

  1. Replace the default Decryption CA Certificate with a private decryption CA certificate.

  2. Enable TLS Decryption on the DCF rules to match your traffic.

  3. Import the Decryption CA signer or root CA into your VMs.

  4. Generate traffic for the above rule(s).

  5. To verify that the Decryption CA Certificate chain or root is imported correctly to the VM, navigate to the relevant URL in your web browser.

    If you see 'Untrusted' warnings, you should run through these steps again.

    If the import was successful, you should see the new certificate chain with the Decryption CA as the signer of the website.

    You can also use Postman, Ubuntu, or another similar tool to test the certificate.

    If you use Ubuntu, you see the following messages, depending on the outcome:

    • Successful CA import: You see messages that TLS handshakes are established.

    • Unsuccessful CA import: You see messages that there is an SSL certificate problem, and that the legitimacy of the server could not be verified.
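The trust-bundle check from Uploading, Removing, or Replacing Trust Bundle, the three enforcement levels from Editing Enforcement, and the from-the-VM verification above, as one added example that is not Aviatrix tooling or documentation. It uses the openssl command line: the offline functions build a .pem bundle, decide what Strict, Permissive and Ignore would do with a given origin certificate, and summarise a bundle (expired entries are counted, mirroring the warning the UI shows); the two functions at the end run the live handshake from a VM and report which CA signed the certificate the VM actually receives. Hostnames such as origin.example.test, ports and file names are placeholders, and the live functions need network reachability to the origin.

```shell
#!/bin/sh
# Added example, not Aviatrix code: trust-bundle, enforcement and from-the-VM
# checks with the openssl CLI. Hostnames, ports and file names are placeholders.

# Build a .pem trust bundle from one or more CA certificate files.
build_trust_bundle() {  # OUT.pem CA1.pem [CA2.pem ...]
    out=$1; shift
    : > "$out"
    for ca in "$@"; do cat "$ca" >> "$out"; done
}

# Strict-enforcement question: does the origin certificate chain to a CA in the bundle?
origin_trusted_by_bundle() {  # BUNDLE.pem ORIGIN_CERT.pem
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Model the three enforcement levels of the Edit Enforcement dialog and print
# the resulting action for one origin certificate.
enforcement_decision() {  # strict|permissive|ignore BUNDLE.pem ORIGIN_CERT.pem
    case "$1" in
        ignore)
            echo "allow: signature not checked" ;;
        permissive)
            if origin_trusted_by_bundle "$2" "$3"; then
                echo "allow: trusted signer"
            else
                echo "allow: syslog warning, untrusted signer"
            fi ;;
        strict)
            if origin_trusted_by_bundle "$2" "$3"; then
                echo "allow: trusted signer"
            else
                echo "deny: untrusted signer, connection terminated"
            fi ;;
        *)
            echo "error: unknown enforcement level '$1'"; return 2 ;;
    esac
}

# Print "total=N expired=M" for a bundle: the UI accepts expired entries but warns.
bundle_summary() {  # BUNDLE.pem
    tmp=$(mktemp -d) || return 1
    # Split the concatenated PEM file into one file per certificate.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$1"
    total=0; expired=0
    for f in "$tmp"/c*.pem; do
        [ -e "$f" ] || continue
        total=$((total + 1))
        # -checkend 0 exits non-zero when the certificate is already expired.
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 || expired=$((expired + 1))
    done
    rm -rf "$tmp"
    echo "total=$total expired=$expired"
}

# From a VM behind the firewall: handshake to HOST with only the decryption CA
# as trust root. Succeeds only if the certificate presented to the VM chains to
# that CA, i.e. the rule matched and the CA import on the VM is correct.
vm_sees_decryption_ca() {  # DECRYPTION_CA.pem HOST [PORT]
    printf '' | openssl s_client -connect "$2:${3:-443}" -servername "$2" \
        -CAfile "$1" -verify_return_error >/dev/null 2>&1
}

# Show who signed the certificate the VM actually receives: the decryption CA
# when traffic is decrypted, the real origin CA when it is not.
presented_issuer() {  # HOST [PORT]
    printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -issuer
}

# Usage from a VM (placeholder host):
#   vm_sees_decryption_ca my-decryption-ca.pem origin.example.test && echo "decryption CA trusted"
#   presented_issuer origin.example.test
```

When vm_sees_decryption_ca fails but presented_issuer shows the decryption CA, the CA was not imported into the VM's trust store; when presented_issuer shows the origin's own CA instead, the traffic did not match a TLS Decryption rule.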

Configuring the Polling Interval

Lowering the polling interval can create more load on the Controller. The default setting should be sufficient.

The Aviatrix Controller periodically polls your clouds to gather and inventory their resources. For example, if you modified your cloud tags, you may want to poll data more frequently so that CoPilot reflects those changes.

  1. In CoPilot go to Security > Distributed Cloud Firewall > Settings. The CSP Resource Polling slider is On by default.

  2. Enter the desired polling interval in minutes (default is 15). This can be a value between 1 and 1440.

Toggle off the CSP Resource Polling slider if you do not want the Controller to periodically poll your CSP resources.

You can manually trigger a poll to fetch resources directly from your CSPs by clicking Refetch CSP Resources on the SmartGroups tab. The poll may take several minutes to complete depending on the size of your environment.