About Transit FireNet Settings

This document describes the settings you can configure for an Aviatrix Transit FireNet Gateway after it is created.

  1. Select a Transit FireNet.

  2. Click its Settings tab.

  3. Configure the following for the selected TransitFireNet:

Firewall Management Access

Advertise the Transit FireNet VPC/VNet CIDRS to on-prem. For example, if a firewall management console such as Palo Alto Networks Panorama is deployed on-prem, the Panorama can access the firewalls of their private IP addresses with this option configured.

Static CIDR Egress

Allow egress to a subnet of your IP address space from your on-prem data center to the Internet. Static CIDR egress is supported on Aviatrix Transit and AWS Transit gateways. You can add up to 20 subnets.

Exclude from East-West Inspection

(not applicable for Egress Transit FireNet)

Transit FireNet inspects all East-West (VPC/Vnet to VPC/VNet) traffic by default, but you may have an instance that you do not want inspected. The CIDRs listed here will not be subject to firewall policies/firewall policy errors.

CIDRs are excluded from East-West inspections only.

Firewall Forwarding

Select a 5-Tuple or 2-Tuple hashing algorithm:

  • 2-Tuple hashes Source IP and Destination IP

  • 5-Tuple hashes Source and Destination IP, Source and Destination Port, and Protocol Type.

By default, FireNet and AWS TGW FireNet use the 5-Tuple algorithm to load balance traffic across different firewalls. However, you can select 2-Tuple to map traffic to the available firewalls.

TGW Segmentation for Egress (AWS TGW FireNet only)

Enable this feature to block traffic between network domains when the network domains do not have a connection policy defined between them and are connected to an Egress Firewall Domain.