Since Controller Version 6.8, DCF has been supported in AWS, AWS GovCloud, Azure, Azure Government, and GCP.
Ranges
| Capability | 6.8 | 6.9 | 7.0 | 7.1 | 7.2 | 8.0 | 8.1 | 8.2 |
|---|---|---|---|---|---|---|---|---|
| Number of SmartGroups | 500 | 500 | 500 | 500 | 1,200 | 1,200 | 1,200 | 1,200 |
| Number of Domains per WebGroup | 3,000 | 3,000 | 3,000 | 3,000 | 3,000 | |||
| Number of CIDRs per Group | 3,000 | 3,000 | 3,000 | 3,000 | 10,000 | 10,000 | 10,000 | 10,000 |
| Total Number of CIDRs | 10,000 | 10,000 | 300,000 | 300,000 | 300,000 | 300,000 | ||
| Number of DCF Rules | 2,000 | 2,000 | 2,000 | 2,000 | 5,000 | 5,000 | 5,000 | 5,000 |
Supported Features
The following are supported on AWS, Azure and GCP unless otherwise noted.
- PV = feature is in Preview
- GA = feature is Generally Available
- If a cell is blank the feature was not supported in that release.
| Feature | 6.8 | 6.9 | 7.0 | 7.1 | 7.2 | 8.0 | 8.1 | 8.2 |
|---|---|---|---|---|---|---|---|---|
| DCF on Edge Spoke (L4) | PV | PV | ||||||
| DCF on Edge Transit S2C (L4) | PV | PV | ||||||
| DCF Rules | ||||||||
| Layer 4 Rules | GA | GA | GA | GA | GA | GA | GA | |
| Rules with Domain WebGroups | PV | GA | GA | GA | GA | GA | ||
| Rules with URL WebGroups | PV | PV | PV | PV | PV | PV | ||
| Rules with ExternalGroups (formerly GeoGroups and ThreatGroups) | GA | GA | GA | GA | ||||
| DCF on Public Subnet Filtering Gateways | PV | PV | GA | GA | ||||
| DCF on Site2Cloud (L4 only on Transit) | PV | PV | GA | AWS (+Gov) GA, Azure (+Gov) GA, GCP PV, OCI PV | ||||
| DCF on Site2Cloud (AWS, AWS GovCloud) | PV | PV | GA | Azure (+Gov) GA, AWS (+Gov) GA, GCP PV, OCI PV | ||||
| DCF on Transit Egress | PV | PV | ||||||
| Security Group Orchestration (not supported on GCP) | PV (Azure) | PV (Azure, AWS) | PV (AWS) GA (Azure) | PV (AWS) GA (Azure) | PV (AWS) GA (Azure) | PV (AWS) GA (Azure) | ||
| DCF Rulesets | GA | GA | GA | |||||
| Deep Packet Inspection | ||||||||
| Transparent TLS Decryption | PV | PV | PV | PV | PV | |||
| Suricata IDS (Egress only) | PV | PV | PV | PV | PV | |||
| Advanced Features | ||||||||
| Dynamic Signature Update | PV | PV | PV | PV | ||||
| Import Decryption Certificate | PV | PV | PV | PV | PV | PV | ||
| Logging | ||||||||
| Layer 4 logging (+Domain) | GA | GA | GA | GA | GA | GA | ||
| IDS/IPS logging | PV | PV | PV | PV | PV | PV | ||
| Log export via Syslog | GA | GA | GA | GA | GA | GA | ||
| Asset Groups/SmartGroups | ||||||||
| SmartGroups (VM/VPC/Subnet) | GA | GA | GA | GA | GA | GA | GA | |
| DNS Hostname SmartGroups | PV | PV | GA | GA | ||||
| Kubernetes SmartGroups (Workloads and Nodes) | PV | PV | ||||||
| Domain WebGroups | PV | GA | GA | GA | GA | GA | ||
| URL WebGroups | PV | PV | PV | PV | PV | PV | ||
| SNI Verification (valid with WebGroups) | PV | PV | PV | |||||
| ExternalGroups (includes Threat Feeds and Countries) | PV | PV | GA | GA | ||||
| SmartGroups (S2C) | GA | GA | GA | GA | ||||
| SaaS-Based Services | ||||||||
| SaaS-Based Services (Azure and GitHub) | PV | Azure (GA) GitHub (PV) | Azure (GA) GitHub (PV) |
Additional Capabilities
- Overlapping IPs have been supported since Controller Version 7.0. Distributed Cloud Firewall (DCF) understands any defined SNAT/DNAT rules and updates the address for each gateway, enforcing the DCF rules.
- DCF auto-prunes all rules and pushes only related rules to specific gateways.
- SmartGroups dynamically change the resources inside the groups by tracking EC2 changes (AWS, Azure, GCP).
  Shared VPC instance tags are not supported in GCP-based SmartGroups.
- Log Export to Splunk HTTP Event Collector