Distributed Cloud Firewall Supported Capabilities
Since Controller Version 6.8, DCF has been supported in AWS, AWS GovCloud, Azure, Azure Government, and GCP.
Ranges
| Capability | 6.8 | 6.9 | 7.0 | 7.1 | 7.2 | 8.0 | 8.1 | 8.2 |
|---|---|---|---|---|---|---|---|---|
| Number of SmartGroups | 500 | 500 | 500 | 500 | 1,200 | 1,200 | 1,200 | 1,200 |
| Number of Domains per WebGroup | | | | 3,000 | 3,000 | 3,000 | 3,000 | 3,000 |
| Number of CIDRs per Group | 3,000 | 3,000 | 3,000 | 3,000 | 10,000 | 10,000 | 10,000 | 10,000 |
| Total Number of CIDRs | | | 10,000 | 10,000 | 300,000 | 300,000 | 300,000 | 300,000 |
| Number of DCF Rules | 2,000 | 2,000 | 2,000 | 2,000 | 5,000 | 5,000 | 5,000 | 5,000 |
Supported Features
The following are supported on AWS, Azure and GCP unless otherwise noted.
| Feature | 6.8 | 6.9 | 7.0 | 7.1 | 7.2 | 8.0 | 8.1 | 8.2 | | |
|---|---|---|---|---|---|---|---|---|---|---|
| DCF on Edge Spoke (L4) | | | | | | | PV | PV | | |
| DCF on Edge Transit S2C (L4) | | | | | | | PV | PV | | |
| DCF Rules | | | | | | | | | | |
| Layer 4 Rules | | GA | GA | GA | GA | GA | GA | GA | | |
| Rules with Domain WebGroups | | | PV | GA | GA | GA | GA | GA | | |
| Rules with URL WebGroups | | | PV | PV | PV | PV | PV | PV | | |
| Rules with ExternalGroups (formerly GeoGroups and ThreatGroups) | | | | | GA | GA | GA | GA | | |
| DCF on Public Subnet Filtering Gateways | | | | | PV | PV | GA | GA | | |
| DCF on Site2Cloud (L4 only on Transit) | | | | | PV | PV | GA | AWS (+Gov) GA, Azure (+Gov) GA, GCP PV, OCI PV | | |
| DCF on Site2Cloud (AWS, AWS GovCloud) | | | | | PV | PV | GA | Azure (+Gov) GA, AWS (+Gov) GA, GCP PV, OCI PV | | |
| DCF on Transit Egress | | | | | | | PV | PV | | |
| Security Group Orchestration (not supported on GCP) | | | PV (Azure) | PV (Azure, AWS) | PV (AWS) GA (Azure) | PV (AWS) GA (Azure) | PV (AWS) GA (Azure) | PV (AWS) GA (Azure) | | |
| DCF Rulesets | | | | | | GA | GA | GA | | |
| Deep Packet Inspection | | | | | | | | | | |
| Transparent TLS Decryption | | | | PV | PV | PV | PV | PV | | |
| Suricata IDS (Egress only) | | | | PV | PV | PV | PV | PV | | |
| Advanced Features | | | | | | | | | | |
| Dynamic Signature Update | | | | | PV | PV | PV | PV | | |
| Import Decryption Certificate | | | | PV | PV | PV | PV | PV | | |
| Logging | | | | | | | | | | |
| Layer 4 logging (+Domain) | | GA | GA | GA | GA | GA | GA | GA | | |
| IDS/IPS logging | | | PV | PV | PV | PV | PV | PV | | |
| Log export via Syslog | | GA | GA | GA | GA | GA | GA | GA | | |
| Asset Groups/SmartGroups | | | | | | | | | | |
| SmartGroups (VM/VPC/Subnet) | GA | GA | GA | GA | GA | GA | GA | | | |
| DNS Hostname SmartGroups | | | | | | | PV | PV | GA | GA |
| Kubernetes SmartGroups (Workloads and Nodes) | | | | | | | PV | PV | | |
| Domain WebGroups | | | PV | GA | GA | GA | GA | GA | | |
| URL WebGroups | | | PV | PV | PV | PV | PV | PV | | |
| SNI Verification (valid with WebGroups) | | | | | | PV | PV | PV | | |
| ExternalGroups (includes Threat Feeds and Countries) | | | | | PV | PV | GA | GA | | |
| SmartGroups (S2C) | | | | GA | GA | GA | GA | | | |
| SaaS-Based Services | | | | | | | | | | |
| SaaS-Based Services (Azure and GitHub) | | | | | | | PV | Azure (GA) GitHub (PV) | | |
Additional Capabilities
- Overlapping IPs have been supported since Controller Version 7.0. Distributed Cloud Firewall (DCF) understands any defined SNAT/DNAT rules and updates the address for each gateway, enforcing the DCF rules.
- DCF auto-prunes all rules and pushes only related rules to specific gateways.
- SmartGroups dynamically change the resources inside the groups by tracking EC2 changes (AWS, Azure, GCP).
Shared VPC instance tags are not supported in GCP-based SmartGroups.
- Log Export to Splunk HTTP Event Collector