Skip to main content

Public Subnet Filtering and Distributed Cloud Firewall

Enforcement of DCF rules on PSF gateways is supported in Controller version 7.2.4820 and above. Legacy security features (such as Egress FQDN Filtering) must be disabled if DCF on PSF Gateways is enabled.
Public Subnet Filtering (PSF) Gateways provide ingress and egress security for AWS public subnets where instances have public IP addresses.

Prerequisites

If the following conditions are met you can enforce Distributed Cloud Firewall (DCF) rules on Public Subnet Filtering (PSF) Gateways:

Enforcing DCF Rules on PSF Gateways

Since the Enforcement on PSF Gateways feature will enforce DCF rules on all PSF gateways—regardless of whether they have been image-upgraded—it is important to ensure that all PSF gateways created prior to Controller version 7.2.4820 are image-upgraded. An error may occur if you attempt to enforce DCF rules on PSF gateways that have not been image-upgraded.
To enforce DCF rules on PSF Gateways:
  1. Ensure that you have created your PSF Gateways.
  2. Create a SmartGroup that contains resources from the VPC associated with the PSF gateway. This should be a CIDR-based SmartGroup that contains IP addresses.
  3. (optional) Create a URL or Domain WebGroup.
  4. (optional) Create a ExternalGroup that contains a Country or Threat Feed to use as the Source or Destination in the subsequent DCF rule.
  5. Create a DCF rule that:
    • Uses the above SmartGroup as a Source or Destination.
    • Uses the WebGroup you created.
    • Uses the above ExternalGroup (that can contain a Country or a Threat Feed) as a Source or Destination (select the opposite of what you selected for the SmartGroup).
The DCF rule is not enforced if it terminates on a PSF subnet that is not monitored.