External Connection (Site2Cloud) and Distributed Cloud Firewall
Distributed Cloud Firewall (DCF) rules can be pushed to Spoke or Transit Gateways as follows:
- External connection terminating on Spoke (L7 DCF for Active/Passive; L4 DCF for Active/Active)
- External connection terminating on Transit (L4 only for Active/Passive and Active/Active)
If you roll back your 7.2.4820 gateways to 7.1, any DCF rules that include External Connections will no longer be evaluated or enforced. This is expected behavior, because the DCF with External Connections feature was introduced in 7.2.4820.
External Connections with DCF Prerequisites
If the following conditions are met, you can enforce Distributed Cloud Firewall (DCF) rules on External Connection (Site2Cloud) interfaces:
- The DCF feature is enabled; this makes the DCF on External Connections feature available.
- The Enforcement on External Connections setting is enabled.
External Connections (S2C) with DCF Capabilities
| External Connections (S2C) Capabilities | Supported | Not Supported |
|---|---|---|
| Gateways | Spoke Gateway, Transit Gateway | Standalone Gateway, PSF Gateway |
| Connection Type | BGP over LAN, BGP over IPsec, BGP over GRE, Static Route-Based (Mapped), Static Route-Based (ActiveMesh), Static Route-Based | Static Policy-Based (Unmapped), Static Route-Based (Custom Mapped) |
| L4/L7 DCF | Spoke Gateway, Transit Gateway | No L7 enforcement on Transit Gateway |
| Cloud Type | AWS, Azure | AWS GovCloud, Azure Government, GCP, OCI, China CSPs |