External Connection (Site2Cloud) and Distributed Cloud Firewall

DCF rules can be pushed to Spoke or Transit Gateways as follows:

  • External connection terminating on Spoke (L7 DCF for Active/Passive; L4 DCF for Active/Active)

  • External connection terminating on Transit (L4 only for Active/Passive and Active/Active)

DCF on External Connections is supported on AWS (and AWS Government) and Azure (and Azure Government).

External Connections with DCF Prerequisites

If the following conditions are met, you can enforce Distributed Cloud Firewall (DCF) rules on External Connection (Site2Cloud) interfaces:

External Connections (S2C) with DCF Capabilities

External Connections (S2C) Capabilities | Supported | Not Supported

Gateways

  • Supported: Spoke Gateway, Transit Gateway

  • Not Supported: Standalone Gateway, PSF Gateway

Connection Type

  • BGP over IPsec

  • BGP over GRE

  • Static Route-Based (Mapped)

  • Static Route-Based (ActiveMesh)

  • Static Route-Based

  • BGP over LAN

  • Static Policy-Based

  • Static Policy-Based (Mapped)

  • Static Route-Based (Custom Mapped)

L4/L7 DCF

  • Supported: Spoke Gateway, Transit Gateway

  • Not Supported: No L7 enforcement on Transit Gateway

Cloud Type

  • Supported: AWS, Azure, AWS GovCloud, Azure Government

  • Not Supported: GCP, OCI, China CSPs