External Connection (Site2Cloud) and Distributed Cloud Firewall

DCF rules can be pushed to Spoke or Transit Gateways as follows:

  • External connection terminating on Spoke (L7 DCF for Active/Passive; L4 DCF for Active/Active)

  • External connection terminating on Transit (L4 only for Active/Passive and Active/Active)

External Connections with DCF Prerequisites

If the following conditions are met, you can enforce Distributed Cloud Firewall (DCF) rules on External Connection (Site2Cloud) interfaces:

External Connections (S2C) with DCF Capabilities

External Connections (S2C) Capabilities | Supported | Not Supported

Gateways

  • Spoke Gateway

  • Transit Gateway

  • Standalone Gateway

  • PSF Gateway

Connection Type

  • BGP over IPsec

  • BGP over GRE

  • Static Route-Based (Mapped)

  • Static Route-Based (ActiveMesh)

  • Static Route-Based

  • BGP over LAN

  • Static Policy-Based

  • Static Policy-Based (Mapped)

  • Static Route-Based (Custom Mapped)

L4/L7 DCF

  • Spoke Gateway

  • Transit Gateway

No L7 enforcement on Transit Gateway

Cloud Type

  • AWS

  • Azure

  • AWS GovCloud

  • Azure Government

  • GCP

  • OCI

  • China CSPs