Firewall Network (FireNet) Configuration

These configuration options apply to both AWS TGW-based FireNet and Aviatrix Transit FireNet. However, if you are using Centralized FireNet (AWS only), you cannot configure these options for Secondary FireNets.

All of this configuration is performed under Firewall Network > List > FireNet. Select a FireNet VPC (?) in the list and then click Details.

The Details page also displays Firewall Network route table details. You can run and then show diagnostics on these route tables. You can also submit the diagnostics log file

Traffic Inspection

You can enable and disable traffic inspection. When traffic inspection is disabled, the FireNet Gateway loops back all packets.

Egress Through Firewall

By default, FireNet inspects North-South (on-prem and VPC/VNet) and East-West (VPC/VNet to VPC/VNet) traffic. To enable inspection of Egress (Internet-bound) traffic, scroll down to Egress through Firewall and click Enable.

Any GCP instance (including Controller-created gateways) that needs to participate in egress control (FQDN, SNAT, and FW egress) has to be tagged as "avx-snat-noip". The GCP network tag "avx-snat-noip" can be associated during GCE creation or by editing an existing instance.

Egress Static CIDRs

You can allow egress to a subset of your IP address space from your on-prem data center to the Internet with Aviatrix Egress FireNet. Static CIDR egress is supported on Aviatrix Transit and AWS Transit Gateways (TGW). Up to 20 subnets are supported.

Enter the static CIDRs in the field and click Change. This changes the egress static CIDR attribute for the selected FireNet to the value you entered.

Network List Excluded From East-West Inspection

By default, FireNet inspects all East-West (VPC/VNet to VPC/VNet) traffic. However, you may have an instance in the VPC/VNet that you do not want to be inspected. For example, you can exclude the Aviatrix Controller deployed in the Shared Service VPC/VNet from inspection while Shared Service VPC/VNet traffic is still inspected. This improves Controller reachability by not subjecting Controller access to unintentional firewall policy errors.

In the Network List Excluded From East-West Inspection field, add the CIDRs to exclude from firewall inspection.

  • A maximum of 50 comma-separated CIDRs is supported.

  • CIDRs are excluded from East-West inspections only.

  • In Transit FireNet, if Egress inspection is enabled, all the Egress traffic will get inspected by the firewall even for the CIDRs excluded for East-West inspection.

Firewall Forwarding

The FireNet solution supports two hashing types:

  • Two-tuple (Source IP/Destination IP)

  • Five-tuple (Source IP/Source Port/Destination IP/Destination Port/Protocol Type)

By default, AWS TGW-based FireNet and Aviatrix Transit FireNet use the five-tuple hashing algorithm (source IP, source port, destination IP, destination port and protocol type) to load balance traffic across the available firewalls. However, you can select the two-tuple (source IP and destination IP) hashing algorithm to map traffic to the available firewalls.
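
The difference between the two hashing types matters when a firewall must see every session between a pair of hosts. The sketch below is an added example, not Aviatrix code: the SHA-256 based bucket function, the direction normalization, the firewall count of 3 and the sample flows are all assumptions chosen for illustration, not the product's actual algorithm.

```python
import hashlib
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto")


def _bucket(key, n_firewalls):
    # Illustrative hash only (assumption): stable digest of the key, modulo pool size.
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_firewalls


def pick_firewall(flow, n_firewalls, mode):
    """Return the index of the firewall a flow maps to under the given hashing type."""
    if mode == "two-tuple":
        # Only the IP pair is hashed, so ports and protocol never change the result.
        key = tuple(sorted((flow.src_ip, flow.dst_ip)))
    elif mode == "five-tuple":
        # Endpoints are sorted so both directions of a session share one key
        # (a design choice of this example, so a stateful firewall sees the replies).
        ends = sorted(((flow.src_ip, flow.src_port), (flow.dst_ip, flow.dst_port)))
        key = tuple(ends) + (flow.proto,)
    else:
        raise ValueError("mode must be 'two-tuple' or 'five-tuple'")
    return _bucket(key, n_firewalls)


def firewalls_used(flows, n_firewalls, mode):
    """Set of firewall indexes that receive at least one of the given flows."""
    return {pick_firewall(f, n_firewalls, mode) for f in flows}


def reverse(flow):
    """Same session seen in the return direction."""
    return Flow(flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port, flow.proto)


# Constructed sample: 200 TCP sessions from one client to one server,
# differing only in the ephemeral source port.
SAMPLE_FLOWS = [Flow("10.1.0.10", 40000 + i, "10.2.0.20", 443, "tcp") for i in range(200)]

if __name__ == "__main__":
    for mode in ("two-tuple", "five-tuple"):
        used = sorted(firewalls_used(SAMPLE_FLOWS, 3, mode))
        print(f"{mode}: host pair lands on firewall(s) {used}")
```

With two-tuple hashing, every session between the two hosts is pinned to one firewall; with five-tuple hashing, the same host pair is spread across the pool, so firewall policy, logging and session state for that pair must be consistent on every firewall.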