Distributed Cloud Firewall Supported Capabilities
Since Controller Version 6.8, DCF has been supported in AWS, AWS GovCloud, Azure, Azure Government, and GCP.
Ranges
Capability | 6.8 | 6.9 | 7.0 | 7.1 | 7.2 |
---|---|---|---|---|---|
Number of CIDR-Based Groups |
500 |
500 |
500 |
500 |
1,400 |
Number of Domains per WebGroup |
3,000 |
3,000 |
|||
Number of CIDRs per Group |
3,000 |
3,000 |
3,000 |
3,000 |
10,000 |
Total Number of CIDRs |
10,000 |
10,000 |
300,000 |
||
Number of DCF Rules |
2,000 |
2,000 |
2,000 |
2,000 |
5,000 |
Supported Features
The following are supported on AWS, Azure and GCP unless otherwise noted.
-
PV = feature is in Preview
-
GA = feature is Generally Available
-
If a cell is blank the feature was not supported in that release.
Feature | 6.8 | 6.9 | 7.0 | 7.1 | 7.2 |
---|---|---|---|---|---|
DCF Rules |
|||||
Layer 4 Rules |
GA |
GA |
GA |
GA |
|
Rules with Domain WebGroups |
PV |
GA |
GA |
||
Rules with URL WebGroups |
PV |
PV |
PV |
||
Rules with ThreatGroups and GeoGroups |
GA |
||||
DCF on Public Subnet Filtering Gateways |
PV |
||||
DCF on Site2Cloud (L4 only on Transit) |
PV |
||||
Security Group Orchestration (not supported on GCP) |
PV (Azure) |
PV (Azure, AWS) |
PV (AWS), GA (Azure) |
||
Deep Packet Inspection |
|||||
Transparent TLS Decryption |
PV |
PV |
|||
Suricata IDS (Egress only) |
PV |
PV |
|||
Advanced Features |
|||||
Dynamic Signature Update |
PV |
||||
Import Decryption Certificate |
PV |
PV |
PV |
||
Logging |
|||||
Layer 4 logging (+Domain) |
GA |
GA |
GA |
||
Layer 7 logging (URL) |
PV |
PV |
PV |
||
IDS/IPS logging |
PV |
PV |
PV |
||
Log export via Syslog |
GA |
GA |
GA |
||
Asset Groups/SmartGroups |
|||||
SmartGroups (EC2/VPC/Subnet) |
GA |
GA |
GA |
GA |
|
Domain WebGroups |
PV |
GA |
GA |
||
URL WebGroups |
PV |
PV |
PV |
||
ThreatGroups |
GA |
||||
GeoGroups |
GA |
||||
SmartGroups (S2C) |
GA |
Additional Capabilities
-
Overlapping IPs have been supported since Controller Version 7.0. Distributed Cloud Firewall (DCF) understands any defined SNAT/DNAT rules and updates the address for each gateway, enforcing the DCF rules.
-
DCF auto-prunes all rules and pushes only related rules to specific gateways.
-
SmartGroups dynamically change the resources inside the groups by tracking EC2 changes (AWS, Azure, GCP).
-
Log Export to Splunk HTTP Event Collector