Distributed Cloud Firewall Supported Capabilities

Since Controller Version 6.8, DCF has been supported in AWS, AWS GovCloud, Azure, Azure Government, and GCP.

Ranges

Capability 6.8 6.9 7.0 7.1 7.2

Number of CIDR-Based Groups

500

500

500

500

1,400

Number of Domains per WebGroup

3,000

3,000

Number of CIDRs per Group

3,000

3,000

3,000

3,000

10,000

Total Number of CIDRs

10,000

10,000

300,000

Number of DCF Rules

2,000

2,000

2,000

2,000

5,000

Supported Features

The following are supported on AWS, Azure and GCP unless otherwise noted.

  • PV = feature is in Preview

  • GA = feature is Generally Available

  • If a cell is blank the feature was not supported in that release.

Feature 6.8 6.9 7.0 7.1 7.2

DCF Rules

Layer 4 Rules

GA

GA

GA

GA

Rules with Domain WebGroups

PV

GA

GA

Rules with URL WebGroups

PV

PV

PV

Rules with ThreatGroups and GeoGroups

GA

DCF on Public Subnet Filtering Gateways

PV

DCF on Site2Cloud (L4 only on Transit)

PV

Security Group Orchestration (not supported on GCP)

PV (Azure)

PV (Azure, AWS)

PV (AWS), GA (Azure)

Deep Packet Inspection

Transparent TLS Decryption

PV

PV

Suricata IDS (Egress only)

PV

PV

Advanced Features

Dynamic Signature Update

PV

Import Decryption Certificate

PV

PV

PV

Logging

Layer 4 logging (+Domain)

GA

GA

GA

Layer 7 logging (URL)

PV

PV

PV

IDS/IPS logging

PV

PV

PV

Log export via Syslog

GA

GA

GA

Asset Groups/SmartGroups

SmartGroups (EC2/VPC/Subnet)

GA

GA

GA

GA

Domain WebGroups

PV

GA

GA

URL WebGroups

PV

PV

PV

ThreatGroups

GA

GeoGroups

GA

SmartGroups (S2C)

GA

Additional Capabilities

  • Overlapping IPs have been supported since Controller Version 7.0. Distributed Cloud Firewall (DCF) understands any defined SNAT/DNAT rules and updates the address for each gateway, enforcing the DCF rules.

  • DCF auto-prunes all rules and pushes only related rules to specific gateways.

  • SmartGroups dynamically change the resources inside the groups by tracking EC2 changes (AWS, Azure, GCP).

  • Log Export to Splunk HTTP Event Collector