Public Subnet Filtering and Distributed Cloud Firewall

Enforcement of DCF rules on PSF gateways is supported in Controller version 7.2.4820 and above.

Legacy security features (such as Egress FQDN Filtering) must be disabled if DCF on PSF Gateways is enabled.

Public Subnet Filtering (PSF) Gateways provide ingress and egress security for AWS public subnets where instances have public IP addresses.

Prerequisites

If the following conditions are met, you can enforce Distributed Cloud Firewall (DCF) rules on Public Subnet Filtering (PSF) Gateways:

Enforcing DCF Rules on PSF Gateways

The Enforcement on PSF Gateways feature enforces DCF rules both on PSF gateways created before Controller version 7.2.4820 that have not been image-upgraded and on any image-upgraded PSF gateways. Make sure all of your PSF gateways created prior to Controller version 7.2.4820 are image-upgraded.

To enforce DCF rules on PSF Gateways:

  1. Ensure that you have created your PSF Gateways.

  2. Create a SmartGroup that contains resources from the VPC associated with the PSF gateway. This should be a CIDR-based SmartGroup that contains IP addresses.

  3. (optional) Create a URL or Domain WebGroup.

  4. (optional) Create a GeoGroup to use as the Source or Destination in the subsequent DCF rule.

  5. Create a DCF rule that:

    • Uses the above SmartGroup as a Source or Destination.

    • Uses the WebGroup you created.

    • Uses the above GeoGroup (or the Default ThreatGroup; this is also optional) as a Source or Destination, on the opposite side from the SmartGroup (if the SmartGroup is the Source, the GeoGroup is the Destination, and vice versa).

The DCF rule is not enforced if it terminates on a PSF subnet that is not monitored.
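The procedure above, written as Terraform for the Aviatrix provider, as an added example that is not part of this page or of the Aviatrix documentation. The names and the CIDR are constructed sample values, the GeoGroup from step 4 is passed in as a placeholder UUID variable, and the resource and attribute names are as I recall them from the Aviatrix Terraform provider; check them against the provider reference for your Controller version before applying.

```hcl
terraform {
  required_providers {
    aviatrix = {
      source = "AviatrixSystems/aviatrix"
    }
  }
}

# Step 2: CIDR-based SmartGroup covering the public subnet behind the PSF gateway.
# The CIDR is a constructed sample value.
resource "aviatrix_smart_group" "psf_public_subnet" {
  name = "psf-public-subnet"
  selector {
    match_expressions {
      cidr = "10.20.1.0/24"
    }
  }
}

# Step 3: Domain WebGroup naming the only destination the rule should permit.
resource "aviatrix_web_group" "allowed_domains" {
  name = "allowed-update-domains"
  selector {
    match_expressions {
      snifilter = "updates.example.com"
    }
  }
}

# Step 4 is done in the Controller; its GeoGroup UUID is supplied here as a placeholder.
variable "geogroup_uuid" {
  description = "UUID of the GeoGroup from step 4 (placeholder; copy it from the Controller)"
  type        = string
}

# Step 5: the DCF rule. The SmartGroup is the Source and the GeoGroup is the Destination
# (opposite sides), and the WebGroup restricts which domains in that destination are permitted.
resource "aviatrix_distributed_firewalling_policy_list" "psf_egress" {
  policies {
    name             = "psf-egress-allow-updates"
    action           = "PERMIT"
    priority         = 100
    protocol         = "TCP"
    logging          = true  # log matches so enforcement on the PSF gateway can be verified
    watch            = false # set to true to observe matches without enforcing while validating
    src_smart_groups = [aviatrix_smart_group.psf_public_subnet.uuid]
    dst_smart_groups = [var.geogroup_uuid]
    web_groups       = [aviatrix_web_group.allowed_domains.uuid]
    port_ranges {
      lo = 443
      hi = 443
    }
  }
}
```

Keeping `logging = true` gives you a record of which PSF traffic the rule matched, which is the quickest way to confirm that the subnet you put in the SmartGroup is actually monitored by the PSF gateway; a rule that terminates on an unmonitored PSF subnet produces no matches because, as noted above, it is not enforced there.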