Distributed Cloud Firewall Field Reference

This table describes the fields to configure when creating a Distributed Cloud Firewall (DCF) rule.

Field Description

Name

Distributed Cloud Firewall rule name.

Source Groups

The groups (SmartGroup, Default ThreatGroup, GeoGroup) that originate traffic. You must create the SmartGroups and GeoGroups before creating a DCF rule.

You must include at least one SmartGroup.

You cannot have a GeoGroup or a ThreatGroup as both a source and a destination.

Destination Groups

The groups (SmartGroup, Default ThreatGroup, GeoGroup) that terminate traffic. You must create the SmartGroups and GeoGroups before creating a DCF rule.

You must include at least one SmartGroup.

You cannot have a GeoGroup or a ThreatGroup as both a source and a destination.

If you are using Distributed Cloud Firewall rules for egress purposes, you must:

  • Select Public Internet as the Destination SmartGroup.

  • Enable SNAT on the Spoke Gateways that enforce the egress policy.

The Destination Group must be 'Public Internet' if the following are all true:

  • You are creating a new rule

  • The Destination Group has not already been modified

  • At least one WebGroup has been selected

WebGroups

Select the WebGroups that filter egress traffic. You must create these groups before creating a DCF rule.

Protocol

Select TCP, UDP, ICMP, or Any. If you select TCP or UDP you can enter a port number or port range.

The ICMP protocol is unavailable if a WebGroup is selected, because WebGroups are only supported for TLS traffic.

Enforcement

If this slider is On, the rule is enforced in the data plane.

If this slider is Off, the packets are only watched. This allows you to observe if the traffic impacted by this rule causes any inadvertent issues (such as traffic being dropped).

After the rule is created you can enable or disable rule enforcement from the vertical ellipsis 20 menu next to the rule.

Logging

If this slider is On, information related to the action (such as five-tuple, source/destination MAC address, etc.) is logged.

After the rule is created you can enable or disable logging from the vertical ellipsis 20 menu next to the rule.

Aviatrix recommends not logging Permit rules.

Action

Select Permit or Deny. This determines the action to be taken on the traffic.

SG Orchestration

This slider is On by default and means the rule is available for Security Group Orchestration.

The SG Orchestration toggle is Off and disabled for new rules when any of the following conditions are true:

  • WebGroup is present in the rule

  • Source Group is 'Anywhere' and action is 'Permit'

  • Source Group is 'Anywhere'; Destination Group is 'Anywhere'; and action is 'Deny'

Ensure TLS

Turn On this slider if you want any traffic that matches the ports and Source and Destination Groups, but that is not TLS, to be denied. Traffic is also denied (dropped) even if it is HTTP traffic that matches the domains or URLs in the WebGroups.

TLS Decryption

If the rule action is Allow, you can enable TLS Decryption.

TLS Decryption must be enabled if a URL-based WebGroup is selected.

TLS decryption refers to the process of intercepting and deciphering encrypted data that is transmitted over a TLS-secured connection.

Intrusion Detection (IDS)

If Intrusion Detection is enabled, traffic is inspected for threats, and the results are displayed on the Detected Intrusions tab.

If Intrusion Detection and TLS Decryption are both enabled, the TLS stream is temporarily decrypted, and the decrypted data is examined for intrusions.

You must download the provided Aviatrix CA certificate (if using Controller 7.0) or upload your own certificate (if using Controller 7.1 or later) before creating a policy with IDS or TLS Decryption.

Place Rule

Select Above, Below, Top, Bottom, or Priority.

Existing Rule

If you select Above or Below (Place Rule), you must select the existing rule that is affected by the position of the new rule.

Priority

If you selected Priority (Place Rule), enter a priority number for the new rule. If an existing rule already has that priority, it is bumped down in the list. Zero (0) is the highest priority number.

You can change the rule priority after the rule is created (using the arrow icon next to that rule in the Rule table).