Configuring Transit FireNet Inspection Policies

By default, Transit FireNet inspects ingress and east-west traffic only.

The Policy tab and inspection policy procedure are not relevant for Egress Transit FireNet because the traffic from this type of Transit gateway egresses directly to the Internet without being inspected.

Policy configuration is not necessary for Egress Transit FireNet gateways (also, the Policy tab is not displayed for these gateways).

On the FireNet Gateways Policy tab you can add or remove inspection policies for the selected Transit FireNet. When an inspection policy is added the traffic related to the Transit FireNet’s attachment (Spoke/Edge gateway, peered Transit, Site2Cloud external connection) is inspected by the firewall within the selected Transit FireNet.

You can add inspection policies for a Transit FireNet if you have already attached one of the following to the Transit FireNet:

  • Spoke gateway (can attach Spoke gateways here)

  • Edge gateway

  • Peered Transit gateway

  • Site2Cloud (added from Networking > Connectivity > External Connections)

Azure only: See Azure Spoke Subnet Groups to synchronize and add subnet groups for Spoke Gateways attached to Azure Transit FireNets. You cannot add subnet groups to a Spoke Gateway if it has inspection enabled.

  1. Navigate to Security > FireNet > FireNet Gateways and click a Transit FireNet in the list.

  2. Click the Policy tab. The list of attachments for that Transit FireNet displays.

  3. Select the attachments that you want to add for inspection.

  4. From the Actions menu, select Add. The selected attachments now show On in the Inspection column.

    500

To remove an inspection policy, select the checkbox next to the attachment name, and then select Remove from the Actions menu.