About Transit FireNet Settings
This document describes the settings you can configure for an Aviatrix Transit FireNet Gateway after it is created.
- On the Security > FireNet > FireNet Gateways tab, click on a Transit FireNet.
- Click the Settings tab.
- Configure the following for the selected Transit FireNet.
Firewall Management Access
Advertise the Transit FireNet VPC/VNet CIDRs to on-prem. For example, if a firewall management console such as Palo Alto Networks Panorama is deployed on-prem, Panorama can reach the firewalls at their private IP addresses once this option is configured.
Static CIDR Egress
If Egress is enabled for the Transit FireNet (this also applies to an Egress Transit FireNet or AWS TGW FireNet), this setting allows traffic from Spoke gateways destined to these subnets to egress via the firewall attached to the selected Transit FireNet before going to the Internet. You can add up to 20 subnets.
Only enable this setting if you also have a Site2Cloud external connection that is advertising this CIDR via a BGP or static connection.
Exclude from East-West Inspection
Not applicable for Egress Transit FireNet.
Transit FireNet inspects all East-West (VPC/VNet to VPC/VNet) traffic by default, but you may have an instance that you do not want inspected. The CIDRs listed here will not be subject to firewall policies (or to firewall policy errors). You can add a maximum of 200 CIDRs.
CIDRs are excluded from East-West inspection only.
Firewall Forwarding
Select a 5-Tuple or 2-Tuple hashing algorithm:
- 2-Tuple hashes Source IP and Destination IP.
- 5-Tuple hashes Source and Destination IP, Source and Destination Port, and Protocol Type.
By default, FireNet and AWS TGW FireNet use the 5-Tuple algorithm to load balance traffic across different firewalls. However, you can select 2-Tuple to map traffic to the available firewalls.
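The following Python model illustrates the two settings above, the East-West exclusion list and the 2-Tuple versus 5-Tuple forwarding choice, by simulating how a flow is either bypassed or assigned to one of N firewalls. It is an added example written for this page, not Aviatrix code: the SHA-256 based bucket hash, the symmetric ordering of endpoints (so both directions of a conversation hit the same firewall), the `Flow` type and the sample addresses are all constructed assumptions; the 200-CIDR limit and the tuple definitions come from the settings text.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Limit stated in the settings text for "Exclude from East-West Inspection".
MAX_EXCLUDED_CIDRS = 200


@dataclass(frozen=True)
class Flow:
    """One East-West flow between two instances (constructed sample type)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int  # IP protocol number: 6 = TCP, 17 = UDP


def parse_exclusions(cidrs: Iterable[str]) -> list:
    """Validate the exclusion list: well-formed CIDRs, at most 200 entries."""
    cidr_list = list(cidrs)
    if len(cidr_list) > MAX_EXCLUDED_CIDRS:
        raise ValueError(
            f"at most {MAX_EXCLUDED_CIDRS} CIDRs may be excluded, got {len(cidr_list)}"
        )
    # strict=True rejects entries with host bits set, e.g. 10.1.2.3/24
    return [ipaddress.ip_network(c, strict=True) for c in cidr_list]


def is_excluded(flow: Flow, excluded) -> bool:
    """A flow bypasses inspection if either endpoint falls in an excluded CIDR."""
    src = ipaddress.ip_address(flow.src_ip)
    dst = ipaddress.ip_address(flow.dst_ip)
    return any(src in net or dst in net for net in excluded)


def _bucket(key_parts, n_firewalls: int) -> int:
    """Hash the key fields and reduce to a firewall index.
    Illustrative hash only; the real FireNet hash is not documented here."""
    key = "|".join(str(p) for p in key_parts).encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:8], "big") % n_firewalls


def two_tuple_bucket(flow: Flow, n_firewalls: int) -> int:
    """2-Tuple: hash Source IP and Destination IP only. Endpoints are sorted so
    both directions of a conversation land on the same firewall (assumption)."""
    lo, hi = sorted((flow.src_ip, flow.dst_ip), key=ipaddress.ip_address)
    return _bucket([lo, hi], n_firewalls)


def five_tuple_bucket(flow: Flow, n_firewalls: int) -> int:
    """5-Tuple: hash IPs, ports and protocol, with the same symmetric ordering."""
    a = (flow.src_ip, flow.src_port)
    b = (flow.dst_ip, flow.dst_port)
    lo, hi = sorted((a, b), key=lambda e: (ipaddress.ip_address(e[0]), e[1]))
    return _bucket([lo[0], lo[1], hi[0], hi[1], flow.proto], n_firewalls)


def forward(flow: Flow, excluded, n_firewalls: int, algorithm: str = "5-tuple") -> Optional[int]:
    """Return the firewall index a flow is sent to, or None if it bypasses inspection."""
    if n_firewalls < 1:
        raise ValueError("need at least one firewall")
    if is_excluded(flow, excluded):
        return None
    if algorithm == "2-tuple":
        return two_tuple_bucket(flow, n_firewalls)
    if algorithm == "5-tuple":
        return five_tuple_bucket(flow, n_firewalls)
    raise ValueError(f"unknown algorithm {algorithm!r}")


def spread(flows: Iterable[Flow], excluded, n_firewalls: int, algorithm: str) -> Set[int]:
    """Set of firewalls touched by a group of flows; shows how each algorithm fans out."""
    buckets = (forward(f, excluded, n_firewalls, algorithm) for f in flows)
    return {b for b in buckets if b is not None}


# Constructed sample data: two spoke instances talking over several TCP connections,
# plus one flow from a CIDR that is excluded from East-West inspection.
EXCLUDED = parse_exclusions(["10.50.0.0/16"])
SAME_HOSTS = [Flow("10.10.1.5", "10.20.2.9", 40000 + i, 443, 6) for i in range(8)]
BYPASSED = Flow("10.50.3.4", "10.20.2.9", 51000, 443, 6)

if __name__ == "__main__":
    print("2-tuple firewalls used:", spread(SAME_HOSTS, EXCLUDED, 4, "2-tuple"))
    print("5-tuple firewalls used:", spread(SAME_HOSTS, EXCLUDED, 4, "5-tuple"))
    print("excluded flow ->", forward(BYPASSED, EXCLUDED, 4))
```

Running the script shows the trade-off the setting describes: with 2-Tuple, every connection between the same pair of hosts maps to a single firewall, so that firewall sees the whole conversation but the load is not spread; with 5-Tuple, connections between the same hosts can fan out across firewalls. The exclusion check runs before hashing, so excluded CIDRs never reach a firewall at all.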