Configuring Distributed Cloud Firewall
This section describes the Distributed Cloud Firewall (DCF) functional area of Aviatrix CoPilot.
DCF Constraints
- For any VNets that have Security Group Orchestration applied, and that are included in a rule that is not enforced, the application security group (ASG) in the network security group (NSG) rule remains associated with the VM even though the NSG rule using the ASG is not present.
- Logging can consume a significant amount of disk space. You can manage disk space settings and retention settings. You can also configure how long to keep your Distributed Cloud Firewall logs.
- A SmartGroup traffic flow can belong to more than one rule. If this occurs, the priority of the rule determines the action that is taken first.
- DCF rules with WebGroups (Layer 7) do not support asymmetric traffic.
- If there are cases where egress and east-west traffic DCF rules may overlap, Layer 4 rules should have a higher priority than Layer 7 (WebGroups-based) rules.
DCF Prerequisites
Before applying Distributed Cloud Firewall:
- Your version of CoPilot must be 2.0 or greater.
- Your version of Aviatrix Controller must be 6.7 or greater.
- Gateways must have their image updated to version 6.7 or greater.
- Network reachability should be configured between the VPCs that contain applications that require connectivity. You configure network reachability using Connected Transit/MCNS.
- Enable SNAT on the Spoke gateways enforcing Egress filtering.
- If you plan to use Cloud Tags in your SmartGroups, Cloud resources must be tagged appropriately.
- Create the following groups, if you want to use them in your Distributed Cloud Firewall configuration:
If you select a WebGroup when creating a rule, the Destination Group must be 'Public Internet'. Any Spoke gateways that are part of the Source Group must contain a VPC/VNet Resource Type that has Local Egress enabled (Spoke gateway).
Enabling the Distributed Cloud Firewall Feature
If you see a message on the Distributed Cloud Firewall page (Security > Distributed Cloud Firewall) that you require the Aviatrix Universal Subscription, you must subscribe to and accept the terms for the correct Aviatrix subscription in the cloud marketplace. For more information on subscribing, see Aviatrix Licensing. Take note of your Customer ID (license) for this offer. If there is no pre-existing customer ID (you are a new user), this is the customer ID you entered when logging on to CoPilot. You do not need to reset the Customer ID on the License tab before enabling the feature. If you have already subscribed to the Aviatrix Universal Subscription license, you do not need to subscribe again; you can simply enable the feature from Configuration > Settings > License in CoPilot.
If you configured the ThreatIQ and/or Geoblocking features prior to Controller version 7.2.4820, in 7.2.4820 you automatically receive a free Distributed Cloud Firewall (DCF) license. If you did not configure the ThreatIQ and/or Geoblocking features prior to Controller version 7.2.4820, you are expected to purchase a DCF license. This will include the ExternalGroup feature.
To enable the Distributed Cloud Firewall (DCF) feature:
- In CoPilot, go to Security > Distributed Cloud Firewall > Policy.
- Click Enable Distributed Cloud Firewall.
- Click Begin Using Distributed Firewall.
- On the Distributed Cloud Firewall message that displays, click Begin.
The Rules tab now displays the rules in the system-defined V1 Policy List ruleset. You can add rules to the system-defined rulesets.
If desired, you can enable DCF from the Add-on Features area under Settings > Configuration > License, and then go to the Security > Distributed Cloud Firewall > Policy tab to begin using DCF.
DCF-Related Features
Assuming that the Distributed Cloud Firewall add-on feature is enabled from the Settings > Configuration > License tab under Add-on Features, you can enable the following:
- Enforcement on PSF Gateways and/or Enforcement on External Connections from the Feature Previews list. After one or both of these features are enabled, you can enforce DCF on PSF Gateways and/or External Connections.
- DCF on Kubernetes Clusters from the Feature Previews list. After this feature is enabled, you can enable Discovery of Kubernetes Resources from the Groups > Settings tab.
Placeholder and Default Distributed Cloud Firewall Rules
After you enable the Distributed Cloud Firewall feature (either from the License tab or the Policy tab), a Greenfield Rule and a DefaultDenyAll rule are created.
If using Controller 8.0, the Greenfield Rule is created under the Post Rules Policy List. The DefaultDenyAll rule is created under the V1 Policy List.
The placeholder Greenfield Rule prevents traffic from being dropped before you start configuring the rest of your rules. After you create additional rules you can move the Greenfield Rule where needed in your rule priority list. You can edit or delete the Greenfield Rule later, if desired.
The Greenfield Rule is only enforced on gateways, and not on Security Groups in the cloud.
By default (if you selected the recommended Permit All Traffic option), the rule has the following attributes:
- Source/Destination Groups: Anywhere (0.0.0.0/0)
- Protocol: Any
- Action: Permit
- Logging: On
The DefaultDenyAll Rule blocks traffic to any CIDR covered in Distributed Cloud Firewall rules. This rule is not editable.
Creating Groups for Distributed Cloud Firewall
SmartGroups
A Distributed Cloud Firewall (DCF) SmartGroup contains one or more filters to identify cloud endpoints that map to an app domain. A filter specifies resource matching criteria. Matching criteria could be a cloud tag; a resource attribute (such as account name or region); a list of IP prefixes; or a Site2Cloud external connection. All conditions within the filter must be satisfied to be matched. A tag or resource attribute-based filter must be associated with a resource type (VPC/VNet, subnet, or VM).
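The following is an added Python model of the SmartGroup matching semantics described above (several filters per group, every condition inside a filter ANDed, tag and attribute filters tied to a resource type, prefix filters matched by address). It is not Aviatrix code: the inventory, group names and tags are constructed, and the assumption that a resource belongs to the group when any one of its filters matches is this example's, not something the page states.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample inventory (not real Aviatrix data): resources of the three
# types the page names (VPC/VNet, subnet, VM) with cloud tags and attributes.
RESOURCES = [
    {"name": "vm-cart-1", "type": "vm", "account": "prod-acct", "region": "us-east-1",
     "tags": {"app": "shoppingcart", "env": "prod"}, "ip": "10.1.0.10"},
    {"name": "vm-cart-2", "type": "vm", "account": "prod-acct", "region": "us-west-2",
     "tags": {"app": "shoppingcart", "env": "prod"}, "ip": "10.2.0.10"},
    {"name": "vm-log-1", "type": "vm", "account": "prod-acct", "region": "us-east-1",
     "tags": {"app": "productlogging", "env": "prod"}, "ip": "10.1.1.10"},
    {"name": "vm-dev-1", "type": "vm", "account": "dev-acct", "region": "us-east-1",
     "tags": {"app": "shoppingcart", "env": "dev"}, "ip": "10.9.0.10"},
    {"name": "vpc-prod-east", "type": "vpc", "account": "prod-acct", "region": "us-east-1",
     "tags": {"env": "prod"}, "ip": None},
]


@dataclass
class Filter:
    """One filter of a SmartGroup. Every condition listed must hold (AND).

    A tag- or attribute-based filter must name a resource type, as the page
    states; a pure IP-prefix filter need not.
    """
    resource_type: Optional[str] = None             # "vpc", "subnet" or "vm"
    tags: dict = field(default_factory=dict)        # cloud tags, e.g. {"app": "shoppingcart"}
    attributes: dict = field(default_factory=dict)  # e.g. {"account": "prod-acct"}
    prefixes: list = field(default_factory=list)    # e.g. ["10.1.0.0/16"]

    def __post_init__(self):
        if (self.tags or self.attributes) and self.resource_type is None:
            raise ValueError("tag/attribute filters must be tied to a resource type")

    def matches(self, res: dict) -> bool:
        if self.resource_type is not None and res["type"] != self.resource_type:
            return False
        if any(res["tags"].get(k) != v for k, v in self.tags.items()):
            return False
        if any(res.get(k) != v for k, v in self.attributes.items()):
            return False
        if self.prefixes:
            if res["ip"] is None:            # a VPC has no single address to match
                return False
            addr = ipaddress.ip_address(res["ip"])
            if not any(addr in ipaddress.ip_network(p) for p in self.prefixes):
                return False
        return True


@dataclass
class SmartGroup:
    """Assumption: a resource is a member if ANY of the group's filters matches (OR)."""
    name: str
    filters: list

    def members(self, resources: list) -> list:
        return sorted(r["name"] for r in resources
                      if any(f.matches(r) for f in self.filters))


def demo() -> dict:
    """Resolve three constructed SmartGroups against the sample inventory."""
    groups = [
        # tag + attribute filter: prod shopping-cart VMs only (the dev VM is excluded)
        SmartGroup("shopping-cart-prod", [Filter(resource_type="vm",
                                                 tags={"app": "shoppingcart"},
                                                 attributes={"account": "prod-acct"})]),
        # prefix filter: whatever lives in 10.1.0.0/16, regardless of tags
        SmartGroup("east-prefix", [Filter(prefixes=["10.1.0.0/16"])]),
        # two filters ORed together
        SmartGroup("east-vpcs-or-dev-vms", [
            Filter(resource_type="vpc", attributes={"region": "us-east-1"}),
            Filter(resource_type="vm", tags={"env": "dev"}),
        ]),
    ]
    return {g.name: g.members(RESOURCES) for g in groups}


if __name__ == "__main__":
    for name, members in demo().items():
        print(f"{name}: {members}")
```

Running `demo()` shows why the resource-type requirement matters: the prefix-only group picks up VMs by address and silently excludes the VPC, while the tag/attribute group rejects the dev VM even though its `app` tag matches, because the account attribute is ANDed in.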
WebGroups
A DCF WebGroup contains one or more domain names or URLs that assist in filtering (and securing) Internet-bound traffic.
Creating Distributed Cloud Firewall Rules
After creating your groups, you create Distributed Cloud Firewall (DCF) rules within one of the system-defined rulesets to define the access control to apply on the traffic between those groups.
If your SmartGroups contain Spoke Gateways, ensure that those Spoke Gateways have Egress enabled.
If you have upgraded to Controller 8.0, you can use the Policy tab to create and manage DCF rulesets.
For example, in the workload isolation use case, all traffic (i.e., ports and protocols) between the ShoppingCart application and the Product Logging app must be blocked (Denied). You can decide which policies to enforce, and if you want to log the actions related to a rule. These rules are enforced (if enabled) on your Spoke gateways, and are executed against the Spoke gateways in the order that they are shown in the rule list.
Creating a rule for the workload isolation use case would resemble the following:
- Source Group: Shopping Cart application
- Destination Group: Product Logging app
- Action: Deny
- Protocol: Any
- Ports: 0-65535 (Any)
- Logging: Off
- Enforcement: On
To create a new Distributed Cloud Firewall rule:
- In CoPilot, navigate to Security > Distributed Cloud Firewall > Policy.
- Select a ruleset from the Ruleset list.
- Click + Rule. The Create Rule dialog displays.
- Use the Distributed Cloud Firewall Field Reference to create your rule.
If the Rule Behavior Action is Deny, the SNI Verification toggle is not displayed. The SNI Verification feature is only available with Controller 8.0.
Tips for Rule Creation
- Always specify the port and protocol for HTTP/TLS or non-HTTP/TLS when the domain names overlap.
- Or, you can prioritize HTTP/TLS rules in the DCF Rules list (but this means that non-TLS/HTTP traffic will always be pulled through the web proxy).
- Save any changes on the Policy tab (changes to logging or enforcement) before switching to another ruleset.
- When configuring TLS Decryption in DCF, note that while the configuration is applied per rule, its operation is global. Once a connection is decrypted to check a URL filter, it remains decrypted even if it does not match that rule's filter. The connection may match a later rule without decryption requirements, but it will already be decrypted due to the earlier rule. Therefore, carefully consider the placement of rules requiring decryption.
Viewing DCF Rule Details
You can click a DCF rule on the Security > Distributed Cloud Firewall > Policy tab to view its configuration details, source and destination entities, and statistics in the right-hand pane.
On the Configuration tab, clicking on a source or destination opens the details for this source or destination (SmartGroup, ExternalGroup, WebGroup).