Distributed Cloud Firewall Rulesets
Your Distributed Cloud Firewall (DCF) policies are essential for managing and securing network traffic across various parts of an organization.
Your DCF policies consist of multiple rulesets or other policies for easier management. You can use policies to apply a consistent security posture across multiple accounts, VPCs, or environments.
Each ruleset consists of a set of DCF rules. Rulesets allow for logical grouping of rules based on function, environment, geography, application, or any user-determined type. Each ruleset has a unique priority range (typically between 1000 and 8999) and is evaluated in order of priority.
It is crucial for different groups within an organization to collaborate and decide which rulesets take precedence. This collaboration ensures that the most critical rules are applied first.
You can switch between rulesets, but it is important to save changes on the Policies tab for a specific ruleset before switching to another. A rule can be used in more than one ruleset, providing further flexibility in managing network security.
Rules are the most granular unit in DCF. A rule defines a specific traffic control action, such as Permit or Deny, and is based on criteria such as source/destination IPs, ports, protocols, and SmartGroups. Each rule has a priority value that determines its evaluation order within a ruleset.
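As an added example (not Aviatrix code or its API), the Python model below walks a policy the way the text describes: rulesets in order of their priority range, rules by priority inside each ruleset, with a shared rule reused in two rulesets and a Post Rules ruleset holding DefaultDenyAll. It assumes that lower priority numbers are evaluated first, that the first matching rule decides, and that ruleset priority ranges must not overlap; `Rule`, `Ruleset`, `check_ranges`, `evaluate` and the sample policy are all constructed here.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int            # evaluation order inside the ruleset (lower first, assumed)
    action: str              # "Permit" or "Deny"
    src: str = "0.0.0.0/0"   # source CIDR; SmartGroups are modelled as plain CIDRs here
    dst: str = "0.0.0.0/0"   # destination CIDR
    port: int = 0            # destination port; 0 means any port

    def matches(self, src_ip, dst_ip, dport):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.port == 0 or self.port == dport))

@dataclass
class Ruleset:
    name: str
    priority_range: tuple    # unique (low, high) range, e.g. (1000, 1999)
    rules: list = field(default_factory=list)

def check_ranges(rulesets):
    # Reject overlapping ruleset ranges: the precedence decision teams must agree on.
    spans = sorted(r.priority_range for r in rulesets)
    for (lo1, hi1), (lo2, hi2) in zip(spans, spans[1:]):
        if lo2 <= hi1:
            raise ValueError(f"overlapping ruleset ranges {lo1}-{hi1} and {lo2}-{hi2}")

def evaluate(rulesets, src_ip, dst_ip, dport):
    # Rulesets by range, rules by priority; first match wins, otherwise implicit deny.
    check_ranges(rulesets)
    for rs in sorted(rulesets, key=lambda r: r.priority_range[0]):
        for rule in sorted(rs.rules, key=lambda r: r.priority):
            if rule.matches(src_ip, dst_ip, dport):
                return rule.action, f"{rs.name}/{rule.name}"
    return "Deny", "implicit"

# Constructed sample policy (hypothetical names and addresses, not from any real deployment).
ALLOW_DNS = Rule("allow-dns", 10, "Permit", dst="10.0.53.0/24", port=53)  # shared by two rulesets
PROD = Ruleset("prod-app", (1000, 1999), [
    Rule("deny-db-from-web", 5, "Deny", src="10.1.0.0/16", dst="10.2.0.0/16", port=5432),
    ALLOW_DNS])
SHARED = Ruleset("shared-services", (2000, 2999), [
    ALLOW_DNS,
    Rule("allow-db-from-app", 1, "Permit", src="10.1.0.0/16", dst="10.2.0.0/16", port=5432)])
POST = Ruleset("post-rules", (8000, 8999), [Rule("DefaultDenyAll", 1, "Deny")])
POLICY = [PROD, SHARED, POST]
```

Because the prod ruleset's range sorts first, its Deny for the database port wins over the Permit in the shared ruleset, which is exactly the precedence question the text asks teams to settle.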
DCF rulesets are supported in Controller 8.0 or later. If you started using DCF rulesets in Controller 8.0, two predefined rulesets were created: V1 Policy List (editable) and Post Rules Policy List (non-editable). The former contained all existing legacy rules (created prior to Controller 8.0) and the Greenfield Rule. The latter contained the DefaultDenyAll rule. After monitoring or protecting VPC/VNets, rules are added to the Egress Protection Policy List ruleset. This ruleset is created automatically when you monitor or protect VPC/VNets, and it contains the rules that are created as part of the monitoring or protection workflows.
- The legacy DefaultDenyAll rule is moved from the Post Rules Policy List (8.0) to the Legacy Default Deny Ruleset, which can be deleted.
- The Greenfield Rule will no longer be created by default and is being replaced by the zero trust Default Action Rule.