Protecting Egress Traffic

Controller 8.0 and the enablement of the DCF feature are required to protect VPC/VNets.

On the Security > Egress > Egress VPC/VNets tab, you can protect VPC/VNets that are being monitored so that only trusted traffic reaches the Internet.

After VPC/VNets are protected:

  • The VPC/VNets continue to be monitored.

  • They are added to a Protected VPC/VNets SmartGroup and a Protected VPCs rule. Subsequent protected VPC/VNets are added to the same SmartGroup and Rule.

  • A new WebGroup is created for the selected trusted domains.

  • A new SmartGroup is created for the selected VPC/VNets.

  • A new "permit" rule is created that contains the trusted domains.

  • They are included in the Egress Security Score calculation.

To protect VPC/VNet egress traffic:

  1. On the Security > Egress > Egress VPC/VNets tab, select one or more monitored VPC/VNets and click Protect in the Actions menu.

  2. The Protect VPC/VNet dialog displays all trusted traffic flows observed in the selected VPC/VNet. Select one or more trusted flows to continue to allow traffic to flow to those domains. If there are no domains listed, you cannot click Next to proceed to the next step.

    You can use the AI FQDN Analyzer to view details on the domains and determine if you want to trust them.

  3. Click Next after selecting trusted traffic flows. The Review Distributed Cloud Firewall Rule Changes page displays.

    This page displays the changes that will occur after protection is applied.

    • The selected VPC/VNets will be added to the Protected VPC/VNets SmartGroup (and removed from the Monitored-VPCs SmartGroup). This SmartGroup contains all VPC/VNets that are protected.

    • Another SmartGroup is created that contains just the VPC/VNets you selected.

    • The selected trusted domains will be added to a new WebGroup.

  4. Select where the new DCF rules will be placed. You can also enter a value for Starting at Rule Priority (if applicable).

    • A new DCF rule will be created for the selected VPC/VNets that permits traffic from the VPC/VNets to the trusted domains.

    • The Protected VPC/VNets Rule will be updated with the selected VPC/VNets. This acts as a Default Deny Rule.

  5. Click Protect.

  6. A message displays indicating any change in Egress Security Score.
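The rule changes the Review page describes (a permit rule for the trusted WebGroup placed ahead of the Protected VPC/VNets default-deny rule) can be modelled to see why the placement step matters. The following Python is an added illustration written for this page, not Aviatrix code or its API: the SmartGroup names `Protected-VPCs` and `Monitored-VPCs`, the rule name `Protected VPCs Rule`, and the convention that a lower priority number is evaluated first are assumptions of the model, and the VPC ids and domains are constructed sample data.

```python
"""Toy model of the egress rule changes described on this page (added example, not Aviatrix code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Optional


@dataclass
class Rule:
    name: str
    priority: int             # assumption: lower number is evaluated first
    src_group: str            # SmartGroup the source VPC must belong to
    web_group: Optional[str]  # WebGroup the destination FQDN must match; None = any destination
    action: str               # "permit" or "deny"


@dataclass
class Policy:
    smart_groups: dict = field(default_factory=dict)  # SmartGroup name -> set of VPC ids
    web_groups: dict = field(default_factory=dict)    # WebGroup name -> set of FQDN patterns
    rules: list = field(default_factory=list)

    PROTECTED = "Protected-VPCs"             # assumed name of the Protected VPC/VNets SmartGroup
    MONITORED = "Monitored-VPCs"
    DEFAULT_DENY = "Protected VPCs Rule"     # the rule the page calls the Default Deny Rule

    def __post_init__(self):
        self.smart_groups.setdefault(self.PROTECTED, set())
        self.smart_groups.setdefault(self.MONITORED, set())
        # Default-deny rule: matches any destination from a protected VPC, placed low in the order.
        self.rules.append(Rule(self.DEFAULT_DENY, 1000, self.PROTECTED, None, "deny"))

    def monitor(self, vpc: str) -> None:
        self.smart_groups[self.MONITORED].add(vpc)

    def protect(self, vpcs, trusted_domains, starting_priority: int) -> str:
        """Apply the changes listed on the Review page: move the VPCs to the Protected SmartGroup,
        create a SmartGroup and WebGroup for this selection, and add a permit rule."""
        if not trusted_domains:
            # Mirrors the dialog: with no trusted domains you cannot proceed.
            raise ValueError("no trusted domains selected")
        tag = "-".join(sorted(vpcs))
        sg, wg, rule = f"SG-{tag}", f"WG-{tag}", f"Permit-{tag}"
        for v in vpcs:
            self.smart_groups[self.MONITORED].discard(v)
            self.smart_groups[self.PROTECTED].add(v)
        self.smart_groups[sg] = set(vpcs)
        self.web_groups[wg] = set(trusted_domains)
        self.rules.append(Rule(rule, starting_priority, sg, wg, "permit"))
        return rule

    def evaluate(self, vpc: str, fqdn: str) -> str:
        """First-match evaluation in priority order."""
        for r in sorted(self.rules, key=lambda r: r.priority):
            if vpc not in self.smart_groups.get(r.src_group, set()):
                continue
            if r.web_group is not None and not any(
                fnmatch(fqdn, pattern) for pattern in self.web_groups[r.web_group]
            ):
                continue
            return r.action
        return "permit"  # a monitored-only VPC matches no rule: traffic is observed, not blocked

    def shadowed_permits(self) -> list:
        """Permit rules placed after the default-deny rule; they can never match for protected VPCs."""
        deny = next(r for r in self.rules if r.name == self.DEFAULT_DENY)
        return [r.name for r in self.rules if r.action == "permit" and r.priority > deny.priority]


if __name__ == "__main__":
    policy = Policy()
    for vpc in ("vpc-a", "vpc-b"):          # constructed VPC ids
        policy.monitor(vpc)
    policy.protect(["vpc-a"], ["*.ubuntu.com", "pypi.org"], starting_priority=100)
    for vpc, fqdn in [("vpc-a", "archive.ubuntu.com"), ("vpc-a", "unknown.example"), ("vpc-b", "unknown.example")]:
        print(vpc, fqdn, "->", policy.evaluate(vpc, fqdn))
    print("shadowed permit rules:", policy.shadowed_permits())
```

Running the model shows the three outcomes the page implies: trusted flows from a protected VPC are permitted, everything else from it hits the default-deny rule, and a VPC that is only monitored is not blocked. If a permit rule is given a starting priority that places it after the default-deny rule, `shadowed_permits` reports it and the trusted flow is denied, which is the failure the placement step in the procedure exists to avoid.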
