Distributed Cloud Firewall Field Reference

This table describes the fields to configure when creating a Distributed Cloud Firewall rule.

Field Description

Name

Distributed Cloud Firewall rule name.

Source SmartGroups

The SmartGroups that originate traffic.

Destination SmartGroups

The SmartGroups that terminate traffic.

If you are using Distributed Cloud Firewall rules for egress purposes, you must select Public Internet as the Destination SmartGroup. Also, SNAT must be enabled on the Spoke Gateways that enforce the egress policy.

The 'Public Internet' Destination SmartGroup should be used if all of the following are true:

  • You are creating a new rule

  • The Destination SmartGroup has not already been modified

  • At least one WebGroup has been selected

WebGroups (must be created first)

Select the WebGroups that filter egress traffic.

Protocol

Select TCP, UDP, ICMP, or Any. If you select TCP or UDP you can enter a port number or port range.

The ICMP protocol is unavailable if a WebGroup is selected, because WebGroups are only supported for TLS traffic.

Enforcement

If this slider is On, the rule is enforced in the data plane.

If this slider is Off, the packets are only watched. This allows you to observe if the traffic impacted by this rule causes any inadvertent issues (such as traffic being dropped).

After the rule is created you can enable or disable rule enforcement from the vertical ellipsis 20 menu next to the rule.

Logging

If this slider is On, information related to the action (such as five-tuple, source/destination MAC address, etc.) is logged.

After the rule is created you can enable or disable logging from the vertical ellipsis 20 menu next to the rule.

Aviatrix recommends not logging Permit rules.

Action

Select Permit or Deny. This determines the action to be taken on the traffic

SG Orchestration

This slider is On by default and means the rule is available for Security Group Orchestration.

The SG Orchestration toggle is Off and disabled for new rules when any of the following conditions are true:

  • WebGroup is present in the rule

  • Source SmartGroup is 'Anywhere' and action is 'Permit'

  • Source SmartGroup is 'Anywhere'; Destination SmartGroup is 'Anywhere'; and action is 'Deny'

Ensure TLS

Turn On this slider if you want any traffic that matches the ports and Source and Destination SmartGroups, but that is not TLS, to be dropped. Traffic is also dropped even if it is HTTP traffic that matches the domains or URLs in the WebGroups.

TLS Decryption

If the rule action is Allow, you can enable TLS Decryption.

TLS decryption refers to the process of intercepting and deciphering encrypted data that is transmitted over a TLS-secured connection.

Intrusion Detection (IDS)

If Intrusion Detection is enabled, traffic is inspected for threats, and the results are displayed on the Detected Intrusions tab.

If Intrusion Detection and TLS Decryption are both enabled, the TLS stream is temporarily decrypted, and the decrypted data is examined for intrusions.

You must download the provided Aviatrix CA certificate (if using Controller 7.0) or upload your own certificate (if using Controller 7.1 or later) before creating a policy with IDS or TLS Decryption.

Place Rule

Select Above, Below, Top, Bottom, or Priority.

Existing Rule

If you select Above or Below (Place Rule), you must select the existing rule that is affected by the position of the new rule.

Priority

If you selected Priority (Place Rule), enter a priority number for the new rule. If an existing rule already has that priority, it is bumped down in the list. Zero (0) is the highest priority number.

You can change the rule priority after the rule is created (using the arrow icon next to that rule in the Rule table).