Overview of Aviatrix Stateful Firewall
This functionality is deprecated after Controller version 7.1.1710. New deployments should use the Distributed Cloud Firewall feature for implementing firewall policy.
Aviatrix Stateful Firewall
Aviatrix Stateful Firewall is a feature on the Aviatrix Gateway. It is an L4 stateful firewall that filters network CIDRs, protocols, and ports on the packet forwarding path.
The stateful firewall allows each individual rule to be defined as Allow, Deny and Force Drop, in addition to a base rule.
Aviatrix recommends that you not use the Stateful Firewall feature in HA pairs because the gateways do not synchronize the firewall state.
Gateway inline L4 Stateful Firewall
Whenever traffic passes through the Aviatrix gateway, you can apply IP address-based stateful firewall policies. This reduces the need to configure security groups on each instance in the VPC/VNet for traffic between VPCs/VNets. There is no limit on how many rules you can apply on an Aviatrix gateway. The Aviatrix solution addresses these problems:
- Security Rule Limits: A cloud instance's security group has a limit of 50 rules. How do I get around that?
- Enforce Security Policies: Developers don't always follow best practice when it comes to security; enforcing policies at the gateway takes that worry away.
- Regulation: We cannot use AWS VPC Peering because it does not allow us to apply policies. We need an infrastructure presence that not only provides security but also enforces policies.
To learn how to set up the L4 firewall, see Deploying the Aviatrix Stateful Firewall.
Tag Based Security Policy
Aviatrix Gateway security policies are implemented at each gateway. Key features are:
- It is an L4 stateful firewall that filters on CIDR, protocol and port.
- Each policy is associated with an Allow or Deny action.
- A Base policy of "Allow" or "Deny" for the gateway can be used as a catch-all rule.
- All security policy events as well as packets can be logged to Splunk, SumoLogic, Syslog, ELK, and Datadog.
With Tag Management, you can associate an IP address or a subnet with a name tag and use it as a shorthand to specify the source and destination for your security rules.
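The following is an added toy model, not Aviatrix code, of the behaviour described above: rules matching on CIDR or tag, protocol and port with Allow, Deny or Force Drop actions, a base policy as catch-all, and a per-gateway connection table that makes the filter stateful. It assumes first-match evaluation, that Force Drop discards packets regardless of connection state, and the constructed tag table and addresses shown; the per-instance connection table also illustrates why an HA pair without state synchronization drops the return leg of a flow admitted by its peer.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed tag table: a name tag stands in for one or more CIDRs (Tag Management).
TAGS = {"web-tier": ["10.1.0.0/24"], "db-tier": ["10.2.0.0/24", "10.2.1.0/24"]}

@dataclass
class Rule:
    src: str             # CIDR or tag name
    dst: str             # CIDR or tag name
    proto: str           # "tcp", "udp", "icmp" or "all"
    port: Optional[int]  # destination port; None matches any port
    action: str          # "allow", "deny" or "force_drop"

def resolve(ref):
    """Expand a tag name to its networks, or parse a literal CIDR."""
    return [ipaddress.ip_network(c) for c in TAGS.get(ref, [ref])]

def matches(rule, src_ip, dst_ip, proto, port):
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return (any(src in n for n in resolve(rule.src))
            and any(dst in n for n in resolve(rule.dst))
            and rule.proto in ("all", proto)
            and rule.port in (None, port))

class StatefulFirewall:
    """Toy model of one gateway: first matching rule wins, base policy is the catch-all."""
    def __init__(self, rules, base_policy="deny"):
        self.rules, self.base_policy = rules, base_policy
        self.flows = set()  # connection table, local to this gateway instance (assumption)

    def decision(self, src_ip, dst_ip, proto, port):
        for r in self.rules:
            if matches(r, src_ip, dst_ip, proto, port):
                return r.action
        return self.base_policy

    def forward(self, src_ip, dst_ip, proto, port, reply=False):
        """True if the packet is forwarded. For reply=True the packet is the return leg:
        src_ip is the server, dst_ip the client and port the server-side port."""
        key = (dst_ip, src_ip, proto, port) if reply else (src_ip, dst_ip, proto, port)
        verdict = self.decision(*key)
        if verdict == "force_drop":  # assumption: Force Drop ignores connection state
            return False
        if key in self.flows:        # stateful: return traffic of an allowed flow passes
            return True
        if reply or verdict != "allow":
            return False             # deny, base policy, or reply with no known flow
        self.flows.add(key)
        return True
```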
See Deploying the Aviatrix Stateful Firewall for more information.