Distributed Cloud Firewall Field Reference
This table describes the fields to configure when creating a Distributed Cloud Firewall (DCF) rule.
Field | Description | ||
---|---|---|---|
Name |
Distributed Cloud Firewall rule name. |
||
Source Groups |
The SmartGroup(s) that originate traffic. You must create the SmartGroups before creating a DCF rule.
|
||
Destination Groups |
The Destination Group can be:
|
||
WebGroups |
Select the WebGroups that filter egress traffic. These groups must be created before creating a DCF rule. When you monitor/protect a VPC/VNet, WebGroups are created automatically based on the trusted domains. If you select URL-based WebGroups, you must enable TLS Decryption. |
||
Protocol |
Select TCP, UDP, ICMP, or Any. If you select TCP or UDP you can enter a port number or port range. UDP and ICMP cannot be used with TLS Decryption. ICMP protocol is unavailable if a WebGroup is selected. WebGroups are only supported for TLS traffic. |
||
Ports |
Select the port that corresponds to the selected protocol. |
||
Action |
This determines the action to be taken on the traffic.
|
||
Logging |
If this slider is On, information related to the action (such as five-tuple, source/destination MAC address, etc.) is logged. After the rule is created you can enable or disable logging from the vertical ellipsis menu next to the rule.
|
||
Ensure TLS |
Turn On this slider if you want any traffic that is not TLS to be denied, even if the traffic matches the ports and Source and Destination Groups. Traffic is also denied (dropped) even if it is HTTP traffic that matches the domains or URLs in the WebGroups. |
||
TLS Decryption |
To enable TLS Decryption, the rule action must be Allow and the protocol must be TCP or Any. TLS Decryption decrypts and inspects all traffic sent over a TLS-secured HTTPS connection, and then re-encrypts with a user-side certificate. All inspection and policy enforcement occur within the customer’s cloud environment. You can also apply URL filtering policies before re-encrypting the traffic.
|
||
Place Rule |
Select Above, Below, Top, Bottom, or Priority. |
||
Existing Rule |
If you select Above or Below (Place Rule), you must select the existing rule that is affected by the position of the new rule. |
||
Rule Priority |
If you selected Priority (Place Rule), enter a priority number for the new rule. If an existing rule already has that priority, it is bumped down in the list. Zero (0) is the highest priority number. You can change the rule priority after the rule is created (using the arrow icon next to that rule in the Rule table). |