Distributed Cloud Firewall Field Reference

This table describes the fields to configure when creating a Distributed Cloud Firewall (DCF) rule.

Field / Description

Name

Distributed Cloud Firewall rule name.

Source Groups

The SmartGroup(s) that originate traffic. You must create the SmartGroups before creating a DCF rule.

You must include at least one SmartGroup.

Destination Groups

The Destination Group can be:

  • Public Internet (SmartGroup)

  • DNS Hostname SmartGroup

  • ExternalGroup

  • Threat Feed

  • Country

WebGroups

Select the WebGroups that filter egress traffic. These groups must be created before creating a DCF rule. When you monitor/protect a VPC/VNet, WebGroups are created automatically based on the trusted domains.

If you select URL-based WebGroups, you must enable TLS Decryption.

Protocol

Select TCP, UDP, ICMP, or Any. If you select TCP or UDP you can enter a port number or port range.

UDP and ICMP cannot be used with TLS Decryption.

ICMP protocol is unavailable if a WebGroup is selected. WebGroups are only supported for TLS traffic.

Ports

Select the port that corresponds to the selected protocol.

Action

This determines the action to be taken on the traffic.

  • Permit: Rule is enforced (pushed to gateways); logging is optional

  • Deny: Rule is enforced (pushed to gateways); logging is optional

  • Watch: Rule is not enforced and logging is automatically enabled

Logging

If this slider is On, information related to the action (such as five-tuple, source/destination MAC address, etc.) is logged.

After the rule is created you can enable or disable logging from the vertical ellipsis menu next to the rule.

Aviatrix recommends not logging Permit rules.

Ensure TLS

Turn this slider On if you want any traffic that is not TLS to be denied, even when it matches the ports and the Source and Destination Groups. Such traffic is dropped even if it is HTTP traffic to the domains or URLs in the selected WebGroups.

TLS Decryption

To enable TLS Decryption, the rule action must be Allow and the protocol must be TCP or Any.

TLS Decryption decrypts and inspects all traffic sent over a TLS-secured HTTPS connection, and then re-encrypts with a user-side certificate.

All inspection and policy enforcement occur within the customer’s cloud environment.

You can also apply URL filtering policies before re-encrypting the traffic.

When TLS Decryption is enabled for the proxy, the Decryption CA certificate must be trusted by the virtual machines in the Source SmartGroup; otherwise those clients will reject the re-encrypted connection.

Place Rule

Select Above, Below, Top, Bottom, or Priority.

Existing Rule

If you select Above or Below (Place Rule), you must select the existing rule that is affected by the position of the new rule.

Rule Priority

If you selected Priority (Place Rule), enter a priority number for the new rule. If an existing rule already has that priority, it is bumped down in the list. Zero (0) is the highest priority number.

You can change the rule priority after the rule is created (using the arrow icon next to that rule in the Rule table).
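The constraints above (protocol and port rules, the WebGroup and TLS Decryption dependencies, the logging behaviour of Watch rules) and the placement options (Top, Bottom, Above, Below, Priority with bump-down) can be checked before a rule is submitted. The following Python is an added example, not Aviatrix code or its API: the `DcfRule` class, `validate_rule` and `place_rule` are constructed here, and rule priority is modelled as the rule's position in an ordered list (0 is highest), which is an assumption about how the priority numbers behave.

```python
from dataclasses import dataclass, field

VALID_PROTOCOLS = ("TCP", "UDP", "ICMP", "Any")
VALID_ACTIONS = ("Permit", "Deny", "Watch")


@dataclass
class DcfRule:
    """One DCF rule as the form fields describe it (constructed model, not the product API)."""
    name: str
    src_groups: list            # Source SmartGroups; at least one is required
    dst_groups: list            # Destination groups (SmartGroup, ExternalGroup, Threat Feed, Country)
    protocol: str = "Any"       # TCP, UDP, ICMP or Any
    ports: str = ""             # "443" or "8000-8080"; only allowed for TCP/UDP
    action: str = "Permit"      # Permit, Deny or Watch (the TLS Decryption row calls Permit "Allow")
    logging: bool = False       # Logging slider
    web_groups: list = field(default_factory=list)
    url_based_web_groups: bool = False
    ensure_tls: bool = False
    tls_decryption: bool = False


def parse_ports(spec):
    """Return (low, high) for a port or port-range string, or None if it is malformed."""
    parts = spec.split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return None
    low, high = int(parts[0]), int(parts[-1])
    return (low, high) if 1 <= low <= high <= 65535 else None


def validate_rule(rule):
    """List every documented constraint the rule violates; an empty list means valid."""
    problems = []
    if not rule.src_groups:
        problems.append("at least one Source SmartGroup is required")
    if rule.protocol not in VALID_PROTOCOLS:
        problems.append("protocol must be TCP, UDP, ICMP or Any")
    if rule.action not in VALID_ACTIONS:
        problems.append("action must be Permit, Deny or Watch")
    if rule.ports:
        if rule.protocol not in ("TCP", "UDP"):
            problems.append("ports can only be set for TCP or UDP")
        elif parse_ports(rule.ports) is None:
            problems.append("ports must be a port or low-high range within 1-65535")
    if rule.web_groups and rule.protocol == "ICMP":
        problems.append("ICMP is unavailable when a WebGroup is selected")
    if rule.url_based_web_groups and not rule.tls_decryption:
        problems.append("URL-based WebGroups require TLS Decryption")
    if rule.tls_decryption:
        if rule.action != "Permit":
            problems.append("TLS Decryption requires the Permit (Allow) action")
        if rule.protocol not in ("TCP", "Any"):
            problems.append("TLS Decryption cannot be used with UDP or ICMP")
    return problems


def effective_logging(rule):
    """Watch rules always log; Permit and Deny log only when the slider is On."""
    return rule.action == "Watch" or rule.logging


def is_enforced(rule):
    """Only Permit and Deny are pushed to the gateways; Watch is observe-only."""
    return rule.action in ("Permit", "Deny")


def place_rule(table, rule, placement, existing=None, priority=None):
    """Insert rule into an ordered table and return the new table (index 0 = highest priority)."""
    table = list(table)
    names = [r.name for r in table]
    if placement == "Top":
        idx = 0
    elif placement == "Bottom":
        idx = len(table)
    elif placement in ("Above", "Below"):
        if existing not in names:
            raise ValueError(f"existing rule {existing!r} not found")
        idx = names.index(existing) + (1 if placement == "Below" else 0)
    elif placement == "Priority":
        if priority is None or priority < 0:
            raise ValueError("Priority placement needs a priority number >= 0")
        idx = min(priority, len(table))  # any rule already in that slot is bumped down
    else:
        raise ValueError(f"unknown placement {placement!r}")
    table.insert(idx, rule)
    return table


def priorities(table):
    """Map rule name -> priority number (0 is the highest)."""
    return {r.name: i for i, r in enumerate(table)}


if __name__ == "__main__":
    # Constructed sample table: the group and feed names are placeholders
    deny_feed = DcfRule("block-threat-feed", ["app-vms"], ["threat-feed"], action="Deny", logging=True)
    permit_web = DcfRule("egress-https", ["app-vms"], ["public-internet"], protocol="TCP",
                         ports="443", web_groups=["trusted-domains"], ensure_tls=True)
    watch_all = DcfRule("watch-everything", ["app-vms"], ["public-internet"], action="Watch")
    table = place_rule([], watch_all, "Bottom")
    table = place_rule(table, permit_web, "Top")
    table = place_rule(table, deny_feed, "Priority", priority=0)  # bumps egress-https to 1
    for r in table:
        print(priorities(table)[r.name], r.name, validate_rule(r) or "ok",
              "enforced" if is_enforced(r) else "watch-only",
              "logs" if effective_logging(r) else "no-log")
```

Running the script prints the three constructed rules in priority order with their validation result, whether they are enforced, and whether they log; `validate_rule` is the part worth wiring into any automation that creates rules, since it catches the TLS Decryption and WebGroup combinations the form itself would refuse.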