External Connection (Site2Cloud) and Distributed Cloud Firewall

Distributed Cloud Firewall (DCF) rules can be pushed to Spoke or Transit Gateways as follows:

  • External connection terminating on Spoke (L7 DCF for Active/Passive; L4 DCF for Active/Active)

  • External connection terminating on Transit (L4 only for Active/Passive and Active/Active)

If you roll back your 7.2.4820 gateways to 7.1, any DCF rules that include External Connections will no longer be evaluated or enforced. This is expected behavior, because the DCF with External Connections feature was introduced in 7.2.4820.

External Connections with DCF Prerequisites

If the following conditions are met, you can enforce Distributed Cloud Firewall (DCF) rules on External Connection (Site2Cloud) interfaces:

External Connections (S2C) with DCF Capabilities

External Connections (S2C) Capabilities: Supported / Not Supported

Gateways

  Supported:

  • Spoke Gateway

  • Transit Gateway

  Not Supported:

  • Standalone Gateway

  • PSF Gateway

Connection Type

  Supported:

  • BGP over IPsec

  • BGP over GRE

  • Static Route-Based (Mapped)

  • Static Route-Based (ActiveMesh)

  • Static Route-Based

  Not Supported:

  • BGP over LAN

  • Static Policy-Based

  • Static Policy-Based (Mapped)

  • Static Route-Based (Custom Mapped)

L4/L7 DCF

  Supported:

  • Spoke Gateway

  • Transit Gateway

  Not Supported:

  • No L7 enforcement on Transit Gateway

Cloud Type

  Supported:

  • AWS

  • Azure

  • AWS GovCloud

  • Azure Government

  • GCP

  • OCI

  Not Supported:

  • China CSPs