Distributed Cloud Firewall Supported Capabilities

Ranges

Capability	6.8	6.9	7.0	7.1	7.2
Number of CIDR-Based Groups	500	500	500	500	1,400
Number of Domains per WebGroup				3,000	3,000
Number of CIDRs per Group	3,000	3,000	3,000	3,000	10,000
Total Number of CIDRs			10,000	10,000	300,000
Number of DCF Rules	2,000	2,000	2,000	2,000	5,000

Supported Features

The following are supported on AWS, Azure and GCP unless otherwise noted.

PV = feature is in Preview
GA = feature is Generally Available
If a cell is blank the feature was not supported in that release.

Feature

6.8

6.9

7.0

7.1

7.2

DCF Rules

Layer 4 Rules

GA

Rules with Domain WebGroups

PV

GA

Rules with URL WebGroups

PV

Rules with ThreatGroups and GeoGroups

GA

DCF on Public Subnet Filtering Gateways

PV

DCF on Site2Cloud (L4 only on Transit)

PV

Security Group Orchestration (not supported on GCP)

PV (Azure)

PV (Azure, AWS)

PV (AWS), GA (Azure)

Deep Packet Inspection

Transparent TLS Decryption

PV

Suricata IDS (Egress only)

PV

Advanced Features

Dynamic Signature Update

PV

Import Decryption Certificate

PV

Logging

Layer 4 logging (+Domain)

GA

Layer 7 logging (URL)

PV

IDS/IPS logging

PV

Log export via Syslog

GA

Asset Groups/SmartGroups

SmartGroups (EC2/VPC/Subnet)

GA

Domain WebGroups

PV

GA

URL WebGroups

PV

ThreatGroups

GA

GeoGroups

GA

SmartGroups (S2C)

GA

Additional Capabilities

Overlapping IPs have been supported since Controller Version 7.0. Distributed Cloud Firewall (DCF) understands any defined SNAT/DNAT rules and updates the address for each gateway, enforcing the DCF rules.
DCF auto-prunes all rules and pushes only related rules to specific gateways.
SmartGroups dynamically change the resources inside the groups by tracking EC2 changes (AWS, Azure, GCP).
Log Export to Splunk HTTP Event Collector