Creating Distributed Cloud Firewall Rules

After creating your groups, you create Distributed Cloud Firewall (DCF) rules to define the access control to apply on the traffic between those groups.

If your SmartGroups contain Spoke Gateways, ensure that those Spoke Gateways have Egress enabled.


For example, in the workload isolation use case, all traffic (i.e., all ports and protocols) between the ShoppingCart application and the Product Logging app must be blocked (Denied). You decide which policies to enforce and whether to log the actions related to a rule. These rules are enforced (if enabled) on your Spoke Gateways and are evaluated in the order in which they appear in the rule list, so the position of a rule relative to the others determines which one applies to a given flow.

Creating a rule for the workload isolation use case would resemble the following:

  • Source SmartGroup: Shopping Cart application

  • Destination SmartGroup: Product Logging app

  • Action: Deny

  • Protocol: Any

  • Ports: 0-65535 (Any)

  • Logging: Off

  • Enforcement: On
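The same workload isolation rule expressed as infrastructure-as-code, as an added example that is not part of this page: it uses the Aviatrix Terraform provider's `aviatrix_distributed_firewalling_policy_list` resource, and assumes that the two SmartGroup UUIDs are supplied as input variables, that an unset `port_ranges` matches all ports (0-65535 in CoPilot), and that `watch = false` corresponds to Enforcement: On.

```hcl
# Added example, not from the Aviatrix documentation. Attribute names follow
# the Aviatrix Terraform provider's schema; the SmartGroup UUIDs are assumed
# inputs taken from your existing SmartGroup resources.

variable "shopping_cart_smart_group_uuid" {
  description = "UUID of the 'Shopping Cart application' SmartGroup (placeholder)"
  type        = string
}

variable "product_logging_smart_group_uuid" {
  description = "UUID of the 'Product Logging app' SmartGroup (placeholder)"
  type        = string
}

resource "aviatrix_distributed_firewalling_policy_list" "workload_isolation" {
  policies {
    name   = "deny-shoppingcart-to-productlogging"
    action = "DENY"

    # Rules are evaluated in order; priority 0 places this rule first in the list
    # (assumed mapping of the rule-list order shown in CoPilot).
    priority = 0

    # "ANY" covers all protocols. port_ranges is left unset so that every port
    # is matched, which corresponds to "0-65535 (Any)" in CoPilot (assumed).
    protocol = "ANY"

    # Logging: Off
    logging = false

    # Enforcement: On. Watch mode would only observe the rule without enforcing it
    # (assumed mapping of the Enforcement toggle).
    watch = false

    src_smart_groups = [var.shopping_cart_smart_group_uuid]
    dst_smart_groups = [var.product_logging_smart_group_uuid]
  }
}
```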

To create a new Distributed Cloud Firewall rule:

  1. In CoPilot, navigate to Security > Distributed Cloud Firewall.

  2. Click +Rule. The Create Rule dialog displays.

  3. Use the Distributed Cloud Firewall Field Reference to create your rule.