About Distributed Cloud Firewall Settings

Security Group Orchestration

This feature is available with Controller 7.1.1710 or greater.

If you are using Controller 7.0, you can click Manage on the Security Group Orchestration panel and enable or disable Security Group Orchestration for selected VPC/VNets. The rest of the functionality below is not available.

When the Security Group Orchestration feature is disabled, this card shows how many VPC/VNets are available to configure.

When the Security Group Orchestration feature is enabled, you can:

  • See how many VPC/VNets have Security Group Orchestration enabled.

  • Pause the Security Group Orchestration process for VPC/VNets that have had Security Group Orchestration enabled before upgrading your Controller. After upgrading, you can resume the Security Group Orchestration process.

    The states are Complete, In Progress, Completing Current Cycle, and Paused.

  • View the Security Group Orchestration configuration in the topology.

  • Click Manage to enable or disable Security Group Orchestration.

The Aviatrix Controller will not remove original ASGs, or apply Aviatrix ASGs, on Azure ScaleSet instances.

Decryption CA Certificate

This feature described below is available with Controller 7.1.1710 or greater. Aviatrix strongly recommends replacing the default Aviatrix CA certificate with your own CA certificate.

If you are using Controller 7.0, you can only download the provided default Aviatrix CA certificate; you cannot replace it with your own CA certificate.

The decryption CA certificate (the Aviatrix certificate, or your own) must be distributed to all of your client machines so that signature checks are successful.

Decryption CA certificates must be private.

The CA certificate is used when you create a policy that has TLS Decryption enabled. You can:

Uploading Your Own Certificate

It is best to upload your own certificate (must be in .pem format), since you likely have this certificate in use throughout your environment. You can remove the default Aviatrix CA certificate first, if desired.

  1. On the Settings tab, on the Decryption CA Certificate card, click the arrow next to Download Certificate and click Upload New Certificate.

  2. In the Upload New Certificate dialog, you can upload, remove or replace a certificate and its corresponding certificate key.

300
  1. Both fields must be populated. Click Upload.

Downloading the Aviatrix Certificate

You can download the currently applied Aviatrix CA certificate and add it to your trust bundle.

To download the CA certificate provided by Aviatrix:

  1. Navigate to Security > Distributed Cloud Firewall > Settings.

  2. On the Decryption Trust CA Certificate card, click Download Certificate.

300
  1. Ensure that the downloaded file is saved to the appropriate location on your computer, and any client machines involved in your Distributed Cloud Firewall (DCF) configuration.

Renewing Your Certificate

You must renew your Aviatrix CA certificate when it is about to expire.

When you click Renew Certificate, the certificate renews automatically.

Uploading, Removing, or Replacing Trust Bundle

A trust bundle is a list of trusted CA certificates. If a gateway terminates the TLS connection and negotiates a new TLS connection to the origin certificate, then the origin certificate must be signed by one of the trusted CA certificates if running in the Strict Enforcement mode.

You can upload a trust bundle that has an expired certificate, but you will see a warning.

To upload, remove, or replace a trust bundle (must be in .pem format):

  1. On the Settings tab, on the Decryption CA Certificate card, click the arrow next to Download Certificate and click Upload Trust Bundle.

  2. In the Upload Trust Bundle dialog, you can remove or replace the trust bundle.

  3. Click Upload.

Editing Enforcement

Use the Enforcement option to determine how Distributed Cloud Firewall handles origin certificates that are not signed by a trusted Certificate Authority.

Aviatrix strongly recommends changing the enforcement level to Strict.

To edit the enforcement level:

  1. On the Settings tab, on the Decryption CA Certificate card, click the arrow next to Download Certificate and click Edit Enforcement.

  2. In the Edit Enforcement dialog, select an Enforcement level:

    • Strict: terminate connection for incorrect signatures

    • Permissive: generate a syslog message if the certificate is not signed by a CA, but continue with the connection

    • Ignore: certificate signatures are not checked

Removing a Certificate

To remove a certificate and replace it with your own:

  1. On the Security > Distributed Cloud Firewall > Settings tab, on the Decryption CA Certificate card, click the arrow next to Download Certificate and click Remove Certificate.

  2. When prompted, click Delete to remove the certificate.

  3. Upload your own (private) certificate.

Verifying the Decryption CA Certificate

  1. Replace the default Decryption CA Certificate with a private decryption CA certificate.

  2. Enable TLS Decryption on the DCF rules to match your traffic.

  3. Import the Decryption CA signer or root CA into your VMs.

  4. Generate traffic for the above rule(s).

  5. To verify that the Decryption CA Certificate chain or root is imported correctly to the VM, navigate to the relevant URL in your web browser.

    If you see 'Untrusted' warnings, you should run through these steps again.

    If the import was successful, you should see the new certificate chain with the Decryption CA as the signer of the website.

    You can also use Postman, Ubuntu, or another, similar tool to test the certificate.

    If you use Ubuntu, you see the following messages, depending on the outcome:

    • Successful CA import: You see messages that TLS handshakes are established.

    • Unsuccessful CA import: You see messages that there is an SSL certificate problem, and that the legitimacy of the server could not be verified.

Compatibility and Enforcement

This table displays the Gateway Type, the number of gateways of each type with IDS and WebGroups enabled, and the number of gateways of each type with enforced DCF rules.

400

If you click Spoke Gateway or Specialty Gateway in this table, you see the full list of gateways that meet this criteria, along with their gateway function (Specialty Gateway only), region, instance size, if IDS/WebGroups are supported, and if rules are being enforced on that gateway.

Enforcement on PSF Gateways

Legacy PSF gateways and PSF gateways using DCF cannot run at the same time.

Legacy Security features enabled on the PSF gateways prior to Controller version 7.2.4820 must be disabled.

The Enforcement on PSF Gateways feature will enforce DCF rules on non-image upgraded (Controller version prior to 7.2.4820) PSF gateways as well as any upgraded PSF gateways. Make sure all of your PSF gateways created prior to Controller version 7.2.4820 are image-upgraded.

Enable or disable the enforcement of DCF rules on Public Subnet Filtering (PSF) gateways.

  • Enabling enforcement: On the Enforcement on PSF Gateways card under Security > Distributed Cloud Firewall > Settings tab, click Enable.

  • Disabling enforcement: On the Enforcement on PSF Gateways card under Security > Distributed Cloud Firewall > Settings tab, click Disable.

Enforcement on External Connections

Enable or disable the enforcement of DCF rules on External Connections (S2C).

  • Enabling enforcement: On the Enforcement on External Connections card under Security > Distributed Cloud Firewall > Settings tab, click Enable.

  • Disabling enforcement: On the Enforcement on External Connections card under Security > Distributed Cloud Firewall > Settings tab, click Disable.

Intrusion Signatures

Shows when the Intrusion Detection Signatures were last updated.