About Transit FireNet Settings

This document describes the settings you can configure for an Aviatrix Transit FireNet Gateway after it is created.

  1. On the Security > FireNet > FireNet Gateways tab, click on a Transit FireNet.

  2. Click the Settings tab.

  3. Configure the following for the selected Transit FireNet.

Firewall Management Access

Advertise the Transit FireNet VPC/VNet CIDRs to on-prem. For example, if a firewall management console such as Palo Alto Networks Panorama is deployed on-prem, enabling this option lets Panorama reach the firewalls at their private IP addresses.

Static CIDR Egress

If Egress is enabled for the Transit FireNet (this also applies to an Egress Transit FireNet and to AWS TGW FireNet), this setting sends traffic from Spoke gateways destined for the listed subnets through the firewall attached to the selected Transit FireNet before it reaches the Internet. You can add up to 20 subnets.

Enable this setting only if you also have a Site2Cloud external connection that advertises this CIDR over BGP or as a static route.

Exclude from East-West Inspection

Not applicable for Egress Transit FireNet.

Transit FireNet inspects all East-West (VPC/VNet to VPC/VNet) traffic by default, but you may have instances that you do not want inspected. Traffic in the CIDRs listed here bypasses the firewalls and is therefore not subject to firewall policies. You can add a maximum of 200 CIDRs. Because the firewalls never see excluded traffic, keep this list minimal and review it periodically.

The exclusion applies to East-West inspection only; it does not exempt these CIDRs from egress inspection.

Firewall Forwarding

Select a 5-Tuple or 2-Tuple hashing algorithm:

  • 2-Tuple hashes Source IP and Destination IP.

  • 5-Tuple hashes Source and Destination IP, Source and Destination Port, and Protocol Type.

By default, Transit FireNet and AWS TGW FireNet use the 5-Tuple algorithm to load-balance traffic across the attached firewalls. Because the 5-Tuple hash includes the ports, separate sessions between the same pair of hosts can be forwarded to different firewalls. Select 2-Tuple if all traffic between a given source and destination IP pair must reach the same firewall, for example when the firewall correlates multiple sessions between the same hosts; the trade-off is a less even distribution when a few host pairs carry most of the traffic.
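The following added example models the two decisions described above, the East-West exclusion check and the 2-Tuple versus 5-Tuple firewall selection, so you can see why the choice of hash key matters. It is not Aviatrix code: the firewall pool, the excluded CIDR, the sample flows and the SHA-256-then-modulo hash are constructed for illustration, Aviatrix does not publish its hashing implementation, and the assumption that a flow is excluded when either endpoint falls in a listed CIDR is the author's reading of the setting, not something the page states.

```python
"""Illustrative model of how a Transit FireNet decides whether a flow is
inspected and, if so, which firewall receives it.

Added example, not Aviatrix code. The firewall pool, the excluded CIDR,
the sample flows and the SHA-256-then-modulo hash are all constructed
here; Aviatrix does not publish its hashing implementation, so treat the
mechanics as an assumption that captures what "2-Tuple" and "5-Tuple"
keys imply, not as the product's behaviour.
"""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    sport: int  # source port
    dport: int  # destination port
    proto: str  # "tcp", "udp", ...

    def reverse(self) -> "Flow":
        """The return direction of the same conversation."""
        return Flow(self.dst, self.src, self.dport, self.sport, self.proto)


# Constructed firewall pool attached to the Transit FireNet.
FIREWALLS = ("fw-1", "fw-2", "fw-3")

# Constructed "Exclude from East-West Inspection" list.
EXCLUDED = tuple(ipaddress.ip_network(c) for c in ("10.10.5.0/24",))


def is_excluded(flow: Flow) -> bool:
    """Assumption: a flow bypasses the firewalls if either endpoint lies in
    an excluded CIDR (the page only says listed CIDRs are not subject to
    firewall policy)."""
    ends = (ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst))
    return any(ip in net for net in EXCLUDED for ip in ends)


def _digest(*fields) -> int:
    """Deterministic 64-bit value derived from the hash key fields."""
    key = "|".join(map(str, fields)).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


def select_firewall(flow: Flow, mode: str = "5-tuple", pool=FIREWALLS) -> str:
    """Pick a firewall by hashing the 2-tuple or the 5-tuple.

    Endpoints are sorted before hashing so that both directions of a
    conversation hash to the same member; a stateful firewall cannot
    inspect a flow whose return traffic lands on a different firewall.
    """
    if mode == "2-tuple":
        a, b = sorted((flow.src, flow.dst))
        h = _digest(a, b)
    elif mode == "5-tuple":
        (a, ap), (b, bp) = sorted([(flow.src, flow.sport), (flow.dst, flow.dport)])
        h = _digest(a, ap, b, bp, flow.proto)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return pool[h % len(pool)]


def route(flow: Flow, mode: str = "5-tuple") -> str:
    """Return 'bypass' for excluded East-West traffic, else the firewall name."""
    if is_excluded(flow):
        return "bypass"
    return select_firewall(flow, mode)


def firewalls_used(flows, mode: str) -> set:
    """Distinct firewalls that a set of flows would be spread across."""
    return {select_firewall(f, mode) for f in flows}


# Constructed sample: 50 TCP sessions from one web server to one database,
# differing only in source port.
SAME_HOSTS = [Flow("10.1.0.10", "10.2.0.20", 40000 + i, 5432, "tcp") for i in range(50)]

if __name__ == "__main__":
    for mode in ("2-tuple", "5-tuple"):
        print(mode, sorted(firewalls_used(SAME_HOSTS, mode)))
    # Source in the excluded CIDR: never reaches a firewall.
    print(route(Flow("10.10.5.7", "10.2.0.20", 41234, 443, "tcp")))
```

Run as written, the 2-Tuple mode pins all fifty sessions to a single firewall while 5-Tuple spreads them across the pool; the sorted-endpoint trick is what keeps each session's return traffic on the firewall that saw its first packet.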

TGW Segmentation for Egress (AWS TGW FireNet only)

Enable this feature to block traffic between network domains that are connected to an Egress Firewall Domain but have no connection policy defined between them.