Distributed Cloud Firewall and Transit Egress
This feature does not apply to east-west traffic.
Distributed Cloud Firewall (DCF) egress rules are enforced on the FQDN standalone gateway deployed in a centralized FireNet configuration once Egress is enabled on the Transit gateway from the Security > Egress > Transit Egress tab. That FQDN standalone gateway is configured for Egress and associated with the Transit gateway.
Key Benefits of Centralized DCF with Transit Egress
In a centralized FireNet configuration, a single FQDN standalone gateway enforces DCF rules on traffic from both the Transit gateway and every Spoke gateway connected to the centralized Transit FireNet. A single DCF rule that references the centralized Transit FireNet gateway therefore applies to all connected gateways. The main advantage is simplified policy management: one set of SNAT rules covers all connected Spokes, so you do not configure or maintain separate rules per Spoke. This reduces operational complexity while keeping the security posture consistent across your multi-cloud network.
From a security and operational perspective, the centralized model routes all egress traffic through one designated inspection point, which narrows the opportunity for gaps in coverage and supports capabilities such as SNI filtering for encrypted traffic. Fewer enforcement points mean lower infrastructure cost and simpler troubleshooting. As the network grows, adding Spokes does not add proportional management work, because new Spokes inherit the existing policy without reconfiguring the security infrastructure. The model also integrates with ExternalGroups, including Threat Feeds and GeoGroups, so threat-feed and geographic policy updates take effect across all connected Spokes at once.
To implement this solution, enable Transit Egress Capability on your Transit gateway, which turns it into a Transit FireNet gateway, and then enable Egress under the Security > Egress > Transit Egress tab. If you use a customized SNAT configuration, the SNAT defined on the Spoke transit tunnel propagates to the FireNet gateway rules, so address translation stays consistent along the whole traffic path. The result is a single enforcement point covering the entire network with minimal management overhead.
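The policy semantics described above (one rule set on the Transit FireNet gateway inherited by every attached Spoke, ExternalGroup matching for threat feeds, and per-Spoke SNAT propagating into the egress path) can be made concrete with a small simulation. The following Python is an added, constructed model written for this page; it is not Aviatrix code and does not reproduce the Aviatrix data model or API. Every gateway name, CIDR, IP address, domain and feed name in it is made up.

```python
import fnmatch
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class EgressRule:
    """One DCF-style egress rule held on the Transit FireNet gateway (constructed model)."""
    name: str
    action: str                 # "PERMIT" or "DENY"
    destinations: list          # SNI/FQDN glob patterns or "@<ExternalGroup>" references
    priority: int               # lower number is evaluated first


@dataclass
class TransitFireNet:
    """Centralized enforcement point: one rule set shared by every attached Spoke."""
    name: str
    egress_ip: str                                        # default SNAT address
    rules: list = field(default_factory=list)
    external_groups: dict = field(default_factory=dict)   # group name -> set of domains
    spokes: dict = field(default_factory=dict)            # spoke name -> ip_network
    spoke_snat: dict = field(default_factory=dict)        # spoke name -> custom SNAT IP

    def attach_spoke(self, spoke, cidr, snat_ip=None):
        # Attaching a Spoke adds no rules: it inherits the FireNet rule set as-is.
        self.spokes[spoke] = ip_network(cidr)
        if snat_ip:
            # A custom SNAT on the Spoke transit tunnel propagates to the egress path.
            self.spoke_snat[spoke] = snat_ip

    def _spoke_for(self, src_ip):
        addr = ip_address(src_ip)
        for spoke, net in self.spokes.items():
            if addr in net:
                return spoke
        return None

    def _matches(self, rule, sni):
        for dest in rule.destinations:
            if dest.startswith("@"):
                # ExternalGroup reference (e.g. a threat feed): match on membership.
                if sni in self.external_groups.get(dest[1:], set()):
                    return True
            elif fnmatch.fnmatchcase(sni, dest):
                return True
        return False

    def evaluate(self, src_ip, sni):
        """Return (spoke, action, matched_rule, translated_source) for one egress flow."""
        spoke = self._spoke_for(src_ip)
        if spoke is None:
            return (None, "DENY", "unknown-source", None)
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if self._matches(rule, sni):
                snat = self.spoke_snat.get(spoke, self.egress_ip)
                translated = snat if rule.action == "PERMIT" else None
                return (spoke, rule.action, rule.name, translated)
        return (spoke, "DENY", "implicit-deny", None)


def build_demo():
    """Constructed topology: one Transit FireNet, one threat feed, two Spokes."""
    fw = TransitFireNet(name="transit-firenet", egress_ip="203.0.113.10")
    fw.external_groups["ThreatFeed-Demo"] = {"bad.example.net"}   # constructed feed
    fw.rules = [
        EgressRule("block-threat-feed", "DENY", ["@ThreatFeed-Demo"], priority=10),
        EgressRule("allow-updates", "PERMIT", ["*.example.com"], priority=20),
    ]
    fw.attach_spoke("spoke-a", "10.10.0.0/16")
    fw.attach_spoke("spoke-b", "10.20.0.0/16", snat_ip="203.0.113.20")
    return fw


if __name__ == "__main__":
    fw = build_demo()
    flows = [("10.10.1.5", "updates.example.com"),
             ("10.20.1.5", "updates.example.com"),
             ("10.10.1.5", "bad.example.net"),
             ("10.10.1.5", "other.example.org")]
    for src, sni in flows:
        print(src, sni, "->", fw.evaluate(src, sni))
```

The point the model makes is that `attach_spoke` never touches `rules`: a third Spoke attached later is subject to the same threat-feed deny and the same permit list, and only its SNAT address differs if it carries a custom SNAT. A flow that matches no rule falls through to the implicit deny, which is the behaviour to check first when a new Spoke's egress unexpectedly fails.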