Transit FireNet Settings

You can configure the following settings for each FireNet.

Select a FireNet.
Click the Settings tab.
Configure the following for the selected FireNet:

Field	Description
Firewall Management Access	Advertise the Transit FireNet VPC/VNet CIDRS to on-prem. For example, if a firewall management console such as Palo Alto Networks Panorama is deployed on-prem, the Panorama can access the firewalls of their private IP addresses with this option configured.
Static CIDR Egress	Allow egress to a subnet of your IP address space from your on-prem data center to the Internet. Static CIDR egress is supported on Aviatrix Transit and AWS Transit gateways. You can add up to 20 subnets.
Exclude from East-West Inspection (not visible for Egress FireNet)	FireNet inspects all East-West (VPC/Vnet to VPC/VNet) traffic by default, but you may have an instance that you do not want inspected. The CIDRs listed here will not be subject to firewall policies/firewall policy errors CIDRs are excluded from East-West inspections only.
Firewall Forwarding	Select a 5-Tuple or 2-Tuple hashing algorithm. 2-Tuple hashes Source IP and Destination IP 5-Tuple hashes Source and Destination IP, Source and Destination Port, and Protocol Type. By default, FireNet and AWS TGW FireNet use the 5-Tuple algorithm to load balance traffic across different firewalls. However, you can select 2-Tuple to map traffic to the available firewalls.
TGW Segmentation for Egress (AWS TGW FireNet only)	Enable this feature to block traffic between network domains when the network domains do not have a connection policy defined between them and are connected to an Egress Firewall Domain.

Field

Description

Firewall Management Access

Advertise the Transit FireNet VPC/VNet CIDRS to on-prem. For example, if a firewall management console such as Palo Alto Networks Panorama is deployed on-prem, the Panorama can access the firewalls of their private IP addresses with this option configured.

Static CIDR Egress

Allow egress to a subnet of your IP address space from your on-prem data center to the Internet. Static CIDR egress is supported on Aviatrix Transit and AWS Transit gateways. You can add up to 20 subnets.

Exclude from East-West Inspection (not visible for Egress FireNet)

FireNet inspects all East-West (VPC/Vnet to VPC/VNet) traffic by default, but you may have an instance that you do not want inspected. The CIDRs listed here will not be subject to firewall policies/firewall policy errors

CIDRs are excluded from East-West inspections only.

Firewall Forwarding

Select a 5-Tuple or 2-Tuple hashing algorithm.

2-Tuple hashes Source IP and Destination IP

5-Tuple hashes Source and Destination IP, Source and Destination Port, and Protocol Type.

By default, FireNet and AWS TGW FireNet use the 5-Tuple algorithm to load balance traffic across different firewalls. However, you can select 2-Tuple to map traffic to the available firewalls.

TGW Segmentation for Egress (AWS TGW FireNet only)

Enable this feature to block traffic between network domains when the network domains do not have a connection policy defined between them and are connected to an Egress Firewall Domain.