Firewall Network (FireNet) FAQs
What is the difference between the firewall network and the Transit FireNet?
The Firewall Network (FireNet) inserts firewalls into an AWS Transit Gateway (TGW) deployment. Transit FireNet inserts firewalls next to the Aviatrix Transit VPC/VNet, which works in all supported clouds.
Who programs the TGW to send traffic to the appropriate FW?
The Aviatrix Controller orchestrates the VPC and TGW routes that send traffic to the Aviatrix Gateways in the Firewall Network VPC. From there, the Aviatrix Gateways load balance traffic across the available firewalls.
Can you have more than one HA pair of FireNet systems sitting with the Transit Gateway for further bandwidth?
Yes. In AWS, for example, Aviatrix supports up to 10 firewall instances per AZ (20 per Transit FireNet VPC).
Do the Transit Gateways and FireNet systems have the ability to handle Malicious IP filtering and IDS/IPS?
Yes. This is handled by the Aviatrix Gateways (Transit, Spoke, and Standalone) as part of the data plane; the feature is called Aviatrix ThreatIQ with ThreatGuard. FireNet can provide an additional layer of defense on top of it.
What capabilities do customers have to manage cross-Availability Zone traffic flowing through an Aviatrix Gateway as part of a FireNet design?
Customers do not need to manage cross-AZ traffic affinity; the Aviatrix Controller takes care of it in the background. When the TGW forwards packets to the FireNet VPC, it applies AZ affinity on a best-effort basis: packets from a source VPC instance in AZ-a are forwarded to the FireNet gateway whose ENI is in AZ-a.
Can third party devices be configured/managed from the Aviatrix controller?
Yes. In the FireNet service we provide integration with Palo Alto, Check Point and Fortinet firewalls. We also provide a service called CloudWAN, which integrates with Cisco devices.
FireNet is a turn-key solution where Aviatrix deploys and integrates the firewalls for the customer. Does the customer have a choice of cloud as to where the firewalls are deployed?
Yes. You can deploy the firewalls next to the Aviatrix Transit Gateways in any supported cloud.
Is state information exchanged between Aviatrix Gateways?
Session stickiness does not rely on exchanging session state; it is handled by 5-tuple and 2-tuple hashing. When a packet from VPC1 arrives at the FireNet gateway via the TGW, the gateway computes a hash over the 5-tuple (source IP, destination IP, source port, destination port, protocol) to decide whether to forward the packet to one of its associated firewall instances or to the HA FireNet gateway.
What is a FireNet VPC?
A FireNet VPC is a VPC that has been configured (via the FireNet option) for NGFW insertion.
How can we remove SNAT with a firewall, especially in an Active/Active deployment?
SNAT is not needed for E-W or N-S flows; it is only needed for Egress/Ingress traffic. If a specific firewall fails, its flows are directed to another firewall.
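As an added illustration, not code from Aviatrix or from this FAQ, the Python sketch below shows the two behaviours described on this page: hashing a flow's 5-tuple (or its 2-tuple when there is no transport header) to pin a session to one firewall instance, and redirecting only the failed firewall's flows to the surviving instances when an instance goes down. The endpoint ordering that makes a session and its reply packets hash to the same firewall, the consistent-hash ring, the firewall names and the sample flows are all assumptions of this example; the FAQ does not describe Aviatrix's internal algorithm.

```python
"""Flow-to-firewall selection by 5-tuple / 2-tuple hashing (illustrative only)."""
import bisect
import hashlib
from typing import Dict, List, Optional, Tuple

# (src_ip, dst_ip, src_port, dst_port, proto); ports are None when absent
Flow = Tuple[str, str, Optional[int], Optional[int], int]

TCP, UDP = 6, 17


def flow_key(flow: Flow) -> str:
    """Build the hash key for a flow.

    TCP/UDP flows hash on the full 5-tuple; anything else (ICMP, fragments
    without a transport header) falls back to a 2-tuple of the two IPs.
    Endpoints are ordered so that a session and its reply packets produce
    the same key, which a stateful firewall needs to see both directions.
    (This ordering is an assumption of the example, not an Aviatrix claim.)
    """
    src_ip, dst_ip, sport, dport, proto = flow
    if proto in (TCP, UDP) and sport is not None and dport is not None:
        a, b = (src_ip, sport), (dst_ip, dport)
        lo, hi = (a, b) if a <= b else (b, a)
        return f"{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}|{proto}"
    lo_ip, hi_ip = sorted((src_ip, dst_ip))
    return f"{lo_ip}|{hi_ip}|{proto}"


def _h(key: str) -> int:
    """Stable 64-bit hash (first 8 bytes of SHA-256)."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


class FirewallRing:
    """Consistent-hash ring over the available firewall instances.

    Removing an instance remaps only the flows that were pinned to it;
    every other flow keeps its firewall, so established sessions survive
    a peer failure (assumed design, matching the failover described above).
    """

    def __init__(self, firewalls: List[str], replicas: int = 128) -> None:
        self.replicas = replicas
        self.ring: Dict[int, str] = {}
        self.points: List[int] = []
        for fw in firewalls:
            self.add(fw)

    def add(self, fw: str) -> None:
        for i in range(self.replicas):
            self.ring[_h(f"{fw}#{i}")] = fw
        self.points = sorted(self.ring)

    def remove(self, fw: str) -> None:
        """Take a failed or drained firewall out of rotation."""
        self.ring = {p: f for p, f in self.ring.items() if f != fw}
        self.points = sorted(self.ring)

    def select(self, flow: Flow) -> Optional[str]:
        if not self.points:
            return None  # no firewall left: caller must drop, never bypass inspection
        idx = bisect.bisect(self.points, _h(flow_key(flow)))
        return self.ring[self.points[idx % len(self.points)]]


# Constructed sample flows (not captured traffic): 200 TCP sessions plus one ICMP flow
SAMPLE_FLOWS: List[Flow] = [
    ("10.1.0.10", "10.2.0.20", 51000 + i, 443, TCP) for i in range(200)
] + [("10.1.0.10", "10.2.0.20", None, None, 1)]


def failover_report(firewalls: List[str], failed: str, flows: List[Flow]):
    """Simulate `failed` going down and return
    (flows that were on it, flows that moved although they were NOT on it,
    final assignment). The second list should always be empty."""
    ring = FirewallRing(firewalls)
    before = {f: ring.select(f) for f in flows}
    ring.remove(failed)
    after = {f: ring.select(f) for f in flows}
    moved = [f for f in flows if before[f] == failed]
    disturbed = [f for f in flows if before[f] != failed and after[f] != before[f]]
    return moved, disturbed, after


if __name__ == "__main__":
    moved, disturbed, after = failover_report(["fw-a", "fw-b", "fw-c"], "fw-b", SAMPLE_FLOWS)
    print(f"{len(moved)} flows re-pinned after fw-b failed, {len(disturbed)} disturbed")
```

The check worth keeping in mind when validating a real deployment is the one `flow_key` encodes: send a session and its reply packets through and confirm both land on the same firewall instance, otherwise a stateful NGFW will drop the return traffic.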
Can Aviatrix help extend east-west traffic across multiple cloud vendors? App servers in AWS, DB in Azure and Web in GCP.
Yes. Deploy Transit FireNet on each side, with whichever NGFW you want to use.
As for the Aviatrix solution, are you using software firewalls or are you just managing the security features in the cloud providers?
We use software firewalls: Palo Alto, Check Point and FortiGate NGFWs, and the Aviatrix Gateway also has a firewall built in. Check out FireNet, our NGFW firewall solution.
Is a Network Domain similar to a zone-based firewall? Does it allow filtering based on applications, or only on L3/L4 parameters?
Network Domains provide VPC-level segmentation. If firewall inspection (including application-level filtering) is required, traffic is steered to the Firewall Network.