Skip to main content

Configure cloud firewall for remote networks (Preview)

Implementation Effort: Medium

User Impact: High

Overview

In a Zero Trust security model, organizations must enforce granular, least-privilege access controls at every network boundary—including branch office egress traffic. Global Secure Access Cloud Firewall provides centralized, cloud-delivered firewall capabilities for branch offices using remote networks, operating at Layer 3/4 (network/transport layer) to complement the Layer 7 SWG controls.

Cloud firewall enables enforcement of 5-tuple rules based on source IP, source port, destination IP, destination port, and protocol (TCP/UDP) for all internet-bound traffic from branch locations. This allows organizations to block unauthorized egress traffic to specific IP addresses and ports while maintaining centralized policy management and comprehensive traffic visibility.

Implementation steps:

  • Configure remote networks for Internet Access as prerequisite
  • Create cloud firewall policy with default Allow action
  • Add firewall rules with 5-tuple matching conditions (source IP, source port, destination IP, destination port, protocol)
  • Assign priorities to rules (≥100, unique within policy, lower value = higher priority)
  • Set action for each rule (Allow or Block)
  • Link cloud firewall policy to baseline security profile (only one policy per baseline profile)
  • Monitor traffic enforcement through Global Secure Access Traffic logs

Important considerations:

  • Best practice: Create all firewall rules before linking to baseline profile (especially important when creating block-all rules followed by allow rules)
  • Only baseline profile enforcement supported—cloud firewall policies linked to other security profiles have no effect
  • Destination FQDNs not currently supported—use destination IP addresses only
  • Policy updates may take 15-20 minutes to take effect
  • Cloud firewall capability not supported with Global Secure Access clients (remote networks only)
  • Rules use logical AND for matching conditions; "Not set" values are ignored

Reference