Configure cloud firewall for remote networks (Preview)
Implementation Effort: Medium
User Impact: High
Overview
In a Zero Trust security model, organizations must enforce granular, least-privilege access controls at every network boundary—including branch office egress traffic. Global Secure Access Cloud Firewall provides centralized, cloud-delivered firewall capabilities for branch offices using remote networks, operating at Layer 3/4 (network/transport layer) to complement the Layer 7 secure web gateway (SWG) controls.
Cloud firewall enables enforcement of 5-tuple rules based on source IP, source port, destination IP, destination port, and protocol (TCP/UDP) for all internet-bound traffic from branch locations. This allows organizations to block unauthorized egress traffic to specific IP addresses and ports while maintaining centralized policy management and comprehensive traffic visibility.
Implementation steps:
- Configure remote networks for Internet Access as prerequisite
- Create cloud firewall policy with default Allow action
- Add firewall rules with 5-tuple matching conditions (source IP, source port, destination IP, destination port, protocol)
- Assign priorities to rules (100 or higher, unique within the policy; a lower value is evaluated first)
- Set action for each rule (Allow or Block)
- Link cloud firewall policy to baseline security profile (only one policy per baseline profile)
- Monitor traffic enforcement through Global Secure Access Traffic logs
Important considerations:
- Best practice: Create all firewall rules before linking to baseline profile (especially important when creating block-all rules followed by allow rules)
- Only baseline profile enforcement supported—cloud firewall policies linked to other security profiles have no effect
- Destination FQDNs not currently supported—use destination IP addresses only
- Policy updates may take 15-20 minutes to take effect
- Cloud firewall capability not supported with Global Secure Access clients (remote networks only)
- Rules use logical AND for matching conditions; "Not set" values are ignored
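The following Python evaluator is an added illustration of the rule model described in the implementation steps and considerations above; it is not code from Global Secure Access or Microsoft and does not call any product API. It models a policy with a default Allow action, rules whose priorities must be 100 or higher and unique, first-match evaluation in ascending priority order, logical AND across the conditions that are set, and "Not set" conditions being ignored. The class and function names, the rule names, and the sample addresses (TEST-NET ranges and a 10.20.0.0/16 branch) are all constructed for the example; it also shows why a block-all rule should sit at a higher priority number than the allow exceptions it is meant to carve out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class FirewallRule:
    """One 5-tuple rule. A condition left as None models the portal's 'Not set'."""
    name: str
    priority: int                   # >= 100, unique within the policy; lower value evaluated first
    action: str                     # "Allow" or "Block"
    src_ip: Optional[str] = None    # single address or CIDR, e.g. "10.20.0.0/16"
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None  # "TCP" or "UDP"


@dataclass(frozen=True)
class Flow:
    """An internet-bound connection attempt from a remote network (constructed input)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str


def _ip_matches(pattern: str, addr: str) -> bool:
    # strict=False lets a host address written with a prefix, e.g. "10.20.1.5/16", be read as its network
    return ip_address(addr) in ip_network(pattern, strict=False)


def rule_matches(rule: FirewallRule, flow: Flow) -> bool:
    """Logical AND over the conditions that are set; unset ('Not set') conditions are ignored."""
    checks = [
        rule.src_ip is None or _ip_matches(rule.src_ip, flow.src_ip),
        rule.src_port is None or rule.src_port == flow.src_port,
        rule.dst_ip is None or _ip_matches(rule.dst_ip, flow.dst_ip),
        rule.dst_port is None or rule.dst_port == flow.dst_port,
        rule.protocol is None or rule.protocol.upper() == flow.protocol.upper(),
    ]
    return all(checks)


class CloudFirewallPolicy:
    """Hypothetical policy object: ordered rules, default Allow, priority constraints from the page."""

    def __init__(self, name: str, default_action: str = "Allow") -> None:
        self.name = name
        self.default_action = default_action
        self._rules: Dict[int, FirewallRule] = {}

    def rejection_reason(self, rule: FirewallRule) -> Optional[str]:
        """Return why a rule cannot be added, or None if it is acceptable."""
        if rule.action not in ("Allow", "Block"):
            return f"{rule.name}: action must be Allow or Block"
        if rule.priority < 100:
            return f"{rule.name}: priority must be 100 or higher"
        if rule.priority in self._rules:
            return f"{rule.name}: priority {rule.priority} is already used in this policy"
        return None

    def add_rule(self, rule: FirewallRule) -> None:
        reason = self.rejection_reason(rule)
        if reason is not None:
            raise ValueError(reason)
        self._rules[rule.priority] = rule

    def evaluate(self, flow: Flow) -> Tuple[str, Optional[str]]:
        """Return (action, matching rule name); the first match in ascending priority order wins."""
        for priority in sorted(self._rules):
            rule = self._rules[priority]
            if rule_matches(rule, flow):
                return rule.action, rule.name
        return self.default_action, None  # no rule matched: policy default applies


def build_branch_policy() -> CloudFirewallPolicy:
    """Constructed example: block all TCP egress except HTTPS to one SaaS range."""
    policy = CloudFirewallPolicy("branch-egress")
    # The allow exception needs a lower priority number than the block-all rule, or it never fires.
    policy.add_rule(FirewallRule("allow-saas-https", priority=100, action="Allow",
                                 dst_ip="203.0.113.0/24", dst_port=443, protocol="TCP"))
    policy.add_rule(FirewallRule("block-all-tcp", priority=200, action="Block",
                                 protocol="TCP"))
    return policy


if __name__ == "__main__":
    policy = build_branch_policy()
    # Constructed sample flows from a branch in 10.20.0.0/16
    for flow in [
        Flow("10.20.1.5", 51000, "203.0.113.10", 443, "TCP"),   # matches rule 100 -> Allow
        Flow("10.20.1.5", 51001, "198.51.100.7", 443, "TCP"),   # only rule 200 matches -> Block
        Flow("10.20.1.5", 51002, "198.51.100.53", 53, "UDP"),   # no rule matches -> default Allow
    ]:
        print(f"{flow.protocol} {flow.dst_ip}:{flow.dst_port} -> {policy.evaluate(flow)}")
```

Running the block prints the decision for each constructed flow. The UDP case is the one worth noticing: because the block-all rule is scoped to TCP, UDP egress falls through to the policy's default Allow, which is the behaviour the "default Allow action" step implies and a reason to review every rule set against the default before linking the policy to the baseline profile.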