Forwarding Service Object (Egress / East-West)

Forwarding service objects are used in forwarding rules. Traffic that matches a rule using this service type is not proxied; it is forwarded as-is. Because the gateway never terminates the session, there is no deep packet inspection and no Application ID on encrypted traffic.

Note

We strongly recommend using this for East-West traffic.

If the connection type is set to Forwarding, the TCP session passes through the gateway instance and is terminated at the destination, not at the gateway. No decryption is performed in this case. Forwarding is typically used when decryption is not required and matching on L3, L4, and L5 header information (addresses, protocol, ports, and the server name visible in the TLS handshake) is sufficient to allow or deny traffic. Forwarding is also useful for latency-sensitive traffic flows, since the gateway adds no proxy hop.

Although advanced security profiles such as Network Intrusion (IPS/IDS) can be enabled on rules that forward traffic, TLS decryption in conjunction with IPS is highly recommended for maximum protection against malicious activity. Without TLS decryption, the IPS engine can only inspect the unencrypted parts of a flow (packet headers and the TLS handshake); it cannot match signatures against the encrypted payload, so it relies on heuristic matching against its known-signature database, which reduces detection coverage and may result in false positives.
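The two paragraphs above draw the line between what a forwarding rule can see (L3/L4 fields and the server name in the TLS ClientHello) and what it cannot (the encrypted payload). The following added example, which is not part of the original page or of Multicloud Defense itself, makes that boundary concrete: it builds a constructed ClientHello, extracts the SNI from it the way an L5 match would, and evaluates a hypothetical rule against a flow. The `forwarding_rule_matches` function and the rule/flow dictionaries are illustrative assumptions, not the product's data model; the assumption that "L5 header information" here means the TLS SNI is also mine.

```python
import struct

# --- constructed sample: a minimal TLS 1.2-style ClientHello with an SNI extension ---
def build_client_hello(server_name):
    """Construct a ClientHello record (sample input, not captured traffic)."""
    name = server_name.encode("ascii")
    # server_name_list: one entry of name_type 0 (host_name)
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    # an unrelated extension first, so the parser has to skip over it
    other_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
    exts = other_ext + sni_ext
    body = (b"\x03\x03"                      # client_version
            + b"\x11" * 32                   # random (fixed filler)
            + b"\x00"                        # empty session_id
            + struct.pack("!H", 4) + b"\x13\x01\x13\x02"  # two cipher suites
            + b"\x01\x00"                    # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type + 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data):
    """Return the SNI host name from a TLS ClientHello record, or None.

    Only the cleartext handshake is parsed; an application_data record
    (type 0x17) yields None because its contents are encrypted.
    """
    if len(data) < 5 or data[0] != 0x16:            # not a handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                     # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                             # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                             # compression_methods
    if len(body) < pos + 2:                          # no extensions present
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000 and len(edata) >= 5:      # server_name extension
            p = 2                                    # skip server_name_list length
            while p + 3 <= len(edata):
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:
                    return edata[p:p + nlen].decode("ascii", "replace")
                p += nlen
    return None


def forwarding_rule_matches(rule, flow):
    """Hypothetical forwarding-style match: protocol, destination port range,
    and (optionally) the FQDN visible as SNI in the flow's first packet.
    Nothing inside the encrypted payload is consulted."""
    if flow["protocol"] != rule["protocol"]:
        return False
    lo, hi = rule["dst_port"]
    if not lo <= flow["dst_port"] <= hi:
        return False
    if rule.get("fqdn") is None:
        return True
    return extract_sni(flow["first_packet"]) == rule["fqdn"]


if __name__ == "__main__":
    rule = {"protocol": "TCP", "dst_port": (443, 443), "fqdn": "api.example.com"}
    hello = build_client_hello("api.example.com")
    print(extract_sni(hello))                                   # api.example.com
    print(forwarding_rule_matches(rule, {"protocol": "TCP", "dst_port": 443,
                                         "first_packet": hello}))  # True
    # Once the handshake completes, records are encrypted: nothing to match on.
    print(extract_sni(b"\x17\x03\x03\x00\x05hello"))            # None
```

The last call is the point of the note in the text: after the handshake, a forwarding rule has only headers to work with, so any IPS signature that needs the HTTP request or response body cannot fire unless the rule is changed to a decrypting (proxy) service.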

Use the following procedure to create and add a forwarding service object:

Procedure


Step 1

In the Security Cloud Control platform menu, choose Products > Multicloud Defense.

Step 2

Navigate to Policies > Security Policies > Services.

Step 3

Click Create.

Step 4

Click Forwarding.

Step 5

Provide a name and description.

Step 6

Choose whether to enable source NAT (SNAT). Multicloud Defense supports SNAT at the per-service level. For traffic that requires source IP preservation (for example, East-West traffic, where the destination must see the original client address), disable SNAT.

For Egress traffic, SNAT must always be enabled so that return traffic is routed back through the gateway rather than bypassing it.

Step 7

Configure the port parameters as defined below.

Option      Description
Dst Port    Assign a destination port or a range of destination ports, written as start-end.
Protocol    TCP, UDP, or ICMP.

Note

In a forwarding policy, deep packet inspection only occurs on non-encrypted traffic; encrypted payloads are passed through uninspected.