Segmenting workload with third-party firewalls
ColorTokens’ Zero Trust Security platform can dynamically push policy updates to workloads managed by Xshield agents. However, some systems in an organization, such as hardened operating systems and mainframes, do not allow agent installation. Customers cannot achieve dynamic or granular segmentation for these systems because the required policies are extremely difficult to maintain manually.
Xshield now enables customers to automate dynamic policy updates in such environments by integrating with third-party firewalls, eliminating the need for manual policy updates for every new workload. Users can push policy updates by onboarding the firewall and configuring the relevant policies from Xshield.
Implementing Firewall Integration
- Onboard the Firewall: Users onboard one or more firewalls, or a firewall management solution, by providing the following details under Settings >> Configure >> Firewall Integration >> External Firewall Setup:
  - FQDN or IP address of the Firewall Management Console
  - API Key
  - Serial ID
- Create a Segment: Users create a new segment/group type called Managed Networks and associate a firewall with it for policy enforcement. Once created, these groups can be filtered under Network Groups and are also shown in the Visualizer.
- Create Segmentation Policies: Users create policies for the managed network group. Policies can be created between the managed network group and the following group types:
  - Workload Group
  - Network Group
  - Domain Group
- Policy Enforcement: Policies can be enforced in the following modes:
  - Observe: Users can monitor the defined policies but cannot push them to the firewall.
  - Observe (Block): Users can push Deny policy rules to the firewall to block unwanted traffic. This mode cannot be combined with Enforce mode.
  - Enforce: Users can push policy rules to the firewall, and the policies are updated dynamically. The ColorTokens platform does not add a default deny rule, to avoid business disruption caused by interference with the firewall's other policy rules; traffic that no pushed rule matches continues to be handled by the firewall's existing rules.
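The three enforcement modes, the Observe (Block)/Enforce exclusion, and the no-default-deny behaviour described above, modelled as an added standalone Python example (this is not Xshield's own code or API; the group names, ports and allow/deny policies are constructed for illustration):

```python
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):
    OBSERVE = "Observe"
    OBSERVE_BLOCK = "Observe (Block)"
    ENFORCE = "Enforce"

@dataclass(frozen=True)
class Policy:
    """A segmentation policy between a Managed Network group and a peer group."""
    src: str
    dst: str
    port: int
    action: str  # "allow" or "deny"

def validate_modes(modes):
    """Observe (Block) and Enforce cannot be combined; any other mix is accepted."""
    if Mode.OBSERVE_BLOCK in modes and Mode.ENFORCE in modes:
        raise ValueError("Observe (Block) cannot be combined with Enforce")
    return True

def rules_to_push(policies, mode):
    """Rules sent to the firewall for a mode: none in Observe, only Deny rules in
    Observe (Block), every rule in Enforce. No default-deny rule is ever appended."""
    if mode is Mode.OBSERVE:
        return []
    if mode is Mode.OBSERVE_BLOCK:
        return [p for p in policies if p.action == "deny"]
    return list(policies)

def evaluate(rules, src, dst, port, existing_default="allow"):
    """First-match lookup over the pushed rules. Traffic no pushed rule matches falls
    through to the firewall's pre-existing rule base, modelled here as existing_default."""
    for r in rules:
        if (r.src, r.dst, r.port) == (src, dst, port):
            return r.action
    return existing_default

# Constructed sample: "mainframe-net" stands for a hypothetical Managed Network group.
POLICIES = [
    Policy("payments-workloads", "mainframe-net", 1433, "allow"),
    Policy("corp-users", "mainframe-net", 22, "deny"),
]

if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, [(p.src, p.dst, p.port, p.action) for p in rules_to_push(POLICIES, mode)])
    enforced = rules_to_push(POLICIES, Mode.ENFORCE)
    # Unmatched traffic is not blocked, because no default deny was pushed.
    print(evaluate(enforced, "guest-wifi", "mainframe-net", 23))  # falls through -> "allow"
```

The last line shows why operators must still review the firewall's own rule base: in Enforce mode, only the pushed rules change, and anything they do not match is decided by what the firewall already had.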