
DiscrimiNAT Firewall

The DiscrimiNAT addresses the inability to specify hostnames/FQDNs in Google Cloud Firewall Rules and AWS Security Groups, giving you scalable egress filtering. It monitors and blocks traffic without decryption, using our Deep Packet Inspection engine, deployed inline as a high-availability NAT instance at the egress of your VPC network.


We've made configuring this firewall as simple as possible. Just specify the allowed destination FQDNs in the applications' own outbound rules and the firewall takes care of the rest. See our 2-minute GCP or AWS video demos for how straightforward this is. Alternatively, get a demo from our engineers.


With the built-in monitoring mode, it's quick & easy to discover which FQDNs your applications need egress connectivity to. This can be done individually per group of VMs, and as new applications are added to your deployment, so the principle of least privilege applies to egress controls as well. Our library of videos and logging-service queries makes it fast & simple to work out the precise allowlist for each egress micro-segment of your network.


From complete multi-zone network configurations that work with a single click and have safe defaults, to DIY instance deployments so you can configure the networking around them, we have all templates ready to go in our CloudFormation library for AWS and as a Deployment Manager template for Google Cloud. You can even use the Infrastructure-as-Code framework of your choice (such as Terraform) without any special inclusions.


A Deep Packet Inspection firewall can help you meet compliance standards by limiting your network's egress routes to allowed destinations only. What's more, the DiscrimiNAT Firewall enforces the use of contemporary encryption standards such as TLS 1.2, TLS 1.3 and SSH v2 with bidirectional in-band checks. Anything older or insecure is denied a connection automatically.
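The two checks described above, reading the destination FQDN from the unencrypted part of the TLS handshake and refusing anything older than TLS 1.2, can be illustrated in code. The following Python is an added example written for this page, not DiscrimiNAT's engine or any of its configuration. It assumes the FQDN is taken from the ClientHello's Server Name Indication (SNI) extension and the offered protocol versions from the supported_versions extension (falling back to the legacy version field for pre-1.3 clients); the allowlist entries (api.example.com, *.storage.example.net) and the ClientHello records it builds are constructed for the example, not captured traffic.

```python
import struct

# Constructed allowlist for the example; "*." matches exactly one leading label.
ALLOWED_FQDNS = {"api.example.com", "*.storage.example.net"}
MIN_TLS_VERSION = 0x0303  # TLS 1.2 on the wire (TLS 1.3 is 0x0304)


def parse_client_hello(record: bytes) -> dict:
    """Pull the SNI hostname and offered TLS versions out of a raw ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 0
    legacy_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                                              # version, client random
    pos += 1 + hello[pos]                                      # session id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]      # cipher suites
    pos += 1 + hello[pos]                                      # compression methods
    sni = None
    versions = [legacy_version]                                # pre-1.3 clients signal only here
    if pos + 2 <= len(hello):
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            ext = hello[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 0x0000:                             # server_name
                p = 2                                          # skip ServerNameList length
                while p + 3 <= len(ext):
                    name_type, name_len = ext[p], struct.unpack("!H", ext[p + 1:p + 3])[0]
                    p += 3
                    if name_type == 0:                         # host_name
                        sni = ext[p:p + name_len].decode("ascii")
                    p += name_len
            elif ext_type == 0x002B:                           # supported_versions (TLS 1.3)
                versions = [struct.unpack("!H", ext[1 + i:3 + i])[0] for i in range(0, ext[0], 2)]
    return {"sni": sni, "versions": versions}


def fqdn_allowed(fqdn: str, allowlist=ALLOWED_FQDNS) -> bool:
    fqdn = fqdn.lower().rstrip(".")
    for pattern in allowlist:
        if pattern.startswith("*."):
            # a wildcard covers exactly one label, as in a certificate SAN
            if fqdn.endswith(pattern[1:]) and fqdn.count(".") == pattern.count("."):
                return True
        elif fqdn == pattern:
            return True
    return False


def decide(record: bytes, allowlist=ALLOWED_FQDNS, min_version=MIN_TLS_VERSION) -> tuple:
    """Return ("ALLOW" | "DENY", reason) for one ClientHello; every failure path denies."""
    try:
        info = parse_client_hello(record)
    except (ValueError, IndexError, struct.error) as exc:
        return "DENY", f"unparseable ClientHello: {exc}"
    if info["sni"] is None:
        return "DENY", "no SNI, destination FQDN unknown"
    if not fqdn_allowed(info["sni"], allowlist):
        return "DENY", f"{info['sni']} not in allowlist"
    offered = [v for v in info["versions"] if 0x0301 <= v <= 0x0304]  # drop GREASE/unknown
    best = max(offered) if offered else None
    if best is None or best < min_version:
        return "DENY", f"{info['sni']} highest offered version {best!r} below minimum"
    return "ALLOW", f"{info['sni']} offers TLS {hex(best)}"


def build_client_hello(sni: str, versions=(), legacy_version=0x0303) -> bytes:
    """Construct a minimal ClientHello record for the example (not captured traffic)."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_body = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    if versions:
        sv_body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
        exts += struct.pack("!HH", 0x002B, len(sv_body)) + sv_body
    hello = (struct.pack("!H", legacy_version) + bytes(32)   # version, zeroed random
             + b"\x00"                                       # empty session id
             + b"\x00\x02\x13\x01"                           # one cipher suite
             + b"\x01\x00"                                   # null compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    samples = {
        "modern client, allowed API": build_client_hello("api.example.com", [0x0304, 0x0303]),
        "wildcard bucket":            build_client_hello("bucket.storage.example.net", [0x0303]),
        "too-deep wildcard":          build_client_hello("a.bucket.storage.example.net", [0x0303]),
        "legacy TLS 1.0 client":      build_client_hello("api.example.com", legacy_version=0x0301),
        "unlisted host":              build_client_hello("updates.example.org", [0x0304]),
    }
    for label, rec in samples.items():
        print(f"{label:28} -> {decide(rec)}")
```

This inspects only the client's side of the handshake. The bidirectional in-band checks the page mentions would also examine the ServerHello (the version actually negotiated) and the certificate chain, which this example omits; a client using Encrypted Client Hello carries no readable SNI, and the default-deny branch refuses it rather than guessing.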


The DiscrimiNAT also conducts out-of-band checks, such as DNS, for robust defence against sophisticated malware and insider threats. It gets your VPC ready for a proper pentest.


The firewall logs every allowed and disallowed connection straight into AWS CloudWatch or Google Cloud Stackdriver with rich metadata for analysis. Again, no configuration or setup is required: just pick one of our CloudFormation templates or the Google Cloud Deployment Manager template and everything is set up out of the box.


A Deep Packet Inspection firewall does not require TLS termination or configuring applications to use an outbound proxy. The result is a significantly faster, end-to-end secure connection to the destination, with no impact on component substitutability and no configuration changes required. What more could microservice deployments ask for?


Have a look at our comprehensive case studies and product reviews at G2. G2 ensures the individuals leaving a review are real customers. All our marketplace listings also syndicate reviews from G2.
