Skip to content

Bind a policy to a firewall

Publishing a policy makes it available, but doesn’t yet apply it to anything. The binding is what wires a specific firewall to a specific policy. Bindings are immutable in mode: a firewall is either CCX-bound (policy authored in this console) or GitOps-bound (policy in your repo, GPI mode). You can flip, but the operator is warned because the old binding’s policy is wiped.

  1. Sidebar → Bindings. You’ll see every firewall in your fleet with its current binding state.
  2. New engines show as Unbound in the policy-source column.

Bindings page Bindings — one row per firewall, current policy and source (CCX vs GPI).

  1. Find your firewall row.
  2. Click Apply policy on that row.
  3. The dialog lists the tenant’s CCX policies. Pick the one you just pushed (fleet-default).
  4. Confirm. The console writes the binding, the engine sees the change on its next config poll (within ~5 seconds).

Change policy dialog Change policy dialog — pick a published policy, confirm, the engine picks it up within seconds.

  1. Go to Firewalls. The row now shows the policy name and a green Synced chip with the SHA of the active policy.
  2. If the engine had any apply failure (parser / compile / kernel reject), you’ll see a red Parse error / Compile error / Apply error chip with the engine’s own error message inline.
  3. SSH into the engine and run nft list ruleset | head -40 if you want bare-metal confirmation — your rules show up in the enforza-fwd table.

Firewall detail page Firewall detail — shows the applied policy name and any apply errors inline.

From a host downstream of the engine (routed through it), try the action you blocked — e.g. nc -vz some-other-host 22. The connection should fail; the engine is now dropping that rule’s matching traffic.

Need to take a firewall out of policy enforcement? Bindings page → Unbind. The engine clears its applied policy on the next config poll and drops to its default action (typically drop-all, fail-closed). You can re-bind without restarting the engine.

  • The engine polls the cloud for its current config every few seconds.
  • When the binding changes, the cloud’s response includes the new policy URL + SHA.
  • The engine downloads the rendered YAML, compiles it through its in-kernel pipeline, and atomically replaces the active ruleset.
  • Apply result (success or error class) is pushed back to the cloud over WebSocket and surfaces on the Firewalls page.
  • 20 versions of every policy are retained — Versions tab on the policy → Roll back to this version if anything regresses.

Enforza is a trading name of Synvu Limited, a company registered (15761962) in the United Kingdom. Registered office address: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.