Skip to content

The two ways to run (CCX vs GPI)

Enforza ships the same firewall engine with two ways to author and ship policy. The choice is your team’s workflow, not a difference in capability or billing — both are equal first-class modes.

The GUI-driven console, for network-operations teams.

You compose policies in the console — no YAML editing — across the three traffic sections, with drag-to-reorder rules and reusable objects. Publishing runs the policy through a schema gate and (optionally) your bound compliance guardrail packs, then you bind the published version to one or more firewalls. Live logs, fleet view, and log exporters are all driven from the console.

Start here:

Policy-as-code / GitOps, for platform-engineering teams.

Your policy is a single YAML file in your GitHub repository. Changes flow through your pipeline — review, checks, merge — and the control plane ships the merged policy to the bound engines. The same compliance guardrails run as a pipeline check. This is the mode for teams that want firewall policy to live in version control alongside the rest of their infrastructure.

Start here:

Both modes drive the same single-pass packet classification and verdict engine, the same three traffic sections, the same first-match evaluation, and the same flat per-firewall licence. A tenant can run both — some firewalls bound to console-authored policy, others to pipeline-authored policy — at the same time.

See how it works for the engine architecture both modes share.

Enforza is a trading name of Synvu Limited, a company registered (15761962) in the United Kingdom. Registered office address: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.