LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is a multinational / intercontinental network firewall architecture, and why have multiple Internet exits?

A global company has firewall-protected Internet exits in each region (USA, Europe, Asia), with the internal network spanning the globe via private WAN links. Each regional exit handles local Internet traffic — for performance, compliance, and resilience.

The architecture:

              [Internet]
                  ↑
               [FW Europa]
                  │
         ┌────────┼────────┐
[Internet]      [Intranet]      [Internet]
  ↑                │                ↑
[FW USA]           │              [FW Asia]
                                       
                                       

Why decentralized internet exits:

Reason Detail
Performance A user in Asia accessing a US-hosted site shouldn't traverse Europe
Latency Local exit = direct path to local CDN/SaaS = lower RTT
Compliance Some countries require traffic to stay within national borders (China, Russia)
Resilience If the European exit fails, users in Asia still have Internet via Asian exit
Bandwidth cost Backhauling all traffic to one exit is expensive

The Intranet challenge:

The Intranet itself is a private global network — typically MPLS, SD-WAN, or VPN-over-Internet. Devices in USA and Asia can address each other directly. The firewalls don't sit on internal traffic; they sit on each exit to the Internet.

The compliance dimension:

Modern data sovereignty laws complicate this:

Law Implication
GDPR (EU) EU personal data shouldn't leave EU without proper safeguards
DSG (Switzerland) Similar to GDPR
PIPL (China) Chinese data must stay in China
CLOUD Act (US) US-companies' data is reachable by US gov regardless of location

This means a global FW design often must keep certain data in certain regions — not just for performance.

SASE — the modern evolution:

SASE (Secure Access Service Edge) replaces the classic regional-FW design with cloud-delivered firewall services. Every user — wherever they are — connects to the nearest "PoP" (point of presence) which provides FW + proxy + DNS + DLP + ZTNA services. Products: Zscaler, Cato Networks, Palo Alto Prisma Access.

Tip: When designing global FW architecture, the question isn't just "where to put firewalls" but "how to enforce policy consistently across regions." Centralized management (single policy DB, distributed enforcement) is the killer feature in modern global FW products.

Go deeper:

From Quiz: INTROL / Firewall Fundamentals | Updated: Jul 14, 2026