Migrate Firewalls to Cisco Isovalent.
Operate at Scale. Stay Compliant.

Fabrix converts firewall rules from VMware NSX, Palo Alto, Check Point, Fortinet, and Cisco into production-ready Isovalent CiliumNetworkPolicy — then gives your team the tools to manage, observe, and audit those policies across every Kubernetes and OpenShift cluster in your environment.

Works With Your Stack

Kubernetes  ·  Red Hat OpenShift  ·  Isovalent Cilium Enterprise  ·  Cilium OSS  ·  VMware NSX  ·  Palo Alto Networks  ·  Check Point  ·  Fortinet  ·  Cisco ASA  ·  Cisco FTD  ·  Cisco Hypershield (future)

Migration

Convert Legacy Firewall Rules to CiliumNetworkPolicy and Hypershield*

Your firewall configs aren't going to rewrite themselves. Upload a configuration export from Palo Alto, Check Point, Fortinet, Cisco ASA, or Juniper SRX — or connect directly to a VMware NSX environment. Fabrix parses every rule, resolves address groups and service objects to their actual values, and presents the full rule set in an interactive console.

Select the rules you need — individually or in bulk — and publish. Fabrix converts them to production-ready CiliumNetworkPolicy YAML and pushes directly to your Kubernetes clusters. A real-time log tracks every conversion as it happens. If something doesn't look right, one-click rollback reverts all published policies instantly.

For NSX environments, a dedicated migration analysis report assesses readiness before you commit — categorizing rules by conversion complexity and flagging anything that needs manual attention.
 

  • Multi-vendor support — Palo Alto, Check Point, Fortinet, Cisco ASA, Juniper SRX, VMware NSX

  • Bulk or selective publish — Convert everything at once or pick specific rules

  • Real-time conversion log — Watch rules transform as they publish

  • One-click rollback — Revert all published policies if needed

  • NSX migration analysis — Readiness assessment with categorized findings before you migrate

* Q3/Q4 2026
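
To make the resolve-then-convert step described above concrete, here is an added example; it is not Fabrix code or Fabrix output. The rule schema, object names and the mapping of a rule's destination to workload labels are assumptions made for illustration, and the sample objects are constructed.

```python
import ipaddress

# Constructed sample objects standing in for a parsed firewall export.
ADDRESS_GROUPS = {
    "corp-clients": ["10.20.0.0/16", "office-vpn"],  # groups may nest
    "office-vpn": ["192.0.2.10"],
}
SERVICE_OBJECTS = {"svc-postgres": [("TCP", 5432)]}
RULE = {"name": "allow-clients-to-db", "action": "allow", "source": "corp-clients",
        "services": ["svc-postgres"], "dest_labels": {"app": "orders-db"}}

def resolve_addresses(name, groups, path=()):
    """Flatten a possibly nested address group into sorted CIDR strings."""
    if name in path:
        raise ValueError(f"address group cycle at {name!r}")
    cidrs = set()
    for member in groups[name]:
        if member in groups:
            cidrs.update(resolve_addresses(member, groups, path + (name,)))
        else:
            # strict=True rejects entries with host bits set, e.g. 10.20.0.1/16
            cidrs.add(str(ipaddress.ip_network(member, strict=True)))
    return sorted(cidrs)

def rule_to_cnp(rule, groups, services, namespace):
    """Build a CiliumNetworkPolicy dict for one allow rule (hypothetical rule schema)."""
    if rule["action"] != "allow":
        raise ValueError("deny rules need separate handling, not silent conversion")
    if rule["source"] == "any":
        raise ValueError("source 'any' needs manual review before becoming 0.0.0.0/0")
    ports = [{"port": str(port), "protocol": proto}
             for svc in rule["services"] for proto, port in services[svc]]
    return {
        "apiVersion": "cilium.io/v2",
        "kind": "CiliumNetworkPolicy",
        "metadata": {"name": rule["name"], "namespace": namespace},
        "spec": {
            "endpointSelector": {"matchLabels": rule["dest_labels"]},
            "ingress": [{
                "fromCIDR": resolve_addresses(rule["source"], groups),
                "toPorts": [{"ports": ports}],
            }],
        },
    }

if __name__ == "__main__":
    import json
    print(json.dumps(rule_to_cnp(RULE, ADDRESS_GROUPS, SERVICE_OBJECTS, "prod"), indent=2))
```

Rules that would widen access during translation (a source of "any", a deny action, a cyclic or malformed group) are rejected here rather than converted, so they surface for manual review.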


Policy Design

Design Network Policies Visually. Export as CNP.

Stop writing YAML by hand. Fabrix's policy canvas lets you design CiliumNetworkPolicy visually — drag workload tiers onto a canvas, draw connections between them, and configure protocols, ports, and L7 rules for each connection. The policy YAML is generated automatically.
 

Each tier represents a Kubernetes workload identity, configured with label selectors that match your actual cluster topology. Connections between tiers become the ingress and egress rules in your CiliumNetworkPolicy, labeled directly on the canvas with protocol and port information so the intent is obvious at a glance.
 

Build reusable App Objects — pre-configured tiers like "PostgreSQL" or "Redis" with their standard ports already defined — and share them across your team. When the design is ready, export the generated YAML or publish directly to a connected cluster.

  • Drag-and-drop tier nodes — Each tier maps to a Kubernetes workload identity with label selectors

  • Visual connections — Draw edges between tiers to define L3/L4/L7 allow rules

  • Auto-layout — Automatically organizes the canvas left-to-right by traffic flow

  • Reusable App Object library — Save and share common workload patterns across your team

  • Group containers — Visually group tiers into trust zones or application boundaries

  • Export or publish — Download CNP YAML, push directly to your cluster or Git repo


Operations

Automate Day 2 Policy Operations Across Clusters

Migration is day one. Fabrix handles every day after that.

Virtual Routers define automated synchronization jobs between your security platforms. Configure a Policy Router from NSX to a set of Kubernetes clusters, and Fabrix continuously translates NSX security group memberships into CiliumCIDRGroup resources — keeping external IP allowlists in sync without manual intervention. Schedule syncs on an interval, on specific days, or trigger them on demand.
 

The Operations console gives your team direct access to every CiliumNetworkPolicy and CiliumCIDRGroup on your clusters. Browse, inspect, edit, and manage policy objects without switching to a terminal. Every sync run is logged with timestamps, record counts, and status — giving you a complete operational history.
 

  • Virtual Routers — Automated policy sync jobs between platforms with visual flow diagrams

  • CiliumCIDRGroup lifecycle management — Create, edit, and delete CIDR groups for workload migrations

  • Live CNP management — Browse and edit CiliumNetworkPolicies and CRD objects directly

  • Flexible scheduling — Interval-based, day-of-week, or on-demand sync

  • Full execution history — Every sync run logged with status, timestamps, and record counts


Observability

Live Hubble Flow Capture — Right From the UI

When a connection gets denied and nobody knows why, your team needs answers in seconds — not after a 20-minute kubectl session.
 

Fabrix connects directly to Hubble Relay via gRPC and streams network flows in real time. Drill into any pod from the workloads list and start recording. The flow table populates live — every TCP and UDP connection, color-coded by verdict. Forwarded traffic appears in green. Dropped flows appear in red immediately, showing you exactly which connection was blocked, by which policy, and between which pods.
 

The Endpoint Inspector visualizes five layers beneath each pod — from Kubernetes metadata through the network plane, the realized eBPF policy map, the declared Cilium policies, and the live flow observation layer. Click any layer to inspect it.

The built-in CNP Console provides DevTools-style access to your cluster's policy state — click a command, see full YAML output with syntax highlighting. No terminal required.
 

  • Live gRPC flow streaming — Connects directly to Hubble Relay, no proxy or CLI needed

  • Verdict color-coding — Forwarded flows in green, dropped flows in red — instantly visible

  • Isometric endpoint inspection — Five-layer visualization of every security layer beneath a pod

  • CNP Console — DevTools-style YAML inspection with syntax highlighting and command history

  • No kubectl skills required — Your security team gets full observability without cluster access


Compliance

Audit-Ready Compliance Reports. One Click.

Your auditor asks: "How do you know your Kubernetes network policies are actually enforced?" Fabrix gives you the answer in a single report.
 

One click generates a structured security posture assessment across seven automated checks — default deny verification, endpoint policy coverage, permissive rule detection, policy validation, eBPF enforcement confirmation, configuration drift detection (not available in Git mode), and change management auditing. Each check contributes a weighted score to an overall posture rating from 0 to 100.

Every finding maps directly to specific controls in SOC 2, ISO 27001, NIST 800-53, PCI-DSS v4.0, and HIPAA. The namespace posture breakdown shows exactly which namespaces have default deny enabled, what percentage of endpoints are covered by policy, and which specific pods are unprotected — by name.
 

Export the full report as Excel or JSON and hand it to your auditor. They'll have everything they need.
 

  • 7 automated security checks — Default deny, endpoint coverage, permissive rules, policy validation, BPF enforcement, drift detection, change management

  • Weighted posture score — 0–100 rating with per-check contribution breakdown

  • Framework mappings — SOC 2, ISO 27001, NIST 800-53, PCI-DSS v4.0, HIPAA

  • Namespace-level posture — Per-namespace default deny status, coverage percentage, and unprotected pod identification

  • Excel & JSON export — Hand auditors a complete, structured report
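
The endpoint-coverage idea behind the namespace posture breakdown can be sketched as follows. This is an added example, not Fabrix's scoring logic; the pod and policy data are constructed, and it assumes only `matchLabels` selectors in namespaced CiliumNetworkPolicy objects (no `matchExpressions`, clusterwide policies or `enableDefaultDeny` overrides).

```python
# Constructed sample data: pod labels and CiliumNetworkPolicy objects as dicts.
PODS = [
    {"namespace": "shop", "name": "web-7d9f", "labels": {"app": "web"}},
    {"namespace": "shop", "name": "db-0", "labels": {"app": "db"}},
    {"namespace": "shop", "name": "debug-shell", "labels": {"run": "debug"}},
    {"namespace": "batch", "name": "etl-1", "labels": {"app": "etl"}},
]
POLICIES = [
    {"metadata": {"namespace": "shop", "name": "web-ingress"},
     "spec": {"endpointSelector": {"matchLabels": {"app": "web"}},
              "ingress": [{"fromEndpoints": [{"matchLabels": {"app": "lb"}}]}]}},
    # Selects db-0 but has no ingress section, so db-0 stays open at ingress.
    {"metadata": {"namespace": "shop", "name": "db-egress-only"},
     "spec": {"endpointSelector": {"matchLabels": {"app": "db"}},
              "egress": [{"toEndpoints": [{"matchLabels": {"app": "web"}}]}]}},
]

def selects(selector, labels):
    """matchLabels semantics: every selector key/value must be on the pod.
    An empty selector selects every pod in the policy's namespace."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def ingress_posture(pods, policies):
    """Per namespace: pod count, ingress coverage percentage, unprotected pod names.
    A pod counts as covered when a policy in its namespace selects it and has an
    ingress section, which is what puts a Cilium endpoint into ingress default deny."""
    report = {}
    for pod in pods:
        entry = report.setdefault(pod["namespace"], {"total": 0, "unprotected": []})
        entry["total"] += 1
        covered = any(
            pol["metadata"]["namespace"] == pod["namespace"]
            and "ingress" in pol["spec"]
            and selects(pol["spec"]["endpointSelector"], pod["labels"])
            for pol in policies
        )
        if not covered:
            entry["unprotected"].append(pod["name"])
    for entry in report.values():
        covered_count = entry["total"] - len(entry["unprotected"])
        entry["coverage_pct"] = round(100 * covered_count / entry["total"])
    return report

if __name__ == "__main__":
    for namespace, entry in ingress_posture(PODS, POLICIES).items():
        print(namespace, entry)
```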

Built for Every Kubernetes Distribution

☸  Kubernetes with Cilium

Works with any Kubernetes cluster running Cilium as the CNI — Amazon EKS, Azure AKS, Google GKE, or bare-metal on-prem. Fabrix connects via standard kubeconfig and communicates directly with the Cilium and Kubernetes APIs. No custom agents, sidecars, or cluster-side installation required.

⬢  Red Hat OpenShift

Full support for OpenShift's integrated networking stack with Cilium. Designed for air-gapped OpenShift deployments in regulated environments — no external dependencies, no call-home, fully self-contained.

🌱  Isovalent Cilium Enterprise

Native support for Isovalent's enterprise Cilium distribution including Hubble Enterprise for deep flow observability, Tetragon for runtime security events, and advanced policy features. Fabrix leverages the full Isovalent API surface to deliver richer observability and policy management capabilities than Cilium OSS alone.

Enterprise Ready

Built for production environments where security, auditability, and operational control are non-negotiable.

🔒  Role-Based Access Control

Group-based permissions with namespace-scoped datasource access. Control who can view, edit, or publish policies — down to the individual cluster and namespace level.

📈  Multi-Cluster Management

Manage Cilium network policies across dozens of clusters from a single console. Compare policy state between clusters, sync configurations, and maintain consistency at scale.

⏰  Scheduled Synchronization

Automate policy synchronization on configurable schedules — every N minutes, on specific days, or triggered by events. Virtual Routers keep your clusters in sync without manual intervention.

🛡  Multi-Vendor Firewall Support

Ingest and convert configurations from VMware NSX, Palo Alto Networks, Check Point, Fortinet, Cisco ASA, Cisco FTD, Cisco ACI, and Juniper SRX. One platform for every firewall in your environment.

🌐  Air-Gapped Deployment

Fully self-hosted with zero external dependencies. No CDN calls, no telemetry, no third-party API requests. Fabrix runs entirely behind your firewall — purpose-built for classified, regulated, and disconnected environments.

🔄  Git-Backed Policy Tracking

Every policy change is tracked with full commit history. Diff any two versions, trace who changed what and when, and maintain a complete audit trail for change management reviews. Git mode allows publishing CNP YAML to Git. CNP mode allows publishing directly to the cluster.

📋  Audit & Export

Export policies, compliance reports, and operational data as Excel, JSON, or YAML. Give auditors exactly what they need in the format they expect.

Ready to modernize your network security?

See how Fabrix migrates your firewall policies to Cilium, automates Day 2 operations, and keeps you audit-ready — in a live demo tailored to your environment.


Tel: +1 (443) 906-1411

574-E Ritchie Highway, #216
Severna Park, MD. 21146

© 2023 by RestNSX Inc. 
