Solved

ISG management

Posted on 2009-07-05
3
230 Views
Last Modified: 2013-11-16
I have around 10 remote site with 10 firewalls to apply management for all f/w which is better from the following:
1- manage from the assigned IP for the trust zone
2- advertising a management x.x.x.x/30 subnets in all routers for managing f/w
0
Comment
Question by:paintco
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 18

Accepted Solution

by:
deimark earned 500 total points
ID: 24781357
Option 1 will mean that all access will need to come from the trust side, ie no remote mgmt, you will need to be either within the LAN or VPNed in.

Option 2 is possible but it a pain to manage, ie if any network changes take place, its a lot of work to manually update all of them.

Have you considered using mgmt software, ie Network and Security Manager (NSM)?  NSM comes into its own when you have around 10 devices to manage and especially if they are all ISGs, the size of your network seems to warrant it.

However, I would go for option 1 but with a secondary option of SSH open on untrust interface using a different manage-ip and also incorporate manager-ip to limit the access to a set of specific hosts.
0
 

Author Comment

by:paintco
ID: 24781390
sorry can you explain the last paragraph in more detail.
and also those 10 appliances some are ISG 1000 and some is SSG 350M
I'm looking for the best way to manage without purchasing the NSM
0
 
LVL 18

Assisted Solution

by:deimark
deimark earned 500 total points
ID: 24781628
The manage-ip is an extra IP on the interface that you use to connect to via web, ssh, ssl etc, all configured under the service options.

This manes that you can manage the box using a different IP from the actual interface IP.

The manager-ip is the IP address of known and trusted hosts that you want to be able to manage the box from.

This works on all screenos devices, so the ISG and SSG makes no difference at all here.

Have a look at www.junper.net/techpubs and drill down into screenos for the versions you are running.  The admin guide will shed some more light on the details here, but the essence is above.
0

Featured Post

Ready to trade in that old firewall?

Whether you need to trade-up to a shiny new Firebox or just ready to upgrade from whatever appliance you're using now, WatchGuard has the right appliance for you! Find your perfect Firebox today with appliance sizing tool!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question