Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

ISG management

Posted on 2009-07-05
3
Medium Priority
?
232 Views
Last Modified: 2013-11-16
I have around 10 remote site with 10 firewalls to apply management for all f/w which is better from the following:
1- manage from the assigned IP for the trust zone
2- advertising a management x.x.x.x/30 subnets in all routers for managing f/w
0
Comment
Question by:paintco
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 18

Accepted Solution

by:
deimark earned 1500 total points
ID: 24781357
Option 1 will mean that all access will need to come from the trust side, ie no remote mgmt, you will need to be either within the LAN or VPNed in.

Option 2 is possible but it a pain to manage, ie if any network changes take place, its a lot of work to manually update all of them.

Have you considered using mgmt software, ie Network and Security Manager (NSM)?  NSM comes into its own when you have around 10 devices to manage and especially if they are all ISGs, the size of your network seems to warrant it.

However, I would go for option 1 but with a secondary option of SSH open on untrust interface using a different manage-ip and also incorporate manager-ip to limit the access to a set of specific hosts.
0
 

Author Comment

by:paintco
ID: 24781390
sorry can you explain the last paragraph in more detail.
and also those 10 appliances some are ISG 1000 and some is SSG 350M
I'm looking for the best way to manage without purchasing the NSM
0
 
LVL 18

Assisted Solution

by:deimark
deimark earned 1500 total points
ID: 24781628
The manage-ip is an extra IP on the interface that you use to connect to via web, ssh, ssl etc, all configured under the service options.

This manes that you can manage the box using a different IP from the actual interface IP.

The manager-ip is the IP address of known and trusted hosts that you want to be able to manage the box from.

This works on all screenos devices, so the ISG and SSG makes no difference at all here.

Have a look at www.junper.net/techpubs and drill down into screenos for the versions you are running.  The admin guide will shed some more light on the details here, but the essence is above.
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Suggested Courses

664 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question