Solved

ISG management

Posted on 2009-07-05
3
227 Views
Last Modified: 2013-11-16
I have around 10 remote site with 10 firewalls to apply management for all f/w which is better from the following:
1- manage from the assigned IP for the trust zone
2- advertising a management x.x.x.x/30 subnets in all routers for managing f/w
0
Comment
Question by:paintco
  • 2
3 Comments
 
LVL 18

Accepted Solution

by:
deimark earned 500 total points
ID: 24781357
Option 1 will mean that all access will need to come from the trust side, ie no remote mgmt, you will need to be either within the LAN or VPNed in.

Option 2 is possible but it a pain to manage, ie if any network changes take place, its a lot of work to manually update all of them.

Have you considered using mgmt software, ie Network and Security Manager (NSM)?  NSM comes into its own when you have around 10 devices to manage and especially if they are all ISGs, the size of your network seems to warrant it.

However, I would go for option 1 but with a secondary option of SSH open on untrust interface using a different manage-ip and also incorporate manager-ip to limit the access to a set of specific hosts.
0
 

Author Comment

by:paintco
ID: 24781390
sorry can you explain the last paragraph in more detail.
and also those 10 appliances some are ISG 1000 and some is SSG 350M
I'm looking for the best way to manage without purchasing the NSM
0
 
LVL 18

Assisted Solution

by:deimark
deimark earned 500 total points
ID: 24781628
The manage-ip is an extra IP on the interface that you use to connect to via web, ssh, ssl etc, all configured under the service options.

This manes that you can manage the box using a different IP from the actual interface IP.

The manager-ip is the IP address of known and trusted hosts that you want to be able to manage the box from.

This works on all screenos devices, so the ISG and SSG makes no difference at all here.

Have a look at www.junper.net/techpubs and drill down into screenos for the versions you are running.  The admin guide will shed some more light on the details here, but the essence is above.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Rule Iptables 1 63
Sonicwall Email los and Alerts 1 63
Any good reasons a Windows 7 PC in domain should have firewall disabled? 15 99
Firewall blocking images 4 77
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question