Solved

Do ISG 1000 and SSG 350M support Virtual system?

Posted on 2009-07-13
Last Modified: 2013-11-16
Do ISG 1000 and SSG 350M support Virtual system?
If yes, do I need a license to implement vsys, or is there no need?
Question by:paintco
LVL 18

Assisted Solution

by:deimark
deimark earned 500 total points
ID: 24843707
ISG systems support virtual systems but they require licenses to work.

SSG platforms (all of them sadly) do not support vsys.

So in short, ISG 1000 needs a license and SSG350 does not support them.

With regards to needing VSYS, can you give us a bit more info on what you are looking for? Maybe there is another option open to you.

0
 

Author Comment

by:paintco
ID: 24843862
There are around 10 sites, each with two separate networks (two routers, each with its own network). This design uses point-to-point connections (leased lines); isolating the two networks is a security issue.
So in total there are 10 routers for network A and another 10 routers for network B; each site has two routers. This has been the situation in production for more than 5 years.
Now we are implementing an MPLS network; this is behind the running one. We will move network A to run on MPLS. Each site is equipped with a 3800 (or 2800) router and an ISG 1000 (or SSG 350M).
The design will be: the router goes to the PSTN with BGP routing on one side, the other side of the router goes to the ISG firewall, and the firewall goes to the core switch.

So I want to use the same equipment for network A, shared with network B, since the bandwidth of MPLS is higher than the leased line.
For the routers I will do traffic shaping to limit the rate of network B traffic.
For the ISG I want to make it two vsys.
0
 
LVL 18

Assisted Solution

by:deimark
deimark earned 500 total points
ID: 24844107
For the ISG, buy the VSYS license and use VSYS

For the 300 series, there is what we call the poor man's VSYS, and that is to use multiple v-routers.

Each v-router will have its own routing table (and associated routing protocols, MPLS etc).  Unless you add routes for each of the v-routers to allow them to "talk" to each other, there will be a degree of layer 3 separation.

Note, this is at the network layer, not a full security separation as per VSYS.

An example is needing to have 3 customers sit on an SSG firewall.

If we split the firewall into 6 virtual routers, we can then have 2 per customer, a trust-vr and an untrust-vr.  From this, we can add our own zones, interfaces and policies.

As above, it's a poor man's VSYS but may assist in giving the degree of separation you are looking for.
0
 

Author Comment

by:paintco
ID: 24844288
Thanks. So shall I use it also with the ISG 1000 if the license will cost?

For this situation, in one site the scenario is like this:
One router (3800) has interfaces going to the WAN (MPLS); the other interface is connected to the ISG 1000. The ISG has 4 eth interfaces: one connected to the router, one for the DMZ, one for the trust network. There are two VRs used (trust-vr, untrust-vr).
The ISG supports only 3 VRs. So I will create test-vr and I will also create test-zone. The remaining interface on the ISG is eth1/4; I will connect it to Network B, and I will use the untrust interface which is going to the router to make a sub-interface on it to route Network B.
So is it better to locate eth1/4 and the sub-interface in the same zone and same VR?
0
 
LVL 18

Accepted Solution

by:
deimark earned 500 total points
ID: 24844376
VSYS license will cost bud, that's for sure.

Although each firewall will have 2 default VRs created, the trust-vr and untrust-vr, normally we only ever use 1, the trust-vr.

If a "get route" shows no routes for the untrust-vr, then this one is free to be used again.

A "get license-key" will confirm the amount of vsys that the box will support. I was under the impression that the ISG supported more than 3.

I am not 100% sure on what you are trying to achieve, but if you need to separate traffic at layer 3, then have each site/link in their own v-router with their default route pointing to the untrust-vr with the route to the internet, i.e. MPLS.

This gives the degree of separation at layer 3 between all zones and links.

Does this suit?
0
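
An added example, not part of the original thread: the multiple v-router answer and the accepted solution both depend on no route handing traffic from one network's v-router to the other's, so this script audits a config for such a path, including one that transits the shared untrust-vr. The v-router names (`netA-vr`, `netB-vr`), the prefix and the one-line `set vrouter ... route ... vrouter ...` sample are constructed assumptions, and the check is deliberately coarse: it ignores prefixes and policies and treats any inter-VR route as a possible path.

```python
import re
from collections import defaultdict

# Constructed sample config (hypothetical VR names and prefix, not from the thread).
SAMPLE_CONFIG = """\
set vrouter name "netA-vr"
set vrouter name "netB-vr"
set vrouter "netA-vr" route 0.0.0.0/0 vrouter "untrust-vr"
set vrouter "netB-vr" route 0.0.0.0/0 vrouter "untrust-vr"
set vrouter "untrust-vr" route 10.1.0.0/16 vrouter "netA-vr"
"""

# Matches routes whose next hop is another v-router (quotes optional).
ROUTE_RE = re.compile(r'^set vrouter "?([\w-]+)"? route (\S+) vrouter "?([\w-]+)"?$')

def vr_graph(config):
    """Map each v-router to the set of v-routers its routes hand traffic to."""
    graph = defaultdict(set)
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            src, _prefix, dst = m.groups()
            graph[src].add(dst)
    return graph

def leak_path(graph, src, dst):
    """Breadth-first search: shortest chain of v-routers from src to dst, or None."""
    queue, seen = [[src]], {src}
    while queue:
        path = queue.pop(0)
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt == dst:
                return path + [nxt]
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def audit(config, isolated):
    """Check every ordered pair of v-routers that must stay separated."""
    graph = vr_graph(config)
    return {(a, b): leak_path(graph, a, b)
            for a in isolated for b in isolated if a != b}

if __name__ == "__main__":
    for pair, path in audit(SAMPLE_CONFIG, ["netA-vr", "netB-vr"]).items():
        print(pair, "->", " > ".join(path) if path else "no route path")
```

In the sample, the route from untrust-vr back into netA-vr gives network B a routed path to network A through the shared v-router, so separation on that path rests on policy rather than on routing.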
