Solved

Do the ISG 1000 and SSG 350M support virtual systems?

Posted on 2009-07-13
Last Modified: 2013-11-16
Do the ISG 1000 and SSG 350M support virtual systems?
If yes, do I need a license to implement vsys, or is there no need?
Question by:paintco
5 Comments
 
LVL 18

Assisted Solution

by:deimark
deimark earned 1000 total points
ID: 24843707
ISG systems support virtual systems but they require licenses to work.

SSG platforms (all of them sadly) do not support vsys.

So in short, the ISG 1000 needs a license and the SSG 350 does not support them.

With regard to needing VSYS, can you give us a bit more info on what you are looking for? Maybe there is another option open to you.

0
 

Author Comment

by:paintco
ID: 24843862
There are around 10 sites, each with two separate networks (two routers, each with its own network). This design uses point-to-point connections (leased lines); isolating the two networks is a security issue.
So in total there are 10 routers for network A and another 10 routers for network B; each site has two routers. This has been the situation in production for more than 5 years.
Now we are implementing an MPLS network; this is behind the running one. We will move network A to run on MPLS. Each site is equipped with a 3800 (or 2800) router and an ISG 1000 (or SSG 350M).
The design will be: one side of the router goes to the PSTN with BGP routing, the other side of the router goes to the ISG firewall, and the firewall goes to the core switch.

So I want the same equipment used for network A to be shared with Network B, since the bandwidth of MPLS is higher than that of the leased line.
For the routers, I will do traffic shaping to limit the rate of Network B traffic.
For the ISG, I want to make it two vsys.
0
 
LVL 18

Assisted Solution

by:deimark
deimark earned 1000 total points
ID: 24844107
For the ISG, buy the VSYS license and use VSYS

For the 300 series, there is what we call the poor man's VSYS, and that is to use multiple v-routers.

Each v-router will have its own routing table (and associated routing protocols, MPLS etc). Unless you add routes for each of the v-routers to allow them to "talk" to each other, there will be a degree of layer 3 separation.

Note, this is at the network layer, not a full security separation as per VSYS.

An example is needing to have 3 customers sit on an SSG firewall.

If we split the firewall into 6 virtual routers, we can then have 2 per customer, a trust and untrust-vr. From this, we can add our own zones, interfaces and policies.

As above, it's a poor man's VSYS but may assist in giving the degree of separation you are looking for.
0
 

Author Comment

by:paintco
ID: 24844288
Thanks. So shall I use it also with the ISG 1000, if the license will cost?

For this situation, in one site the scenario is like this:
One router (3800) interface goes to the WAN (MPLS), the other interface is connected to the ISG 1000. The ISG has 4 eth interfaces connected to the router, one for DMZ, one for trust network. There are two VRs used (trust-vr, untrust-vr).
The ISG supports only 3 VRs. So I will create test-vr, and I will also create test-zone. The remaining interface on the ISG is eth1/4; I will connect it to Network B, and I will use the untrust interface which is going to the router to make a sub-interface on it to route Network B.
So is it better to locate eth1/4 and the sub-interface in the same zone and the same VR?
0
 
LVL 18

Accepted Solution

by:
deimark earned 1000 total points
ID: 24844376
VSYS license will cost bud, that's for sure.

Although each firewall will have 2 default VRs created, the trust and untrust vr, normally we only ever use 1, the trust-vr.

If a "get route" shows no routes for the untrust-vr, then this one is free to be used again.

A "get license-key" will confirm the number of vsys that the box will support. I was under the impression that the ISG supported more than 3.

I am not 100% sure on what you are trying to achieve, but if you need to separate traffic at layer 3, then have each site/link in its own v-router with its default route pointing to the untrust-vr with the route to the internet, i.e. MPLS.

This gives the degree of separation at layer 3 between all zones and links.

Does this suit?
0
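The answers above rest on the point that v-routers stay separated at layer 3 only until inter-VR routes are added, including in the layout where each v-router defaults to untrust-vr. The following is an added example, not code from the thread or from Juniper: a small audit that reads one-line `set vrouter <vr> route <prefix> vrouter <vr>` commands and reports which supposedly isolated v-routers can hand traffic to each other. The v-router names `neta-vr` and `netb-vr`, the prefixes and the sample configuration are constructed; the check is deliberately conservative (it ignores prefix specificity and firewall policies, which would still have to permit the traffic).

```python
import re
from collections import defaultdict

# Constructed sample config (not from the thread): two hypothetical v-routers
# default to untrust-vr, and untrust-vr has one route that leads into netb-vr.
SAMPLE_CONFIG = """\
set vrouter name neta-vr
set vrouter name netb-vr
set vrouter neta-vr route 0.0.0.0/0 vrouter untrust-vr
set vrouter netb-vr route 0.0.0.0/0 vrouter untrust-vr
set vrouter untrust-vr route 0.0.0.0/0 interface ethernet1/1 gateway 192.0.2.1
set vrouter untrust-vr route 10.20.0.0/16 vrouter netb-vr
"""

# Assumption: routes appear in the one-line CLI form, names optionally quoted.
ROUTE_RE = re.compile(
    r'^set vrouter "?([\w-]+)"? route (\S+) vrouter "?([\w-]+)"?\s*$')

def vr_handoffs(config):
    """Map each v-router to the set of v-routers its routes hand traffic to."""
    edges = defaultdict(set)
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            src, _prefix, dst = m.groups()
            edges[src].add(dst)
    return edges

def reachable(edges, start):
    """All other v-routers reachable from start by following inter-VR routes."""
    seen, stack = set(), [start]
    while stack:
        for nxt in edges.get(stack.pop(), ()):
            if nxt not in seen and nxt != start:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def separation_violations(config, isolated):
    """Pairs (a, b) of supposedly isolated v-routers where a can route into b."""
    edges = vr_handoffs(config)
    return sorted((a, b) for a in isolated
                  for b in reachable(edges, a) if b in isolated)

if __name__ == "__main__":
    for a, b in separation_violations(SAMPLE_CONFIG, {"neta-vr", "netb-vr"}):
        print(f"layer-3 path exists: {a} -> {b}")
```

On the sample, the path runs from `neta-vr` through `untrust-vr` into `netb-vr`; removing the `10.20.0.0/16` route from `untrust-vr` clears the finding.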

Question has a verified solution.
