[142530] in North American Network Operators' Group
Re: Firewall Appliance Suggestions
daemon@ATHENA.MIT.EDU (-Hammer-)
Thu Jun 30 12:59:02 2011
Date: Thu, 30 Jun 2011 11:58:46 -0500
From: -Hammer- <bhmccie@gmail.com>
To: "Blake T. Pfankuch" <blake@pfankuch.me>
In-Reply-To: <CC75EEBF17C7374EA8309102B7B10C840C7F30@SHSBS.shenrons-house.local>
Cc: "nanog@nanog.org" <nanog@nanog.org>,
Claudio Salmin <claudio.salmin@googlemail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I do. Your NOC Monkey reference is your biggest hurdle. What you are asking for is a bit beyond "traditional" so finding something with a pretty interface for a monkey may be tough. CheckPoint will require a fat client. If that is an issue....
-Hammer-
"I was a normal American nerd"
-Jack Herer
On 06/30/2011 11:43 AM, Blake T. Pfankuch wrote:
> For those of you who responded quickly and usefully, do you have any experience with the CheckPoint/Juniper/Fortinet in an environment with multiple protected subnets running on VMware? Simple enough for a NOC monkey to make changes to without breaking, assuming he has half a brain and a process in front of him to follow?
>
> -----Original Message-----
> From: -Hammer- [mailto:bhmccie@gmail.com]
> Sent: Thursday, June 30, 2011 9:57 AM
> To: nanog@nanog.org
> Subject: Re: Firewall Appliance Suggestions
>
> CheckPoint
>
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
>
>
> On 06/30/2011 10:50 AM, Blake T. Pfankuch wrote:
>
>> Howdy,
>> I am looking for something a little unique in a bit of a tough situation with some sticky requirements. First off, my requirements are a little weird and I can't bend them a whole lot due to stipulations being put on me. I am in need of a firewall appliance which can be run on VMware vSphere, with IPSEC support for multiple Phase 2 negotiations within a single Phase 1. I am also in need of something that can support VLAN interfaces on the LAN side, and ideally something with multi zoning so I can keep LAN side networks separate from each other without ridiculous firewall rules. Meaning build a zone for "Customer network 1" and it displays separately (ease of management and firewall config hopefully). I need a minimum of 10 "zones" on the LAN side (/29 or /30), and NAT support for LAN to WAN (to dedicate all outbound connections to a single IP from a specific zone), ideally something extremely scalable (100-200 zones). And here is the super fun part! I need something that is going to be web managed primarily as minions will be doing most of the day to day maintenance, or very simple CLI config. Willing to pay for something if need be, but looking for something that can easily handle 50-100mbit of throughput.
>>
>> Any Ideas?
>>
>> Thanks!
>>
>> Blake Pfankuch
>>
>>