[142531] in North American Network Operators' Group
RE: Firewall Appliance Suggestions
daemon@ATHENA.MIT.EDU (Leigh Porter)
Thu Jun 30 13:01:15 2011
From: Leigh Porter <leigh.porter@ukbroadband.com>
To: "Blake T. Pfankuch" <blake@pfankuch.me>, -Hammer- <bhmccie@gmail.com>,
Claudio Salmin <claudio.salmin@googlemail.com>, "nanog@nanog.org"
<nanog@nanog.org>, William Cooper <wcooper02@gmail.com>
Date: Thu, 30 Jun 2011 17:01:13 +0000
In-Reply-To: <CC75EEBF17C7374EA8309102B7B10C840C7F30@SHSBS.shenrons-house.local>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I use JuNOS Juniper for just this and it works well. However, I have not used the GUI for configuring it, but the command line is very usable.
However, if you have a NOC Monkey, I would be tempted to create your own front end for configuring stuff and have an XML interface to the real boxes.
--
Leigh
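As an added illustration of Leigh's suggestion of fronting the boxes with your own tool over their XML interface (this is example code, not from the thread or from Juniper): the script below builds one Junos security zone per customer, one outbound permit policy each, lints the result so that no policy permits traffic directly between two customer zones (the isolation Blake asked for), and wraps it in a NETCONF edit-config RPC. Element names follow the Junos XML configuration schema; the customer names, VLAN interfaces and zone names are constructed sample values, and the NETCONF transport itself is assumed and not shown.

```python
"""Added example: generate per-customer Junos zone/policy configuration as XML,
lint it for cross-customer leaks, and wrap it in a NETCONF <edit-config> RPC.
Element names follow the Junos XML configuration schema; all zone, interface
and customer names below are constructed sample values."""
import xml.etree.ElementTree as ET

# Constructed sample input: customer zone name -> VLAN sub-interface for its /29
CUSTOMERS = {
    "cust1": "ge-0/0/1.101",
    "cust2": "ge-0/0/1.102",
    "cust3": "ge-0/0/1.103",
}
WAN_ZONE, WAN_IF = "untrust", "ge-0/0/0.0"  # constructed names


def add_zone(conf, name, ifname):
    """Append a security-zone with one interface under security/zones."""
    zones = conf.find("./security/zones")
    z = ET.SubElement(zones, "security-zone")
    ET.SubElement(z, "name").text = name
    ET.SubElement(ET.SubElement(z, "interfaces"), "name").text = ifname
    return z


def add_permit_policy(conf, src_zone, dst_zone, name):
    """Append an any/any/any permit policy from src_zone to dst_zone, reusing
    the existing from/to block for that zone pair if one is already present."""
    policies = conf.find("./security/policies")
    for pair in policies.iterfind("policy"):
        if (pair.findtext("from-zone-name") == src_zone
                and pair.findtext("to-zone-name") == dst_zone):
            break
    else:
        pair = ET.SubElement(policies, "policy")
        ET.SubElement(pair, "from-zone-name").text = src_zone
        ET.SubElement(pair, "to-zone-name").text = dst_zone
    pol = ET.SubElement(pair, "policy")
    ET.SubElement(pol, "name").text = name
    match = ET.SubElement(pol, "match")
    ET.SubElement(match, "source-address").text = "any"
    ET.SubElement(match, "destination-address").text = "any"
    ET.SubElement(match, "application").text = "any"
    ET.SubElement(ET.SubElement(pol, "then"), "permit")
    return pol


def build_config(customers, wan_zone=WAN_ZONE, wan_if=WAN_IF):
    """Return a <configuration> with the WAN zone, one zone per customer and a
    single outbound permit policy per customer. No inter-customer policy is
    created, so the platform's default deny keeps the customer zones apart."""
    conf = ET.Element("configuration")
    security = ET.SubElement(conf, "security")
    ET.SubElement(security, "zones")
    ET.SubElement(security, "policies")
    add_zone(conf, wan_zone, wan_if)
    for cust, ifname in customers.items():
        add_zone(conf, cust, ifname)
        add_permit_policy(conf, cust, wan_zone, f"{cust}-out")
    return conf


def lint_isolation(conf, customers):
    """Return (from_zone, to_zone, policy_name) for every policy that permits
    traffic directly between two different customer zones. Empty list == OK.
    This is the guardrail a front end should run before any commit."""
    bad = []
    for pair in conf.iterfind("./security/policies/policy"):
        src = pair.findtext("from-zone-name")
        dst = pair.findtext("to-zone-name")
        if src in customers and dst in customers and src != dst:
            for pol in pair.iterfind("policy"):
                if pol.find("then/permit") is not None:
                    bad.append((src, dst, pol.findtext("name")))
    return bad


def wrap_edit_config(conf):
    """Wrap the configuration in a NETCONF <edit-config> aimed at the candidate
    datastore; a separate <commit> would follow. Transport is not shown."""
    rpc = ET.Element("rpc")
    ec = ET.SubElement(rpc, "edit-config")
    ET.SubElement(ET.SubElement(ec, "target"), "candidate")
    ET.SubElement(ec, "config").append(conf)
    return ET.tostring(rpc, encoding="unicode")


if __name__ == "__main__":
    cfg = build_config(CUSTOMERS)
    problems = lint_isolation(cfg, CUSTOMERS)
    print("isolation check:", "OK" if not problems else problems)
    print(wrap_edit_config(cfg))
```

The lint is the piece worth keeping whatever the box: the operator-facing tool generates the config, and a simple structural check refuses to push anything that opens a path between two customer zones, which is the class of mistake a process-following operator is most likely to make.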
________________________________________
From: Blake T. Pfankuch [blake@pfankuch.me]
Sent: 30 June 2011 17:45
To: -Hammer-; Claudio Salmin; nanog@nanog.org; William Cooper
Subject: RE: Firewall Appliance Suggestions
For those of you who responded quickly and usefully, do you have any experience with the CheckPoint/Juniper/Fortinet in an environment with multiple protected subnets running on VMware? Simple enough for a NOC monkey to make changes to without breaking assuming he has half a brain and a process in front of him to follow?
-----Original Message-----
From: -Hammer- [mailto:bhmccie@gmail.com]
Sent: Thursday, June 30, 2011 9:57 AM
To: nanog@nanog.org
Subject: Re: Firewall Appliance Suggestions
CheckPoint
-Hammer-
"I was a normal American nerd"
-Jack Herer
On 06/30/2011 10:50 AM, Blake T. Pfankuch wrote:
> Howdy,
> I am looking for something a little unique in a bit of a tough situation with some sticky requirements. First off, my requirements are a little weird and I can't bend them a whole lot due to stipulations being put on me. I am in need of a firewall appliance which can be run on VMware vSphere, with IPSEC support for multiple Phase 2 negotiations within a single Phase 1. I am also in need of something that can support VLAN interfaces on the LAN side, and ideally something with multi zoning so I can keep LAN side networks separate from each other without ridiculous firewall rules. Meaning build a zone for "Customer network 1" and it displays separately (ease of management and firewall config hopefully). I need a minimum of 10 "zones" on LAN side (/29 or /30), and NAT support for LAN to WAN (to dedicate all outbound connections to a single IP from a specific zone), ideally something extremely scalable (100-200 zones). And here is the super fun part! I need something that is going to be web managed primarily as minions will be doing most of the day to day maintenance, or very simple CLI config. Willing to pay for something if need be, but looking for something that can easily handle 50-100mbit of throughput.
>
> Any Ideas?
>
> Thanks!
>
> Blake Pfankuch
>
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________