topic Re: Best Practice for Data Center and Perimeter Firewall blades to enable in General Topics

Best Practice for Data Center and Perimeter Firewall blades to enable

Ihenock1011 — Sun, 11 Aug 2024 18:04:02 GMT

Hi All,

I want to follow best practices for enabling blades on perimeter and data center firewalls, given that Sandblast license has been acquired. what is the best practice to be enabled on Data center and Perimeter security gateway.

Thanks,

Re: Best Practice for Data Center and Perimeter Firewall blades to enable

Lesley — Sun, 11 Aug 2024 18:46:33 GMT

Depends on the blades, what blades you want to enable? Are you going to https inspection? What will the dc firewall protect? Servers, shares etc? And perimeter, only internet access or servers in DMZ? What licenses you have know purchased? What hardware we are talking about, is it maybe Maestro or VSX?

Re: Best Practice for Data Center and Perimeter Firewall blades to enable

Ihenock1011 — Sun, 11 Aug 2024 19:01:30 GMT

DC Firewall Protects the server farm while the perimeter gateway will protect the external facing servers and Internet. HA mode SG hardware appliance.

Re: Best Practice for Data Center and Perimeter Firewall blades to enable

Lesley — Sun, 11 Aug 2024 19:21:34 GMT

And this? Depends on the blades, what blades you want to enable? Are you going to https inspection? What licenses you have now purchased?

Re: Best Practice for Data Center and Perimeter Firewall blades to enable

Ihenock1011 — Sun, 11 Aug 2024 20:00:05 GMT

Sandblast License. I want to know which blades should be enabled based on best practices for perimeter and data center security gateways.

Re: Best Practice for Data Center and Perimeter Firewall blades to enable

Wolfgang — Sun, 11 Aug 2024 20:19:58 GMT

If you have all licenses and powerfull appliances you can enable all blades. Maybe you need some features only on one of the firewalls you can disable these, meaning as an example MobileAccessBlade only on perimeter firewall.

The answer is like a lot of other questions…. It depends 😉

Re: Best Practice for Data Center and Perimeter Firewall blades to enable

Lesley — Sun, 11 Aug 2024 20:22:57 GMT

Really depends on the network. For example if you do not have mail servers in dc or on perimeter then there is no point checking for the Anti-spam blade or the MTA setup. Or if you do not have SMB shares then you can skip that in the inspection for AV blade(and other blades) Same for FTP.

I don't think there is a general advice like 'if you must protect DC enable the following blades' Because you can have anything or almost nothing in a DC. Personally, I would go for all the threat prevention blades in combi with app and URL filtering. (Of course HTTS inspection, very important)

Re: Best Practice for Data Center and Perimeter Firewall blades to enable

Chris_Atkinson — Sun, 11 Aug 2024 23:40:15 GMT

Exploring Autonomous Threat Prevention (sk163593) is also an option to help manage the configuration.