Kaspars_Zibarts
Authority

5 Year celebration hangover - Q regarding dynamic network object in R81.20

@Tomer_Noy - thanks for a really outstanding presentation yesterday! Made many notes regarding R81.20!

One thing that I loved most is the dynamic network object list / feed. I generally love dynamic objects and we strive to move away from a static rulebase managed by FW administrators to a more dynamic build, i.e. updatable objects, domain objects, old school dynamic objects, API based updates etc.

And this new network feed object type would perfectly fit our bill! It would allow us to delegate responsibility to service owners and cut many "middle-man" hours. Plus it's less complex than API and does not require policy install! Win-win

How does it fit together with the generic datacentre object that was released in R81? It seems to be doing the same thing but is just more cumbersome to manage (format requirements etc.)

Will it require any additional licensing? I.e. to deploy IOC feeds (that are somewhat similar, with the exception that they would only allow blocking traffic) you need an AB or AV license.

Thanks again for insights!

0 Kudos
6 Replies
Tomer_Noy
Employee

Thanks for the positive feedback Kaspars!
It means a lot coming from a skilled and veteran customer 😀

I'm glad that this new feature is a good fit for your plans to further modernize your policy management. I hope that many customers adopt it.

Regarding your questions:

  1. How do "Network Feeds" fit together or compare with "Generic DataCenter" objects?
    • The benefit of Generic DataCenter is that it supports a hierarchy of objects, so a single feed can provide multiple objects for the policy. Also, it can be installed on R81.10 gateways.
    • The benefits of Network Feeds are that they are much simpler to define and use (no strict formatting), the gateway independently updates content from the feed (so Management maintenance / downtime will not affect it), and it's scalable for a lot of IPs.
    • IMO, if you are in doubt, go with the Network Feeds. We hope that this feature will reach the masses as there is not widespread adoption of Generic DataCenter.
  2. Unlike IoCs, Network Feeds are an Access Policy feature, so they do not require an additional license.
    • BTW, IoCs are a great feature and support many more blocking constructs (such as URLs, regular expressions, ...). These are actually used by many customers and we continue to encourage that.

I hope the above clarifies things.

Please continue to share feedback (also on other content in the demo, if you have any), and if you have experience later on with adopting R81.20.

Kaspars_Zibarts
Authority

You know that I have been planning in my head a "centralised tool to manage old school dynamic objects" just like network feeds does... you stole my idea from my head! 🙂 Oh well, I have time now for the other 100 ideas in my head! And can you please port it to R80.40 as I doubt very much that we will venture to R81.20 anytime soon 🙂 plus the log sending to two servers!

0 Kudos
Tomer_Noy
Employee

Unfortunately, we cannot port these features to older versions. They depend on new schema configuration in the DB and functionality in the gateway that cannot be added in JHF.

Note that the log sending to multiple servers (distributed logging) was already added in R81.10, so it's GA.

I can only recommend a swift upgrade strategy to at least R81.10 right now, and soon to R81.20 as those releases bring many improvements on all fronts (quality, performance, features).

0 Kudos
Kaspars_Zibarts
Authority

We will try of course! To upgrade..

One last Q Tomer - Network Feeds, will they be available as Global objects in MDS?

0 Kudos
Tomer_Noy
Employee

Hi @Kaspars_Zibarts,

It took me a little while to get a verified answer, but you'll be happy to hear that: Yes, Network Feeds can be defined as global objects in MDS environments 😀

Kaspars_Zibarts
Authority

Awesome! 🙂 really good news! Time to plan to upgrade MDS then!

0 Kudos