Ihenock1011
Advisor

Best Practice for Data Center and Perimeter Firewall blades to enable

Hi All,

I want to follow best practices for enabling blades on perimeter and data center firewalls, given that a SandBlast license has been acquired. What is the best practice for which blades to enable on the data center and perimeter security gateways?

Thanks,

Lesley
Leader

Depends on the blades. What blades do you want to enable? Are you going to do HTTPS inspection? What will the DC firewall protect? Servers, shares, etc.? And the perimeter: only internet access, or servers in a DMZ? What licenses have you now purchased? What hardware are we talking about? Is it maybe Maestro or VSX?

-------
If you like this post please give a thumbs up(kudo)! 🙂
Ihenock1011
Advisor

The DC firewall protects the server farm, while the perimeter gateway will protect the external-facing servers and Internet. HA mode SG hardware appliance.

Lesley
Leader

And this? Depends on the blades. What blades do you want to enable? Are you going to do HTTPS inspection? What licenses have you now purchased?

Ihenock1011
Advisor

Sandblast License. I want to know which blades should be enabled based on best practices for perimeter and data center security gateways.

Wolfgang
Authority

If you have all licenses and powerful appliances, you can enable all blades. Maybe you need some features only on one of the firewalls; you can disable these, meaning, as an example, the Mobile Access blade only on the perimeter firewall.

The answer is like a lot of other questions… It depends 😉

Lesley
Leader

Really depends on the network. For example, if you do not have mail servers in the DC or on the perimeter, then there is no point checking for the Anti-Spam blade or the MTA setup. Or if you do not have SMB shares, then you can skip that in the inspection for the AV blade (and other blades). Same for FTP.

I don't think there is general advice like 'if you must protect a DC, enable the following blades', because you can have anything or almost nothing in a DC. Personally, I would go for all the threat prevention blades in combination with App Control and URL Filtering. (Of course HTTPS inspection, very important.)

Chris_Atkinson
Employee

Exploring Autonomous Threat Prevention (sk163593) is also an option to help manage the configuration.

CCSM R77/R80/ELITE
