Example: deploying Virtual Firewalls for MSSP customers

An example of configuring Master NGFW Engines and Virtual Firewalls in an MSSP environment.

Company A is an MSSP (Managed Security Services Provider). Customer 1 and Customer 2 are customers of Company A. The customers each want one Virtual Firewall with two Physical Interfaces. The administrators at Company A decide to use their existing NGFW appliance as a Master NGFW Engine to host Virtual Firewalls for Customer 1 and Customer 2. Separate administrative Domains have already been configured for each customer. The engine already has a license that allows the creation of Virtual Resources.

The administrators at Company A:

  1. Create a Master NGFW Engine element in the Shared Domain.
  2. Create one Virtual Resource element for each customer’s Virtual Firewall and select the appropriate Domain for each Virtual Resource:
    Table 1. Virtual resources details

    | Virtual resource name | Domain |
    |---|---|
    | Customer 1 Virtual Resource | Customer 1 Domain |
    | Customer 2 Virtual Resource | Customer 2 Domain |

  3. Create the following Physical Interfaces on the Master NGFW Engine:
    Table 2. Physical interfaces details

    | Interface ID | Description |
    |---|---|
    | 0 | Physical Interface for the Master NGFW Engine’s own traffic |
    | 1 | Physical Interface for hosted Virtual Firewall traffic |

  4. Add an IPv4 address for each Master NGFW Engine node to Physical Interface 0.
  5. Add the following VLAN Interfaces to Physical Interface 1 and select the appropriate Virtual Resource for each VLAN Interface:
    Table 3. VLAN interfaces details

    | Interface ID | Virtual resource | Description |
    |---|---|---|
    | VLAN 1.1 | Customer 1 Virtual Resource | VLAN Interface for the first Physical Interface on the Virtual Firewall for Customer 1 |
    | VLAN 1.2 | Customer 1 Virtual Resource | VLAN Interface for the second Physical Interface on the Virtual Firewall for Customer 1 |
    | VLAN 1.3 | Customer 2 Virtual Resource | VLAN Interface for the first Physical Interface on the Virtual Firewall for Customer 2 |
    | VLAN 1.4 | Customer 2 Virtual Resource | VLAN Interface for the second Physical Interface on the Virtual Firewall for Customer 2 |

  6. Create a Virtual Firewall element for each customer and select the appropriate Virtual Resource for each Virtual Firewall:
    Table 4. Virtual firewall details

    | Virtual firewall | Virtual resource |
    |---|---|
    | Customer 1 Virtual Firewall | Customer 1 Virtual Resource |
    | Customer 2 Virtual Firewall | Customer 2 Virtual Resource |

  7. Add IP addresses to the Physical Interfaces on the Virtual Firewalls.
  8. Refresh the policy on the Master NGFW Engine.
  9. Refresh the policy on the Virtual Firewalls.
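
A consistency check for the plan in steps 1 to 9, added here as an example; it is not the product's code and does not talk to the management server. The dictionary layout, the `audit_plan` function and its rules (one Domain per customer's Virtual Resource, two VLAN Interfaces per Virtual Resource, one Virtual Firewall per Virtual Resource, no hosted traffic on Interface 0) are assumptions that mirror this example's tables.

```python
from collections import Counter

# Constructed model of Tables 1-4; this dict layout is hypothetical, not an export format.
PLAN = {
    "virtual_resources": {"Customer 1 Virtual Resource": "Customer 1 Domain",
                          "Customer 2 Virtual Resource": "Customer 2 Domain"},
    "physical_interfaces": {"0": None, "1": None},  # ID -> Virtual Resource bound directly
    "vlan_interfaces": {"1.1": "Customer 1 Virtual Resource",
                        "1.2": "Customer 1 Virtual Resource",
                        "1.3": "Customer 2 Virtual Resource",
                        "1.4": "Customer 2 Virtual Resource"},
    "virtual_firewalls": {"Customer 1 Virtual Firewall": "Customer 1 Virtual Resource",
                          "Customer 2 Virtual Firewall": "Customer 2 Virtual Resource"},
}

def audit_plan(plan, master_interface="0", interfaces_per_firewall=2):
    """Return a list of findings; an empty list means the plan matches the example."""
    findings = []
    resources = plan["virtual_resources"]
    # In this example each customer's Virtual Resource sits in its own Domain.
    for domain, n in Counter(resources.values()).items():
        if n > 1:
            findings.append(f"Domain '{domain}' holds {n} Virtual Resources")
    # The master's own interface must not carry hosted (customer) traffic.
    if plan["physical_interfaces"].get(master_interface) is not None:
        findings.append(f"Interface {master_interface} is bound to a Virtual Resource")
    for vlan in plan["vlan_interfaces"]:
        if vlan.split(".")[0] == master_interface:
            findings.append(f"VLAN {vlan} sits on the master's own interface")
    # Every VLAN must reference a defined resource; each customer gets exactly two.
    per_resource = Counter(plan["vlan_interfaces"].values())
    for vlan, res in plan["vlan_interfaces"].items():
        if res not in resources:
            findings.append(f"VLAN {vlan} references unknown resource '{res}'")
    for res in resources:
        if per_resource[res] != interfaces_per_firewall:
            findings.append(f"VLAN interface count for '{res}' is {per_resource[res]}, "
                            f"expected {interfaces_per_firewall}")
    # One Virtual Firewall per Virtual Resource, none left unused.
    used = Counter(plan["virtual_firewalls"].values())
    for res in resources:
        if used[res] != 1:
            findings.append(f"'{res}' is used by {used[res]} Virtual Firewalls")
    for fw, res in plan["virtual_firewalls"].items():
        if res not in resources:
            findings.append(f"'{fw}' references unknown resource '{res}'")
    return findings

print(audit_plan(PLAN) or "plan is consistent")
```

Assigning VLAN 1.3 to Customer 1 Virtual Resource by mistake produces two findings, one per affected customer, which is the kind of cross-customer slip worth catching before the policy refresh in steps 8 and 9.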