Example: deploying Virtual Firewalls for MSSP customers
An example of configuring Master NGFW Engines and Virtual Firewalls in an MSSP environment.
Company A is an MSSP (Managed Security Services Provider). Customer 1 and Customer 2 are customers of Company A. The customers each want one Virtual Firewall with two Physical Interfaces. The administrators at Company A decide to use their existing NGFW appliance as a Master NGFW Engine to host Virtual Firewalls for Customer 1 and Customer 2. Separate administrative Domains have already been configured for each customer. The engine already has a license that allows the creation of Virtual Resources.
The administrators at Company A:
- Create a Master NGFW Engine element in the Shared Domain.
- Create one Virtual Resource element for each customer’s Virtual Firewall and select the appropriate Domain for each Virtual Resource:
  Table 1. Virtual resources details

  | Virtual resource name | Domain |
  | --- | --- |
  | Customer 1 Virtual Resource | Customer 1 Domain |
  | Customer 2 Virtual Resource | Customer 2 Domain |

- Create the following Physical Interfaces on the Master NGFW Engine:

  Table 2. Physical interfaces details

  | Interface ID | Description |
  | --- | --- |
  | 0 | Physical Interface for the Master NGFW Engine’s own traffic |
  | 1 | Physical Interface for hosted Virtual Firewall traffic |

- Add an IPv4 address for each Master NGFW Engine node to Physical Interface 0.
- Add the following VLAN Interfaces to Physical Interface 1 and select the appropriate Virtual Resource for each VLAN Interface:
  Table 3. VLAN interfaces details

  | Interface ID | Virtual resource | Description |
  | --- | --- | --- |
  | VLAN 1.1 | Customer 1 Virtual Resource | VLAN Interface for the first Physical Interface on the Virtual Firewall for Customer 1 |
  | VLAN 1.2 | Customer 1 Virtual Resource | VLAN Interface for the second Physical Interface on the Virtual Firewall for Customer 1 |
  | VLAN 1.3 | Customer 2 Virtual Resource | VLAN Interface for the first Physical Interface on the Virtual Firewall for Customer 2 |
  | VLAN 1.4 | Customer 2 Virtual Resource | VLAN Interface for the second Physical Interface on the Virtual Firewall for Customer 2 |

- Create a Virtual Firewall element for each customer and select the appropriate Virtual Resource for each Virtual Firewall:
  Table 4. Virtual firewall details

  | Virtual firewall | Virtual resource |
  | --- | --- |
  | Customer 1 Virtual Firewall | Customer 1 Virtual Resource |
  | Customer 2 Virtual Firewall | Customer 2 Virtual Resource |

- Add IP addresses to the Physical Interfaces on the Virtual Firewalls.
- Refresh the policy on the Master NGFW Engine.
- Refresh the policy on the Virtual Firewalls.
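
The tenant separation in this scenario depends on every VLAN Interface selecting the right Virtual Resource, so it is worth checking the plan before the policy refresh. The following is an added example, not part of the original documentation and not an SMC API: the dictionary layout, `check_plan`, and `misassigned_plan` are hypothetical names, and the data is constructed from Tables 1 to 4.

```python
import copy
from collections import defaultdict

# Constructed plan mirroring Tables 1-4. The dict layout is an assumption for
# this example, not an SMC export format.
PLAN = {
    "virtual_resources": {  # Virtual Resource -> Domain
        "Customer 1 Virtual Resource": "Customer 1 Domain",
        "Customer 2 Virtual Resource": "Customer 2 Domain",
    },
    "vlan_interfaces": {  # VLAN Interface ID -> Virtual Resource
        "1.1": "Customer 1 Virtual Resource",
        "1.2": "Customer 1 Virtual Resource",
        "1.3": "Customer 2 Virtual Resource",
        "1.4": "Customer 2 Virtual Resource",
    },
    "virtual_firewalls": {  # Virtual Firewall -> Virtual Resource
        "Customer 1 Virtual Firewall": "Customer 1 Virtual Resource",
        "Customer 2 Virtual Firewall": "Customer 2 Virtual Resource",
    },
}

def check_plan(plan, per_firewall=2, master_interface="0"):
    """Return findings; an empty list means the plan matches the scenario."""
    findings = []
    resources = plan["virtual_resources"]
    vlans = defaultdict(list)
    for vlan, resource in plan["vlan_interfaces"].items():
        if vlan.split(".")[0] == master_interface:
            findings.append(f"VLAN {vlan} is on the Master NGFW Engine's own interface")
        if resource not in resources:
            findings.append(f"VLAN {vlan} selects unknown resource {resource!r}")
        vlans[resource].append(vlan)
    selected = list(plan["virtual_firewalls"].values())
    for resource, domain in resources.items():
        if domain == "Shared Domain":
            findings.append(f"{resource} is in the Shared Domain")
        if len(vlans[resource]) != per_firewall:
            findings.append(f"{resource} has VLANs {vlans[resource]}, expected {per_firewall}")
        if selected.count(resource) != 1:
            findings.append(f"{resource} is selected by {selected.count(resource)} Virtual Firewalls")
    return findings

def misassigned_plan():
    """PLAN with VLAN 1.3 wrongly selecting Customer 1's Virtual Resource."""
    bad = copy.deepcopy(PLAN)
    bad["vlan_interfaces"]["1.3"] = "Customer 1 Virtual Resource"
    return bad
```

`check_plan(PLAN)` returns an empty list, while `check_plan(misassigned_plan())` reports that Customer 1's Virtual Resource holds three VLAN Interfaces and Customer 2's holds one.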