
How to deploy Symantec Web Gateway on Cisco ASA 5520 with several contexts (virtual firewalls)

Created: 03 Apr 2010 • Updated: 22 Oct 2010 | 3 comments

I have government customers buying the SWG and need help to deploy the box inline
when the customer has 2-3 virtual firewalls on the same physical box (Cisco ASA 5520 with several contexts)
also sharing the same physical interfaces.

One of the interfaces on the Cisco ASA 5520 is a dedicated physical interface (native, e.g. no VLAN) connected to the ISP (Internet provider),
but the other 3 physical interfaces consist of several VLANs for servers, clients, DMZ for each virtual firewall.

So, the MGMT port of the SWG is OK, connected to a core switch in the MGMT VLAN.

I really don't know where to connect the LAN port and WAN port of the SWG.
Does the SWG understand VLANs? Or can it "see" all traffic for all VLANs?

Should I connect LAN to a port on the core switch and tag all client and server VLANs to this,
and then connect the WAN port to the core switch and untag the link net between all virtual firewalls?

Owe B. Robertsen


Sergi Isasi


Do the firewall and core switch share one dedicated interface for the virtual firewalls or are there separate interfaces? As you probably know, there is one pair of WAN/LAN on the SWG-8450 and two pairs on the SWG-8490. If we are talking 3 separate physical interfaces, you probably need multiple appliances. If it's just the one - there is a release update due out for SWG soon (v4.5.3) that will allow SWG to understand VLAN tagged traffic through the interfaces.

For detailed information, you should contact your Symantec Pre-Sales Systems Engineers and they can work with you to design the best solution possible.

Senior Product Manager - Web Gateway

Owe B. Robertsen

The problem is now:
The external firewall has a proxy in the DMZ, connected to VLAN100 on physical FE0/1.100.
All traffic from the core switch is also on several VLANs 1-99 on physical GE/0.
Also, all traffic from the client VLAN to the server VLAN is routed on the virtual external firewall.
So we don't want to inspect all traffic incl. backup jobs through the Web Gateway appliance.

Looks like we only have one way to do this:
redesign the internal network, and establish a new external firewall with a linknet between the other firewalls.
Then with native VLAN, e.g. all traffic going from the internal firewalls will be routed on the LAN interface on the SWG,
and the WAN interface on the SWG will go to the inside on the external firewall (and will then see all inside IPs).

How do we get the upcoming 4.5.3 version (or an early release of 4.6)?

Owe Bernt 

Sergi Isasi

Owe - are you planning on installing SWG on a trunk interface?

Senior Product Manager - Web Gateway