Virtual Secure Web Gateway

  • 1.  management and inline config

    Posted Nov 15, 2011 03:24 PM

    Hello,

    Need some explanation on these settings. I think I'm not understanding them correctly.

    I am deploying SWG in inline mode, with the 2 IP configuration. I have a few VLANs in my network: 192.168.3.0/24, 192.168.4.0/24, 192.168.5.0/24

    1) Management port - does it need to have a working IP address assigned to it? If I want to add my SWG as an entry in the DNS server with IP address 192.168.14.152, does this IP need to be assigned to the management IP or the inline network's IP?

    2) I'm connecting SWG as SWITCH -> SWG -> FIREWALL. Initially switch port no. 12 is connected directly to the firewall. Then if I install SWG, will it be my management port or LAN port that will connect to this switch port no. 12?

    3) In the 2 IP configuration, MUST I connect my management port to the LAN switch? What will happen if I do not connect it? Will users be able to access the Internet?

    4) Static route - all the vlans are connected to switch A (192.168.4.130). Is this the correct way to define my static route?

    Static route 1
    Destination: 192.168.3.0
    Netmask: 255.255.255.0
    Gateway: 192.168.4.130

    Static route 2
    Destination: 192.168.4.0
    Netmask: 255.255.255.0
    Gateway: 192.168.4.130

    Sorry for the very long questions.

    Thank you very much.



  • 2.  RE: management and inline config

    Posted Nov 15, 2011 03:50 PM

    The management port does not require an IP, but it is suggested it be attached to the internal/LAN switch. If you run with only one IP address, the IP will be active on the LAN/WAN ports if the SWG is enabled and not in bypass mode; if the LAN/WAN ports go into bypass mode or the SWG services are disabled, the IP address moves to the management port. If the management port is not connected with two IPs configured, you will not be able to access the Web UI on the management interface.

    The LAN port should be connected to the switch where the firewall was previously connected, then firewall to the WAN port.

    I do not know your network to state with certainty if your static routes are correct. But if the SWG is on the 192.168.1.0 network and needs to communicate with a server on the 192.168.3.0 network, what would be the gateway address used to do so? Static routes are not needed for same-network communication: if the SWG is on the 192.168.1.0 network and the machine it is attempting to communicate with is on the 192.168.1 network as well, no static route is needed.
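
The reasoning in the reply above (a static route is unnecessary for the appliance's own subnet, and its gateway has to be an address the appliance can reach directly) can be checked mechanically. The following is an added example, not part of any post in this thread or of the product: the function name and the two appliance interface addresses (192.168.4.10/24 and 192.168.1.10/24) are constructed assumptions, while the two routes are the ones from the question.

```python
import ipaddress

def check_static_routes(interface, routes):
    """Classify (destination, netmask, gateway) routes for an appliance whose
    inline interface is `interface`, e.g. "192.168.4.10/24" (assumed value)."""
    iface = ipaddress.ip_interface(interface)
    results = []
    for dest, mask, gw in routes:
        # strict=True raises ValueError if the destination has host bits set
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=True)
        gateway = ipaddress.ip_address(gw)
        if gateway not in iface.network:
            # The next hop must sit on the directly connected subnet
            verdict = "gateway-not-on-link"
        elif net.subnet_of(iface.network):
            # Destination is the appliance's own subnet: no route needed
            verdict = "redundant-on-link"
        else:
            verdict = "ok"
        results.append((str(net), gw, verdict))
    return results

# Routes as posted in the question
ROUTES = [
    ("192.168.3.0", "255.255.255.0", "192.168.4.130"),
    ("192.168.4.0", "255.255.255.0", "192.168.4.130"),
]

if __name__ == "__main__":
    # Constructed interface addresses: one on the switch's subnet, one not
    for iface in ("192.168.4.10/24", "192.168.1.10/24"):
        print(iface)
        for net, gw, verdict in check_static_routes(iface, ROUTES):
            print(f"  {net} via {gw}: {verdict}")
```
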



  • 3.  RE: management and inline config

    Posted Nov 15, 2011 04:29 PM

    If I choose the 2 IP configuration, will SWG still work if I do not connect the management port to the network?

    The implementation guide states: "The management port must have access to the following:
    ■ Domain Name Server (DNS)
    ■ Access to the required Internet services
    See “Ports and settings that Symantec Web Gateway uses” on page 35.
    ■ Domain controller (for authentication)"

    The management interface IP in the Web UI, is it the IP for the management port? Or is it a different thing? (sorry if this sounds silly)

    I have read somewhere in this forum that the static route gateway is the IP address 1 hop away on the SWG LAN side. It sounds like it is the switch/router IP. If I wrongly configured the static route, will users still be able to access the internet?

     

    Thank you.



  • 4.  RE: management and inline config
    Best Answer

    Posted Nov 15, 2011 04:49 PM

    Static route gateway(s) are dependent upon your network and the configuration of your network equipment etc. If you are using inline mode and the static route configuration is incorrect, the users still have internet access, but block pages will not display properly.

    To test your static routes you can use the ping test feature and attempt to ping a machine on one of the other subnets; if the ping fails, the static route to that network is likely the issue.

    Typically the default gateway for the inline IP address should be the firewall/router.

    You should be able to access the Web UI via either the Inline IP or the Management IP.

     

     



  • 5.  RE: management and inline config

    Posted Nov 15, 2011 10:38 PM

    That's a lot clearer now. I'm having a problem with the SWG I deployed as above. I did not connect the management port to the network, and the ping test from the LAN/WAN port to the inline default gateway IP address failed. I could not ping the SWG from the internal network either.

    I thought it's because I did not connect the management port. Now I can try another method to make my SWG work.