Virtual Secure Web Gateway

  • 1.  Planning installation questions

    Posted Sep 21, 2011 07:23 AM

    Hi to all,


    We have a failover-cluster checkpoint firewall. Each node connects to different switch (in the same LAN of course) and everybody uses the virtual IP of the cluster as a gateway. We want to use Inline+Proxy operations mode in the SWG.


    1. How many SWGs do we need?

    2. If we need 2 SWGs, is there a possibility to work as a cluster, in order to have high availability?


    We do not have external proxies. I did a test in my lab and connected the WAN int on a switch and the LAN int to another switch, both in the same subnet. I lost every network traffic until I disconnected the WAN int!!! I assume that we need to connect the WAN int directly to the firewall and not in a switch which talks with the other switches of the LAN. Am I right?


    Thank you in advance. 



  • 2.  RE: Planning installation questions

    Posted Sep 21, 2011 08:00 AM

    Hi,

    I assume you are talking about a hardware appliance, not VM, right? For VM, proxy only and tap modes are recommended.

    It seems you have one default gateway for all the hosts so 1 SWG would do. SWG does not have clustering capability yet.

    Inline + proxy mode requires you to have 2 IP addresses in different subnets, one for the MGMT interface and another for the Inline + Proxy interface; this is a SWG requirement.

    You can indeed bring the net down with the wrong cabling.

    If your environment suits, I'd try Inline + Proxy. Have a look at the pdf documentation that comes with SWG and check this article.

    HTH,

    Federico



  • 3.  RE: Planning installation questions

    Posted Sep 21, 2011 08:13 AM

    Hi Federico,

    Yes I am talking about an appliance. What you have missed is that we have 2 firewall appliances, working in cluster mode. Each node is connected to a different switch and those switches are interconnected. So, where do I plug the SWG? Maybe I need 2 SWGs? 

    Is it true that I have to connect the WAN int directly to the firewall?



  • 4.  RE: Planning installation questions

    Posted Sep 21, 2011 10:08 AM

    Hi,


    One way is to add a switch in-between, so it would be:

    2 switches <--- 2 cables ---> in-between switch <--- 1 cable ---> SWG

    Would that work?

    Federico



  • 5.  RE: Planning installation questions

    Posted Sep 21, 2011 02:28 PM

    The SWG does not need to be attached to the WAN port of the firewall directly; so long as the WAN port faces the firewall and the clients are all on the LAN port of the switch, the traffic will get seen. So Switch <---> SWG <---> Switch <---> Firewall is okay, but if any traffic occurs on the switch between the SWG and firewall, the SWG will not be able to monitor or block it.

    Also the 8490 appliance has two WAN/LAN port pairs which could go from each switch to their corresponding firewall.

    Switch 1 <---> SWG <---> FW1

    Switch 2 <---> SWG <---> FW2



  • 6.  RE: Planning installation questions

    Posted Sep 22, 2011 05:55 AM

    Unfortunately no, Federico. This creates a single point of failure on a fully redundant environment. Thanks anyway for your help.



  • 7.  RE: Planning installation questions

    Posted Oct 04, 2011 10:35 AM

    This is a good question and one I've never managed to get answered properly. We have a client that currently has a single Firewall (also running as a proxy) and they also have a single inline SWG behind that running as a content filter. They are implementing a clustered Firewall pair and wish to remove the firewall/proxy and add the v5 proxy functions from the SWG, but this leaves them with a single point of failure and also complexity issues if they fail over the Firewalls and/or switches.

    What we are doing for them is implementing two inline + proxy SWGs managed by a Control Centre SWG running on their ESX environment. This gives them manageability and removes the single point of failure.

    I have to stress we haven't done it yet, but this seems like the sensible (if more expensive) option. SWGs are licensed by users or site, I believe, so there's no extra licensing cost, just the upfront hardware and support, which in this case was affordable in the overall get-well plan for the network.

    I really hope that clustering gets added at some point but given that the proxy was delivered almost two years "late" I won't be holding my breath.