Virtual Secure Web Gateway

  • 1.  How to deploy Symantec Web Gateway on Cisco ASA 5520 with several context (virtual firewalls)

    Posted Apr 03, 2010 01:34 PM
    Hi.
    I have government customers buying the SGW and need help deploying the box inline
    when the customer has 2-3 virtual firewalls on the same physical box (Cisco ASA 5520 with several contexts),
    also sharing the same physical interfaces.

    One of the interfaces on the Cisco ASA 5520 is a dedicated physical interface (native, e.g. no VLAN) connected to the ISP (Internet provider),
    but the other 3 physical interfaces consist of several VLANs for servers, clients and DMZ for each of the virtual firewalls.

    So, MGMT port of SGW is ok, connected to a core switch in the MGMT VLAN and is ok.

    As for the LAN port and WAN port of the SGW, I really don't know where to connect them.
    Does the SGW understand VLANs? Or can it "see" all traffic for all VLANs?

    Should I connect LAN to a port on the core switch and tag all client and server VLANs to this,
    and then connect the WAN port to the core switch and untag the link net between all virtual firewalls?

    Regards
    Owe B. Robertsen


  • 2.  RE: How to deploy Symantec Web Gateway on Cisco ASA 5520 with several context (virtual firewalls)

    Posted Apr 07, 2010 06:19 PM
    Owe,

    Do the firewall and core switch share one dedicated interface for the virtual firewalls, or are there separate interfaces? As you probably know, there is one pair of WAN/LAN on the SWG-8450 and two pairs on the SWG-8490. If we are talking 3 separate physical interfaces, you probably need multiple appliances. If it's just the one - there is a release update due out for SWG soon (v4.5.3) that will allow for SWG to understand VLAN tagged traffic through the interfaces.

    For detailed information, you should contact your Symantec Pre-Sales Systems Engineers and they can work with you to design the best solution possible.


  • 3.  RE: How to deploy Symantec Web Gateway on Cisco ASA 5520 with several context (virtual firewalls)

    Posted Apr 14, 2010 07:09 AM
    The problem is now:
    the external firewall has a proxy in the DMZ, connected to VLAN100 on physical FE0/1.100;
    all traffic from the core switch is also on several VLANs 1-99 on physical GE/0.
    Also, all traffic from the client VLAN to the server VLAN is routed on the virtual external firewall.
    So we don't want to inspect all traffic, incl. backup jobs, through the Web Gateway appliance.

    It looks like we only have one way to do this:
    redesign the internal network and establish a new external firewall with a linknet between the other firewalls.
    Then, with native VLAN, e.g. all traffic going from the internal firewalls will be routed on the LAN interface of the SWG,
    and the WAN interface of the SWG will go to the inside of the external firewall (and will then see all inside IPs).

    How to get the upcoming 4.5.3 version (or an early release of 4.6)?

    Regards
    Owe Bernt

  • 4.  RE: How to deploy Symantec Web Gateway on Cisco ASA 5520 with several context (virtual firewalls)

    Posted Apr 21, 2010 02:05 PM

    Owe - are you planning on installing SWG on a trunk interface?