Switch to a juniper firewall
Hi,
We have a 3750 as core switch with critical Oracle servers (production & development) connected to it. The goal is to have these servers behind a firewall, which is to be done by logically routing the traffic towards the device.
Now, we need to connect the 3750 to two Juniper SRX firewalls physically. The Oracle server VLAN will be removed from the 3750 and the same layer 3 VLAN will be created on the Juniper firewall. How do I connect the 3750 to the two Junipers?
What configurations will be involved, on a logical basis? I understand this is a Cisco forum, but any logical ideas will be helpful.
Thanks.
Bleh Juniper lol, anyway I'm assuming you already have the firewalls connected to the 3750. So in that case why remove the Oracle server VLAN from the 3750 and add it to the Juniper?
Leave it on the core, add an interface on the Juniper firewall for that VLAN. Connect that interface to the same VLAN on the 3750 and make the firewall interface IP the default gateway on your Oracle servers.
Note: I would first test this scenario out. For example, pick a completely separate IP scheme and set up a VLAN on the 3750, then set up the interface on the firewall, connect it to the switch, and have a test server or computer connect to the same VLAN on the switch with the firewall interface as its gateway.
Similar Messages
-
Dataguard Configuration under Juniper Firewall
Dear Friends ,
We are using Oracle Database 11g with Oracle Enterprise Linux 5.8. We are using active Dataguard in this system. Recently we deployed firewalls on both the PRIMARY and STANDBY ends. We are using a Juniper firewall device. After deployment of the Juniper firewall on the STANDBY end, we observe that Dataguard replication is not performed; I mean the logs of the PRIMARY server are not transmitted to the STANDBY end.
Is there any recommendation for using a firewall device with DATAGUARD?
How can I resolve this Dataguard replication problem under the firewall? The firewall is simply placed on top of the STANDBY database. Nothing is configured in the firewall; I mean all ports are open and no rules are applied yet.
Before the firewall, redo was transmitted successfully, but after placing the firewall it is not working.
It means you agree the firewall is blocking the transmission and it also means that ports are blocked.
On top of what has been said -
Check the connectivity to the Standby from the Primary as SYSDBA.
Check the Primary database & Standby database alert logs.
Pradeep -
All,
When I try to open a website I get a request timed out after a few minutes. I have done a Wireshark capture but am unable to identify the problem; in particular the URL /timetracking/home.asp is not working. Can you help out here? Please find attached the capture from source to destination and vice versa.
Thanks in advance.
Yes, I tried that. It did not work for me.
I have 4 site collections. The main site collection is the only one that I receive the error.
When the user clicks on the email link and opens the document for approval, they receive the following error when they click on "Open This Task".
Element '{http://www.w3.org/1999/xhtml}a is unexpected according to content model of
parent element '{http://schemas.microsoft.com/office/infopath/2009/WSSList/dataFields}Body'.
There is nothing wrong with the task list itself, just the link from the Office 2010 client.
I am wondering if there is a web.config or other file on the server that is specific to the site collection?
Tracey -
LAN and wireless do not communicate
Dear support,
I have a Cisco router and a Juniper firewall, which allow me to connect to the internet.
Internally, after the firewall, I connect it to switches and a wireless AP.
Both the switch and the wireless AP must be able to talk to each other when a user PC connects to the LAN via the switch or to WiFi via the wireless AP.
My switch is a Cisco 2960, and the AP is an AP1142N.
I have an application on an iPhone, called Media Remote, that lets me remote control my music device.
The iPhone connects using WiFi.
The music device connects using the switch.
Cisco router ------ Juniper firewall ------ Catalyst 2960 ----------- AP1142N . . . . IPhone
|
|
|
Music device
In the above scenario, my iPhone is not able to detect the music device.
Cisco router ------ Juniper firewall ------ Catalyst 2960 ---------Hub ----------- AP1142N . . . . IPhone
|
|
|
Music device
I don't understand why, if I use any brand of hub, for example 3Com, Belkin, Buffalo, etc., used only as a hub and just connected to my Cisco switch, both the music device and the AP1142N are able to talk (the iPhone is able to find my music device).
If I replace the hub with a Cisco switch and use it with default settings, it is not able to detect it.
For the connection to the hub I am using an access port, as we only have one VLAN.
My configuration for my switch and wireless AP is as below.
I wonder why only a normal hub lets these two devices communicate, but the Cisco does not.
Thanks
Thanks a lot.
I already enabled IGMP on the switch.
When I show igmp snooping on the switch:
Vlan4:
IGMP snooping : Enabled
IGMPv2 immediate leave : Disabled
Multicast router learning mode: pim-dvmrp
CGMP interoperability mode : IGMP-ONLY
Robustness variable :2
Last member query about :2
Last member query internal : 1000
Both VLAN 1 and VLAN 4 are the same.
I already tried enabling IGMP on the firewall side as well (Juniper SSG140),
but it still does not work. Can anyone help? -
Firewall reverse routing issue:
Dear Friends,
I am using an ASA 5505 with base license and the ISP connected directly to the firewall, while the L3 switch is also connected through the firewall.
My configuration is:
ASA Version 7.2(4)
hostname CiscoFirewall03316
domain-name default.domain.invalid
enable password Ko5SCsPM2YQ1wt2G encrypted
passwd Ko5SCsPM2YQ1wt2G encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 10.192.32.11 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 112.23.24.25 255.255.255.248
interface Vlan10
no nameif
security-level 90
ip address 192.168.0.3 255.255.240.0
interface Vlan50
no nameif
security-level 80
ip address 10.195.32.15 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 10
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 50
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone IST 5 30
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 121.242.190.181
name-server 121.242.190.210
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list in_out extended permit ip any any
access-list out_in extended permit ip any any
access-list out_in extended permit ip any 112.23.24.25 255.255.255.248
access-list cisco_splitTunnelAcl standard permit 0.0.0.0 255.255.255.0
access-list cisco_splitTunnelAcl_1 standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ciscouser 10.10.10.240-10.10.10.249 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group in_out in interface inside
access-group out_in in interface outside
route inside 192.168.0.0 255.255.240.0 192.168.0.2 1
route outside 0.0.0.0 0.0.0.0 112.23.24.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.192.32.0 255.255.255.0 inside
http 112.23.24.0 255.255.255.248 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.192.32.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet 112.23.24.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server none
vpn-tunnel-protocol l2tp-ipsec
group-policy cisco internal
group-policy cisco attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl_1
username test password tFqxsrS5ErBk4STW encrypted privilege 0
username test attributes
vpn-group-policy cisco
username admin password V5OS2TRb/vQZ7oZ9 encrypted
username ciscouser password 6aU35/UOvPoumpKWCFYSig== nt-encrypted privilege 0
username ciscouser attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
address-pool ciscouser
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map type inspect im Google
parameters
match protocol msn-im yahoo-im
drop-connection log
service-policy global_policy global
prompt hostname context
Cryptochecksum:a883391680fa205ee31f05881761958c
: end
Everything is running fine on VLAN 1, but VLAN 10 is not working from the user end; there is no ping from inside of 192.168.0.2.
Please advise me. Thanks
There are 2 conflicting configurations:
interface Vlan10
no nameif
security-level 90
ip address 192.168.0.3 255.255.240.0
and "route inside 192.168.0.0 255.255.240.0 192.168.0.2 1"
How do you want to connect VLAN 10? Is it on its own interface on the firewall? If it is, then you would need to configure a name for it via the nameif command and remove the above route inside.
If it is going to be a routed subnet via the inside interface, then the above route needs to be modified as follows:
route inside 192.168.0.0 255.255.240.0 10.192.32.x
--> 10.192.32.x needs to be the next hop which is your L3 switch vlan 1 interface ip
and you would also need to shut down interface vlan 10 on the ASA and remove the IP address. -
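The conflict the reply points out (an interface holding an IP in a subnet that a static route also sends out a different interface, on an interface with no nameif) is easy to miss in a long ASA config. The following is an added example, not from the thread or from Cisco: a small config linter that flags both problems on an excerpt modelled on the posted config, and shows the excerpt clean after the reply's fix is applied (the next hop 10.192.32.2 is a constructed stand-in for the "10.192.32.x" the reply leaves open).

```python
import ipaddress
import re

# Constructed excerpt modelled on the ASA 7.2 config posted in the thread above.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.192.32.11 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 112.23.24.25 255.255.255.248
interface Vlan10
 no nameif
 security-level 90
 ip address 192.168.0.3 255.255.240.0
route inside 192.168.0.0 255.255.240.0 192.168.0.2 1
route outside 0.0.0.0 0.0.0.0 112.23.24.25 1
"""

# The same excerpt after the reply's fix: VLAN 10 shut down with no IP, and the
# route pointed at the L3 switch's VLAN 1 address (10.192.32.2 is a placeholder).
FIXED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.192.32.11 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 112.23.24.25 255.255.255.248
interface Vlan10
 no nameif
 shutdown
route inside 192.168.0.0 255.255.240.0 10.192.32.2 1
route outside 0.0.0.0 0.0.0.0 112.23.24.25 1
"""

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?$")


def parse_interfaces(config):
    """Map interface name -> {'nameif': str|None, 'network': IPv4Network|None}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"nameif": None, "network": None}
        elif current is None:
            continue
        elif line.startswith("nameif "):
            interfaces[current]["nameif"] = line.split(None, 1)[1]
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()[:4]  # ASA mask form, e.g. 255.255.240.0
            interfaces[current]["network"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line.startswith("route "):
            current = None  # top-level command: the interface section is over
    return interfaces


def parse_routes(config):
    """Collect static routes as dicts; metric defaults to 1 as on the ASA."""
    routes = []
    for raw in config.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if m:
            nameif, dest, mask, nexthop, metric = m.groups()
            routes.append({"nameif": nameif, "next_hop": nexthop, "metric": int(metric or 1),
                           "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False)})
    return routes


def find_conflicts(config):
    """Return one finding per static route whose destination overlaps a connected
    subnet on a *different* interface, plus one per addressed interface lacking a nameif."""
    interfaces, findings = parse_interfaces(config), []
    for route in parse_routes(config):
        if route["network"].prefixlen == 0:
            continue  # a default route legitimately overlaps everything
        for ifname, data in interfaces.items():
            net = data["network"]
            if net is None or data["nameif"] == route["nameif"]:
                continue
            if route["network"].subnet_of(net) or net.subnet_of(route["network"]):
                findings.append(f"route {route['nameif']} {route['network']} via {route['next_hop']} "
                                f"overlaps {ifname} ({net}, nameif={data['nameif']})")
    for ifname, data in interfaces.items():
        if data["network"] is not None and data["nameif"] is None:
            findings.append(f"{ifname} has ip address {data['network']} but no nameif; it cannot pass traffic")
    return findings
```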
Branch office setup with L3 switch and router with IOS security
Hello,
I am in the process of putting together a small branch office network and I am in need of some design advice. The network will support about 10-15 workstations/phones, 3-4 printers, and 4-5 servers. In addition we will eventually have up to 25-30 remote users connecting to the servers via remote access VPN, and there will also be 2-3 site-to-site IPSec tunnels to reach other branches.
I have a 2911 (security bundle) router and 3560 IP Base L3 switch to work with. I have attached a basic diagram of my topology. My initial design plan for the network was to set up separate VLANs for workstation, phone, printer, and server traffic. The 3560 would then be set up with SVIs to perform routing between VLANs. The port between the router and switch would be set up as a routed port, and static routes would be applied on the switch and router as necessary. The thought behind this was that I'd be utilizing the switch backplane for VLAN routing instead of doing router-on-a-stick.
Since there is no firewall between the switch and router my plan was to set up IOS firewalling on the router. From what I am reading ZBF is my best option for this. What I was hoping for was a way to set custom policies for each VLAN, but it seems that zones are applied per interface. Since the interface between the router and switch is a routed interface, not a trunk/subinterface(s), it doesn't seem like there would be a way for me to use ZBF to control traffic on different VLANs. From what I am gathering I would have to group all of my internal network into one zone, or I would have to scrap L3 switching altogether and do router-on-a-stick if I want to be able to set separate policies for each VLAN. Am I correct in my thinking here?
I guess what I am getting at is that I really don't want to do router-on-a-stick if I have a nice switch backplane to do all of the internal routing. At the same time I obviously need some kind of firewalling done on the router, and since different VLANs have different security requirements the firewalling needs to be fairly granular.
If I am indeed correct in the above thinking what would be the best solution for my scenario? That is, how can I setup this network so that I am utilizing the switch to do L3 routing while also leveraging the firewall capabilities of IOS security?
Any input would be appreciated.
Thanks,
Austin
Thanks for the input.
1. I agree, since I have only three to four printers, they need not be in a separate VLAN. I simply was compartmentalizing VLANs by function when I initially came up with the design.
2. Here's a little more info on the phone situation. The phones are VoIP. The IP PBX is on premise, but they are currently on a completely separate ISP/network. The goal in the future is to converge the data and voice networks and setup PBR/route maps to route voice traffic out the voice ISP and data traffic out the other ISP. This leads up to #3.
3. The reason a router was purchased over a firewall was that ASAs cannot handle routing and dual ISPs very well. PBR is not supported at all on an ASA, and dual ISPs can only be set up in an active/standby state. Also, an ASA Sec+ does not have near the VPN capabilities that the 2911 security does. The ASA Sec+ would support only 25 concurrent IPSec connections while the 2911 security is capable of doing upwards of 200 IPSec connections.
Your point about moving the SVI's to a firewall to perform filtering between VLANs makes sense, however, wouldn't this be the same thing as creating subinterfaces on a router? In both cases you are moving routing from the switch backplane to the firewall/routing device, which is what I am trying to avoid. -
Edge Inspect works great except localhost pages being blocked by firewall
Hi,
I switched the Windows 7 firewall off and the localhost pages show up in the Edge Inspect app on the iPhone 4, so then I tried to re-configure the firewall, namely allowing Edge Inspect, Bonjour, and Mobile Device related rules, but the localhost pages are still being blocked.
Any help with how to re-configure the Windows firewall for much more Edge Inspecting would be appreciated!
Kind Regards,
Andy
Hi saumishr,
I have placed the following rules both inbound and outbound to allow both Edge Inspect and Bonjour to use 7682 for all domains using the TCP protocol. (Is that the correct protocol?)
After applying these rules though the firewall still blocks Edge Inspect.
I appreciate your help. Thank you -
Question on best practice for NAT/PAT and client access to firewall IP
Imagine that I have this scenario:
Client(IP=192.168.1.1/24)--[CiscoL2 switch]--Router--CiscoL2Switch----F5 Firewall IP=10.10.10.1/24 (only one NIC, there is not outbound and inbound NIC configuration on this F5 firewall)
One of my users is complaining about the following:
When clients receive traffic from the F5 firewall (apparently the firewall is doing PAT, not NAT), the client sees IP address 10.10.10.1.
Do you see this as a problem? Should I make another IP address range available and do NAT properly so that clients will not see the firewall IP address? I don't see this situation as a problem, but please let me know if I am wrong.
Hi,
Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for the local and global addresses.
This feature lets you identify the same global address across many different static statements, so long as the port is different for each statement (you CANNOT use the same global address for multiple static NAT statements).
For example, if you want to provide a single address for global users to access FTP, HTTP, and SMTP, but these are all actually different servers on the local network, you can specify static PAT statements for each server that use the same global IP address but different ports.
And for PAT you cannot use the same pair of local and global addresses in multiple static statements between the same two interfaces.
Regards
Bjornarsb -
Oracle Standby setup for firewall
Hi,
Recently one of my clients separated their primary and standby databases with a Juniper firewall. After the activity, some primary database servers were unable to ship the archives, whereas some of the primary databases were shipping the archives but the archives at the standby site were getting corrupted.
Telnet from both sides works properly.
telnet <ip_address> <listener_port>-----------------------> works fine
My question is:
Is there any recommended setting for Juniper Network firewall, which can be used for Oracle databases?
What are the ports which need to be opened for a standby to work? (Apart from opening ports, is there any other setting which can hinder a physical-standby setup?)
Regards,
Hello;
Make sure SQL ALG is enabled.
"set alg sql ena" to enable it.
Connect Oracle Behind a Firewall
http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/oracle-behind-firewall/td-p/23096
Might also be of interest
http://forums.juniper.net/t5/SRX-Services-Gateway/sqlnet-protocol-and-Oracle-10-problems/td-p/34684
Best Regards
mseberg
Edited by: mseberg on May 7, 2012 12:17 PM -
WLC 4402, LAP1242AG APs and Layer 2 Switch Network Design
Hi Every One,
I am a new designer in wireless technology. During design I came across a confusing/complex existing topology which I have to integrate with a WLC 4402, as below;
Existing:
1: I have 12 switches, all in VTP mode server, all in a single VLAN 1 with a single subnet 192.168.0.0/24. All user ports are in this single VLAN 1.
2: All of these are old switches, including 2950G, 350GXL, 4912.
3: All the switches' gateway is the PIX firewall (192.168.0.1).
To Do:
1: I have to implement 1 x WLC 4402 and 22 x LAP1242AG access points.
2: The WLC will be connected to the 350GXL or 4912 through fiber.
3: Access points will be connected to all other 20 switches randomly.
Confusion:
1: In my design I created a separate VLAN 450 for WLC and AP management. But this is not doable in the current setup because all the switches are in VTP mode server. Also the gateway is the firewall, which would require configuration on all existing switches + the PIX. (I DON'T WANT TO GO FOR THIS OPTION.)
2: To make my work easy, is it possible to put the WLC and APs in the same VLAN 1 (192.168.0.0/24) that is currently used by the existing switches? The gateway for the WLC and APs will be the PIX (192.168.0.1).
3: I tried to search Cisco examples, but in every example Cisco has made a separate VLAN for WLC/AP management. So will point 2 work?
4: Do I require any specific changes for this?
5: ANY OTHER DESIGN SUGGESTION?
Please find the attached diagram for more information.
Thanks for the reply.
1: You mean that the switch port config will be as below;
int g0/10
description connected to WLAN Controller
switchport mode access
switchport access vlan 1
int g0/23
description connected to AP
switchport mode access
switchport access vlan 1
So below will be the summary of the config:
All switches, WLC, APs, wireless users and wired users will be in the same subnet (192.168.0.0/24). Is it ok?
2: What do you mean by VTP config? Please clarify.
As I mentioned, all switches are in VTP mode server. The VTP domain name is configured on 12 out of 15 switches. Do I need to configure the same VTP domain name on all switches? Do I also have to check the VTP password? -
Batch Monitor and the Mac OS X Firewall
This is more or less what people have been saying for a few years now, "When I use Compressor the Mac OS X firewall repeatedly asks permission to allow incoming connections for the Batch Monitor! Why?!?!"
No matter how many times you click to approve or deny, the firewall alert reappears every five to twenty seconds. There seem to be many, many people with this problem. So far, the only solutions are to:
1) Shut off the Mac OS firewall
2) Switch the Mac OS firewall to "Allow only essential services" every time I want to use Compressor (a cumbersome solution at best)
3) Keep clicking the buttons
4) Don't use Compressor
While some might argue that Compressor is a poor substitute for a real video conversion utility, for the vast majority of users, it's the only game in town.
So, dear Apple, I humbly beg you on behalf of the literally thousands of users who deal with this problem, please either create a solution or suggest one.
I'm still on Final Cut 6 and Compressor 3. So, if anyone knows that the latest release solves this issue, I'd love to hear it.
I'm dealing with this same problem and have actually noted that you are correct about the YEARS, because I found this problem posted December 6, 2007:
http://discussions.apple.com/message.jspa?messageID=6563672
It's unfortunate that a 'bad taste' was left after that reply from the guy who called you a 'nitwit' - I didn't even pay attention to his name - at least you have one, demiankz - and took the time to start this post. I humbly thank you.
At any rate, I was determined to find out - because I have always been struggling to 'Allow' it and last night I decided to 'block' it.
Does anyone know what is the right setting?
Also - one work around that has been working for me is this:
1) When the popup comes up (leave it up), open the firewall and unlock the settings padlock at the bottom left (if it is locked).
2) Find Batch Monitor and, whatever the setting is, force a toggle, i.e. if it is "allow" select "block" and vice versa, then back to whatever you desire it to be. Just to force it to recognize you are changing it.
3) NOW answer the popup to match whatever you toggled to in the firewall.
4) Lock the padlock again.
I've compressed a lot of jobs and I notice once I perform this it goes away for my entire job, provided I leave it alone until it finishes.
If you do something like browse the internet or work on other things, the message tends to pop up again.
Of course, after your job finishes, you will have to do this again - and that's why I wish people would keep responding to this post until we get an answer.
Persistence causes results. Negativity just causes - well, just ignore that.
At least attempt to be helpful, which I felt I have tried. It may work, it may not, or it may cause someone to recognize what the real problem is.
Good luck and hope we get an answer soon!
Message was edited by: Jonefer
-
IPSEC Tunnel between JUNIPER (SSG 20) and CISCO PIX 501
I have successfully established an IPSEC tunnel with a Juniper firewall using a Cisco PIX 501 (version 6.3). The problem I am facing: I have network layer connectivity, but after a time interval I am not able to send traffic to the destination IP address on a specific port, though I can successfully PING the destination IP. On both firewalls the IPs are permitted for all ports.
Dear Mr.
The same problem has occurred with me. -
Hello,
While trying to figure out why some of the ports that I had set to forward were not forwarding I did two things:
1) Placed the PC that I was having "bother" with in the "DMZ" zone
2) Switched off (disabled) the firewall in my HH2.
Running two different "port scan" programs from the Internet showed that there was no response (timeout) from my IP address, which incidentally changed each time I went from "DMZ" to not "DMZ".
Does this mean that the DMZ and FIREWALL on my HH do absolutely nothing? So it doesn't matter what setting you have.
Or does it mean that the port scan programs are giving a false sense of security?
I'd be interested to hear from anyone who has some experience of this.
I have a question regarding the location of the (Oracle) application server in front of or behind the firewall:
The router to be used has a firewall function built in. Now if I place the (Oracle) application server behind this firewall, can the public users still access this (web) app server (even through this firewall)? If so, what parameters should I generally configure?
In the DMZ you should put the web server (Apache + Web Cache) and behind the firewall a middle tier with the other components of iAS (depending on what you want). -
Conversion from Juniper Configuration to Cisco Config
Hi,
I have a Juniper firewall config of 32,000 lines. I want to convert this into Cisco ASA v8.3. Is there any Perl script available which can do that for me?
regards,
Mohsin
The first question is if you are migrating a ScreenOS config or a JunOS config. If you are migrating a ScreenOS config, the process is rather simple and can be done with the use of Notepad/Word to do search-and-replaces for key words and Excel for re-ordering columns (ScreenOS puts the permit after the services, we put it before the services, etc.). I have helped with a few migrations myself using this process and have found it much more reliable than even Juniper's ScreenOS to JunOS tool. (Perhaps because it is a firewall-firewall migration, as opposed to a firewall-router migration.) Your account team can provide you with documentation to support this process.
Now, if you are migrating a JunOS config to an ASA config, there are also tricks that allow you to do it. However, it is not as straight forward as the JunOS config looks very different. This process is most efficiently done using the output of some show commands rather than the config itself. In this case, I would strongly recommend you contact your account team for more details.
In either case, welcome to Cisco's firewalls. I am sure you will feel like one who has emerged from black and white movies to technicolor!!
Maria -
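The column re-ordering Maria describes (ScreenOS puts the action after the zones, addresses and service; the ASA puts it right after "extended" and spells the service out as protocol and port) is mechanical enough to script. The following is an added example, not from the thread or from either vendor: it translates a constructed ScreenOS address book and policy excerpt into ASA access-list lines, with the assumptions that each ScreenOS zone maps to an ASA interface of the same name (so policies from zone X land in an ACL named X_access_in) and that SERVICES is a deliberately short stand-in for the full ScreenOS predefined-service list.

```python
import re

# Constructed ScreenOS excerpt for the demonstration (not from the thread).
SCREENOS_SAMPLE = """\
set address "trust" "Web-Server" 10.1.1.10 255.255.255.255
set address "trust" "LAN" 10.1.0.0 255.255.0.0
set policy id 1 from "trust" to "untrust" "LAN" "Any" "HTTP" permit
set policy id 2 from "untrust" to "trust" "Any" "Web-Server" "HTTPS" permit log
set policy id 3 from "trust" to "untrust" "Any" "Any" "ANY" deny
"""

# Assumption: a tiny service table; a real migration needs the complete
# ScreenOS predefined-service list (and custom services) mapped the same way.
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "DNS": ("udp", 53), "ANY": ("ip", None)}

ADDRESS_RE = re.compile(r'^set address "([^"]+)" "([^"]+)" (\S+) (\S+)$')
POLICY_RE = re.compile(
    r'^set policy id (\d+)(?: name "[^"]*")? from "([^"]+)" to "([^"]+)" '
    r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny)(\s+log)?$'
)


def parse_addresses(text):
    """Map ScreenOS address-book names to (ip, mask) pairs."""
    book = {}
    for line in text.splitlines():
        m = ADDRESS_RE.match(line.strip())
        if m:
            _zone, name, ip, mask = m.groups()
            book[name] = (ip, mask)
    return book


def asa_address(name, book):
    """Render a ScreenOS address-book name the way an ASA ACE expects it."""
    if name.lower() == "any":
        return "any"
    ip, mask = book[name]
    return f"host {ip}" if mask == "255.255.255.255" else f"{ip} {mask}"


def translate_policy(line, book):
    """Translate one ScreenOS policy line into (remark, ACE); None if not a policy."""
    m = POLICY_RE.match(line.strip())
    if not m:
        return None
    pid, src_zone, _dst_zone, src, dst, service, action, log = m.groups()
    proto, port = SERVICES[service.upper()]
    acl = f"access-list {src_zone}_access_in"
    # Column order changes here: ASA wants the action before protocol/addresses/port.
    ace = f"{acl} extended {action} {proto} {asa_address(src, book)} {asa_address(dst, book)}"
    if port is not None:
        ace += f" eq {port}"
    if log:
        ace += " log"
    return f"{acl} remark screenos policy id {pid}", ace


def translate_config(text):
    """Return the ASA lines (remark + ACE per policy) for a ScreenOS excerpt."""
    book, out = parse_addresses(text), []
    for line in text.splitlines():
        result = translate_policy(line, book)
        if result:
            out.extend(result)
    return out


if __name__ == "__main__":
    print("\n".join(translate_config(SCREENOS_SAMPLE)))
```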
Firewall/Security Vendor Suggestion
Hey,
Please bear with me before we start the main content...
First, I would need your suggestion. Especially if you got hand-on experience with the following vendor products.
Second, If you could help list Pros and Cons for the suggested vendor/product, that will be great.
Third, I prefer not to make this a huge feature comparison, plus no personal attacks please (you know what would happen if someone says others are better than Cisco here)
So here is what I need a suggestion for: we are solely a Cisco shop when selling firewalls to customers, mainly SMB customers. Now we would like to expand our product offering portfolio on the network security side, so we won't be stuck with one product (we had a really bad experience at the end of last year with a particular Cisco product). After some digging, I narrowed it down to the following:
Checkpoint
fortinet
watchguard
There is a big ISP re-selling Juniper firewalls here in town, so it might not be a good idea to join the fight with them...
So what is your suggestion? Maybe there are also other vendors/products I missed? Please keep in mind, our target market is mainly SMB.
Also from a certification perspective, what is the value of the cert from the vendor? I had CCSP (now called CCNP Security) but it expired in 2010 ...
Thanks,
/SIMO
UTM is strictly a marketing term. In the real world I have yet to see a device that can do everything. A router is not always more money. For example an ASA5505 with unlimited users is more money than an 891 Security router. A 50 user license with AnyConnect is within a couple of hundred dollars of an 891. If you buy a 10 user count license, then the ASA has a lower cost. The nice thing about routers is that they have such a rich feature set. Features like DMVPN, QoS, AVC, Multicast, GRE, PBR, etc. that ASAs can't do. The features in IOS should be an easy sell to the customer.