CHAPTER 9: Security Policy Examples
224 Vcontroller
Using a Firebox Vclass appliance in a VLAN setting
If your SNMP management stations, DNS servers, OSPF routers, RADIUS servers, and mail servers are located in a VLAN-enabled network, you must explicitly define separate policies that allow Firebox Vclass appliances to send traffic to those devices. Otherwise, some Firebox Vclass features, such as SNMP trap notification and DNS lookup, will not work. The policy table on this page is an example of a policy that allows SNMP traps sent from a Firebox Vclass security appliance to an SNMP management station in VLAN 20.
Creating policies for user-domain tenants
In addition to VLAN tenant-specific policies, Vcontroller permits you to set up user-domain-specific policies, which enable the appliance to perform traffic management for multi-tenant domains without the attendant VLAN hardware.
The concept behind the definition of a user domain tenant involves identifying the tenant and establishing the means of authenticating that tenant. For example, the Vcontroller administrator first defines a new user domain tenant (as described in this section). At this time, the administrator must link this entry to the relevant RADIUS system to provide authentication services. Next, the administrator can create the policies necessary for this user domain (and the tenants).
When a user domain tenant wants to initiate an Internet or other external network connection through the Firebox Vclass appliance, he or she would first log into the appliance using the user name, password, and domain name previously defined in the tenant record. After this is veri-
Policy example (referred to under "Using a Firebox Vclass appliance in a VLAN setting"): SNMP traps from the Firebox Vclass appliance to an SNMP management station in VLAN 20

Src              Dest           Srvc       In        Tenant    Firewall
PRIVATE_PORT_IP  SNMP_STATION   SNMP trap  Internal  VLAN_20   Pass
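The following Python model is an added example, not code from the WatchGuard documentation or from Vcontroller itself. It shows why both kinds of tenant policy above are needed: a first-match policy engine where the tenant column must agree with the tenant derived from the packet (its VLAN tag, or the user domain its source has logged in to). The SNMP trap policy from the table passes the appliance's own trap traffic on VLAN 20, a policy with no tenant does not match that tagged traffic, and a user-domain policy only applies once the source host has authenticated. The address aliases, interface names, credential store (standing in for the linked RADIUS server) and matching rules are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: a minimal model of first-match policy evaluation with
# VLAN and user-domain tenants. Aliases, interface names, credentials and
# the matching rules below are constructed for illustration and are not
# Vcontroller's own data structures or behaviour.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str
    iface: str                    # incoming interface name
    vlan: Optional[int] = None    # 802.1Q tag; None when untagged
    domain: Optional[str] = None  # user domain the source has logged in to

@dataclass(frozen=True)
class Policy:
    src: str                      # address alias
    dst: str
    service: str
    iface: str
    tenant: Optional[str]         # "VLAN_20", "domain:acme", or None
    action: str                   # "Pass" or "Block"

# Constructed address aliases (stand-ins for the names in the policy table).
ALIASES = {
    "PRIVATE_PORT_IP": {"10.0.0.1"},
    "SNMP_STATION": {"10.0.20.5"},
    "ANY": None,                  # None means any address
}

def alias_matches(alias: str, ip: str) -> bool:
    hosts = ALIASES[alias]
    return hosts is None or ip in hosts

def tenant_of(pkt: Packet) -> Optional[str]:
    """Derive the tenant a packet belongs to: VLAN tag first, then user domain."""
    if pkt.vlan is not None:
        return f"VLAN_{pkt.vlan}"
    if pkt.domain is not None:
        return f"domain:{pkt.domain}"
    return None

def evaluate(policies: list, pkt: Packet, default: str = "Block") -> str:
    """First matching policy decides; anything unmatched gets the default (deny)."""
    for p in policies:
        if (alias_matches(p.src, pkt.src) and alias_matches(p.dst, pkt.dst)
                and p.service == pkt.service and p.iface == pkt.iface
                and p.tenant == tenant_of(pkt)):
            return p.action
    return default

# The SNMP trap policy from this page, plus an untenanted one for comparison.
SNMP_TRAP_VLAN20 = Policy("PRIVATE_PORT_IP", "SNMP_STATION", "SNMP trap",
                          "Internal", "VLAN_20", "Pass")
SNMP_TRAP_UNTENANTED = Policy("PRIVATE_PORT_IP", "SNMP_STATION", "SNMP trap",
                              "Internal", None, "Pass")
TRAP = Packet("10.0.0.1", "10.0.20.5", "SNMP trap", "Internal", vlan=20)

def trap_with_vlan_policy() -> str:
    return evaluate([SNMP_TRAP_VLAN20], TRAP)          # "Pass"

def trap_with_untenanted_policy_only() -> str:
    # The trap carries VLAN tag 20, so a policy with no tenant does not match it.
    return evaluate([SNMP_TRAP_UNTENANTED], TRAP)       # "Block"

# User-domain tenants: a constructed credential store standing in for the
# RADIUS server the tenant record is linked to, and a login session table.
CREDENTIALS = {("acme", "alice"): "s3cret"}
SESSIONS: dict = {}   # source IP -> authenticated domain

def login(src_ip: str, username: str, password: str, domain: str) -> bool:
    if CREDENTIALS.get((domain, username)) == password:
        SESSIONS[src_ip] = domain
        return True
    return False

def outbound_for(src_ip: str) -> Packet:
    # Traffic from a host carries its domain only after a successful login.
    return Packet(src_ip, "203.0.113.10", "HTTP", "Internal",
                  domain=SESSIONS.get(src_ip))

ACME_WEB = Policy("ANY", "ANY", "HTTP", "Internal", "domain:acme", "Pass")

def web_before_and_after_login() -> tuple:
    SESSIONS.clear()
    before = evaluate([ACME_WEB], outbound_for("10.0.1.7"))
    login("10.0.1.7", "alice", "wrong", "acme")        # rejected, still blocked
    mid = evaluate([ACME_WEB], outbound_for("10.0.1.7"))
    login("10.0.1.7", "alice", "s3cret", "acme")       # verified, now passes
    after = evaluate([ACME_WEB], outbound_for("10.0.1.7"))
    return before, mid, after                           # ("Block", "Block", "Pass")

if __name__ == "__main__":
    print(trap_with_vlan_policy(), trap_with_untenanted_policy_only())
    print(web_before_and_after_login())
```

The default action is deny, so the model makes visible the failure mode the page warns about: appliance-originated SNMP traps to a station on VLAN 20 are dropped unless a policy naming that VLAN tenant exists, and a user-domain policy never matches a host that has not completed the login step.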