Re: [FW-1] smartcenter question

Subject: Re: [FW-1] smartcenter question
From: "Antonio Costa (IMAP)" <acosta AT ODEBRECHT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 26 Aug 2005 10:10:32 -0300
Last year I was evaluating Provider-1 and got stuck on a problem that could really be a good unsolved feature.

The option to enable administrators who can only create rules and objects that will remain inactive until approved by a higher-level administrator.

This way I could have local administration staff connecting into Provider-1 and submitting only their rules for approval by the main office IT guys... speeding up the global process.

Or better... inform Provider-1 at a special SmartCenter instance to enable object and rule creation at a specific point of the rulebase... think of the rules NOT auto-numbering and you specifying ranges for each administrator.

Anyway... some kind of customization that can allow some level of rulebase administration and avoid a major problem with such inexperienced local administrators who, nevertheless, need to have the ability to perform some control of their network resources.


[]'S

--
Antonio Costa

acosta AT Odebrecht DOT com
IT - Network and Security Analyst
CCSE Plus / CCNA
MCSE / LinuxAdmin
Odebrecht Engenharia e Construção

Villa Lobos head office - São Paulo/SP
Av. Nações Unidas 4777, 1st floor
Tel.: +55-11-3443-9813/9000
Fax: +55-11-3443-9861



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of cisco4ng
Sent: Thursday, August 25, 2005 8:01 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] smartcenter question


Yes, Provider-1 will do the job for you.  Basically, you will purchase Provider-1 MDS, Provider-1 (manager+container MDS-5).  Furthermore, to meet your requirements, you will also have to purchase 4 different CMAs to manage the 4 firewalls.

Think of it this way.  Provider-1 is a super server that will contain 4 SmartCenters within itself so that you do not have to have 4 different SmartCenters to manage 4 different firewalls.

Provider-1 is widely used by Service Providers, Security Service Providers and big Enterprise Customers.  Provider-1 has been available since CP 4.1, and only on Solaris; however, Provider-1 has been available on SPLAT since NG with AI R55.  I've been using Provider-1 NG with AI R55w on SPLAT for almost 6 months now and in general I'm happy with it.

Having said that, Provider-1 is quite expensive.  I don't know exactly the cost but I know CP is charging an arm and a leg for it.   One word of caution: whatever CP tells you, do NOT run Provider-1 on Solaris or Linux, only run it on SPLAT.  That way, those CP TAC bastards will have no choice but to help you instead of blaming the problems on the OSes.  Furthermore, do not let them talk you into purchasing a Provider-1 with HA CMAs solution, because High Availability CMAs is crap.  You'll be sorry about it.

I think in your situation, a Dell, IBM or Compaq server with 2GB of RAM and dual CPU should be plenty to run Provider-1 SPLAT.  My Provider-1 is running on a dual 500MHz CPU box with 1GB of RAM.  It has 3 CMAs on there managing about 20 firewalls and works fine.

Good Luck!

cisco4ng

Having said, P

"Diego F. Lastra S." <dlastra AT XERTIX DOT COM> wrote:
The product Provider-1 from Check Point is one of the options I know does the job. But the thing is, it costs a lot of money..

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Quick,
Richard A.
Sent: Thursday, August 25, 2005 2:25 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] smartcenter question

Hey all,
Currently I have (4) SmartCenters managing (4) different firewalls/networks. These networks are totally isolated from one another by a router outside the firewalls. I'd like to upgrade to NGX in the next 6 months or so, but the Nokias I have won't run NGX and I don't have money for 4 new firewalls. I was hoping to decommission 3 SmartCenters and rebuild them as SPLAT enforcement points. That way I only need to buy one more server. It would also be nice to have all the logs in one SmartCenter.

I took one of the SmartCenters today and made a new policy, but I was still able to see all the objects from the old policy. Is there a way to have one SmartCenter manage multiple enforcement points with different rulebases, but "agency 1" not be able to see the objects from "agency 2-4" when they look at their policy?

I also thought about limiting the users' abilities to Tracker. That way they couldn't see the rules at all. Who knows what kind of political nightmare that might stir up, though?

TIA

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
