Hi, new user here - and sorry if the answers are clear somewhere else, but I searched on several terms and came up empty.
We installed an sa2500 where the external interface was in our untrust zone, and the internal into trust - completely bypassing the ssg320! duh.
I've seen a diagram of recommended configurations (oddly, this was one of them) and have since wanted to make the internal side come into the firewall from our dmz zone. While working this through, it appeared we needed to permit the entire DHCP VPN range to a million ports into the trust zone, without somehow having assurances at the ssg320 firewall level the IP addresses have not been spoofed.
Can anyone assist on best practice, highly secure install?