Hi, new user here - and sorry if the answers are clear somewhere else, but I searched on several terms and came up empty.
We installed an SA2500 where the external interface was in our untrust zone, and the internal into trust - completely bypassing the SSG320! Duh.
I've seen a diagram of recommended configurations (oddly, this was one of them) and have since wanted to make the internal side come into the firewall from our DMZ zone. While working this through, it appeared we needed to permit the entire DHCP VPN range to a million ports into the trust zone, without somehow having assurances at the SSG320 firewall level that the IP addresses have not been spoofed.
Can anyone assist on best practice for a highly secure install?
I would recommend dropping your external interface in your DMZ and your internal interface in your trust. Your policy from Untrust to DMZ would permit HTTPS to the SA (that's it). The SA, along with best practices around SA security, will handle the rest. I also prefer to lock down the admin realm to prevent unauthorized users from trying to brute force the login. Hope this helps.
John Judge, JNCIS-SEC, JNCIS-ENT
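As an added illustration of the policy described in the answer above (this is not the poster's own configuration, and the interface name, policy IDs and the SA's external address 192.0.2.10 are assumptions for the example), the SSG320 ScreenOS configuration would look roughly like this: the SA's external interface lives in the DMZ zone, and the only traffic allowed from Untrust into DMZ is HTTPS to that one host, with an explicit logged deny behind it.

```text
# Assumed: ethernet0/2 is the interface facing the SA2500's external port.
set interface ethernet0/2 zone DMZ

# Address object for the SA2500 external interface (assumed address 192.0.2.10).
set address "DMZ" "sa2500-external" 192.0.2.10 255.255.255.255

# Untrust -> DMZ: permit only HTTPS, only to the SA, and log it.
set policy id 100 from "Untrust" to "DMZ" "Any" "sa2500-external" "HTTPS" permit log

# Untrust -> DMZ: everything else is dropped and logged.
set policy id 101 from "Untrust" to "DMZ" "Any" "Any" "ANY" deny log
```

The SA's internal interface sits in Trust as the answer recommends, so VPN users' traffic toward internal hosts is controlled on the SA side (realms, roles and resource policies) rather than by opening the DHCP VPN range through the SSG320.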