
IC can push policies to firewall across different zones?

SOLVED
aeroplane_
Regular Contributor


Hi Experts,

My scenario is that I have an SSG-320, which has an untrust zone, DMZ1 and DMZ2 zones. Users from the Untrust zone access the servers in DMZ1 and DMZ2. Now I place the IC in the Untrust zone, which first checks the identity and security status of the endpoint before it accesses the DMZ1 and DMZ2 servers.

My question is how the IC can push the appropriate resource policies to the firewall from the untrust zone to DMZ1 and DMZ2 respectively. How does it know that this resource policy is from untrust to DMZ1 and that resource policy is from untrust to DMZ2?

Many thanks

Accepted Solution
mnarine_
Contributor

Re: IC can push policies to firewall across different zones?

Hi, with non-IPsec routing policies, the IC just sends a policy based on resources. The zone doesn't matter. When you set up the policy on the IC, you don't specify a zone. However, if you are doing an IPsec routing policy, it will require a zone. Just create the IC resource policy based on protected resources and the IC will push the policies to the firewall. It'll work. :) -Mike


3 Replies

aeroplane_
Regular Contributor

Re: IC can push policies to firewall across different zones?

Hi

But I am still confused: for an IPsec routing policy, how will the firewall know the direction of the policy, meaning from untrust to DMZ1 or from untrust to DMZ2?

Thanks

mnarine_
Contributor

Re: IC can push policies to firewall across different zones?

When you set up a policy on the SRX, one of the actions is to permit application UAC w/VPN. For the SSG it is a bit different. On the SRX it seems the zones do not make a difference when you specify them on the SRX. With the SSG it's a bit more integrated, so it does matter which zone; for either SRX or SSG the firewall does know about it one way or the other.

-Mike
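The two answers above make one point: the IC pushes a policy that names a protected resource and the roles allowed to reach it, with no zone, and the firewall works out the zone pair itself. The following is an added illustration of that division of labour, not Juniper code and not the IC's or the SSG's actual data model. It is a toy zone-based firewall in Python: the zone of an address is looked up from the firewall's own interface subnets (a hypothetical layout, with constructed addresses from documentation ranges), an auth-table entry stands in for an endpoint that has passed the IC's identity and health check, and `evaluate` reports both the decision and the zones the firewall derived on its own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example, not Juniper code: a toy model of how a zone-based
# firewall can enforce a resource-only policy pushed by the IC. The zone of
# each address is derived from the firewall's own interface subnets (a
# hypothetical layout), so the pushed policy never has to name a zone.
ZONE_SUBNETS = {
    "Untrust": [ipaddress.ip_network("203.0.113.0/24")],   # assumed client range
    "DMZ1": [ipaddress.ip_network("192.0.2.0/25")],        # assumed DMZ1 servers
    "DMZ2": [ipaddress.ip_network("192.0.2.128/25")],      # assumed DMZ2 servers
}


@dataclass(frozen=True)
class ResourcePolicy:
    """Shape of what the IC pushes: a protected resource and the roles allowed to reach it."""
    resource: ipaddress.IPv4Network
    roles: frozenset


@dataclass(frozen=True)
class AuthEntry:
    """Auth-table entry provisioned once an endpoint passes the IC's identity and health check."""
    src_ip: ipaddress.IPv4Address
    roles: frozenset


def zone_of(ip):
    """Return the zone whose interface subnet contains ip, or None if unknown."""
    addr = ipaddress.ip_address(str(ip))
    for zone, subnets in ZONE_SUBNETS.items():
        if any(addr in net for net in subnets):
            return zone
    return None


def evaluate(src_ip, dst_ip, auth_table, policies):
    """Decide a flow and report the zone pair the firewall derived on its own.

    Returns (decision, from_zone, to_zone). A flow is permitted only if the
    source has an auth-table entry and one pushed policy covers dst_ip for a
    role the source holds; everything else is denied (default deny).
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    from_zone, to_zone = zone_of(src), zone_of(dst)
    entry = next((e for e in auth_table if e.src_ip == src), None)
    if entry is None or from_zone is None or to_zone is None:
        return ("deny", from_zone, to_zone)
    for pol in policies:
        if dst in pol.resource and entry.roles & pol.roles:
            return ("permit", from_zone, to_zone)
    return ("deny", from_zone, to_zone)


# Constructed sample data: two resource policies (neither names a zone) and
# one authenticated endpoint holding the "employees" role.
POLICIES = [
    ResourcePolicy(ipaddress.ip_network("192.0.2.10/32"), frozenset({"employees"})),
    ResourcePolicy(ipaddress.ip_network("192.0.2.130/32"), frozenset({"admins"})),
]
AUTH_TABLE = [
    AuthEntry(ipaddress.ip_address("203.0.113.25"), frozenset({"employees"})),
]

if __name__ == "__main__":
    for dst in ("192.0.2.10", "192.0.2.130"):
        print(dst, evaluate("203.0.113.25", dst, AUTH_TABLE, POLICIES))
    print("unauthenticated", evaluate("203.0.113.99", "192.0.2.10", AUTH_TABLE, POLICIES))
```

The same pushed policy list yields an Untrust-to-DMZ1 permit for the first server and an Untrust-to-DMZ2 deny for the second, purely from the destination address and the firewall's own subnet-to-zone mapping; an endpoint with no auth-table entry is denied regardless of the policies, which is the default-deny posture you want from a UAC enforcement point.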