
Hub and Spoke Network, best practice for 8 locations (RED or XG)

We have a multi-nation setup in Europe. The data center is in Zurich. All other locations only need a tunnel and a breakout ISP. All locations have <20 employees.

Basically we could simply use a single XG Firewall and 8 x "RED 50". Unfortunately, the RED 50 in full tunnel mode will use the main office internet connection and - what is worse - the public IP. People from Austria will find the Pizzeria in Zurich, people from France will not be able to access French stores (IP geo-block). This is not an option.

If we split the tunnel, the breakout route to the internet is unprotected and would need another "Firewall" and content filter setup.

As of now, we are stuck at a setup with an XG300+ at the datacenter and 8 x XG135 for the remote locations. This is a lot of XG and a lot of money for a simple IPSEC tunnel with some protection.

Any other suggestions on how to resolve the situation of a different ISP in each country, of people wanting to eat a pizza in their country while having access to the datacenter and still being protected by a firewall/web filter to prevent the usual phishing and distraction?
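The full-tunnel versus split-tunnel trade-off the question describes can be made concrete with a small routing model. The following is an added example, not code from the thread or from Sophos: it builds a spoke's routing table for each mode, resolves destinations with longest-prefix match, and reports which public IP (and country) the destination sees and whether the hub's web filter is in the path. All prefixes, addresses and country codes are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (hypothetical, not from the thread):
# the datacenter LAN sits behind the hub in Zurich; the hub's internet
# breakout is where the web filter lives.
HUB_PREFIX = ip_network("10.0.0.0/16")
HUB_EGRESS = {"public_ip": "198.51.100.1", "country": "CH", "web_filter": True}
DEFAULT = ip_network("0.0.0.0/0")


def spoke_routes(mode):
    """Routing table of a spoke as (prefix, next hop) pairs.

    full  : every destination is sent through the tunnel to the hub.
    split : only the datacenter prefix uses the tunnel; everything else
            leaves through the local ISP router ("local").
    """
    if mode == "full":
        return [(DEFAULT, "tunnel")]
    if mode == "split":
        return [(HUB_PREFIX, "tunnel"), (DEFAULT, "local")]
    raise ValueError(f"unknown tunnel mode: {mode}")


def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    dst = ip_address(dst)
    best = None
    for prefix, hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def egress_for(mode, local_egress, dst):
    """Describe how a flow from a spoke reaches dst.

    local_egress describes the spoke's own ISP breakout (public IP, country,
    and whether any filtering exists there). Returns the path taken, the
    country the destination will see the traffic coming from, and whether
    a web filter inspects the flow.
    """
    hop = lookup(spoke_routes(mode), dst)
    egress = HUB_EGRESS if hop == "tunnel" else local_egress
    return {
        "path": hop,
        "seen_from": egress["country"],
        "filtered": egress["web_filter"],
    }


def unfiltered_destinations(mode, local_egress, destinations):
    """List the destinations that leave the network without passing a web
    filter: the exposure a split tunnel creates when the local breakout has
    no filtering of its own."""
    return [
        d for d in destinations
        if not egress_for(mode, local_egress, d)["filtered"]
    ]


if __name__ == "__main__":
    # Constructed spoke in Austria with a plain ISP router and no filter.
    vienna = {"public_ip": "203.0.113.7", "country": "AT", "web_filter": False}
    sites = ["93.184.216.34", "10.0.5.20"]  # a public web host, a datacenter host
    for mode in ("full", "split"):
        for dst in sites:
            print(mode, dst, egress_for(mode, vienna, dst))
        print(mode, "unfiltered:", unfiltered_destinations(mode, vienna, sites))
```

In full-tunnel mode every public destination is reached from the hub's Swiss address and through its filter, which is exactly the geo-location problem the question raises; in split-tunnel mode the public destination is reached from the local address but bypasses the hub's filter, so protection has to be supplied at the spoke instead (the `web_filter` flag on `local_egress` models whatever is put there).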

  • mjpmotw,

    this is the best option you have, as RED are just "stupid" boxes with no filtering capabilities.

    If you need only "some protection" go for a web and network protection license on XG in each location. You can reduce it to Web but you will lose some IPS protection features.

    Regards

  • This is the answer I didn't want :)

    Having that many Firewalls simply adds a lot of recurring costs for a minimal service.

    Technically we could use a simple DNS content filter service and the built-in firewall of an ISP router (Dlink, Linksys etc.)

    I do understand that this is not the corporate solution but I also do feel a bit overwhelmed by the license costs for a simple IPSEC remote location.

  • You are not paying just for an IPSEC connection. This is wrong!

    Since in that location you have IT stuff, you need to protect them with adequate protection. You can go for other cheaper solutions but take note that since the branch office is part of your network, if it is compromised, even your HQ could be compromised.

    Always calculate the cost and risks with a proper Risk assessment.

    Regards