Screen OS

Hey there,

 

I'm new to ISG-Firewalls and need some help now. We have the ISG2000 with follwing Interfaces configured: 1/2 (zone LAN) and 2/1 (zone company-x). The network of company-x ist seperated into 4 VLAN's which should come over with a trunk. we have to set up each VLAN with an own policy for the access to our LAN-zone.

 

is that possible in some way? how can i build a trunk through the ISG on that interface and how can I set up each vlan which terminates on one single interface with own policies? means, how can i created more detailed policies, not only from zone to zone, we need access with different policies for each VLAN in another zone.

 

any help appreciated!

 

best regards

Hi, you create subinterfaces on the customer side with VLAN tagging. The suberterface can be in zones independent from the physical interface. So for each VLAN you create a subint, in the right zone. This way you configure a trunc with sepperated policies.

Thanks for your answer!

 

That means I've to create four subinterfaces on the company-x zone on my ISG. First of all I need to check if the firewall on the other side (which is not under my control) is able to tag the vlans.

 

When creating policies, I only see options to configure "from zone X to zone Y", but how can I configure the single VLAN's at this point and give them their own policy? Can I choose the subinterface under "Adressbook entry" then?

 

BR

No actualy for a good split you create four user defined zones and create the subint in this. Then you use this zones in your policies. If you want source natting you have to this in the policy, only trust to untrust has default source natting. Cleck on advanced settings in policy and select source nat "hide behind egress interface" for this.

great, thanks a lot for your help!

 

i'll try to do this as you advised!