Ignite '17 edition, Reaper's favorites Part 1

by Community Manager 06-19-2017 04:17 AM - edited 06-22-2017 06:59 PM (12,442 Views)

From the many dozens of questions and answers posted on the wall, here are a few of my favorite questions:

 

How will NAT work with VWire?

 

This requires 2 routers to be set up with the vwire in between.

Since the firewall does not have an IP address (or a MAC address) for a physical interface, it will not be able to translate directly to an interface IP and will not be able to perform proxy ARP.

To make this setup work, the firewall needs to translate to/from an IP pool and the north and south routers need to have routing set up to each other's IP for the translated IPs.

 

E.g. internal-rtr1 with IP 10.0.0.1, external-rtr2 with IP 10.0.0.2/24. The vwire performs hide NAT for all clients connected behind internal-rtr1, translating them to 198.51.100.0/24.

External-rtr2 will need a static route for 198.51.100.0/24 pointing to internal-rtr1 (10.0.0.1).

Internal-rtr1 will have its default gateway (0.0.0.0/0) pointed at external-rtr2 (10.0.0.2).

The vwire will perform the translation in-line.
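To make the two-router requirement concrete, here is an added example (my own, not from the post or from PAN-OS) that models the topology above in Python: longest-prefix routing on each router plus an inline hide-NAT pool. The addresses from the post are kept; the client LAN 192.168.1.0/24, the server 203.0.113.5 and the "upstream" next hop are assumptions. It shows that the reply only gets back to the client when external-rtr2 carries the static route for the NAT pool.

```python
import ipaddress
# Constructed model of the post's topology: internal-rtr1 (10.0.0.1) and
# external-rtr2 (10.0.0.2/24) with the vwire between them doing hide NAT to
# 198.51.100.0/24. The client LAN 192.168.1.0/24, the server 203.0.113.5 and
# the "upstream" next hop are assumptions made for this walkthrough.
RTR1_IP, RTR2_IP, UPSTREAM = "10.0.0.1", "10.0.0.2", "upstream"
CLIENT, SERVER = "192.168.1.10", "203.0.113.5"
RTR1_ROUTES = [("192.168.1.0/24", "local"), ("0.0.0.0/0", RTR2_IP)]
RTR2_WITH_STATIC = [("198.51.100.0/24", RTR1_IP), ("0.0.0.0/0", UPSTREAM)]
RTR2_WITHOUT_STATIC = [("0.0.0.0/0", UPSTREAM)]

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in routes
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

class VwireHideNat:
    """Inline source translation. The vwire owns no IP or MAC, so it cannot
    answer ARP for the pool; it only rewrites packets the routers forward."""
    def __init__(self, pool):
        self.free = list(ipaddress.ip_network(pool).hosts())
        self.xlate = {}  # translated pool address -> original client address

    def outbound(self, src):
        for translated, original in self.xlate.items():
            if original == src:
                return translated
        translated = str(self.free.pop(0))
        self.xlate[translated] = src
        return translated

    def inbound(self, dst):
        return self.xlate.get(dst)  # None when no session owns that pool IP

def round_trip(rtr2_routes):
    """Client -> server -> client; returns where the reply ended up."""
    nat = VwireHideNat("198.51.100.0/24")
    if next_hop(RTR1_ROUTES, SERVER) != RTR2_IP:  # rtr1 forwards via vwire
        return "dropped at rtr1"
    translated = nat.outbound(CLIENT)  # vwire rewrites the source on the way out
    hop = next_hop(rtr2_routes, translated)  # reply reaches rtr2 for the pool IP
    if hop != RTR1_IP:
        return f"reply sent to {hop}"  # no static route: follows the default
    return f"delivered to {nat.inbound(translated)}"  # vwire un-translates

if __name__ == "__main__":
    print(round_trip(RTR2_WITH_STATIC))     # delivered to 192.168.1.10
    print(round_trip(RTR2_WITHOUT_STATIC))  # reply sent to upstream
```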

 

More information can be found here: NAT Configuration Examples

 

Why can't we do an object with IP range?

 

You can! In the Objects tab, you can create a new address object and set its Type to IP Range, which will allow you to define a range rather than a subnet:

[Screenshot: ip range.png, address object with Type set to IP Range]

 

What is a UserID?

 

This one caused several people to chuckle, but a good question if you're not used to having the power of User-ID at your fingertips!

In short, User-ID is the mapping of a Username to the IP address used by the endpoint (laptop, smartphone...) through several available mechanisms, and leveraging this information for reporting and policy enforcement.

 

More information can be found here: User-ID Tech Brief

 

What is best practice for User-ID for Mac OS X (to reduce timeout)?

 

I had a brief chat with this poster to ascertain what the underlying issue was, and found out that their Mac machines take much longer to create fresh entries on the Active Directory for User-ID to pick up than the Windows hosts.

 

Since their environment was a fairly static office environment (all servers were physical, users were using their own desks/cubicles most of the time), the advice in this case is to increase the User-ID Agent timeout from 45 minutes to 9 hours, which is approximately the same duration as the Kerberos ticket timeout on Windows machines. Since most users will remain stationary throughout the day and DHCP leases last for 24 hours, the timeout does not need to be fast. To provide a quicker way to 'log off' inactive users, NetBIOS probing could be enabled, which would periodically check whether mapped IPs are still logged on, and remove the mapping if the user has moved to a different IP or has gone home.

 

Can the WF-500 private cloud scan all the same file types as the public cloud?

 

Except for Android APK files, the WF-500 appliance can scan all the same file types and can even follow e-mail links like the public cloud.
