TRAPS Multi-Tenancy

Reply
L0 Member

TRAPS Multi-Tenancy

Good morning guys!

I hope this question can provide some good ideas for your deployments

 

this is my question

 

Is it possible to use TRAPS as a multi-tenancy application?

 

My overall idea is if I, as a partner, can provide with one license different security policies and configuration to my customers. talking about the same TRAPS instance either on-premise or cloud version.

L7 Applicator

Re: TRAPS Multi-Tenancy

@jnaranjo,

The bigger thing here would be if you're violating any licensing aggrements or not, that would be a question for your account team. However, you can certaintly do this with the TMS or the on-site EMS servers by seperating different clients into different groups. 

L1 Bithead

Re: TRAPS Multi-Tenancy

Hello.

 

@BPrycome on, be serious ;-) How practically would you like to create these groups of clients? Based on what? Their IP addresses, names of computers or domain/workgroup they belong to? Each of these parameters and even all of them together don't make client unique.

 IMHO TMS and ESM are far-far away from multitenancy what really worries me. :-\

 

All the best :-)

 

 

L7 Applicator

Re: TRAPS Multi-Tenancy

@MarcinSt,

That's actually exactly how I would do it; but to be honest I'd probably make a new TMS instance for each client, because again I really doubt the licensing aggrements actually allow for the re-selling of Traps like this. 

In most instances where I was managing the environment I would have a few things to trigger on here. 

1) Clients usually have there own unique IP scheme that doesn't overlap, as it makes my life easier. 

2) Domain identification is easy with the tools that Palo Alto gives you; I don't have to worry about workgroups. 

3) Hostnames should be usable as they should follow some sort of naming scheme; and then you would just build a dynamic endpoint group. 

 

If we're talking about really small clients here it doesn't sound like you have anything that could be used to easily sperate them, and from that aspect I would argue that you should still seperate the instances as a best practice. Because of the information that Traps captures as a client I wouldn't really be that happy with sharing an instance with any other company; on the off chance they force you to give them access so they can manage their own policies.  

L4 Transporter

Re: TRAPS Multi-Tenancy

I agree with @BPry

virtual groups would allow you to accomplish what you desire in a single instance but would be cumbersome to administrate. 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!