- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
04-03-2018 02:35 PM
Hello brothers,
Plz i really need your help, we have a big project with a big Service Provider, it's the MSSP, i know the concept but technically i don't know anything.
As i understood, the MSSP is a security as a service, the Service Provider host the Firewalls Appliances in his own local, and sell the security service to its clients, but the biiig question is!! for example a client ask us for 2Gb Throughput, 100 globalProtect connexion... how we can offer this for him ?? the service provider has 100 PA-5060 with 500gb throughput for example but the client need just 2Gb Throughput, how i can manage this !!
Plz i really need your help
04-05-2018 06:49 AM
Generally what you would do in these situations is setup proper QoS statements that held a Maximum Egress/Ingress of whatever the Throughput requirements are. However I would generally implement this on switches, not the firewall itself; although I'm sure that you can utilize the firewall itself without too much of an issue as long as you take advantage of the vsys feature. I would hope as a MSSP that each customer is given their own VSYS, so that shouldn't be too much of an issue.
To limit the number of GlobalProtect connections you'll actually find that option under GlobalProtect > Gateways > Gateway Name > Agent > Tunnel Settings under the name 'Max User' you would enter 100. With this configuration GlobalProtect would allow up to 100 users at any given time, with subsequent users being denied access with a message that indicates the max number of users has been rached.
04-09-2018 01:54 PM
hi brother @BPry
Thanks very much for ur ansewr, i think the Qos is a good idea, but vsys i don't think so, cos when enable the vsys you give the client all the features and capabilities of the used Firwal model.
04-09-2018 02:24 PM
I am interpreting your meaning of MSSP correctly right; Managed Security Service Provider?
I'll agree to disagree on the vsys thing; in my mind whenever you have multiple different customers sharing a sole firewall you segregate them using VSYS, and this is one of the great examples of why VSYS exists at all. You can completely seperate out traffic while still sharing the same physical infrastrucutre, but maintaining a logical seperation.
04-09-2018 02:52 PM
Yes , normally that right, but i didn't negociate the real need of the custumers, anyway if i'll need help when we begun this big project i'll comme back here 🙂
the best comunity with the best members 🙂
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!