Using IC2 to control firewall rules for VLANs

I have several "Plant" sites that are set up exactly the same (VLANs, firewall, outbound policies, etc.), but with different IP addressing schemes. In the past, our security guy set up a "Grouped Network" for each network segment, representing a VLAN per device, then created a separate firewall config for each site based on a tag that's present on the device.

I'm bringing up a few different sites, and making quite a few other changes to all of the existing sites. Is there a better way to do this? It would be great if firewall rules would accept VLANs as an option…

Are all the sites in a single group in IC2?

How devices are laid out in that respect would influence how you'd use IC2 to manage them, as the majority of settings are not organisation-wide but group-specific.

The Peplink firewall is fairly crude by modern standards in a lot of ways and features; full object-based operation is not really possible (grouped networks like your colleague has set up kind of emulate that for IP ranges), and again it's a shame that some of these things cannot be manipulated at an organisation level in IC2.

@WillJones Yes, all sites are in a single group in IC2.

Hmm, probably not a lot to do differently, then, from what you have described, and I'd probably have done something similar to what you have:

A tag used to define a site; that tag would then be used to determine what config gets applied, and grouped networks used to see if I could simplify rule creation and cut down on the places I'd need to change things if subnets changed over time.

There is nothing to say you can't make a grouped network that references subnets that might not be site-specific. Let's just pretend you have a guest network at every site: you could make a grouped network called "Guest Subnets" and reference every site's IP block.

How that works though might depend on how specific you need to be with the configuration and how locked down things need to be.

My co-worker and I were discussing this this morning, and came to the same conclusion… just create grouped networks with all of the IP blocks from all of the sites and apply them to all of the Peplinks. This makes it so we can not only block access from restricted networks heading out, but also give access from all of our "client" VLANs to print to any printer at any site, which we don't have currently.
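To make the approach in the last two posts concrete (one "role" grouped network per VLAN type, each holding that VLAN's block from every site, and one shared rule set applied to every device), here is an added example, written for this page and not part of the thread or of IC2's own configuration model or API. It is a plain Python model of grouped networks and first-match firewall evaluation; the site names, IP blocks and rule ordering are constructed for the example. It also includes the check a practitioner would want before pushing shared groups to every site: a report of blocks that fall into more than one grouped network, since such an overlap makes rule order rather than intent decide what gets through.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing: every site has the same VLAN roles but its own
# IP blocks, which is the situation described in the thread.
SITES = {
    "plant-a": {"client": "10.10.10.0/24", "printers": "10.10.20.0/24",
                "restricted": "10.10.30.0/24", "guest": "10.10.40.0/24"},
    "plant-b": {"client": "10.20.10.0/24", "printers": "10.20.20.0/24",
                "restricted": "10.20.30.0/24", "guest": "10.20.40.0/24"},
    "plant-c": {"client": "10.30.10.0/24", "printers": "10.30.20.0/24",
                "restricted": "10.30.30.0/24", "guest": "10.30.40.0/24"},
}


def build_grouped_networks(sites):
    """Fold each site's block for a VLAN role into one named group,
    e.g. "client subnets" -> [10.10.10.0/24, 10.20.10.0/24, 10.30.10.0/24]."""
    groups = {}
    for blocks in sites.values():
        for role, cidr in blocks.items():
            groups.setdefault(f"{role} subnets", []).append(ip_network(cidr))
    return groups


GROUPS = build_grouped_networks(SITES)

# One ordered rule set shared by every site: (action, source group, destination
# group). Evaluated top down, first match wins, anything unmatched is denied.
RULES = [
    ("allow", "client subnets", "printers subnets"),   # print to any site
    ("deny", "restricted subnets", "any"),             # restricted VLANs stay in
    ("deny", "guest subnets", "client subnets"),       # guests off the LANs
    ("allow", "client subnets", "any"),
]


def in_group(addr, group, groups):
    """True if addr is inside any block of the named group ("any" matches all)."""
    if group == "any":
        return True
    return any(addr in net for net in groups[group])


def evaluate(src, dst, rules=RULES, groups=GROUPS, default="deny"):
    """Return the action of the first rule matching src -> dst, else default."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_group, dst_group in rules:
        if in_group(s, src_group, groups) and in_group(d, dst_group, groups):
            return action
    return default


def overlapping_groups(groups):
    """Report blocks that land in more than one grouped network.

    With shared groups pushed to every site, a block listed under both
    "client subnets" and "restricted subnets" would be allowed or denied
    purely by rule order, so this should be empty before deployment."""
    names = sorted(groups)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in groups[a]:
                for nb in groups[b]:
                    if na.overlaps(nb):
                        found.append((a, b, str(na), str(nb)))
    return found


if __name__ == "__main__":
    # A client at plant-a printing at plant-b is allowed by the shared rule set.
    print(evaluate("10.10.10.5", "10.20.20.9"))   # allow
    # A restricted VLAN at plant-c cannot head out.
    print(evaluate("10.30.30.7", "203.0.113.10"))  # deny
    print(overlapping_groups(GROUPS))               # []
```

The only site-specific input is the SITES table; the groups and the rule set are derived from it, which is the point of the thread's conclusion: adding a fourth plant means adding its four blocks, not writing a fourth firewall config. Run overlapping_groups against the real group list whenever a site's addressing changes.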