Security Profiles in VDOMs when all traffic runs through the Root.

Forum|Forum|1 year ago
November 27, 2024
3 replies
1666 views

I've got a couple of VDOMs set up using a shared internet connection through Root. Root has to have firewall policies to allow/foward/nat the traffic from the VDOMs to the internet. I will have the security profiles implemented at the individual VDOM level so does it make any sense to have the same security profiles enabled on the Root VDOM firewall rules? Seems to me like it would just be wasting system resources. Basically would be checking traffic that's already been checked. Thoughts? I'm thinking no security profiles at the Root VDOM, just rely on the individual VDOMs security profiles.

Best answer by Toshi_Esumi

I would agree to your idea. In your set up, the root vdom is a separate NAT router in front of FW(vdom)s. We do NAT in multivdom setup (vdom per customer) at customer vdom, where each customer has own public IP(s). So root vdom is just an internet router routing public IPs from/to internet to/from all vdoms. There are only two policies in root vdom with zones in-to-out and out-to-in without any inspection.

Toshi

Toshi_EsumiAnswer

SuperUser

I would agree to your idea. In your set up, the root vdom is a separate NAT router in front of FW(vdom)s. We do NAT in multivdom setup (vdom per customer) at customer vdom, where each customer has own public IP(s). So root vdom is just an internet router routing public IPs from/to internet to/from all vdoms. There are only two policies in root vdom with zones in-to-out and out-to-in without any inspection.

Toshi

IrbkOrrumAuthor

Explorer III

Thanks, good to know I'm not not only one thinking that.

sjoshi

Staff

you can use the security profile in the internet facing vdom where wan interface are part of and yes the same traffic is not required to do multiple inspection in each vdom as it will be resource intensive

Thanks, Salon