Stonesoft StoneGate SG-3000 VPN/Firewall
An excellent management system designed to keep services running at all times.
With no redundant power supply, the system has to be used in a cluster to provide continuity of service.
A powerful system with a slightly different approach to system and firewall management.
Summary
This product offers no less than ten 10/100/1000TX, auto-sensing network interfaces, backed up by twin Intel Xeon processors. Oddly, it has only one power supply unit, but as the unit is intended to be used in high-availability clusters, this is less of a problem than it might seem.
The initial installation was carried out by Stonesoft staff (a networked PC must first be designated as a management server). Up to 16 firewall appliances can be grouped into a single cluster and around 500 firewalls and clusters can be managed from one management server.
Once the device is set up, communication between the appliances and the management server is carried out over an SSL-encrypted link. The management system provides an update facility that applies software image updates stored on the server to the individual appliances.
It is possible to update clustered appliances individually, so there is no interruption in protection. The process creates a new image on the firewall in a separate partition while the firewall continues to run. The new image is not activated until the system is rebooted. A failed update process cannot compromise the existing system. With all updates carried out from the management server over secure connections, the firewalls can be at remote locations.
Rules are created using a drag-and-drop process, but this simplicity hides some powerful features. You can group network elements and then refer to them in rules as though they were single elements. This helps simplify rule generation. For example, a departmental subnet could be defined as an element and then referred to in rules that implement site or company policy. Elements can be used in "expressions" that define logical relationships between elements.
Sub rules are a useful function, stored in separate rule bases. A sub rule (analogous to a program subroutine) is invoked from another rule when a predefined condition occurs. This allows sets of rules to be devised for particular circumstances and applied as required. It allows complex rule sets to be handled in manageable sections.
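The grouped elements and sub rules described above can be modelled in a few lines. This is an added illustration, not Stonesoft's rule syntax or management API: the element names, addresses and rule bases are constructed, and falling through to the calling rule base when a sub rule base has no match is an assumption of this sketch.

```python
import ipaddress

# Constructed elements: named networks, plus a group used as a single element.
ELEMENTS = {
    "finance-net": [ipaddress.ip_network("10.1.20.0/24")],
    "hr-net": [ipaddress.ip_network("10.1.30.0/24")],
    "dmz-web": [ipaddress.ip_network("192.0.2.10/32")],
    "any": [ipaddress.ip_network("0.0.0.0/0")],
}
ELEMENTS["back-office"] = ELEMENTS["finance-net"] + ELEMENTS["hr-net"]

def in_element(addr, name):
    """True if addr falls inside any network of the named element or group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ELEMENTS[name])

# Rule: (source element, destination element, port or None, action).
# action is "allow", "deny", or ("jump", name of a sub rule base).
RULE_BASES = {
    "main": [
        ("back-office", "dmz-web", None, ("jump", "web-access")),
        ("any", "any", None, "deny"),  # explicit default deny
    ],
    "web-access": [
        ("finance-net", "dmz-web", 443, "allow"),
        ("back-office", "dmz-web", 80, "allow"),
    ],
}

def evaluate(src, dst, port, base="main", depth=0):
    """Return (action, deciding rule base), or None if nothing matched."""
    if depth > 8:
        raise RecursionError("sub rule nesting too deep (possible loop)")
    for rsrc, rdst, rport, action in RULE_BASES[base]:
        if not (in_element(src, rsrc) and in_element(dst, rdst)):
            continue
        if rport is not None and rport != port:
            continue
        if isinstance(action, tuple):  # condition met: invoke the sub rule base
            result = evaluate(src, dst, port, action[1], depth + 1)
            if result is not None:
                return result
            continue  # assumed behaviour: no match there, resume in the caller
        return action, base
    return None
```

Returning the deciding rule base alongside the action shows which section of a split policy produced a verdict, which is the first thing to check when a sub rule base admits or drops traffic unexpectedly.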
The system provides many logging options. Our port scans failed to detect any open ports on the device and could not identify it.