Appendix: What’s new in NGFW 6.5
• SD-WAN dashboard
• Application routing
• Route metrics
• ECMP routing
• Dynamic routing in load balancing cluster
• Node initiated management connection for clusters
• Locations and Contact Addresses
• UID integrated to NGFW
• Easy ECA rollout
• DHCP relay for IPv6
• Keep alive option for IPsec VPN
• Auto scale support for Azure
• Dynamically resolved DNS elements
• Provides information on VPN and Netlink health and various other statistics.
• VPN health is taken from Multi-Link VPN monitoring.
• For Netlinks, link utilization is monitored.
• NGFW can forward certain web applications, for example O365, directly to the internet
while other web traffic is sent to the datacenter over MPLS.
• All web traffic is forwarded to a cloud proxy using an IPsec tunnel or proxy forwarding.
Netflix traffic is forwarded directly to the internet.
• Multiple internal web servers can be NATed to a single public NAT address and port. The NAT
selection is done based on the URL.
• While sending all web traffic to the proxy, bypass the proxy for certain
applications. Select a different NAT for the bypassed applications.
• Destination NAT based on a URL List element. It allows having multiple servers
behind the same NAT IP while using different destination ports.
• Customers need high availability for static routes. If the firewall routes packets out
of a failed link, communication does not work.
• In 6.4 and older versions there were two ways to achieve this:
• Multi-Link: it always requires NAT, which is not always desired by customers.
• Dynamic routing: adds complexity to the environment.
• Route metrics can be used to create active and standby routes to the same
destination network using static routing, without the need for Multi-Link.
• Define a different metric on each route. The route with the smallest metric is
considered better.
• Enable route monitoring on the necessary routes.
• Similar end result to using Multi-Link, but it does not require NAT.
• Packets between the same IPs are sent over the same connection in order to avoid
packet reordering.
• The ECMP weight must be the same on all routes. If it is not, SMC will prevent saving in the
Engine Editor and show a validation error.
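The route-metric failover and ECMP rules described above, as an added illustration that is not Forcepoint SMC or NGFW code: a constructed route table where route monitoring marks a link up or down, the lowest-metric healthy route to a destination wins, equal-metric routes form an ECMP group whose weights must match (otherwise a validation error is raised, as SMC would refuse to save), and a flow hash pins each source/destination pair to one path so packets are not reordered. All route and address values are constructed sample data.

```python
"""Constructed model of static-route metrics, route monitoring and ECMP selection."""
from dataclasses import dataclass
import hashlib
import ipaddress


@dataclass
class StaticRoute:
    destination: str       # prefix, e.g. "10.0.0.0/8" (constructed sample values)
    gateway: str           # next-hop address
    metric: int            # smaller metric is considered better
    ecmp_weight: int = 1   # must match across all routes to one destination
    link_up: bool = True   # set by route monitoring; a failed link is skipped


class ValidationError(ValueError):
    """Raised where the management server would refuse to save the configuration."""


def validate_ecmp(routes):
    """Reject a route set whose ECMP weights differ for the same destination."""
    weights_by_dest = {}
    for r in routes:
        weights_by_dest.setdefault(r.destination, set()).add(r.ecmp_weight)
    for dest, weights in weights_by_dest.items():
        if len(weights) > 1:
            raise ValidationError(f"ECMP weights differ for {dest}: {sorted(weights)}")


def candidate_routes(routes, dst_ip):
    """Healthy routes covering dst_ip: longest prefix first, then best (smallest) metric."""
    ip = ipaddress.ip_address(dst_ip)
    usable = [r for r in routes if r.link_up and ip in ipaddress.ip_network(r.destination)]
    if not usable:
        return []
    best_prefix = max(ipaddress.ip_network(r.destination).prefixlen for r in usable)
    usable = [r for r in usable if ipaddress.ip_network(r.destination).prefixlen == best_prefix]
    best_metric = min(r.metric for r in usable)
    return sorted((r for r in usable if r.metric == best_metric), key=lambda r: r.gateway)


def select_gateway(routes, src_ip, dst_ip):
    """Return the gateway for a flow, or None when no monitored route is up.

    Several routes tied at the best metric are an ECMP group; the same src/dst pair
    always hashes to the same member, which is what avoids packet reordering.
    """
    validate_ecmp(routes)
    cands = candidate_routes(routes, dst_ip)
    if not cands:
        return None
    digest = hashlib.sha256(f"{src_ip}->{dst_ip}".encode()).digest()
    return cands[int.from_bytes(digest[:4], "big") % len(cands)].gateway
```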
• With Easy ECA Rollout, the SMC server hosts a web server from which clients can download a
software bundle including the client software, configuration and certificate.
• Intended to be used in POCs and small evaluations where third-party tools for
certificate management and software distribution are not available.
• The ECA client, configuration and certificate are downloaded from SMC using a
browser.
• The supported use case is one where the cluster is located behind device(s) doing
dynamic NAT.
• When in use, the NGFW contacts the Management Server using TCP port 8906.
• Intended only for POC or evaluation use. Performance is much worse than with
FUID.
• The integrated software on the engine does what FUID and DC Agent do in a normal setup.
• Keep Alive option for IPsec: VPN tunnels are torn down if no traffic is
sent over them. The keep alive option provides an easy built-in way to keep VPN
tunnels up all the time.
• Dynamically resolved DNS elements: You can run a script on the NGFW Engine
that resolves dynamic element names specific to a cloud platform to IP
addresses.
• Auto-Scale Support for Azure: Auto-Scale deploys new instances of a cloud-installed
NGFW based, for example, on load.
• Dynamic Routing in Load Balancing Clusters: You can now use dynamic
routing in Firewall Clusters that use load-balancing mode. In load-balancing
mode, all nodes in the cluster are online at the same time and traffic is balanced
between the nodes, increasing performance for inspection and VPN traffic.