12 Replies Latest reply: Apr 5, 2018 12:47 AM by Adam Norman RSS

Connecting A Steelhead CX570/770/3070 in front on Forcepoint NGFW Cluster

Adam Norman

Hi All

I am trying to move away from VPN's where we have a Cisco router on out remote site with a VPN connection to a Cisco router in our DC, onto using a VPN connected with our Forcepoint (aka Stonesoft) NGFW's. However we are dependent on connection optimisation using Riverbed appliances that are between our internet nets and the internal interface of the Riverbed appliance. We use NGFW's in cluster configuration. Has anyone successfully put riverbed appliances in front of clustered firewalls? If so how, or any tips? Cheers

From the user machine, all their outbound traffic (web or VPN destined) will go via the riverbed before the FW. The riverbed would be configured to pass-through (not optimise) connections to external sites (such as for web browsing) then pass on to the firewall for local web breakout, probably with inspection enabled. Any connections destined for RFC1918 addresses (on remote sites) will be optimised then passed onto the firewall to traverse the VPNs.

We use CX570, CX770 and CX3070's all with two in path interfaces. I am hoping that i can connect one between the switch and each cluster member on the trunk connection. However I do not know if they work as layer 2 interfaces. I have only ever deployed them with IP addresses applied to the inpath interfaces. - I guess that is the biggest question... Unless there is another way to do it that you can suggest??