Re: Multitenant FWs

[Christopher Morrow <morrowc.lists () gmail com>]

On Mon, May 2, 2011 at 12:20 AM, Stefan Fouant
<sfouant () shortestpathfirst net> wrote:
> > -----Original Message-----
> > From: christopher.morrow () gmail com
> > [mailto:christopher.morrow () gmail com] On Behalf Of Christopher Morrow
> >
> > one thing to keep in mind is that as near as I can tell no vendor (not
> > a singl eone) has actual hard limits configurable for each tenant
> > firewall instance. So, one can use all of the 'firewall rule'
> > resources, one can use all of the 'route memory' ... leaving other
> > instances flailing :(
>
> Ahem, actually ScreenOS does support just such a thing through the use of
> resource profiles - with this you can limit the amount of CPU, Sessions,
> Policies, MIPs and DIPs (used for NAT), and other user defined objects such
> as address book entries, etc. that each VSYS can avail.  This was one of the

good to know... I wonder how well it isolates.

> primary drivers behind our decision to utilize the NS-5400 for Verizon's
> NBFW (you remember that place right Chris, heh')

i do, occasionally via the twitching :)

> Stefan Fouant