3.2.1.1. Site

The largest configuration entity in most PNS systems is the Site. A Site is a collection of network entities that belong together from a networking point of view.

From the firewall administration point of view, the Site is the collection of the managed machine nodes. If the company is large and/or has geographically separated subdivisions, more than one firewall may be required. If they are all administered by a single administrator (or a single team of administrators), they can all fall under the supervision of a single MS host. In this case, the Site consists of an MS Host and a number of firewalls.

The reverse of this setup is not possible: a single PNS firewall cannot be managed by more than one MS host, because two managers pushing configuration to the same firewall would leave it in an undefined, inconsistent state.

If you have also purchased the High Availability (HA) module for PNS and therefore have two firewall nodes clustered, they can be administered as a single MS host. Clusters are described in detail in Chapter 12, Clusters and high availability.

Technically, MC machines do not belong to the Site(s) they administer, even though they are usually located physically close to them.

A Site is a typical container unit, and the components of a Site (that is, the Hosts) share only a few, but important, properties:

  • Zone configuration

    All Hosts (firewalls) belonging to the same Site share a common zone configuration. For more information on zones, see Chapter 6, Managing network traffic with PNS.

  • Public key infrastructure (PKI) settings

    PNS makes heavy use of PKI, for example, in securing the communication between MS and the firewalls, in authenticating IPSec VPN tunnels, and in proxying SSL-encrypted traffic.

Although a Site can be managed by a single MS Host only, an MS Host can manage more than one Site.

Tip

A possible reason for a company to create more than one Site is to maintain different Zone structures for different sets of firewalls. This is a frequent requirement for geographically distributed corporations that have separate network segments defended by PNS firewalls, but want to maintain central (MS-based) control over all of their firewalls.

Another possible user of multi-Site, single-MS setups is a support company that performs outsourced PNS administration for a number of clients. In this scenario, each business client is assigned to a separate Site, but all of these Sites are managed by the support company's single MS Host.