3.2.1.1. Site

The largest configuration entity in most Zorp systems is the Site. A Site is a collection of network entities that belong together from a networking point of view.

From the firewall administration point of view, the Site is the collection of machine nodes. If the company is large and/or has geographically separated subdivisions, more than one firewall may be required. If they are all administered by a single administrator (or team of administrators), they can all fall under the supervision of a single ZMS Host. In this case, the Site consists of a ZMS Host and a number of firewalls.

The reverse of this setup is not possible: a single Zorp firewall cannot be managed by more than one ZMS Host, because such a setup would lead to undefined and inconsistent firewall states.

If the High Availability (HA) module has also been purchased for Zorp and two firewall nodes are therefore clustered, they can be administered as a single ZMS host. Clusters are described in detail in Chapter 12, Clusters and high availability.

Technically, ZMC machines do not belong to the Site(s) they administer, though physically they are located in close proximity to them.

A Site is a typical container unit and the components of a Site (that is, the Hosts) share only a few but important properties:

  • Zone configuration

    All Hosts (firewalls) belonging to the same Site share a common zone configuration. For more information on zones, see Chapter 6, Managing network traffic with Zorp.

  • Public key infrastructure (PKI) settings

    Zorp makes heavy use of PKI, for example in securing communication between ZMS and the firewalls, in authenticating IPsec VPN tunnels, and in proxying SSL-encrypted traffic.

Although a Site can be managed by a single ZMS Host only, a ZMS Host can manage more than one Site.

Tip

One reason a company might create more than one Site is to maintain different Zone structures for different sets of firewalls. This is a frequent requirement for geographically distributed corporations that have separate network segments defended by Zorp firewalls, but want to keep central (ZMS-based) control over all of them.

Another typical user of multi-Site, single-ZMS setups is a support company that performs outsourced Zorp administration for a number of clients. In this scenario each business client is placed in a separate Site, but all these Sites are managed by the support company's single ZMS Host.