FWSM single mode vs Multi mode

MICHAEL CICCONE
Level 1

I'm trying to find information comparing the two modes to decide which is the best fit for my company... Can anyone point me in the right direction?

Thanks


7 Replies

Jon Marshall
Hall of Fame

Hi

It really depends on what you are trying to achieve with your firewalls.

Multi mode is useful if you have service provider type setup where you can allocate a context to each customer and give them control of their own virtual firewall. It can also be useful if you have different depts. within your company which are responsible for their own security.

Having said that we use multi contexts on our firewalls in our datacentre. It allows us to segregate the firewalls based on server function which makes the access-lists more manageable and we can also create a context on the firewall which maps to a context on our ACE blades.

There are however some downsides to using multi context which may or may not be an issue for you.

1) The context licenses themselves are not cheap as you are in effect buying multiple firewalls.

2) You cannot run a routing protocol on the FWSMs. In single mode you can use RIP or OSPF on the FWSMs, but in multi mode you can only use static routing.

3) We are currently running v2.3 on our FWSMs, which means you cannot have a mixture of routed and transparent contexts. I believe this restriction has been lifted in v3.1, but it's worth checking.

Overall I'm comfortable with the decision we made and haven't found any of the restrictions too onerous. What I would suggest is that you work out how much firewalling you are actually going to be doing in terms of access-lists, statics etc., who needs access to the firewall (is it under single management or not) and whether you are planning to deploy any of the other service modules.

Any further questions let me know

HTH

Hello,

Thanks for the answers. I do have another question. When you run the FWSM in single mode you can create x number of virtual firewalls, correct? If that is true, then can I create different access-lists for each virtual firewall? I like the idea of segregating my servers via virtual firewalls. For example, web servers, application servers and DB servers. I would want to have them on different firewalls (virtually) from each other. Can I do this in single mode?

BTW: Management will be done by a single person, me (the green guy :-)).

Thanks

Hi

You can only create multiple virtual firewalls when you run the FWSM in multi-context mode.

In single mode the FWSM is just one big firewall with multiple DMZ interfaces (up to 256, if memory serves me right).

You do get 3 contexts with the default license: 1 admin context + 2 others.

If you need more you have to buy virtual context licenses and they are not cheap.

HTH
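The layout Jon describes above, as an added example that is not part of any post in this thread: the system execution space in multiple mode with the admin context plus two user contexts (the default license Jon mentions), each user context owning its own VLAN interfaces, its own access-lists and its own static routes. VLAN numbers, addresses, context names and config-url file names are assumed for illustration. The syntax is the FWSM 3.x (ASA-style) form with separate `nameif` and `security-level` lines, not the 2.x `nameif vlan110 outside security0` form, so check it against the version you actually run.

```text
! --- System execution space (FWSM 3.x syntax; names, VLANs and addresses assumed) ---
! Converting a single-mode FWSM with "mode multiple" turns the existing running
! config into the admin context and reloads the module, so do it in a window.
mode multiple
!
admin-context admin
context admin
  allocate-interface Vlan100
  config-url disk:/admin.cfg
!
context web
  allocate-interface Vlan110
  allocate-interface Vlan111
  config-url disk:/web.cfg
!
context db
  allocate-interface Vlan120
  allocate-interface Vlan121
  config-url disk:/db.cfg
! A third user context (e.g. "app") would exceed the 2 non-admin contexts of the
! default license Jon mentions and needs an additional context license.

! --- web.cfg: the "web" context's own configuration ---
interface Vlan110
 nameif outside
 security-level 0
 ip address 10.10.0.2 255.255.255.0
!
interface Vlan111
 nameif webdmz
 security-level 50
 ip address 10.10.1.1 255.255.255.0
!
! Access-lists are per context; the "db" context never sees this list.
access-list outside_in extended permit tcp any host 10.10.1.10 eq 443
access-group outside_in in interface outside
!
! Multi-context mode: static routes only, no RIP/OSPF, as Jon notes.
route outside 0.0.0.0 0.0.0.0 10.10.0.1 1

! --- db.cfg: the "db" context, with a policy independent of the web tier ---
interface Vlan120
 nameif inside
 security-level 100
 ip address 10.20.0.2 255.255.255.0
!
interface Vlan121
 nameif dbdmz
 security-level 50
 ip address 10.20.1.1 255.255.255.0
!
! Only the web server's address may reach the database port (assumed 1433).
access-list inside_in extended permit tcp host 10.10.1.10 host 10.20.1.20 eq 1433
access-group inside_in in interface inside
route inside 0.0.0.0 0.0.0.0 10.20.0.1 1
```

The point of the split is that an access-list mistake in the web context cannot open a path into the db context: each context evaluates only its own lists on its own interfaces, and the database rule is written in the db context in terms of the one web-tier host that needs it. Routing between the two contexts goes through the upstream router at the assumed 10.10.0.1 / 10.20.0.1 addresses, which is why each context carries only a default static route.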

So, with 1 admin and 2 other contexts, can I have multiple DMZ interfaces off of each context?

Again, Thanks for the help

Mike

Hi Mike

Yes you can have multiple DMZ interfaces off each context. Had a quick check and it's 256 per context in routed mode.

HTH


Thanks for all the help... That answers some troubling questions for me.

Mike

No problem Mike. Thanks for using the rating system.
