The Diary of a Next Gen Firewall Engineer

OUR CLIENT: A UK-based legal firm with 400 users across 4 offices nationwide was experiencing downtime during the working day due to its outdated firewall. It required a replacement and was interested in a managed service that would optimise security and efficiency whilst reducing costs significantly – a hassle-free and affordable solution.

Here we set out the process that NETprotocol used to ensure an effective and smooth installation of each firewall and highlight the benefits that this approach offered our client:

The Installation Process: 

Day 1: Set Up Policies

This first stage was carried out off the client’s site on the management server, which meant we could take our time to make sure the security policies were correct. It meant less disruption for the client, as we did not have to install hardware and then carry out potentially days of configuration to bring it online. Instead, we could bring each firewall online straight away once it had been installed on site. In this case there were a lot of policies across the 4 sites, so it was important to take our time and get the setup as accurate as possible before going live.

Day 2: Satellite Office Install

Once the policies were in place we started the physical rollout. We started with the satellite offices first, so that when the main office was migrated a VPN mesh already existed between all sites. We arrived on site with the firewall fresh out of the box. We had brought a USB key containing the basic configuration details, as well as the address of the management server the appliance needed to connect to. Thanks to the preparation work, starting the firewall up from there was a simple process. Once the firewall was connected to the management server, we pushed down the prebuilt configuration, checked that connectivity was all good and tested the product to make sure everything was working as it should. We then moved on to the next site and repeated the process.

Day 3: Remote Office Install

One of the satellite offices was a good distance from the others. Because the setup of the firewalls at the first two offices had gone smoothly, we were able to ship the new firewall to that office directly with the management server address preset, and talk the local staff through starting the firewall up. Once it had connected to the management server, we took over remotely and applied the same policies and testing process as at the first two sites.

Day 4: Main Site Install – Multi-Link Setup

On Day 4 we installed the main firewall pair in the central office. This was a similar process to the remote sites, but varied slightly because here we installed a cluster of 2 firewall nodes. The flexible connectivity meant we could connect 2 external links, the internal network, and a guest network used by a Wi-Fi appliance to keep guest users off the client’s corporate network. All of this connectivity runs over a cluster in which both firewalls are fully active and used to full capacity. Once the external links were connected using the Next Gen Multi-Link technology, both were up and available to use. Inbound, outbound and VPN traffic could flow over, and make use of, both links according to how we configured it.

Day 5: Go Live – Inbound Routing Allows a Different Gateway

Once all the firewalls were in place, we started to migrate the inbound and outbound services over. The Next Gen Firewall’s advanced network translation features meant we could move inbound services, such as mail and remote connectivity, without having to change the internal network infrastructure. This meant we could migrate deliberately and methodically, without making sweeping network changes and then firefighting issues as they arose. When migrating outbound services, we were able to choose which link was used to reach the internet based on the service, the source IP and other information – or we could simply use the fastest link available.
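The outbound link selection described above (pinning a service or source range to a particular link, with the fastest healthy link as both the default and the failover) as an added Python illustration. This is not Forcepoint’s configuration or NETprotocol’s code; the link names, probe latencies, ports and address ranges are constructed sample values.

```python
"""Policy-based outbound link selection with health-based failover.

Added illustration only: not Forcepoint's own configuration or code.
All link names, latencies, prefixes and rules are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Link:
    name: str
    up: bool = True
    latency_ms: float = 0.0   # latest probe result (constructed sample value)


@dataclass
class Rule:
    """Pin traffic matching a destination port and/or source prefix to a link.

    A field left as None is a wildcard, so a rule may match on service only,
    on source only, or on both.
    """
    link: str
    dst_port: Optional[int] = None
    src_prefix: Optional[str] = None

    def matches(self, src_ip: str, dst_port: int) -> bool:
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        if self.src_prefix is not None and ip_address(src_ip) not in ip_network(self.src_prefix):
            return False
        return True


class MultiLinkRouter:
    def __init__(self, links: List[Link], rules: List[Rule]) -> None:
        self.links: Dict[str, Link] = {link.name: link for link in links}
        self.rules = rules   # evaluated in order; first match wins

    def set_link_state(self, name: str, up: bool) -> None:
        """Record a probe result (link up or down) for failover decisions."""
        self.links[name].up = up

    def fastest_healthy(self) -> Optional[str]:
        """Default choice: the lowest-latency link that is currently up."""
        healthy = [link for link in self.links.values() if link.up]
        if not healthy:
            return None
        return min(healthy, key=lambda link: link.latency_ms).name

    def select_link(self, src_ip: str, dst_port: int) -> Optional[str]:
        """Return the outbound link for a new flow, or None if every link is down."""
        for rule in self.rules:
            if rule.matches(src_ip, dst_port):
                pinned = self.links.get(rule.link)
                if pinned is not None and pinned.up:
                    return pinned.name
                break   # pinned link is down: fall through to transparent failover
        return self.fastest_healthy()


def build_sample_router() -> MultiLinkRouter:
    """Constructed sample: two WAN links and two pinning rules."""
    links = [Link("wan1", up=True, latency_ms=12.0),
             Link("wan2", up=True, latency_ms=25.0)]
    rules = [Rule(link="wan2", dst_port=25),                 # outbound mail via wan2
             Rule(link="wan1", src_prefix="10.10.0.0/16")]   # one office range via wan1
    return MultiLinkRouter(links, rules)


if __name__ == "__main__":
    router = build_sample_router()
    print("web from 10.20.1.5 ->", router.select_link("10.20.1.5", 443))
    print("mail from 10.20.1.5 ->", router.select_link("10.20.1.5", 25))
    router.set_link_state("wan2", False)
    print("mail with wan2 down ->", router.select_link("10.20.1.5", 25))
```

Rules are evaluated top to bottom, so the order in which they are listed is itself part of the policy; a flow that matches no rule, or whose pinned link has failed, falls back to the fastest link that is currently up, which is the transparent failover behaviour the multi-link setup is meant to give.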

Now that the migration has been completed successfully, our role is to continue monitoring the firewalls and to make sure updates and patches are applied as needed. Any changes required in future, such as new servers that need outbound access or external parties that need access in, we will simply make as part of our managed service. By applying our technical experience to legal sector needs, we can make sure that any change does not compromise the security of the firewall, while at the same time advising on the right policies for the client’s requirements.

Client Benefits of this NGFW solution: 

This client has multiple data connections coming into its main office. Before the upgrade, each incoming line was connected to a different firewall and used for different services. By opting to install an NGFW solution, the client has seen the following benefits:

  1. The client was able to make the most of the multiple links by connecting both to one firewall, giving them failover connectivity while also making full use of all the bandwidth they pay for.
  2. Rather than carrying only the portion of traffic that happened to pass through a secondary firewall, the secondary link can now be used to a much greater extent on the main firewall and share the load.
  3. This is an active-active cluster, which means failover to the secondary link is now completely transparent.
  4. While both appliances in the cluster are operational they are both in active use, so our client is now working at double (x2) efficiency.
  5. And finally, the solution is managed remotely through a centralised management portal by NETprotocol’s certified NGFW Engineers, taking away the worry of day-to-day running and maintenance issues.

Ongoing Management Needs of the NGFW

NETprotocol will now fulfil the following responsibilities as part of our Managed Service to maintain the NGFWs for this client:

  • Apply all updates automatically, ensuring a problem-free solution.
  • Make changes to the security policies as required on the client’s behalf.
  • Offer advice and support through our expert team of NGFW Engineers.
  • Optimise the performance and efficiency of the hardware and configuration.
  • Ensure future changes or configuration updates do not compromise or interrupt security and performance.
  • Make daily checks that the firewalls are fully up to date and running the latest definition files.
  • Manage modifications to rule sets closely so as to handle traffic and optimise network efficiency.
  • Eliminate any potential for downtime, service interruption and loss of network security.

NETprotocol has a team of highly certified expert NGFW Engineers who work primarily with legal clients. Our aim is to make this complex technology both affordable and simple to deploy for clients who do not have this expertise in-house.

For more information on Forcepoint’s NGFW technology or NETprotocol’s Managed NGFW service, click below: