Forum Discussion
Usama_Saleem
Aug 14, 2023 - Brass Contributor
Integrating multiple vendor firewalls with Sentinel - What's the best practice?
Hello,
One of my clients has 16 firewalls in 2 different regions.
8 in region A.
8 in region B.
Firewall vendors are Fortinet and Palo Alto.
Now I have a task to integrate all these firewalls with Sentinel. I was wondering what the best practice is in this scenario?
Should I configure only one CEF collector and collect all the firewall logs there, or should I use multiple CEF collectors?
Thanks in advance!
Clive_Watson (Bronze Contributor):
This is probably an 'it depends' reply. A count could be the right thing; often the decision will be data-volume based. Sometimes 1 FW will send as much traffic as 10 - do you know what they do today?
A. If you have to keep data in region you may need to collect in multiple workspaces anyway, so you need at least two collectors.
B. If you have highly used firewalls you may need multiple CEF collectors (the AMA supports 5000-8000 EPS). Do you need load balancing or auto scale? In that case the collectors could be in Azure.

Usama_Saleem (Brass Contributor):
In my case, there are 4 internal, 4 external, 4 WAN firewalls and 4 WAFs. All these firewalls are in Azure and the CEF collector will be in Azure too. I am not sure about the data volume, but the majority of the traffic will be from the external and WAN firewalls.
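As an added example that is not part of the thread (it is not code from Microsoft, Fortinet or Palo Alto), here is a small Python script that does the measuring Clive's reply asks for before deciding on a collector count. It parses CEF-over-syslog lines, computes events per second per firewall and per region, and sizes collectors per region against the 5000-8000 EPS per-AMA figure quoted above, leaving headroom for bursts and giving every region at least one collector so data stays in region. The sample lines, host names, region mapping and the "timestamp host CEF:..." line layout are all constructed assumptions; the CEF parser is simplified (it handles escaped pipes in header fields but not a field that ends in an escaped backslash).

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Hypothetical mapping of firewall host names to the region whose workspace must keep their data.
REGION_OF_HOST = {
    "fw-ext-01": "A", "fw-wan-01": "A",
    "fw-ext-02": "B", "waf-01": "B",
}

# Constructed sample in the form "<ISO timestamp> <host> CEF:..." as a collector might write it.
# Hosts, timestamps and event content are invented for this example; one line is plain syslog.
SAMPLE_LINES = [
    "2023-08-14T10:00:00Z fw-ext-01 CEF:0|Palo Alto Networks|PAN-OS|10.2|traffic|allow|3|src=10.0.0.5 dst=203.0.113.9 spt=51234 dpt=443",
    "2023-08-14T10:00:00Z fw-ext-01 CEF:0|Palo Alto Networks|PAN-OS|10.2|traffic|deny|5|src=198.51.100.7 dst=10.0.0.20 spt=4444 dpt=22",
    "2023-08-14T10:00:00Z fw-ext-01 CEF:0|Palo Alto Networks|PAN-OS|10.2|threat|vulnerability|8|src=198.51.100.7 dst=10.0.0.20 msg=SQL injection attempt",
    "2023-08-14T10:00:01Z fw-ext-01 CEF:0|Palo Alto Networks|PAN-OS|10.2|traffic|allow|3|src=10.0.0.6 dst=203.0.113.9 spt=51235 dpt=443",
    "2023-08-14T10:00:00Z fw-wan-01 CEF:0|Fortinet|Fortigate|7.2|0000000013|forward|3|src=10.1.0.5 dst=10.2.0.5 spt=50000 dpt=445",
    "2023-08-14T10:00:01Z fw-wan-01 CEF:0|Fortinet|Fortigate|7.2|0000000013|forward|3|src=10.1.0.6 dst=10.2.0.5 spt=50001 dpt=445",
    "2023-08-14T10:00:01Z fw-ext-02 CEF:0|Fortinet|Fortigate|7.2|0000000013|forward|3|src=10.3.0.5 dst=203.0.113.50 spt=50002 dpt=80",
    "2023-08-14T10:00:01Z fw-ext-02 CEF:0|Fortinet|Fortigate|7.2|0000000020|ips|7|src=198.51.100.9 dst=10.3.0.5 msg=Signature match",
    # Header field containing an escaped pipe: the parser must not split on it.
    "2023-08-14T10:00:01Z waf-01 CEF:0|Fortinet|FortiWeb|7.2|20000010|Attack detected\\|SQLi|7|src=198.51.100.9 dst=10.3.0.8 request=/login?id=1%20OR%201%3D1",
    "2023-08-14T10:00:01Z not-a-cef-line syslog message with no CEF header",
]

_SYSLOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(CEF:.*)$")
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")          # a '|' not preceded by a backslash
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")   # key=value pairs; values may contain spaces


def parse_cef(message):
    """Split a CEF message into its seven header fields plus a dict of extension keys.

    Header fields may contain '\\|' for a literal pipe, so the split skips escaped pipes.
    """
    if not message.startswith("CEF:"):
        raise ValueError("not a CEF message")
    parts = _UNESCAPED_PIPE.split(message[len("CEF:"):], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header has fewer than 7 fields")
    names = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
    event = {n: p.replace("\\|", "|").replace("\\\\", "\\") for n, p in zip(names, parts[:7])}
    event["extension"] = dict(_EXT_RE.findall(parts[7]))
    return event


def events_per_second(lines):
    """Return {host: EPS} over the window spanned by the sample.

    The window is (last - first timestamp) + 1 second so a one-second sample is not divided by zero.
    Lines that are not well-formed CEF are skipped, as a collector also receives plain syslog.
    """
    counts = Counter()
    stamps = []
    for line in lines:
        m = _SYSLOG_RE.match(line)
        if not m:
            continue
        ts, host, message = m.groups()
        try:
            parse_cef(message)
        except ValueError:
            continue
        counts[host] += 1
        stamps.append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    if not stamps:
        return {}
    window = (max(stamps) - min(stamps)).total_seconds() + 1
    return {host: n / window for host, n in counts.items()}


def eps_by_region(eps_by_host, region_of_host):
    """Sum per-host EPS into per-region EPS; each region maps to its own workspace/collectors."""
    totals = defaultdict(float)
    for host, eps in eps_by_host.items():
        totals[region_of_host[host]] += eps
    return dict(totals)


def collectors_needed(region_eps, capacity_eps=5000, headroom=0.7):
    """Minimum CEF collectors per region, sizing each at capacity_eps * headroom.

    capacity_eps defaults to the low end of the 5000-8000 EPS figure quoted in the thread;
    headroom (assumed 70%) leaves room for bursts. Every region gets at least one collector
    because data that must stay in region cannot share a collector with the other region.
    """
    usable = capacity_eps * headroom
    return {region: max(1, math.ceil(total / usable)) for region, total in region_eps.items()}


if __name__ == "__main__":
    per_host = events_per_second(SAMPLE_LINES)
    per_region = eps_by_region(per_host, REGION_OF_HOST)
    print("EPS per host:", per_host)
    print("EPS per region:", per_region)
    print("Collectors per region:", collectors_needed(per_region))
```

Run it against a day's worth of exported firewall logs (not the nine constructed lines) to get a real EPS figure; the sample only exercises the parsing and the per-region split. The sizing rule assumes the quoted per-AMA figure and a fixed headroom; adjust both to what the chosen collector build actually sustains under load.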