Port forward or VPN or WAF? best practice question

We have a fleet of XGs and SGs. When vendors install gear at a customer site and request port forwarding, I usually push back and require VPN access. For the larger vendors, with tens of support engineers, this is untenable and I understand that. I began thinking about the WAF feature because it terminates/tears down those remote connections, inspects/scans/etc., then re-creates the connection to the virtual server (I believe that's how it works). However, I am not sure that the WAF is designed or will work for all of these vendor devices. In short, if the local device has a web interface, could it then qualify as a supported system for this option? I am thinking about a hotel client in particular who has just installed a local appliance which will manage the thermostats. It's all IP based. We allow SSH/HTTP from their network only.

If port forwarding truly is the only option, what are some extra measures we could take to increase the security?

Thanks for reading.

TA


