Compared with previous versions, Global Pro 3.0 has significant improvements, and if you're using an older version of Global Pro, you should consider upgrading. Two versions of Global Pro have been released: NetScreen-Global Pro Express 3.0 (for 25 to 100 devices) and NetScreen-Global Pro 3.0 (for 100 to 10,000 devices).
Global Pro Express, which I tested in our Syracuse University Real-World Labs®, combines its management and reporting servers on a single Sun Microsystems Netra T1 machine. Global Pro 3.0, the larger version, separates management and reporting services, and supports historical reporting via an Oracle database.
I was impressed with Global Pro, but I think it should include a process scheduler, support for external user authentication and more intelligent rule processing. These details aside, Global Pro Express' device-group management and role-based administration should provide robust tiered management of large numbers of devices.
The Dressing
Global Pro Express comes in two parts: the Arbitrator and the Policy Manager. The Arbitrator is preinstalled on a Sun Netra and lets multiple administrator clients attach and manage devices. As the central management server, the Arbitrator provides record locking so two administrators don't stomp over each other's configurations and allows for log consolidation and role-based access control, to name a few of its features.
The Policy Manager, a standalone Java-based application, is installed on the administrator's desktop. In addition to providing all the policy and provisioning tools required to manage individual and groups of firewalls, the Policy Manager offers a graphical view of the firewalls, called the Global View, against a map background. Unfortunately, this map shows only firewall locations and VPN connections.
As with other firewall-management applications, firewalls have to be added to Policy Manager first. Then the Global View places them on the map, or you can add them directly to the Devices tab in Policy Manager. You can add and configure the firewalls and policies prior to distributing the firewalls, giving you time to plan policy and configuration settings. Global Pro Express can import existing static-device configuration, such as IP addressing, but the individual policies have to be rebuilt.
Because all configuration and policy information resides in Global Pro Express, NetScreen devices need only the barest configuration. Unfortunately, Global Pro Express can only push policies to devices, so I had to wait until I knew the NetScreens were booted to update their configurations. Having the firewall poll for configurations at boot time would make configuration management easier.
The Beef
Once the firewalls have been added to the Policy Manager, the Devices tab lists all the firewalls in the domain. Open the Devices tab and double-click on one of the firewalls to bring up configuration options--such as IP configuration, protected resources, and DHCP and L2TP configuration--specific to that firewall.
The next step is to move the firewalls into logical groups so they can be easily managed. A group can contain one device, multiple devices or even other groups. Next, you build the policies and place the groups into the policies that apply to them. Groups can be put in more than one policy if necessary, and, likewise, a policy can contain more than one group. This is one way that NetScreen's product differs from the competition: Instead of building and applying a policy for each group of firewalls, you build policies and place devices or groups of devices into that policy.
All the security parameters--firewall rules, administrator roles, defense mechanisms and system monitoring--are defined in Policy Manager. VPNs, however, must be configured elsewhere.
To reuse policies as much as possible and to avoid re-entering the same configuration options again and again, you can make devices members of multiple policies. For example, I created a group called "All" that included every firewall in our system. I then built a policy that defined common configuration options, such as syslog, SNMP, URL filtering and monitoring, and added the "All" group to that policy.
For my security policies, I wanted to allow inbound SMTP and DNS access, so I created a policy allowing SMTP and DNS access to specific servers and then added the devices and groups of devices that protected those servers into the policy membership.
Unfortunately, Policy Manager does not make a distinction about which subnets and hosts are protected by which firewalls, so all members of a policy membership receive the same rules regardless of which host resides behind a specific firewall (see "NetScreen-Global Pro Policy Problems").
Because NetScreen has gone to the trouble to build a central management system, applying the firewall rules properly should be a given. Unfortunately, if you want to build granular policies, which you would do for inbound traffic anyway, you will have to build individual policies for each firewall.
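To make the membership model and the scoping problem concrete, here is an added example; it is not part of the review and not NetScreen's code. It models nested device groups and policies with many-to-many membership as the review describes, resolves the effective rule set each firewall receives under the "every member gets every rule" behaviour, and then shows the scoped resolution the reviewer wanted, where a rule lands only on firewalls whose protected resources contain the rule's destination. Every device name, subnet and rule below is constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed model of the objects the review describes: firewalls with
# protected resources, groups that may nest, and policies whose membership
# is any mix of devices and groups. Names and addresses are hypothetical.


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    service: str  # e.g. "smtp", "dns", or "any"
    dst: str      # destination host/CIDR, or "any"


@dataclass(frozen=True)
class Device:
    name: str
    protected: tuple  # CIDR strings for the subnets behind this firewall


@dataclass
class Group:
    name: str
    members: list  # Device or Group, so groups can contain groups


@dataclass
class Policy:
    name: str
    members: list  # Device or Group
    rules: list    # Rule


def expand(member):
    """Flatten a Device or an arbitrarily nested Group into a set of Devices."""
    if isinstance(member, Device):
        return {member}
    devices = set()
    for m in member.members:
        devices |= expand(m)
    return devices


def protects(device, dst):
    """True if the destination lies inside one of the device's protected subnets.
    A destination of "any" applies to every firewall (e.g. a cleanup deny)."""
    if dst == "any":
        return True
    target = ip_network(dst, strict=False)
    return any(target.subnet_of(ip_network(p)) for p in device.protected)


def effective_rules(policies, scoped=False):
    """Return {device name: set of Rule}.
    scoped=False mirrors the behaviour the review complains about: every
    member of a policy receives every rule in it. scoped=True keeps a rule
    on a firewall only when that firewall actually protects the destination."""
    result = {}
    for policy in policies:
        for member in policy.members:
            for dev in expand(member):
                bucket = result.setdefault(dev.name, set())
                for rule in policy.rules:
                    if not scoped or protects(dev, rule.dst):
                        bucket.add(rule)
    return result


def leaked_rules(policies):
    """Rules a firewall would receive unscoped that it has no reason to carry:
    each one is an inbound allow for a host that sits behind a different firewall."""
    unscoped = effective_rules(policies)
    scoped = effective_rules(policies, scoped=True)
    leaks = {name: unscoped[name] - scoped.get(name, set()) for name in unscoped}
    return {name: rules for name, rules in leaks.items() if rules}


# Constructed topology: a head office and two branches, nested into an "All" group.
HQ = Device("fw-hq", ("10.0.0.0/24", "10.0.1.0/24"))
BRANCH_A = Device("fw-branch-a", ("10.1.0.0/24",))
BRANCH_B = Device("fw-branch-b", ("10.2.0.0/24",))
BRANCHES = Group("Branches", [BRANCH_A, BRANCH_B])
ALL = Group("All", [HQ, BRANCHES])

SMTP_RULE = Rule("allow", "smtp", "10.0.1.25")  # mail server behind fw-hq
DNS_RULE = Rule("allow", "dns", "10.2.0.53")    # DNS server behind fw-branch-b

POLICIES = [
    Policy("Common", [ALL], [Rule("deny", "any", "any")]),
    # Members are exactly the firewalls that protect the two servers, as in the review.
    Policy("Inbound-SMTP-DNS", [HQ, BRANCH_B], [SMTP_RULE, DNS_RULE]),
]

if __name__ == "__main__":
    for name, rules in sorted(effective_rules(POLICIES).items()):
        print(name, "unscoped:", sorted(r.service for r in rules))
    for name, rules in sorted(leaked_rules(POLICIES).items()):
        print(name, "would carry unnecessary rules:", sorted(r.service for r in rules))
```

Run stand-alone, the script shows fw-hq carrying the DNS allow for a server it does not protect and fw-branch-b carrying the SMTP allow, while fw-branch-a, which is in neither policy's scope for those servers, gets only the cleanup deny. Superfluous inbound allows are the practical cost of the unscoped model: each one is an open service on a firewall that does not need it.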
The Gravy
Building a VPN with Global Pro Express is straightforward. Add a new VPN, then add members to it. Members are the firewalls' protected subnets and not the firewalls themselves. For example, a firewall may have two or more subnets defined as protected resources, but you may not want them all to be in a VPN, so simply select the resources you want in the VPN and define the parameters, and Policy Manager will sort it out.
Mesh, hub-and-spoke and branch-to-main VPNs are all easily configured with a few clicks. Adding remote users is just as simple, except that you have to add each user into Policy Manager so the user's group configuration can be used. That means maintaining two user databases. NetScreen says it is planning to migrate group affiliation to RADIUS in an upcoming release.
Once the configuration changes are complete and saved in Global Pro Express, they have to be distributed. A few mouse clicks, and the policies are built and sent to each NetScreen firewall selected. The GUI kept me apprised of which firewalls were being updated and how far the update had gotten. Any failures were also noted.
Vendor Information
NetScreen-Global Pro Express 3.0 starts at $5,995 for 25 devices. Available: Now. NetScreen Technologies, (800) 638-8296, (408) 730-6243; fax (408) 730-6100. www.netscreen.com
I did have a problem after I pushed my policies out. I checked the firewalls using the Web interface and found that my firewall rules weren't set properly. Like many seasoned administrators, I like to see what a management application is going to do. NetScreen has built in a configuration summary tool that lists all the CLI commands that it sends to each NetScreen firewall. I ran the summary, and sure enough the rules I wanted applied were not built. NetScreen officials I contacted told me I had misconfigured the firewall in NAT mode when it should have used router mode. Shame on me.
Had I not checked the configuration or at least looked at the command summary, I wouldn't have known the policies I intended to send were not sent. Shame on NetScreen.
Monitoring
Real-time monitor is NetScreen's monitoring console and offers a variety of robust reporting tools. Unfortunately, there is a disconnect between Global Pro Express and the real-time monitor. You have to re-create users in both applications and import firewalls from one application to another. In my opinion, these two applications should be sharing this data. I like to log a lot of data so I can sort through it as I see fit, and one of the hardest problems is being able to define the types of filters that will present me with the information I need to see.
Through the real-time monitor's display filters, I created granular filters by selecting the devices and types of events that I wanted to see. Each display filter has its own histogram showing total events. Double-clicking on the histogram brings up a detail view. Unfortunately, with Global Pro Express, the display filters show only the events that occurred while the monitor is running. However, individual firewalls can be monitored as well.
Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Send your comments on this article to him at mfratto@nwc.com.