MDM Architecture – Part III

Yesterday while jogging I was listening to RadioLab on Gödel’s incompleteness theorem and the Barber Theorem. Basically: what is the basis of all math, numbers or sets? Answer: basically, there is no answer.

Same with MDSs. What is the basis of MDSs? While Gödel might say there is no answer, that doesn’t prevent me from taking a whack at it.

The answer is: Objects.

Done deal. That wasn’t so hard. Am I the next Godel now?

For those of you who haven’t arrived at this conclusion, I guess I’ll drone on for a bit.

Let’s look at what we have in an MDM system:

  • Objects: the building blocks (hosts, networks, services) used to create policies
  • Policies: use objects to make rules
  • Firewalls: enforce those rules on security zones
  • SmartCenters: hold local policy and objects and push them to firewalls
  • MDSs: hold global policy and objects and push them down to SmartCenters

Do you see a pattern? Nice little hierarchy, huh?

Who cares?

Well, if you are a large enterprise and you are hitting the 250-Domain limit on a single MDS, how are you going to organize/group your MDM architecture?


  1. Determine your security zones (refer to my MDM Part II).
  2. Find the sets of zones that share a large swath of OBJECTS.
  3. Group those zones into a Domain/SmartCenter and develop policies from those common OBJECTS. The common rule of thumb is 10-15 policies per Domain/SmartCenter. Make sure you use the APPLYTO field so that each policy gets loaded onto the right firewall(s).
  4. MDS Prime Directive: NEVER use global objects in local rules. In a similar vein, build MDSs around groups of global objects. For example: if you are international and have an MDS for each country or region (e.g. North America), then build global objects for that region’s SNMP manager: g_NA_snmp_mgr.
  5. Build global policies from those global objects.
  6. Apply those global policies to a group of Domains. How big should the group be? Currently an MDS starts creaking at 100 Domains but can hold up to 250.
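The six-step process above, as an added worked example that is not part of the original post and not Check Point code: a small Python planning script over constructed sample data. It measures overlap between zones on their local objects only (anything with the g_ prefix, per the g_NA_snmp_mgr naming convention, is treated as global and left out, otherwise the shared SNMP manager would glue every zone into one Domain), greedily groups zones into Domains by Jaccard overlap, lints local rules for the Prime Directive, and sizes the MDS count against the 100-Domain comfort limit. The zone names, object names, rule names, the 0.3 threshold and the numeric limits are all assumptions taken from or chosen for this post.

```python
"""Added example, not Check Point's code: a planning helper for carving
security zones into MDM Domains. All data below is constructed."""
import math

GLOBAL_PREFIX = "g_"          # naming convention from the post: g_<region>_<role>
MAX_DOMAINS_PER_MDS = 100     # where an MDS "starts creaking"; hard cap is 250
POLICIES_PER_DOMAIN = 15      # upper end of the 10-15 policies rule of thumb

# Constructed sample: security zone -> objects referenced by that zone's rules.
ZONES = {
    "dmz-web":   {"web_srv_1", "web_srv_2", "lb_vip", "g_NA_snmp_mgr"},
    "dmz-api":   {"api_srv_1", "lb_vip", "web_srv_1", "g_NA_snmp_mgr"},
    "corp-lan":  {"ad_dc_1", "file_srv", "print_srv", "g_NA_snmp_mgr"},
    "corp-wifi": {"ad_dc_1", "wifi_ctrl", "file_srv", "g_NA_snmp_mgr"},
    "pci-db":    {"db_srv_1", "db_srv_2", "g_NA_snmp_mgr"},
}

# Constructed sample of local rules: (domain, rule name, objects it references).
LOCAL_RULES = [
    ("dmz", "allow-web", {"lb_vip", "web_srv_1"}),
    ("dmz", "snmp-poll", {"g_NA_snmp_mgr", "web_srv_1"}),  # breaks the Prime Directive
    ("corp", "ad-auth", {"ad_dc_1", "file_srv"}),
]


def is_global(obj):
    """Global objects are identified purely by the naming convention (assumption)."""
    return obj.startswith(GLOBAL_PREFIX)


def jaccard(a, b):
    """Overlap of two object sets in [0, 1]; 0.0 when either set is empty."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def group_zones(zones, threshold=0.3):
    """Steps 2-3: greedily merge zones whose *local* object sets overlap.

    Returns a list of candidate Domains, each with its zones and the union of
    their local objects. Global objects are deliberately ignored so a shared
    g_NA_snmp_mgr does not pull every zone into a single Domain."""
    groups = []
    for zone, objs in zones.items():
        local = {o for o in objs if not is_global(o)}
        for g in groups:
            if jaccard(local, g["objects"]) >= threshold:
                g["zones"].append(zone)
                g["objects"] |= local
                break
        else:
            groups.append({"zones": [zone], "objects": set(local)})
    return groups


def prime_directive_violations(rules):
    """Step 4: a local rule must not reference a global object, because once
    it does, that global object can no longer be deleted from the MDS."""
    return [
        (domain, name, sorted(o for o in objs if is_global(o)))
        for domain, name, objs in rules
        if any(is_global(o) for o in objs)
    ]


def mds_count(num_domains, per_mds=MAX_DOMAINS_PER_MDS):
    """Step 6: number of MDSs needed at the comfortable Domains-per-MDS size."""
    return math.ceil(num_domains / per_mds)


def policies_ok(policy_count, limit=POLICIES_PER_DOMAIN):
    """Rule-of-thumb check on how many policies one Domain's admins can carry."""
    return policy_count <= limit


if __name__ == "__main__":
    for i, g in enumerate(group_zones(ZONES), 1):
        print(f"Domain {i}: zones={g['zones']} local objects={len(g['objects'])}")
    for v in prime_directive_violations(LOCAL_RULES):
        print("Prime Directive violation:", v)
    print("MDSs needed for 320 Domains:", mds_count(320))
```

With the sample data this yields three candidate Domains (the two DMZ zones, the two corp zones, and pci-db on its own), flags the snmp-poll rule for referencing g_NA_snmp_mgr, and reports that 320 Domains need four MDSs at the 100-Domain comfort size. The greedy merge is order dependent, so in real use run it over a few orderings or thresholds and treat the output as a starting point for the zone-to-Domain map, not a final answer.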

The above process was built with the known limitations of MDS in mind:

  • MDS Prime Directive (no global objects in local rules)
  • Can’t delete a global object while it is used in a local rule
  • MDS limit of 250 Domains, with about 100 as the practical working size
  • A SmartCenter’s human administrative support limit of 10-15 policies

If these limits change with the arrival of GAIA, I may revise the above process.

Well, time for a jog and more RadioLab. Maybe it will inspire my next MDM Nobel prize.

Later MDM geeks,



MDM Gossip

OK, this is all tenth-hand word of mouth, so take it with a grain of salt:

1) Since containers are history, what is an enterprise to do if it has 1000 gateways and 750 policies?

In R75.20 there are no more containers, so the most Domains an MDS can contain is 250. What are some companies doing? These are some examples I heard:

– Company A: Has XX MDSs in XX countries.
– Company B: Has 15-25 policies per Domain. Each policy has the target gateways it is installed on, so you choose a policy, modify it, click install, and it gets installed on the right gateways.
– Company C: Has a rule of 100 Domains maximum per MDS.
– (I didn’t get all of this, and I can’t see it in SDM) From SDM, you can install policies on individual gateways????

2) With GAIA coming out there will be 64-bit support for the OS and utilities but NOT for applications, so SmartDomain Manager (SDM) and MDS will not be compiled for 64-bit. I think?? the firewall process will be 64-bit because it can support 5 million connections, up from 1 million. Check this.

3) SmartLog: FINALLY!!! A massive log database that takes in ALL logs from ALL Domains so you can do cross-Domain searches on ALL logs. FINALLY!! Basically it will suck the flat log files from the Domains and put them into a massive database.

OPINION: This HAS to be integrated into SDM or I’ll go work at Palo Alto. Don’t let me down CP.

4) In R75.40 we will FINALLY get hit counts per rule, shown in SmartDashboard.

5) The MDS global database is FINALLY being migrated into an SQL database instead of flat files. Probably two years down the road, but a good first step.

6) Future concept for MDM (from a customer, Tim M.): policies on the left, list of gateways on the right. Connect the policies to gateways by drawing lines. Install.
Sounds OK, but how do you put scope onto objects?

That’s all I got for now.

Verify and Install,


