Problem description
Right now, if I have a fleet of 1000 network devices and each device needs to be added to an ACL, the network presumably slows down with the number of devices because each device is a rule in the nftables table. Having groups of devices would let us manage the network devices as a single group so that the number of network devices doesn't change the ACL size.
Proposed solution
Ideal: Even if an SSO provider is used for user groups, a static mapping of device -> Defguard group so that network devices can be managed as a single group and scale things better.
Workaround: The ability to deny/allow an IP range. Combined with static IPs in defguard 2., it might accomplish the same thing, just less elegantly and flexibly, as the IP range has to be partitioned statically up front for the groups we want to have plus the number of devices we expect to have within a group.
Alternatives considered
Currently we're going to add devices to the ACL list but this is going to slow down as we ramp up.
Impact
Important