LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How do you handle multiple external network connections (Internet + B2B partners) in a firewall architecture?

B2B partner networks are external but trusted differently from the Internet — they need their own zone with their own rules. Two designs: route partners through the same firewall as the Internet, or use a dedicated separate firewall for partner traffic.

Two firewall designs for multiple external connections: one firewall with a separate leg/zone per partner, or a dedicated second firewall for partner traffic.

* Two ways to place multiple external connections: one firewall with many zones, or a dedicated partner firewall. *

Design 1 — single FW, many legs: each external network (Internet, Partner X, Partner Y) gets its own "leg" (zone) on the same firewall, which also fronts the DMZ and Intranet. Pros: simpler, one management point. Cons: all partners share the same firewall — a misconfiguration affects all.

Design 2 — dedicated partner FW: a separate firewall (FW₂) sits between the Intranet and the B2B partners, while FW₁ handles the Internet + DMZ. Pros: total separation of policy domains; the partner FW can be run by a different team. Cons: more hardware, more management.

Why B2B traffic deserves special treatment:

Concern Solution
Partner network security may be weaker than yours Treat partner zone as semi-trusted, not fully trusted
Specific protocols (SAP, EDI, AS2) used Custom rules different from Internet-facing rules
Compliance (e.g., automotive supplier networks) Dedicated logging and monitoring
Regulatory audits Partner traffic must be auditable separately

The "mehrere externe Netz" reality:

In a typical large enterprise, you'll see:

  • 1 Internet connection (or 2 for redundancy)
  • 5-50 B2B partner connections (suppliers, customers, payment processors, banks)
  • Multiple cloud connections (AWS Direct Connect, Azure ExpressRoute)
  • Multiple branch offices via SD-WAN/MPLS

Each is a "zone" with its own policy.

Tip: Modern FW designs use zone-based policy — rules are written between zones (Internet, DMZ, Intranet, B2B-PartnerX) rather than between specific IPs. New connections from a partner just join the existing zone and inherit its policy. This is far more maintainable than per-IP rules.

Go deeper:

From Quiz: INTROL / Firewall Fundamentals | Updated: Jul 14, 2026