https://community.cisco.com/t5/network-security/best-practice-for-security-zones/m-p/4181076#M1075626 <P>I usually create a zone per. interface and then create a category in the ACP section for each interface. I then place all access rules sourced from that particular interface under that category, so the ACP config will end up looking like en ASA Config.&nbsp;Example:</P><P>Category: INSIDE_ZONE</P><P>&lt;All rules sourced from the Inside Zone&gt;</P><P>Category: OUTSIDE_ZONE</P><P>&lt;All rules sourced from the internet&gt;</P> Mon, 09 Nov 2020 18:35:28 GMT Nicolai Borchorst 2020-11-09T18:35:28Z https://community.cisco.com/t5/network-security/best-practice-for-security-zones/m-p/4181033#M1075620 <P>A Customer will modernize a small/medium Network with seven FTDs (1120 / 2110) at &nbsp;1 HQ and 3 Branches.</P><P>so I am looking for best practice example for Security Zones form CISCO to pitch my Migration Plan.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 09 Nov 2020 17:34:52 GMT https://community.cisco.com/t5/network-security/best-practice-for-security-zones/m-p/4181033#M1075620 alex.f. 2020-11-09T17:34:52Z https://community.cisco.com/t5/network-security/best-practice-for-security-zones/m-p/4181035#M1075621 <P>It all depends on how your exiting environment, are you looking exiting to migrate to FTD ?</P> <P>&nbsp;</P> <P>or you looking to deploy FTD greenfield and migrate ?</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/621/asa2ftd-migration/asa2ftd-migration-guide-621/asa2ftd_migration_procedure.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/621/asa2ftd-migration/asa2ftd-migration-guide-621/asa2ftd_migration_procedure.html</A></P> <P>&nbsp;</P> Mon, 09 Nov 2020 17:38:06 GMT https://community.cisco.com/t5/network-security/best-practice-for-security-zones/m-p/4181035#M1075621 balaji.bandi 2020-11-09T17:38:06Z https://community.cisco.com/t5/network-security/best-practice-for-security-zones/m-p/4181066#M1075625 <P>We used the migration tool to import the existing access rules and the basic Configuration but ist created a zone for each interface.</P><P>The Customer is not so&nbsp;experienced and need the push in the right direction. Actually we have a Greenfield deployment of the new FTDs running with the old Concept.</P> Mon, 09 Nov 2020 18:17:56 GMT https://community.cisco.com/t5/network-security/best-practice-for-security-zones/m-p/4181066#M1075625 alex.f. 2020-11-09T18:17:56Z https://community.cisco.com/t5/network-security/best-practice-for-security-zones/m-p/4181076#M1075626 <P>I usually create a zone per. interface and then create a category in the ACP section for each interface. I then place all access rules sourced from that particular interface under that category, so the ACP config will end up looking like en ASA Config.&nbsp;Example:</P><P>Category: INSIDE_ZONE</P><P>&lt;All rules sourced from the Inside Zone&gt;</P><P>Category: OUTSIDE_ZONE</P><P>&lt;All rules sourced from the internet&gt;</P> Mon, 09 Nov 2020 18:35:28 GMT https://community.cisco.com/t5/network-security/best-practice-for-security-zones/m-p/4181076#M1075626 Nicolai Borchorst 2020-11-09T18:35:28Z https://community.cisco.com/t5/network-security/best-practice-for-security-zones/m-p/4181088#M1075630 <P>Security zones are used to segment your network and make it easier to classify traffic.&nbsp; Usually you would group interfaces that provide similar services.&nbsp; For example, DMZ1, DMZ2, and DMZ3 could be grouped into a single security zone called DMZ.&nbsp; Interface facing the internet could be placed in the Outside zone or a zone called Internet.</P> <P>&nbsp;</P> <P>But it all boils down to what does your security policy dictate, and what are your network needs.</P> Mon, 09 Nov 2020 19:06:15 GMT https://community.cisco.com/t5/network-security/best-practice-for-security-zones/m-p/4181088#M1075630 Marius Gunnerud 2020-11-09T19:06:15Z https://community.cisco.com/t5/network-security/best-practice-for-security-zones/m-p/4181125#M1075633 <P>My best approach Lan side 1 Zone, Outside you can make any zones since the Lan side always is only 1Zone and trusted network. if you have more then you need to create more, but i prefer to make simple so easy to manage the network, rather a complex task for engineers when required to diagnosis the issue.</P> <P>&nbsp;</P> <P>Inside LAN Zone&nbsp;</P> <P>Outside 1&nbsp; Zone</P> <P>WAN 2&nbsp; Zone&nbsp;</P> <P>DMZ Zone</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 09 Nov 2020 20:24:00 GMT https://community.cisco.com/t5/network-security/best-practice-for-security-zones/m-p/4181125#M1075633 balaji.bandi 2020-11-09T20:24:00Z