topic Re: Firepower feature question in Network Security

Firepower feature question

ChristopherCraddock66504 — Fri, 05 Feb 2021 21:05:10 GMT

Dear Community,

On the ASA there are a few options that dictate what traffic can flow between interfaces. These options are:

-Enable traffic between interfaces that are configured with the same security level

-Enable traffic between two or more hosts connected to the same interface

Do the Firepower appliances have equivalent settings? Or do they allow the traffic between any interface as long as there are the appropriate policies/rules (ACP, NAT etc)?

Thank you.

Re: Firepower feature question

Rob Ingram — Fri, 05 Feb 2021 21:10:56 GMT

@ChristopherCraddock66504

The commands you are referring to don't exist on the FTD (traffic between FTD interfaces is permitted by default). You are correct, you just permit traffic as per the ACP.

HTH

Re: Firepower feature question

Marius Gunnerud — Fri, 05 Feb 2021 22:10:14 GMT

Security levels are still available on the FTD interfaces (as of 6.7) but the same-security-traffic commands are no longer present. Security levels need to be configured using flexconfig

interface GigabitEthernet0/0
nameif LAN
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 100

If you are looking to do hairpinning on the FTD then you can refer to the following link:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215875-configure-anyconnect-vpn-client-on-ftd.html#anc14

ip address 192.168.0.20 255.255.255.0

Re: Firepower feature question

ChristopherCraddock66504 — Mon, 08 Feb 2021 13:31:58 GMT

Marius,

We are running 6.4.0.9 code. Does this mean security level do not yet apply to my deployment as they were re-introduced in 6.7?

Thank you.

Re: Firepower feature question

Marius Gunnerud — Mon, 08 Feb 2021 13:59:48 GMT

security-levels are available in 6.4 but as with 6.7 you need to configure it using flexconfig

Re: Firepower feature question

ChristopherCraddock66504 — Mon, 08 Feb 2021 16:49:33 GMT

Marius,

Thank you for the quick reply! I currently do not have the security levels explicitly configured on any of my interfaces. Will this prevent traffic from being able to be routed between interfaces? Or do they only take effect after I enable the feature through Flexconfig? Im assuming they wont have any effect if theyre not configured?

Thank so much!

Re: Firepower feature question

Marius Gunnerud — Mon, 08 Feb 2021 19:28:49 GMT

Well, the thing here is that security levels are in place so that access-lists are not needed. The second you configure an access-list for an interface the security-level is no longer used. I have never tried using the security-levels on the FTD but if the logic follows the same as ASA (which it should), if you have no access-lists configured for an interface / security zone, but you do have security-levels configured then traffic from the higher security-level to the lower security level should be allowed. I have never seen a purpose in using the security-levels and have always used access-lists on both ASA and FTD (ACP) so how this would work in reality would need to be tested.