topic Re: FMC: Security Zones and Interfaces on ASA Failover Pair in Network Security

FMC: Security Zones and Interfaces on ASA Failover Pair

swscco001 — Tue, 20 Apr 2021 07:59:50 GMT

Hello everybody,

I have just setup my first FMC (6.6.1) for a ASA Failover Pair (9.8(2)20)
with Firepower modules (6.6.1).

At the moment still no traffic will be handled by the module (neither
"sfr fail-open" nor " sfr fail-open monitor-only" is currently configured
in the policy-map under "class sfr".

The are still no zones in the FMC and I want to know how you would proceed
with creating zones.

Attached you find the zones on the ASA.

Do you put the interfaces with the same security level in the same zone,
or is there a better model? For example the outside interfaces on primary
and secondary ASA in the outside zone (see attached)?

Every hint is welcome!

Thanks a lot!

Bye
R.

Re: FMC: Security Zones and Interfaces on ASA Failover Pair

Marius Gunnerud — Tue, 20 Apr 2021 09:30:57 GMT

My normal "go to" is to create zones based on functions. So Internet goes in the outside zone, local lan goes in the inside zone, branch offices goes in another zone (for example branch_office or dmz-2), servers go in yet another zone (for example dmz).

Re: FMC: Security Zones and Interfaces on ASA Failover Pair

swscco001 — Tue, 20 Apr 2021 09:44:58 GMT

Hi Marius,

thanks for the reply!

I have searched for a 'how to' but could not find any.

I thought the security zones at Firepower are the equivalent to the security levels at the ASA. That's why I want to create the zones
according to the security levels.

Thanks a lot!

Re: FMC: Security Zones and Interfaces on ASA Failover Pair

Marius Gunnerud — Tue, 20 Apr 2021 10:17:18 GMT

Hi,

Zones and security levels in ASA and Zones in Firepower are two separate things, although they are similar to each other. Security levels on the ASA are used in absence of access lists on an Interface to define which interface is "more trusted", once you apply an access list to an interface the security levels have no meaning other than a visual representation of that trust. Zones in Firepower, however, are used to group interfaces together. How they are grouped is up to the administrator, but as I mentioned earlier I tend to group the interfaces together based on the services or functions that are provided. You would still need to apply access lists to allow traffic, but it adds an extra layer of security when you reference the Zone in the access list.