topic Re: FTD security level 0 in Network Security

FTD security level 0

h.dam — Wed, 13 Jan 2021 08:21:54 GMT

Hello Guys,

I am new on the Cisco FPR 2130 device.

Some questions below after hands-on pratices:

1. The default config contains inside and outside interfaces. But why do they both have security-level 0 ?

Do I need to change it ? How ? (I didn't find out security-level on the FDM GUI)

2. I would like to create subinterface (802.1Q trunk) on the outside interface. Do I need to delete the outside interfacename first?

3. Do I need to create Policy rules if I want to allow ICMP, Traceroute traffic ? (as I did on ASA)

Thanks.

Rob Ingram — Wed, 13 Jan 2021 08:39:59 GMT

On FTD all interfaces have a security level of 0 (you cannot change this), this has changed from the way you are used to configuring an ASA.

You don't necessarily need to delete the name, but all interface names must be unique.

You will need to configure a Service Policy in order to allow traceroute.

CiscoBrownBelt — Thu, 30 Mar 2023 17:51:10 GMT

So to allow traffic you must always have ACLs applied, can't just allow inside zone to outside zone as an example?

Rob Ingram — Thu, 30 Mar 2023 17:54:01 GMT

@CiscoBrownBelt yes you can just allow traffic from one (inside) zone to another (outside) zone.

Or you could set the default action to allow, instead of drop.

CiscoBrownBelt — Thu, 30 Mar 2023 19:53:46 GMT

How do I verify that via FMC or CLI for FTD I cant even see it or find the documentation covering that?