https://community.cisco.com/t5/network-security/asa-zones/m-p/5009068#M1108591 <P>Basic thread-detection is disabled, but threat-detection statistics is enabled and ASDM doesn't like it. Threat-detection statistics can be quite helpful though as ASDM uses it for graphs on the firewall dashboard.</P><P>Be careful when assigning zone to an interface: this can remove static routes on the interface (CSCuu43360). This is documented: When you add an interface to a zone, all static routes for those interfaces are removed.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 30 Jan 2024 13:52:16 GMT tvotna 2024-01-30T13:52:16Z https://community.cisco.com/t5/network-security/asa-zones/m-p/5004269#M1108332 <P>hi,</P><P>I need to implement one zone on asa withe several interfaces and no zones. I need to put two interfaces into that new zone. Will implementing this zone in any way break traffic toward other interfaces?</P><P>br</P> Wed, 24 Jan 2024 08:51:53 GMT https://community.cisco.com/t5/network-security/asa-zones/m-p/5004269#M1108332 DraganSkundric87318 2024-01-24T08:51:53Z https://community.cisco.com/t5/network-security/asa-zones/m-p/5004276#M1108334 <P>Can you more elaborate&nbsp;</P> <P>What platform you have fpr ftd ? Or asa?</P> <P>Thanks</P> <P>MHM</P> Wed, 24 Jan 2024 08:57:04 GMT https://community.cisco.com/t5/network-security/asa-zones/m-p/5004276#M1108334 MHM Cisco World 2024-01-24T08:57:04Z https://community.cisco.com/t5/network-security/asa-zones/m-p/5004278#M1108335 <P>asa</P> Wed, 24 Jan 2024 08:58:23 GMT https://community.cisco.com/t5/network-security/asa-zones/m-p/5004278#M1108335 DraganSkundric87318 2024-01-24T08:58:23Z https://community.cisco.com/t5/network-security/asa-zones/m-p/5004289#M1108336 <P>As I know there is secuirty level&nbsp;</P> <P>You can put interface in same secuirty level and permit intra and inter interface&nbsp;</P> <P>This allow traffic between interface to pass without need acl.</P> <P>If new interface have secuirty level different than old interface then sure you need acl.</P> <P>MHM</P> Wed, 24 Jan 2024 09:07:32 GMT https://community.cisco.com/t5/network-security/asa-zones/m-p/5004289#M1108336 MHM Cisco World 2024-01-24T09:07:32Z https://community.cisco.com/t5/network-security/asa-zones/m-p/5004303#M1108337 <P>but traffic bwtween interfaces should flow, respecting ACL of course, regadless of zone they are mebers of?&nbsp; One is in the zone and others are not member of any zone?</P> Wed, 24 Jan 2024 09:19:18 GMT https://community.cisco.com/t5/network-security/asa-zones/m-p/5004303#M1108337 DraganSkundric87318 2024-01-24T09:19:18Z https://community.cisco.com/t5/network-security/asa-zones/m-p/5004304#M1108338 <P>Friend there is no zone <STRONG>secuirty</STRONG>&nbsp;</P> <P>If old interface in same secuirty level with new then traffic flow no need acl (need only permit intra and inter)</P> <P>If the there is different in secuirty level' you need ACL.</P> <P>MHM</P> Wed, 24 Jan 2024 10:04:47 GMT https://community.cisco.com/t5/network-security/asa-zones/m-p/5004304#M1108338 MHM Cisco World 2024-01-24T10:04:47Z https://community.cisco.com/t5/network-security/asa-zones/m-p/5004310#M1108339 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1169250">@DraganSkundric87318</a> zones are only used on the ASA for ECMP (equal cost multi path) routing, you cannot not apply security controls (ACLs) based on the security zone. So normal ACL and security levels apply.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa920/configuration/general/asa-920-general-config/interface-zones.html?bookSearch=true" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa920/configuration/general/asa-920-general-config/interface-zones.html?bookSearch=true</A></P> <P>&nbsp;</P> Wed, 24 Jan 2024 09:27:54 GMT https://community.cisco.com/t5/network-security/asa-zones/m-p/5004310#M1108339 Rob Ingram 2024-01-24T09:27:54Z https://community.cisco.com/t5/network-security/asa-zones/m-p/5004331#M1108340 <P>I agree with&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>, if you are referring to the traffic zone then I would say the ASA traffic zone concept has nothting to do with some other vendors security zones concept such as Palo Alto for example. The traffic zone on the ASA could mainly be used to workaround some asymmetric routing scenarios and to allow some load balancing across multiple interfaces within a traffic zone which usually you can't do without a traffic zone. However, even with a traffic zone, the ACL and NAT for example will still be applied per interface basis, not per traffic zone basis.</P> Wed, 24 Jan 2024 09:53:16 GMT https://community.cisco.com/t5/network-security/asa-zones/m-p/5004331#M1108340 Aref Alsouqi 2024-01-24T09:53:16Z https://community.cisco.com/t5/network-security/asa-zones/m-p/5004338#M1108341 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1169250">@DraganSkundric87318</a>&nbsp;dont confuse&nbsp;</P> <P>Traffic zone is different than secuirty zone.</P> <P>Traffic zone is another long story.</P> <P>MHM</P> Wed, 24 Jan 2024 09:59:17 GMT https://community.cisco.com/t5/network-security/asa-zones/m-p/5004338#M1108341 MHM Cisco World 2024-01-24T09:59:17Z https://community.cisco.com/t5/network-security/asa-zones/m-p/5004358#M1108342 <P>I need to implement zone because of ECMP and just want to know if it will somehow negativelly impact existing traffic flow</P> Wed, 24 Jan 2024 10:21:44 GMT https://community.cisco.com/t5/network-security/asa-zones/m-p/5004358#M1108342 DraganSkundric87318 2024-01-24T10:21:44Z https://community.cisco.com/t5/network-security/asa-zones/m-p/5004359#M1108343 <P>thanks for clarify&nbsp;</P> <P>if you use Zone traffic then you need to make all interface in that traffic Zone in same security level&nbsp;</P> <P>and then as I mention before check the security level with other interface and use ACL if needed&nbsp;</P> <H3 class="title sectiontitle">from cisco doc.<BR />Security Levels</H3> <P class="p">The first interface that you add to a zone determines the security level of the zone. All additional interfaces must have the same security level. To change the security level for interfaces in a zone, you must remove all but one interface, and then change the security levels, and re-add the interfaces.</P> Wed, 24 Jan 2024 10:26:04 GMT https://community.cisco.com/t5/network-security/asa-zones/m-p/5004359#M1108343 MHM Cisco World 2024-01-24T10:26:04Z https://community.cisco.com/t5/network-security/asa-zones/m-p/5008903#M1108576 <P>ok, and now .... another problem. I can create zone but cannot add interfaces to it .... I have this message on ASDM&nbsp;</P><P>threat detection is enabled no interface can be associated with traffic zone</P><P>and threat detection is turned off. !?!?!?</P><P>&nbsp;</P><P>or is it not?&nbsp;</P><P>&nbsp;</P><P>no threat-detection basic-threat<BR />threat-detection statistics host<BR />threat-detection statistics port<BR />threat-detection statistics protocol<BR />no threat-detection statistics access-list<BR />no threat-detection statistics tcp-intercept</P><P>&nbsp;</P> Tue, 30 Jan 2024 10:21:38 GMT https://community.cisco.com/t5/network-security/asa-zones/m-p/5008903#M1108576 DraganSkundric87318 2024-01-30T10:21:38Z https://community.cisco.com/t5/network-security/asa-zones/m-p/5009068#M1108591 <P>Basic thread-detection is disabled, but threat-detection statistics is enabled and ASDM doesn't like it. Threat-detection statistics can be quite helpful though as ASDM uses it for graphs on the firewall dashboard.</P><P>Be careful when assigning zone to an interface: this can remove static routes on the interface (CSCuu43360). This is documented: When you add an interface to a zone, all static routes for those interfaces are removed.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 30 Jan 2024 13:52:16 GMT https://community.cisco.com/t5/network-security/asa-zones/m-p/5009068#M1108591 tvotna 2024-01-30T13:52:16Z