topic Re: FTD 1120 multiple interfaces on single Security Zone in Network Security

FTD 1120 multiple interfaces on single Security Zone

FLTRU16 — Mon, 24 Mar 2025 15:07:09 GMT

We are spinning up a new set of core switches and changing the internal IP Address scheme at the same time. I was wondering if it was possible to have multiple internal interfaces in a single security zone. The goal is to complete the new switch configuration and test connectivity to the outside world and our multiple VPN sites. I could not find any document that said I could or could not but the FDM will let me combine them.

Thanks in advance.

Re: FTD 1120 multiple interfaces on single Security Zone

Sheraz.Salim — Mon, 24 Mar 2025 15:47:13 GMT

can you not create a seprate zone. as combine zone can fix the traffic and could lead of security risk plus its not good practice to combine the different interfaces in single zone.

Note: In my experience with FMC managed FTD deivces I have came across security zone issue where it complain about static rotue therefore be mindful of that.

Re: FTD 1120 multiple interfaces on single Security Zone

FLTRU16 — Mon, 24 Mar 2025 18:13:15 GMT

I could do that, just seams a little counter productive. I don't see an option to combine zones, could you expand on this? I previously came from the Silver Peak SD-WAN side so I am out of practice when it comes to Cisco.

Re: FTD 1120 multiple interfaces on single Security Zone

FLTRU16 — Thu, 27 Mar 2025 14:52:35 GMT

I have created a second internal zone but there is no traffic. I only have Meraki Switches connected into the new internal zone interface and now my switches are showing offline. There is a route configured for any-ipv4 to outside. I'm not sure what I am missing from this config.

Re: FTD 1120 multiple interfaces on single Security Zone

FLTRU16 — Thu, 27 Mar 2025 19:54:19 GMT

Here is a screenshot of what I am trying to accomplish. Port 1/2 and 1/3 both go to the inside network

Re: FTD 1120 multiple interfaces on single Security Zone

FLTRU16 — Fri, 28 Mar 2025 19:31:26 GMT

Found the solution. You can bridge multiple physical port to the inside-zone.

Configure the Bridge Group:
Step 1: Navigate to the FTD device configuration interface.
Step 2: Go to the Network section and select Interfaces.
Step 3: Click on Bridge Groups and create a new bridge group if one does not already exist.
Step 4: Add the two ports you want to include in the bridge group. Ensure that each member interface meets the following requirements:
The interface must have a name.
The interface cannot have any IPv4 or IPv6 addresses defined for it, either static or served through DHCP.
Step 5: Configure the bridge group interface (BVI) with an IP address for the inside network. For example, you can set the BVI1 inside network to 192.168.1.1/24.
Assign the Bridge Group to the Inside Network:
Step 6: Ensure that the bridge group interface (BVI) is assigned to the inside security zone.
Step 7: Configure any necessary security policies and access control lists (ACLs) to allow traffic between the inside network and other networks.
Verify the Configuration:
Step 8: Verify that the bridge group is correctly configured by checking the interface status and ensuring that devices connected to the two ports can communicate with each other and with the outside network.