Best Practice for Security Zones

alex.f.
Level 1

A customer will modernize a small/medium network with seven FTDs (1120 / 2110) at 1 HQ and 3 branches.

So I am looking for a best practice example for security zones from Cisco to pitch my migration plan.

Accepted Solution

My best approach: LAN side, 1 zone. On the outside you can make any number of zones, since the LAN side is always only 1 zone and a trusted network. If you have more, then you need to create more, but I prefer to keep it simple so the network is easy to manage, rather than a complex task for engineers when they are required to diagnose an issue.

Inside LAN Zone

Outside 1 Zone

WAN 2 Zone

DMZ Zone

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

5 Replies

balaji.bandi
Hall of Fame

It all depends on your existing environment. Are you looking to migrate the existing one to FTD?

Or are you looking to deploy FTD greenfield and migrate?

https://www.cisco.com/c/en/us/td/docs/security/firepower/621/asa2ftd-migration/asa2ftd-migration-guide-621/asa2ftd_migration_procedure.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

We used the migration tool to import the existing access rules and the basic configuration, but it created a zone for each interface.

The customer is not so experienced and needs a push in the right direction. Actually, we have a greenfield deployment of the new FTDs running with the old concept.

I usually create a zone per interface and then create a category in the ACP section for each interface. I then place all access rules sourced from that particular interface under that category, so the ACP config will end up looking like an ASA config. Example:

Category: INSIDE_ZONE

<All rules sourced from the Inside Zone>

Category: OUTSIDE_ZONE

<All rules sourced from the internet>

Best Regards
Nicolai Borchorst
CCIE Security #65775

Security zones are used to segment your network and make it easier to classify traffic. Usually you would group interfaces that provide similar services. For example, DMZ1, DMZ2, and DMZ3 could be grouped into a single security zone called DMZ. Interfaces facing the internet could be placed in the Outside zone or a zone called Internet.

But it all boils down to what your security policy dictates and what your network needs are.

--
Please remember to select a correct answer and rate helpful posts
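A small consistency check for the two conventions suggested in this thread (interfaces grouped into zones, and one ACP category per source zone), added here as an example and not taken from any reply or from Cisco tooling. The interface names, zones and rules are constructed, and the check relies on the FTD rule that an interface can belong to at most one security zone.

```python
# Added example (not from this thread): a small lint over a planned FTD zone/ACP layout.
# It checks two things the replies above recommend:
#  1. every interface is in at most one security zone (FTD allows one zone per interface),
#  2. every access rule sits in the ACP category named after its source zone.
# All interface, zone and rule data below is constructed for illustration.

ZONES = {  # zone name -> interfaces grouped into it (DMZ1..3 collapsed into one DMZ zone)
    "INSIDE": ["GigabitEthernet1/1"],
    "OUTSIDE": ["GigabitEthernet1/2"],
    "WAN2": ["GigabitEthernet1/3", "GigabitEthernet1/4"],  # 1/4 also listed under DMZ on purpose
    "DMZ": ["GigabitEthernet1/4", "GigabitEthernet1/5", "GigabitEthernet1/6"],
}

ACP = [  # (ACP category, rule name, source zone, destination zone)
    ("INSIDE_ZONE", "inside-to-internet", "INSIDE", "OUTSIDE"),
    ("INSIDE_ZONE", "inside-to-dmz-web", "INSIDE", "DMZ"),
    ("OUTSIDE_ZONE", "internet-to-dmz-web", "OUTSIDE", "DMZ"),
    ("OUTSIDE_ZONE", "misfiled-dmz-rule", "DMZ", "INSIDE"),  # wrong category on purpose
]


def check_zones(zones):
    """Return findings for interfaces that appear in more than one zone."""
    findings = []
    seen = {}  # interface -> first zone it was found in
    for zone, interfaces in zones.items():
        for ifc in interfaces:
            if ifc in seen:
                findings.append(f"{ifc} is in both {seen[ifc]} and {zone}")
            else:
                seen[ifc] = zone
    return findings


def check_acp(acp, zones):
    """Return findings for rules that reference undefined zones or whose
    category does not match the '<SOURCE ZONE>_ZONE' naming convention."""
    findings = []
    for category, name, src, dst in acp:
        for z in (src, dst):
            if z not in zones:
                findings.append(f"rule {name}: unknown zone {z}")
        if category != f"{src}_ZONE":
            findings.append(f"rule {name}: category {category} but source zone {src}")
    return findings


if __name__ == "__main__":
    for finding in check_zones(ZONES) + check_acp(ACP, ZONES):
        print(finding)
```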