Creating Multiple instances to match security zones on Firepower 4140

BirkJones7747 · ‎06-18-2019

Hi Guys,

Today i have a topology where i have a nexus 7K, where there are multiple VRFs that terminate on 4140 Cluster.

One or more VRF is part of a zone on the Firepower. the Firepower doesnt have any VRF. Policies are used to control access to the different zones.

Like I have zones Like this to name a few:

Engineering

Corporate

Dev

Requirements from security consultants wants us to have multiple Firepower instances for each of these zones. Still the VRFs will terminate on those different instances.

I am a bit confused on how to go about creating those instances, today i have for example port 1 in zone engineering for example and port 2 for dev and 3 for Corporate etc... and i have port 5 for external traffic that talks to an external firewall.

how would i go to create those instances to match what i have currently?
Any help would for sure be highly appreciated.

Thanks

Jones

nspasov · ‎06-18-2019

Hi there. Multi-instance was added with Firepower version 6.3. The actual configuration of each instance is done in FXOS. Below are a couple of links with additional information:

General Info/Overview:

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/multi-instance/multi-instance_solution.html

Configuration Walk through:

https://www.youtube.com/watch?v=YvlVZX9c8kY

I hope this helps!

Thank you for rating helpful posts!

BirkJones7747 · ‎06-19-2019

Hello

thanks for the reply, that was not my question. I know how to create it on FXOS.

My question was how match what I have currently in the zones to the new Instances.

Today the zones talk to each other, on a the firepower itself. For example, traffic coming from one zone engineering would talk to the other zones. Each zone is on a VRF on the Core switch that drops in the Firewall.

My question is more about design help here. If I create an instance lets say for Engineering and have a security zone defined for engineering, how do I make it talk to the other instances? What are my options from a design perspective?

Thanks

Regards

Jones

Warren Sullivan - Corp · ‎06-20-2019

Hi Jones,

I'm no expert so i could be completely wrong here, I would imagine to enable inter instance communication you would need a physical link between them? Picture them as completely separate firewalls exiting in their own right. From what i know there is no concept of "internal" linking of instances in firepower land....

Regards

Warren

nspasov · ‎06-20-2019

This would depend on the type of interface that you create/assign to each instance:

Interface Types

Each interface can be one of the following types:

Data—Use for regular data. Data interfaces cannot be shared between logical devices.
Data-sharing—Use for regular data. Only supported with container instances, these data interfaces can be shared by one or more logical devices/container instances (FTD-only). Each container instance can communicate over the backplane with all other instances that share this interface. Shared interfaces can affect the number of container instances you can deploy; see Shared Interface Scalability. Shared interfaces are not supported for bridge group member interfaces (in transparent mode or routed mode), inline sets, passive interfaces, or failover links.
Mgmt—Use to manage application instances. These interfaces can be shared by one or more logical devices to access external hosts; logical devices cannot communicate over this interface with other logical devices that share the interface. You can only assign one management interface per logical device.
Firepower-eventing—Use as a secondary management interface for FTD devices. To use this interface, you must configure its IP address and other parameters at the FTD CLI. For example, you can separate management traffic from events (such as web events). See the "Management Interfaces" section in the Firepower Management Center configuration guide System Configuration chapter. Firepower-eventing interfaces can be shared by one or more logical devices to access external hosts; logical devices cannot communicate over this interface with other logical devices that share the interface.
Cluster—Use as the cluster control link for a clustered logical device. By default, the cluster control link is automatically created on Port-channel 48. This type is only supported on EtherChannel interfaces.

Use the link below for more info, guidelines and best practices:

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/multi-instance/multi-instance_solution.html

Thank you for rating helpful posts!

Marvin Rhoads · ‎06-20-2019

I would take issue with this: "Requirements from security consultants wants us to have multiple Firepower instances for each of these zones."

A consultant should be assessing and describing the problem, not dictating the solution.

Multi-instance is overly complicated for what you need. Just create policies on the firewall that determine what (if anything) is allowed between your security zones.

nspasov · ‎06-20-2019

Great point mr. Rhoads!

Marvin Rhoads · ‎06-20-2019

Thanks Neno. Good to see you actively contributing once again!

nspasov · ‎06-20-2019

I wouldn't call it "actively" but I am definitely trying to get back into it :)