Firepower feature question

Dear Community,

 

On the ASA there are a few options that dictate what traffic can flow between interfaces. These options are:

 

- Enable traffic between interfaces that are configured with the same security level

- Enable traffic between two or more hosts connected to the same interface

 

Do the Firepower appliances have equivalent settings? Or do they allow the traffic between any interface as long as there are the appropriate policies/rules (ACP, NAT etc)?

 

Thank you.

6 Replies

@ChristopherCraddock66504 

The commands you are referring to don't exist on the FTD (traffic between FTD interfaces is permitted by default). You are correct, you just permit traffic as per the ACP.

 

HTH

Security levels are still available on the FTD interfaces (as of 6.7) but the same-security-traffic commands are no longer present.  Security levels need to be configured using flexconfig

 

interface GigabitEthernet0/0
 nameif LAN
 cts manual
 propagate sgt preserve-untag
 policy static sgt disabled trusted
 security-level 100
 ip address 192.168.0.20 255.255.255.0

 

If you are looking to do hairpinning on the FTD then you can refer to the following link:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215875-configure-anyconnect-vpn-client-on-ftd.html#anc14

--
Please remember to select a correct answer and rate helpful posts

Marius,

We are running 6.4.0.9 code. Does this mean security levels do not yet apply to my deployment, as they were re-introduced in 6.7?

 

Thank you.

Security levels are available in 6.4, but as with 6.7 you need to configure them using FlexConfig.

--
Please remember to select a correct answer and rate helpful posts

Marius,

Thank you for the quick reply! I currently do not have the security levels explicitly configured on any of my interfaces. Will this prevent traffic from being able to be routed between interfaces? Or do they only take effect after I enable the feature through FlexConfig? I'm assuming they won't have any effect if they're not configured?

Thanks so much!

Well, the thing here is that security levels are in place so that access-lists are not needed.  The second you configure an access-list for an interface the security-level is no longer used.  I have never tried using the security-levels on the FTD but if the logic follows the same as ASA (which it should), if you have no access-lists configured for an interface / security zone, but you do have security-levels configured then traffic from the higher security-level to the lower security level should be allowed.  I have never seen a purpose in using the security-levels and have always used access-lists on both ASA and FTD (ACP) so how this would work in reality would need to be tested.

--
Please remember to select a correct answer and rate helpful posts
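The rules this thread lays out (higher security level to lower is implicitly permitted, equal levels need `same-security-traffic permit inter-interface`, hairpinning on one interface needs `same-security-traffic permit intra-interface`, and an ACL bound to the ingress interface takes over the decision) are easy to get wrong when reading a large config by hand. The script below is an added example, not code from this thread or from Cisco: it parses a small constructed ASA-style config, reports what the interface security model alone would allow between every pair of interfaces, and flags the pairs where an ACL governs instead. The config text, the interface names, and the helper functions (`parse_config`, `implicit_verdict`, `audit`) are all assumptions made for the example.

```python
"""Audit the implicit interface-level policy of an ASA-style config.

Constructed example; the rules encoded are the ones described in the thread:
  - no ACL bound on ingress: higher -> lower security level is allowed
  - equal levels require 'same-security-traffic permit inter-interface'
  - hairpin (same ingress and egress) requires '... permit intra-interface'
  - once an access-group is bound to the ingress interface, the ACL decides
"""
import re

# Constructed sample config (not from a real device). Sub-commands are
# indented one space, as the ASA/FTD CLI prints them.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif LAN
 security-level 100
 ip address 192.168.0.20 255.255.255.0
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
interface GigabitEthernet0/2
 nameif OUTSIDE
 security-level 0
interface GigabitEthernet0/3
 nameif PARTNER
 security-level 50
access-list OUT_IN extended permit tcp any host 192.168.0.50 eq 443
access-group OUT_IN in interface OUTSIDE
"""

ACCESS_GROUP_RE = re.compile(r"access-group \S+ in interface (\S+)")


def parse_config(text):
    """Return (levels by nameif, nameifs with an inbound ACL, same-security flags)."""
    interfaces = {}                      # nameif -> security-level
    acl_bound = set()                    # nameifs with 'access-group ... in interface'
    flags = {"inter": False, "intra": False}
    current = None                       # nameif of the interface block being read
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None               # new block; nameif not known yet
        elif line.startswith("nameif "):
            current = line.split()[1]
            # ASA default is level 0 unless an explicit security-level follows
            # (the CLI special-cases the name 'inside' to 100; not modelled here)
            interfaces.setdefault(current, 0)
        elif line.startswith("security-level ") and current:
            interfaces[current] = int(line.split()[1])
        elif line == "same-security-traffic permit inter-interface":
            flags["inter"] = True
        elif line == "same-security-traffic permit intra-interface":
            flags["intra"] = True
        else:
            m = ACCESS_GROUP_RE.match(line)
            if m:
                acl_bound.add(m.group(1))
    return interfaces, acl_bound, flags


def implicit_verdict(src, dst, interfaces, acl_bound, flags):
    """(allowed, reason) for traffic entering on src and leaving on dst.

    allowed is True/False when the security model alone decides, and None when
    an ACL is bound on the ingress interface and governs instead.
    """
    if src in acl_bound:
        return None, "ACL bound on ingress interface; the ACL, not the level, decides"
    s, d = interfaces[src], interfaces[dst]
    if src == dst:
        return flags["intra"], "hairpin needs 'same-security-traffic permit intra-interface'"
    if s > d:
        return True, "higher to lower security level is implicitly permitted"
    if s == d:
        return flags["inter"], "equal levels need 'same-security-traffic permit inter-interface'"
    return False, "lower to higher security level is implicitly denied"


def audit(text):
    """Evaluate every ingress/egress pair; returns a list of (src, dst, allowed, reason)."""
    interfaces, acl_bound, flags = parse_config(text)
    return [
        (src, dst, *implicit_verdict(src, dst, interfaces, acl_bound, flags))
        for src in interfaces
        for dst in interfaces
    ]


if __name__ == "__main__":
    for src, dst, allowed, reason in audit(SAMPLE_CONFIG):
        print(f"{src:>8} -> {dst:<8} {str(allowed):<5} {reason}")
```

Running it on the sample shows, for instance, that DMZ to PARTNER (both level 50) is denied until the inter-interface command is added, and that every flow entering on OUTSIDE is reported as ACL-governed because `OUT_IN` is bound there. Pasting the `show running-config interface` output from a device into `SAMPLE_CONFIG` gives the same pair-by-pair view for a real deployment, which is the quickest way to see whether unconfigured levels (all defaulting to 0, so equal) would leave an FTD relying entirely on the ACP.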