8239 Views | 16 Helpful | 4 Replies

Firepower Threat Defense intra-zone communication

Parveen (Level 1)

Hi

I have read a statement: "same-security-traffic is not applicable on FTD. Traffic between FTD interfaces (inter) and hairpinning (intra) is allowed by default." So I thought that multiple interfaces in the same security zone in FTD would by default allow communication even if the default ACL policy is Block, but it seems like that is not the case. I am not sure what that statement means in FTD.

Apart from that, I need one more clarification: what configuration needs to be applied to provide communication between interfaces if they belong to the same security zone?

4 Replies

Andre Camillo (Level 5)

Hi Berwal,

I believe you're trying to get 2 different physical interfaces (in the same security zone) to communicate with each other.

If this is the case, then you need to create a "FlexConfig", a PBR rule between these 2 interfaces.

See if this configuration video helps: https://www.youtube.com/watch?v=lakHhw9CR5Y

Thanks Andre for the response.

Yes, I am trying to get 2 different physical interfaces (in the same security zone) to communicate with each other. In my case these 2 interfaces belong to the inside LAN. I can achieve communication by creating an access policy rule in which the source and destination zone are the same, but I still do not understand the significance of creating a security zone in FTD. I am assuming that if I have put 2 interfaces in the same zone, they should communicate with each other without explicitly creating a rule in the ACL policy.

I am also trying to understand what that statement means: "same-security-traffic is not applicable on FTD. Traffic between FTD interfaces (inter) and hairpinning (intra) is allowed by default."


Regards

Parveen

Hi Parveen,

FTD is inherently a zone-based firewall, and the same-security-traffic CLI command is not required to achieve intra- and inter-interface communication. An ACP rule is required to make this work, as you specify exactly what communication you want to allow within that security zone.

This is different from ASA, where interfaces at the same security level, with same-security-traffic turned on, will allow communication without an ACL.

Thanks,

Goran
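The point Goran makes above is that on FTD the zone is only a label for matching; the ACP rule with the same zone as both source and destination is what actually permits the inside-to-inside traffic. The script below is an added example for this thread (not Cisco's code and not from any poster) that builds that rule body and pushes it to an access control policy through the FMC REST API. The host, credentials, zone ID and policy ID are placeholders you must replace; the endpoint paths and the `sourceZones`/`destinationZones` field layout are the ones I know from the FMC API explorer, so check them against your FMC version before relying on them.

```python
"""Create an intra-zone ALLOW rule on an FMC access control policy.

Added example, not Cisco code. Standard library only so it runs offline;
the network calls happen only when run as a script against a real FMC.
"""
import base64
import json
import ssl
import urllib.request

# Assumptions: replace with your FMC, an API user, and the IDs from your FMC.
FMC_HOST = "fmc.example.test"
FMC_USER = "apiuser"
FMC_PASS = "changeme"
INSIDE_ZONE_ID = "00000000-0000-0000-0000-000000000001"   # constructed placeholder
ACCESS_POLICY_ID = "00000000-0000-0000-0000-00000000000a"  # constructed placeholder


def build_intra_zone_rule(zone_id: str, zone_name: str = "inside",
                          rule_name: str = "inside-to-inside") -> dict:
    """Return the access-rule body that permits traffic between interfaces
    sharing one security zone.

    The same zone object is used as source and destination: that is the
    whole trick. Two interfaces in one zone permit nothing by themselves,
    so without a rule like this the default Block action applies.
    No network or port objects are set, so this allows everything inside
    the zone; tighten it with networks/ports for a real deployment.
    """
    zone = {"id": zone_id, "name": zone_name, "type": "SecurityZone"}
    return {
        "name": rule_name,
        "type": "AccessRule",
        "action": "ALLOW",
        "enabled": True,
        "logEnd": True,            # log at connection end so intra-zone flows show in events
        "sendEventsToFMC": True,
        "sourceZones": {"objects": [zone]},
        "destinationZones": {"objects": [zone]},
    }


def is_intra_zone(rule: dict) -> bool:
    """True when the rule's source zone set equals its destination zone set."""
    src = {z["id"] for z in rule.get("sourceZones", {}).get("objects", [])}
    dst = {z["id"] for z in rule.get("destinationZones", {}).get("objects", [])}
    return bool(src) and src == dst


def _tls_context() -> ssl.SSLContext:
    # Verify the FMC certificate; import the FMC's CA if it is self-signed,
    # e.g. ssl.create_default_context(cafile="fmc-ca.pem"). Do not disable checks.
    return ssl.create_default_context()


def fmc_login(host: str, user: str, password: str) -> tuple:
    """POST to generatetoken; the token and domain UUID come back as headers."""
    req = urllib.request.Request(
        f"https://{host}/api/fmc_platform/v1/auth/generatetoken", method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, context=_tls_context()) as resp:
        return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]


def create_rule(host: str, token: str, domain_uuid: str, policy_id: str, rule: dict) -> dict:
    """POST the rule into the access control policy; returns the created rule."""
    url = (f"https://{host}/api/fmc_config/v1/domain/{domain_uuid}"
           f"/policy/accesspolicies/{policy_id}/accessrules")
    req = urllib.request.Request(url, data=json.dumps(rule).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("X-auth-access-token", token)
    with urllib.request.urlopen(req, context=_tls_context()) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rule = build_intra_zone_rule(INSIDE_ZONE_ID)
    assert is_intra_zone(rule)
    token, domain = fmc_login(FMC_HOST, FMC_USER, FMC_PASS)
    created = create_rule(FMC_HOST, token, domain, ACCESS_POLICY_ID, rule)
    print("created rule", created.get("id"), "- remember to deploy the policy to the FTD")
```

Creating the rule is not enough on its own: FMC stages the change, and the FTD only enforces it after a policy deployment. Once deployed, the ASA-style `same-security-traffic permit inter-interface` line is simply not part of the picture; the rule is the permit.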

Yep, that does the trick. An ACP rule from the inside zone to the inside zone is what solves this problem.
