12-05-2024 11:35 PM
Dear Community,
We have 2 server subnets "vlan 130 - 10.72.12.0/25" & "vlan 140 - 10.72.12.128/25" configured as SVIs on an L3 switch. Both these vlans are working as part of inter-vlan routing on the L3 switch without any restrictions. Now, as part of a segmentation project, we need to configure L3 interfaces on the FPR-3105 (FTD image) to isolate the unwanted access from other vlans on the Core Switch.
As we don't have the exact communication required between the servers configured on these 2 server vlans, can we create 2 different interfaces for the routing & keep them assigned under the same security zone "SRV"? Will this enable these subnets to talk with each other without dropping any traffic between them?
Solved!
12-06-2024 12:06 AM
Providing network diagrams of how the network is now and what you are trying to achieve will help us understand the situation better.
That being said, you can add VLAN 130 and 140 to sub-interfaces on the FTD3105 and both of these can be members of the same security zone. You would still need to allow the traffic between these two VLANs in access rules; this is not allowed by default even though they are in the same security zone.
To identify what ports are required between the server zones, and from client to server zone for that matter, you can implement firewall analyzer software such as AlgoSec and send firewall connection syslogs to it. It will analyze the connections and provide information on how to start tightening up access rules that are too general.
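Added example, not part of the thread and not Cisco or AlgoSec code: a small Python script that does the first step of the analysis the answer describes, reading FTD-style connection syslog lines and tallying which protocol/port pairs actually cross between the two server VLANs, so the access rules between the sub-interfaces can be written only as wide as observed traffic requires. The sample lines and their "key: value" field names are constructed and only loosely modelled on FTD connection events; a real export may name the fields differently.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
# The two server VLAN subnets named in the thread.
SUBNETS = {
    "vlan130": ip_network("10.72.12.0/25"),
    "vlan140": ip_network("10.72.12.128/25"),
}
# Constructed sample connection events, loosely modelled on FTD "key: value"
# syslog fields (assumption: a real export may name the fields differently).
SAMPLE_SYSLOG = """\
%FTD-6-430002: AccessControlRuleAction: Allow, SrcIP: 10.72.12.10, DstIP: 10.72.12.140, SrcPort: 51234, DstPort: 1433, Protocol: tcp
%FTD-6-430002: AccessControlRuleAction: Allow, SrcIP: 10.72.12.11, DstIP: 10.72.12.140, SrcPort: 51235, DstPort: 1433, Protocol: tcp
%FTD-6-430002: AccessControlRuleAction: Allow, SrcIP: 10.72.12.140, DstIP: 10.72.12.10, SrcPort: 44000, DstPort: 443, Protocol: tcp
%FTD-6-430002: AccessControlRuleAction: Allow, SrcIP: 10.72.12.130, DstIP: 10.72.12.5, SrcPort: 40001, DstPort: 53, Protocol: udp
%FTD-6-430002: AccessControlRuleAction: Allow, SrcIP: 10.72.10.50, DstIP: 10.72.12.20, SrcPort: 40002, DstPort: 22, Protocol: tcp
"""
FIELD_RE = re.compile(r"(\w+): ([^,]+)")

def zone_of(ip):
    """Return the VLAN label for an address, or None if it is outside both server subnets."""
    addr = ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return None

def parse_event(line):
    """Turn one 'key: value' syslog line into a dict; None if required fields are missing."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SrcIP", "DstIP", "DstPort", "Protocol"}.issubset(fields):
        return None
    return fields

def server_to_server_flows(text):
    """Count (src_vlan, dst_vlan, proto, dport) tuples seen between the two server VLANs."""
    flows = Counter()
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        src, dst = zone_of(ev["SrcIP"]), zone_of(ev["DstIP"])
        # Keep only flows crossing from one server VLAN to the other; traffic that
        # involves any other VLAN (e.g. clients) or stays inside one VLAN is skipped.
        if src and dst and src != dst:
            flows[(src, dst, ev["Protocol"].lower(), int(ev["DstPort"]))] += 1
    return flows

def candidate_rules(text):
    """Render the observed flows as readable candidate access rules, busiest first."""
    return [f"allow {s} -> {d} {p}/{port} (seen {n}x)"
            for (s, d, p, port), n in server_to_server_flows(text).most_common()]
```

Feed it a longer capture period than a few minutes before trusting the list: a port that only appears in a monthly batch job will otherwise be missing from the rules.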
12-06-2024 01:23 AM
Then the solution I provided in my previous post is correct. The interfaces on the FTD can be in the same security zone but you still need to allow communication between the networks in access rules.
12-06-2024 01:04 AM
12-06-2024 01:05 AM
FIND DIAGRAM