02-07-2024 09:50 PM
Hi,
What common/global/prerequisite ACLs should be applied in a greenfield DC network project, where FTD is the perimeter device for the DC?
02-07-2024 10:49 PM
If you are introducing a new perimeter at the DC without a given rule set, I would probably enable permit any-any for all protocols between the zones you are creating and use performance over security. Then create a ruleset from the logs and/or as requested by the client. Note: this will take a lot of time, depending on how chatty the server farm is locally (inter-zone) and toward the outside of the DC.
02-07-2024 11:28 PM
The FW in the DC can have a role depending on the direction of the traffic, whether it is east-west or north-south.
It can be in router mode or transparent mode.
So we cannot know exactly what you should allow.
MHM
02-08-2024 07:48 AM
Traffic is north-south.
Firewall is in router mode.
02-08-2024 08:37 AM - edited 02-08-2024 08:38 AM
My take on this would be none :-D
02-08-2024 11:33 AM
I agree with @Aref Alsouqi and @Ruben Cocheno .
Start with none and then analyze logs (firewall logs or, even better, something like Secure Network Analytics or Secure Workload). Present the high-level analysis to the respective system owners, have them validate that the traffic seen is what is expected, and then lock down the rules to allow only observed and validated traffic.
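One way to turn the log-analysis step described in the answers above into a first-cut candidate rule set, as an added Python example that is not from this thread: it aggregates observed flows per zone pair, protocol and destination port, and separates frequently seen flows (candidate allow rules) from rarely seen ones (to be validated with the system owners). The connection-event lines are constructed in a simplified, assumed key/value format rather than real FTD syslog output, and the zone names and addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample connection events (assumed simplified format, not real FTD output).
# Each line is one logged flow through the permissive "any-any" starting policy.
SAMPLE_LOG = """\
AccessControlRuleAction: Allow, IngressZone: outside, EgressZone: dc-web, SrcIP: 203.0.113.10, DstIP: 10.10.1.20, Protocol: tcp, DstPort: 443
AccessControlRuleAction: Allow, IngressZone: outside, EgressZone: dc-web, SrcIP: 203.0.113.11, DstIP: 10.10.1.20, Protocol: tcp, DstPort: 443
AccessControlRuleAction: Allow, IngressZone: outside, EgressZone: dc-web, SrcIP: 203.0.113.12, DstIP: 10.10.1.21, Protocol: tcp, DstPort: 443
AccessControlRuleAction: Allow, IngressZone: dc-web, EgressZone: outside, SrcIP: 10.10.1.20, DstIP: 198.51.100.5, Protocol: udp, DstPort: 53
AccessControlRuleAction: Allow, IngressZone: outside, EgressZone: dc-web, SrcIP: 203.0.113.99, DstIP: 10.10.1.20, Protocol: tcp, DstPort: 22
"""

FIELD_RE = re.compile(r"(\w+): ([^,]+)")


def parse_event(line):
    """Return the key/value fields of one connection event as a dict."""
    return dict(FIELD_RE.findall(line))


def summarize_flows(log_text):
    """Aggregate events by (ingress zone, egress zone, protocol, dst port)."""
    flows = defaultdict(lambda: {"hits": 0, "src": set(), "dst": set()})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue  # skip blank or unparseable lines
        key = (ev["IngressZone"], ev["EgressZone"], ev["Protocol"], int(ev["DstPort"]))
        flows[key]["hits"] += 1
        flows[key]["src"].add(ev["SrcIP"])
        flows[key]["dst"].add(ev["DstIP"])
    return flows


def candidate_rules(flows, min_hits=2):
    """Split observed flows into candidate allow rules and a list needing owner review."""
    rules, review = [], []
    for (ingress, egress, proto, dport), info in sorted(flows.items()):
        entry = {"ingress": ingress, "egress": egress, "proto": proto, "dport": dport,
                 "dst": sorted(info["dst"]), "hits": info["hits"]}
        (rules if info["hits"] >= min_hits else review).append(entry)
    return rules, review


def fmt(tag, r):
    return f"{tag} {r['ingress']}->{r['egress']} {r['proto']}/{r['dport']} to {','.join(r['dst'])} ({r['hits']} hits)"


if __name__ == "__main__":
    rules, review = candidate_rules(summarize_flows(SAMPLE_LOG))
    for r in rules:
        print(fmt("ALLOW ", r))
    for r in review:
        print(fmt("REVIEW", r))
```

The `min_hits` threshold is only a starting filter; every entry, including the low-hit ones, still has to be confirmed by the respective system owner before it becomes a rule.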