FTD

KayaaKashyap
Level 1

Hi,

What are the common/global/prerequisite ACLs that should be applied in a greenfield project for a DC network, where the FTD is the perimeter device for the DC?


5 Replies

Ruben Cocheno
Spotlight

@KayaaKashyap 

If you are introducing a new perimeter at the DC without a given rule set, I would probably enable permit any-any for all protocols between the zones that you are creating and favour performance over security. Then create a ruleset from the logs, and/or as requested by the client. Note: this will take a lot of time, depending on how chatty the server farm is locally (inter-zone) and towards the outside of the DC.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

The FW in the DC can have a role depending on the direction of traffic: is it east to west or north to south?

It can be in router mode or transparent mode.

So we cannot know exactly what you should allow.

MHM

Traffic is north-south.

Firewall is in router mode.

My take on this would be none :-D, in the sense that before we get to the implementation and configuration stage we would have gone through all the workshops and generated an LLD for that piece of work. Deploying edge or core firewalls in a DC implies a lot of work that needs to be thought about in advance, because the DC will have corporate services, will most likely be connected to other sites for data replication, will have site-to-site VPN tunnels and remote access VPN, will be connected to an MPLS circuit, and so on. The same applies to a greenfield site or a brownfield site; the concept and design behind it won't change much. In addition to that, you might have inter-VLAN routing configured on those firewalls, in which case you would also need to design ahead of time how the inter-VLAN traffic should be dealt with.

Marvin Rhoads
Hall of Fame

I agree with @Aref Alsouqi and @Ruben Cocheno.

Start with none and then analyze logs (firewall logs or, even better, something like Secure Network Analytics or Secure Workload). Present the high level analysis to the respective system owners and have them validate the traffic seen is what is expected and then lock down the rules to allow only observed and validated traffic.
