12-06-2022 01:48 PM
We have a DMZ security zone on FTD and it has multiple VLANs / sub-interfaces. I found out that every ACP rule created is actually duplicated to all VLANs / sub-interfaces. For example, my intention is:
Source -> DMZ -> VLAN-A/Sub-Interface-A -> App-A
Source -> DMZ -> VLAN-B/Sub-Interface-B -> App-B
Source -> DMZ -> VLAN-C/Sub-Interface-C -> App-C
But the show access-list CLI reveals it is actually like this:
Source -> DMZ -> VLAN-A/Sub-Interface-A + VLAN-B/Sub-Interface-B + VLAN-C/Sub-Interface-C -> App-A
Source -> DMZ -> VLAN-A/Sub-Interface-A + VLAN-B/Sub-Interface-B + VLAN-C/Sub-Interface-C -> App-B
Source -> DMZ -> VLAN-A/Sub-Interface-A + VLAN-B/Sub-Interface-B + VLAN-C/Sub-Interface-C -> App-C
As a result of this multiplication, the number of ACL entries is quite large. Is this the expected behavior, or is there something I can adjust to avoid this? Thanks.
Leo
12-06-2022 07:19 PM
A Security Zone is used to create the rules for the Access Control Policy, so this behavior is expected. Regardless of which interfaces are included in the security zone, the ACL will be expanded accordingly.
In order to prevent unwanted ACL expansion, you should create separate security zones for each interface and reference them in an ACL rule.
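To see the expansion the answer describes, here is an added Python model (not code from the thread, from Cisco, or from FMC/FTD) that expands each access control rule into one access-list entry per (source interface, destination interface) pair drawn from the zones it references. The two configurations compared are the shared DMZ zone from the question and the per-interface zones the answer recommends; all zone, interface, rule and host names are assumed for illustration.

```python
# Added example, not from the original thread or from Cisco: a simplified model
# of how a rule that references a security zone is expanded into one ACL entry
# per member interface pair. Zone, interface, rule and host names are assumed.
from itertools import product


def expand_rules(rules, zones):
    """Expand rules into (rule_name, src_ifc, dst_ifc, dst_host) tuples.

    One entry is produced for every (source interface, destination interface)
    pair taken from the referenced zones; a zone with N member interfaces
    therefore multiplies each rule that references it by N.
    """
    entries = []
    for rule in rules:
        src_ifcs = zones[rule["src_zone"]]
        dst_ifcs = zones[rule["dst_zone"]]
        for src_ifc, dst_ifc in product(src_ifcs, dst_ifcs):
            entries.append((rule["name"], src_ifc, dst_ifc, rule["dst_host"]))
    return entries


def unintended_entries(entries, host_location):
    """Entries whose egress interface is not the one the destination host sits behind.

    host_location is an assumed inventory mapping host -> sub-interface. With
    normal routing these entries never match live traffic, but they are still
    compiled into the access-list and count against its size.
    """
    return [e for e in entries if host_location[e[3]] != e[2]]


# Constructed topology: one inside interface and three DMZ sub-interfaces,
# each hosting one application.
HOSTS = {"App-A": "DMZ-A", "App-B": "DMZ-B", "App-C": "DMZ-C"}

# Configuration 1 (the question): a single DMZ zone holding all three sub-interfaces.
ZONES_SHARED = {"INSIDE": ["inside"], "DMZ": ["DMZ-A", "DMZ-B", "DMZ-C"]}
RULES_SHARED = [
    {"name": "to-App-A", "src_zone": "INSIDE", "dst_zone": "DMZ", "dst_host": "App-A"},
    {"name": "to-App-B", "src_zone": "INSIDE", "dst_zone": "DMZ", "dst_host": "App-B"},
    {"name": "to-App-C", "src_zone": "INSIDE", "dst_zone": "DMZ", "dst_host": "App-C"},
]

# Configuration 2 (the answer): one zone per sub-interface, each rule references its own.
ZONES_SPLIT = {
    "INSIDE": ["inside"],
    "Z-DMZ-A": ["DMZ-A"],
    "Z-DMZ-B": ["DMZ-B"],
    "Z-DMZ-C": ["DMZ-C"],
}
RULES_SPLIT = [
    {"name": "to-App-A", "src_zone": "INSIDE", "dst_zone": "Z-DMZ-A", "dst_host": "App-A"},
    {"name": "to-App-B", "src_zone": "INSIDE", "dst_zone": "Z-DMZ-B", "dst_host": "App-B"},
    {"name": "to-App-C", "src_zone": "INSIDE", "dst_zone": "Z-DMZ-C", "dst_host": "App-C"},
]


def compare():
    """Entry counts for both configurations, and how many entries are dead weight."""
    shared = expand_rules(RULES_SHARED, ZONES_SHARED)
    split = expand_rules(RULES_SPLIT, ZONES_SPLIT)
    return {
        "shared_entries": len(shared),
        "shared_unintended": len(unintended_entries(shared, HOSTS)),
        "split_entries": len(split),
        "split_unintended": len(unintended_entries(split, HOSTS)),
    }


if __name__ == "__main__":
    print("Shared DMZ zone expands to:")
    for name, src, dst, host in expand_rules(RULES_SHARED, ZONES_SHARED):
        print(f"  {name}: {src} -> {dst} -> {host}")
    print(compare())
```

With three rules and a three-interface zone the shared configuration compiles to 9 entries, 6 of which point at a sub-interface the host is not behind; the per-interface zones compile to 3 entries. The model counts only the zone expansion: on the real box, network objects and port lists are expanded as well, so `show access-list` will report larger numbers, but the zone factor is the one the question is about. The trade-off of the recommended layout is more zones and more rule rows to keep consistent in FMC, so it is worth scripting the zone-to-interface inventory rather than maintaining it by hand.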