Number of ACL on FTD security zone with multiple interfaces

a12288
Level 3

We have a DMZ security zone on FTD and it has multiple VLANs / sub-interfaces. I found out that every ACP rule created is actually duplicated across all VLANs / sub-interfaces. For example, my intention is:
Source -> DMZ -> VLAN-A/Sub-Interface-A -> App-A
Source -> DMZ -> VLAN-B/Sub-Interface-B -> App-B
Source -> DMZ -> VLAN-C/Sub-Interface-C -> App-C

But the show access-list CLI reveals it is actually like this:
Source -> DMZ -> VLAN-A/Sub-Interface-A + VLAN-B/Sub-Interface-B + VLAN-C/Sub-Interface-C ->  App-A
Source -> DMZ -> VLAN-A/Sub-Interface-A + VLAN-B/Sub-Interface-B + VLAN-C/Sub-Interface-C -> App-B
Source -> DMZ -> VLAN-A/Sub-Interface-A + VLAN-B/Sub-Interface-B + VLAN-C/Sub-Interface-C -> App-C

As a result of this multiplication, the number of ACLs is quite large. Is this the expected behavior, or is there something I can adjust to avoid this? Thanks.

Leo

Accepted Solution

manabans
Cisco Employee

A Security Zone is used to create the rules for the Access Control Policy, so this behavior is expected. Regardless of which interfaces are included in the security zone, the ACL will be expanded accordingly.

In order to prevent unwanted ACL expansion, you should create separate security zones for each interface and reference them in an ACL rule.

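To make the answer's point concrete, here is a small model of the expansion behaviour, added as an illustration; it is not Cisco's code and not FTD's real rule compiler. It assumes (simplification) that one expanded entry is produced for every (source interface, destination interface) pair covered by a rule's zones, which is what the question's show access-list output suggests. The topology, zone names, app placements and rule names are all constructed for the example.

```python
"""Model of ACP rule expansion across the member interfaces of a security zone.

Constructed illustration, not FTD's actual rule compiler. Assumption: the
platform emits one expanded entry per (source interface, destination interface)
pair that a rule's source and destination zones cover.
"""
from itertools import product
from typing import Dict, List, NamedTuple


class Rule(NamedTuple):
    name: str
    src_zone: str
    dst_zone: str
    dst_app: str  # application the rule is meant to reach


Zones = Dict[str, List[str]]  # zone name -> member interfaces

# Constructed topology: three DMZ sub-interfaces, each hosting one application.
APP_HOME = {
    "App-A": "Sub-Interface-A",
    "App-B": "Sub-Interface-B",
    "App-C": "Sub-Interface-C",
}

# Design 1 (as in the question): one DMZ zone containing all three sub-interfaces.
SINGLE_ZONE: Zones = {
    "Inside": ["Inside-If"],
    "DMZ": ["Sub-Interface-A", "Sub-Interface-B", "Sub-Interface-C"],
}
SINGLE_ZONE_RULES = [
    Rule("to-app-a", "Inside", "DMZ", "App-A"),
    Rule("to-app-b", "Inside", "DMZ", "App-B"),
    Rule("to-app-c", "Inside", "DMZ", "App-C"),
]

# Design 2 (as the accepted answer recommends): one zone per sub-interface.
PER_INTERFACE_ZONES: Zones = {
    "Inside": ["Inside-If"],
    "DMZ-A": ["Sub-Interface-A"],
    "DMZ-B": ["Sub-Interface-B"],
    "DMZ-C": ["Sub-Interface-C"],
}
PER_INTERFACE_RULES = [
    Rule("to-app-a", "Inside", "DMZ-A", "App-A"),
    Rule("to-app-b", "Inside", "DMZ-B", "App-B"),
    Rule("to-app-c", "Inside", "DMZ-C", "App-C"),
]


def expand_rules(rules, zones):
    """Return one (rule, src_if, dst_if, app) entry per interface pair a rule covers."""
    expanded = []
    for r in rules:
        for src_if, dst_if in product(zones[r.src_zone], zones[r.dst_zone]):
            expanded.append((r.name, src_if, dst_if, r.dst_app))
    return expanded


def unintended_entries(expanded, app_home=APP_HOME):
    """Entries whose destination interface is not the one that hosts the app.

    These are the extra lines the question is seeing: rule size grows, and the
    rule is installed on interfaces where the author never intended it.
    """
    return [e for e in expanded if app_home[e[3]] != e[2]]


def compare_designs():
    """Expanded-entry and unintended-entry counts for both zone designs."""
    report = {}
    for label, rules, zones in (
        ("single-zone", SINGLE_ZONE_RULES, SINGLE_ZONE),
        ("per-interface", PER_INTERFACE_RULES, PER_INTERFACE_ZONES),
    ):
        exp = expand_rules(rules, zones)
        report[label] = {
            "rules": len(rules),
            "expanded": len(exp),
            "unintended": len(unintended_entries(exp)),
        }
    return report


if __name__ == "__main__":
    for label, stats in compare_designs().items():
        print(f"{label:14s} rules={stats['rules']} "
              f"expanded={stats['expanded']} unintended={stats['unintended']}")
```

With the single DMZ zone the three rules expand to nine entries, six of which sit on a sub-interface that does not host the application they permit; with one zone per sub-interface the same three rules expand to exactly three entries. The model scales the same way for larger zones (rules x source interfaces x destination interfaces), which is a quick way to estimate how much a shared zone will inflate the compiled access list before committing the design.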
