The Self-Zone is the firewall zone that includes all of the router's interface IP addresses (even those of interfaces not assigned to any specific zone).
You must think of the Self-Zone as the router itself, so any policy that includes the Self-Zone applies to:
-Traffic to the router
-Traffic from the router
So when someone asks the following question:
What Traffic Should I Consider When I Deal With The Self-Zone?
You should answer:
-Management plane traffic (SSH, Telnet, etc.)
-Control plane traffic (routing protocols)
Another common question is:
Why would you even consider using the Self-Zone?
Well, if you want to protect your network from any kind of attack, you configure a FW to prevent attacks from reaching your network; but if you leave your router without a Self-Zone policy, anyone could get into the router and change the configuration, open backdoors, etc.
In order to avoid these vulnerabilities, using the Self-Zone is a MUST.
By default there are no policies for the Self-Zone, so traffic to and from the router is allowed.
You do not have to create the Self-Zone manually. It exists by default; you just need to reference it in a zone-pair.
As soon as you configure one zone-pair that involves the Self-Zone, traffic from any zone to the Self-Zone or from the Self-Zone to any zone will be filtered.
Traffic from a host behind a router interface that does not belong to any ZBFW zone will be allowed to reach the router's IP addresses (Self-Zone).
We cannot Inspect a class-map that we matched via a layer 7 protocol/application (we can only inspect layer 4 class-map matches).
Before version 15.1, OSPF and EIGRP neighbor relationships were allowed without the need of a policy when using the Self-Zone, but from 15.1 onward we must PASS these protocols (RIP and BGP, since they depend on UDP and TCP respectively, will always need a policy allowing the traffic when using the Self-Zone).
For IPsec VPN sessions we only need to PASS the control channel negotiations (ISAKMP), so UDP 500 and, if NAT-T is required, UDP 4500 (as you can see, ESP/AH does not need to be configured in order to bring the tunnel up).
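The points above (the Self-Zone needs no explicit creation, Inspect works only on layer 4 matches, and OSPF and ISAKMP must be PASSed in both directions) come together in the following IOS ZBFW configuration. It is an added example, not configuration from the original post: the zone names INSIDE and OUTSIDE, the interfaces GigabitEthernet0/0 and GigabitEthernet0/1, the management host 10.1.1.10 and the ACL, class-map, policy-map and zone-pair names are all assumptions chosen for illustration.

```cisco
! Constructed topology for this example: Gi0/0 faces the INSIDE zone,
! Gi0/1 faces the OUTSIDE zone. The self zone is never declared; it exists
! by default and is simply referenced in the zone-pairs below.
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! --- Management plane: only the admin host (assumed 10.1.1.10) may SSH to the router ---
! The class-map matches on TCP plus an ACL (layer 4), so Inspect is allowed;
! a "match protocol" on a layer 7 application could not be inspected here.
ip access-list extended ACL-MGMT-TO-SELF
 permit tcp host 10.1.1.10 any eq 22
!
class-map type inspect match-all CM-MGMT-TO-SELF
 match protocol tcp
 match access-group name ACL-MGMT-TO-SELF
!
policy-map type inspect PM-INSIDE-TO-SELF
 class type inspect CM-MGMT-TO-SELF
  inspect
 class class-default
  drop log
!
zone-pair security INSIDE-TO-SELF source INSIDE destination self
 service-policy type inspect PM-INSIDE-TO-SELF
!
! --- Control plane: OSPF adjacency and ISAKMP (UDP 500, UDP 4500 for NAT-T) ---
! "pass" is stateless, so the same policy is applied in both directions.
! ESP/AH is not listed: it is not needed to bring the tunnel up.
ip access-list extended ACL-CTRL-PLANE
 permit ospf any any
 permit udp any any eq 500
 permit udp any any eq 4500
!
class-map type inspect match-any CM-CTRL-PLANE
 match access-group name ACL-CTRL-PLANE
!
policy-map type inspect PM-PASS-CTRL-PLANE
 class type inspect CM-CTRL-PLANE
  pass
 class class-default
  drop log
!
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-PASS-CTRL-PLANE
!
zone-pair security SELF-TO-OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM-PASS-CTRL-PLANE
```

To verify, `show zone-pair security` lists the zone-pairs and the policy attached to each, and `show policy-map type inspect zone-pair sessions` shows the inspected SSH sessions from the management host; the `drop log` in each class-default makes every other packet aimed at the router visible in the log, which is the easiest way to spot a routing or VPN protocol you forgot to PASS.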