Is the FW zone that includes all of the Router interfaces IP addresses (even for interfaces not attached to any specific zone).
You must think of the self-zone as the router itself so when we configure a policy including the Self-zone is related to:
-Traffic to the router
-Traffic from the router
So when someone asks the following
What Traffic Should I Consider When I Deal With The Self-Zone?
You should answer:
-Managment plane traffic (SSH,Telnet,etc)
-Control plane traffic(Routing Protocols)
Another common question is:
Why would you even consider to use the Self-Zone?
Well, if you want to protect your network from any kind of attack you configure a FW to prevent attacks from reaching your network but if you leave your router without the Self-Zone anyone could get into the router and change the configuration, open backdoors,etc.
In order to avoid this vulnerabilities using the Self-Zone is a MUST.
By default there is no policies for the Self-Zone so traffic from and to the router will be allowed
You do not have to manually create the Self-Zone. By default it's created, you just need to call it.
As soon as you configure one zone-pair that involves the Self-Zone traffic from any zone to the Self or from the Self to any zone will be filtered
Traffic from a host behind a router interface that does not belong to any ZBFW zone will be allowed to reach the Router IP addresses (Self-Zone)
We cannot Inspect a class-map that we matched via a layer 7 protocol/application (We can only inspect layer 4 class-map matches)
Before version 15.1 OSPF and EIGRP neighbor relationships were allowed without the need of a policy if using the self-zone but after 15.1 we now must PASS this protocols (RIP and BGP as depend of UDP and TCP respectively will always need a policy allowing the traffic if using the self-zone)
For IPSec VPN sessions we only need to PASS the control channel negotiations (Isakmp) so UDP 500 and UDP 4500 if NAT-T is required (As you can see ESP/AH is not required to configure in order to bring the tunnel up.
Hi Team,We have 2 ISP with our Firepower and we are looking into redundancy for our AnyConnect VPN and we found the Backup Server.Our request:We just want AnyConnect to automatically reconnect to the Backup Server in the list when a remote anyconnect user...
Hello, For whatever reason ISE 2.3 3495 is extremely slow when accessing context visibility. All other page works fine. Except for when we filtered a identity group endpoint. We tried chrome and firefox. We also downloaded the ...
When our AnyConnect clients connect remotely, they get a 172.a.b.c address from our ASA and register this address with our DNS server, so everything is good... until they get back into the office.... when the client later boots up onto the corporate LAN, ...
We are trying to get our ISE 2.6 to take radius accounting packets (from Aruba Clearpass) and convert them into Identities to then pass off to our FMC and FTD. We are seeing the endpoints show up in ISE and we see all the correct information however ...