The Self-Zone is the firewall zone that includes all of the router's interface IP addresses (even those of interfaces not assigned to any specific zone).
You must think of the Self-Zone as the router itself, so when we configure a policy that includes the Self-Zone it relates to:
-Traffic to the router
-Traffic from the router
So when someone asks the following:
What traffic should I consider when I deal with the Self-Zone?
You should answer:
-Management plane traffic (SSH, Telnet, etc.)
-Control plane traffic (routing protocols)
Another common question is:
Why would you even consider using the Self-Zone?
Well, if you want to protect your network from any kind of attack you configure a firewall to prevent attacks from reaching your network, but if you leave your router without a Self-Zone policy anyone could get into the router and change the configuration, open backdoors, etc.
In order to avoid these vulnerabilities, using the Self-Zone is a MUST.
By default there are no policies for the Self-Zone, so traffic from and to the router will be allowed.
You do not have to manually create the Self-Zone. It is created by default; you just need to reference it (as "self") in a zone-pair.
As soon as you configure one zone-pair that involves the Self-Zone, traffic from any zone to the Self-Zone, or from the Self-Zone to any zone, will be filtered.
Traffic from a host behind a router interface that does not belong to any ZBFW zone will be allowed to reach the router's IP addresses (Self-Zone).
We cannot inspect a class-map that was matched via a Layer 7 protocol/application (we can only inspect Layer 4 class-map matches).
Before version 15.1, OSPF and EIGRP neighbor relationships were allowed without the need for a policy when using the Self-Zone, but from 15.1 onward we must PASS these protocols. (RIP and BGP, which run over UDP and TCP respectively, will always need a policy allowing the traffic when using the Self-Zone.)
For IPsec VPN sessions we only need to PASS the control-channel negotiation (ISAKMP): UDP 500, plus UDP 4500 if NAT-T is required. (As you can see, ESP/AH does not need to be configured in order to bring the tunnel up.)
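As an added example (not from the original post), here is a complete IOS ZBFW configuration that puts the points above together: SSH to the router is inspected through a Layer 4 (TCP) match, OSPF and ISAKMP/NAT-T are passed in both directions, and everything else to or from the Self-Zone is dropped and logged. The zone and interface names, the 10.0.0.0/8 management source range and the class-map, policy-map and ACL names are all assumed for illustration.

```cisco
! Zones for the two interfaces. The self zone exists by default and is
! never declared; it is only referenced as "self" in a zone-pair.
zone security INSIDE
zone security OUTSIDE

interface GigabitEthernet0/0
 description LAN (assumed)
 zone-member security INSIDE
interface GigabitEthernet0/1
 description WAN (assumed)
 zone-member security OUTSIDE

! Management plane: SSH to the router from the inside range only.
! The class matches Layer 4 (tcp) so it can be inspected in the self zone.
ip access-list extended MGMT-ACL
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
class-map type inspect match-all CM-MGMT
 match access-group name MGMT-ACL
 match protocol tcp

! Control plane: OSPF is neither TCP nor UDP, so it cannot be inspected
! and is passed instead (required from IOS 15.1 onward).
ip access-list extended OSPF-ACL
 permit ospf any any
class-map type inspect match-all CM-OSPF
 match access-group name OSPF-ACL

! IPsec control channel: ISAKMP (UDP 500) and NAT-T (UDP 4500) are passed.
ip access-list extended ISAKMP-ACL
 permit udp any any eq 500
 permit udp any any eq 4500
class-map type inspect match-all CM-ISAKMP
 match access-group name ISAKMP-ACL

! Policies toward the router and from the router.
policy-map type inspect PM-INSIDE-TO-SELF
 class type inspect CM-MGMT
  inspect
 class type inspect CM-OSPF
  pass
 class class-default
  drop log
policy-map type inspect PM-SELF-TO-INSIDE
 class type inspect CM-OSPF
  pass
 class class-default
  drop log
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-ISAKMP
  pass
 class class-default
  drop log
policy-map type inspect PM-SELF-TO-OUTSIDE
 class type inspect CM-ISAKMP
  pass
 class class-default
  drop log

! Zone-pairs involving the self zone.
zone-pair security INSIDE-TO-SELF source INSIDE destination self
 service-policy type inspect PM-INSIDE-TO-SELF
zone-pair security SELF-TO-INSIDE source self destination INSIDE
 service-policy type inspect PM-SELF-TO-INSIDE
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
zone-pair security SELF-TO-OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM-SELF-TO-OUTSIDE
```

Note the asymmetry: pass is stateless, so anything passed (OSPF, ISAKMP) needs a matching class in both the zone-to-self and self-to-zone policies, while inspect is stateful, so the SSH replies from the router are allowed by the session state and need no entry in PM-SELF-TO-INSIDE. Check the result with `show zone-pair security` and `show policy-map type inspect zone-pair sessions`.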