Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 5      Managing Reusable Objects

Working with Security Zones
License: Any
Supported Devices: Any
A security zone is a grouping of one or more inline, passive, switched, routed, or ASA interfaces that you can use to manage and classify traffic flow in various policies and configurations. The interfaces in a single zone may span multiple devices; you can also configure multiple zones on a single device. This allows you to divide the network into segments where you can apply various policies. You must assign each interface you configure to a security zone before it can handle traffic, and each interface can belong to only one zone.

In addition to using security zones to group interfaces, you can use zones in various places in the system's web interface, including access control policies, network discovery rules, and event searches. For example, you could write an access control rule that applies only to a specific source or destination zone, or restrict network discovery to traffic to or from a specific zone.

When you update a security zone object, the system saves a new revision of the object. As a result, if managed devices in the same security zone have different revisions of the security zone object, you may log what appear to be duplicate connections. If you notice duplicate connection reporting, you can update all managed devices to use the same revision of the object. In the object manager, edit the security zone, remove all managed devices, save the object, re-add the managed devices, and save the object again. Then, reapply all affected device policies. For more information on applying device policies, see
You create security zones in one of the following ways:
  • The system creates security zones upon device registration, depending on the detection mode you selected for the device during its initial configuration. For example, the system creates a Passive zone in passive deployments, while in inline deployments the system creates External and Internal zones. The system does not create default zones for ASA interfaces.
  • You can create security zones on the fly while configuring interfaces on a managed device.
  • You can create security zones using the object manager (Objects > Object Management).

The Security Zones page of the object manager lists the zones configured on your managed devices. The page also displays the type of interfaces in each zone, and you can expand each zone to view which interfaces on which devices belong to each zone.
Note: All interfaces in a security zone must be of the same type, that is, all inline, passive, switched, routed, or ASA. Further, after you create a security zone, you cannot change the type of interfaces it contains.

You cannot delete a security zone that is in use. After you add or remove interfaces from a zone, you must reapply the device configuration to the devices where the interfaces reside. You must also reapply the access control and network discovery policies that use the zone.
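The zone rules stated above (one zone per interface, a single interface type per zone fixed at creation, no deletion while a policy uses the zone) and the revision-skew condition behind the duplicate-connection reporting can be checked with a small model. The following is an added example written for this page, not Cisco code and not the Management Center's API; device and interface names are constructed, and `stale_devices` flags the devices whose applied revision lags the current object revision.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Interface:
    device: str  # managed device the interface resides on
    name: str    # interface name on that device
    kind: str    # inline, passive, switched, routed or asa

class ZoneManager:
    """Constructed model of the zone rules in this section, not Cisco code."""

    def __init__(self):
        self.zones = {}    # zone name -> {"kind", "revision", "interfaces"}
        self.owner = {}    # (device, interface name) -> zone; one zone per interface
        self.in_use = {}   # zone name -> policies that reference it
        self.applied = {}  # (device, zone name) -> revision last applied to that device

    def create_zone(self, name, kind):
        # The interface type is fixed at creation and cannot be changed later.
        self.zones[name] = {"kind": kind, "revision": 1, "interfaces": set()}

    def add_interface(self, zone, iface):
        z = self.zones[zone]
        if iface.kind != z["kind"]:
            raise ValueError(f"zone {zone} holds {z['kind']} interfaces, not {iface.kind}")
        key = (iface.device, iface.name)
        if key in self.owner:
            raise ValueError(f"{key} already belongs to zone {self.owner[key]}")
        self.owner[key] = zone
        z["interfaces"].add(iface)
        z["revision"] += 1  # every saved edit is a new revision of the object

    def delete_zone(self, zone):
        if self.in_use.get(zone):
            raise ValueError(f"zone {zone} is in use by {sorted(self.in_use[zone])}")
        for iface in self.zones.pop(zone)["interfaces"]:
            del self.owner[(iface.device, iface.name)]

    def reapply(self, device):
        # Reapplying the device configuration gives the device the current revisions.
        for name, z in self.zones.items():
            if any(i.device == device for i in z["interfaces"]):
                self.applied[(device, name)] = z["revision"]

    def stale_devices(self, zone):
        # Devices in the zone still on an older revision: the duplicate-connection condition.
        z = self.zones[zone]
        return sorted({i.device for i in z["interfaces"]
                       if self.applied.get((i.device, zone)) != z["revision"]})
```

After an interface is added, every device that was already in the zone shows up as stale until its configuration is reapplied, which is exactly the state the text above says produces duplicate connection reporting.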
To add a security zone:
Access: Admin/Access Admin/Network Admin

Step 1
Select Objects > Object Management.
The Object Management page appears.

Step 2
Select Security Zones.