03 - Zone Security, Security and NAT Policies
Policies
• An interface on the firewall must be assigned to a security zone before the interface can process traffic.
• A zone can have multiple interfaces of the same type assigned to it (for example, tap, Layer 2, or Layer 3 interfaces), but an interface can belong to only one zone.
1. Tap - A Tap interface monitors traffic that is connected to a network switch's MIRROR/SPAN port. This mirrored traffic is forwarded by a switch port to a firewall's Tap interface and is analyzed using App-ID, User-ID, Content-ID, and the firewall's other inspection features.
2. Virtual Wire - A Virtual Wire interface is used to pass traffic through a firewall by binding two Ethernet interfaces and allowing traffic to pass between them.
3. Layer 2 - Layer 2 interfaces are used to switch traffic between other Layer 2 interfaces.
4. Layer 3 - A Layer 3 interface is used when routing between two or more networks.
5. Tunnel - A Tunnel interface is a logical (virtual) interface used with VPN tunnels to deliver encrypted traffic between two endpoints.
Network Interfaces
All firewall models include in-band interfaces that are used to control network traffic flowing across an enterprise.
• Physical Interfaces - The firewall supports two types of media: copper and fiber-optic. You can configure Ethernet interfaces as various types: Tap, High Availability (HA), Virtual Wire (interface and subinterface), Layer 2 (interface and subinterface), Layer 3 (interface and subinterface), SD-WAN, and Aggregate Ethernet (AE). The available interface types and transmission speeds vary according to the hardware model.
• Logical Interfaces - These include VLAN interfaces, loopback interfaces, and tunnel interfaces. You must set up the physical interface before defining a VLAN or a tunnel interface.
Deployment Options
• Tap Mode requires no changes to the existing network design. In this mode, the firewall cannot block any traffic.
• The firewall can be inserted into an existing topology without requiring any re-allocation of network addresses or redesign of the network topology.
• With Layer 3 interfaces, the firewall can replace any current enterprise firewall deployment.
Tap Interface Configuration
• The firewall can use a tap interface to connect to a switch's SPAN or mirror port.
• A tap interface passively collects and logs monitored traffic to the firewall's Traffic log.
• If traffic can match two rules, the first rule that matches is said to shadow the rule below it.
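The shadowing check described above, as an added example that is not part of the course material: a simplified top-down comparison of security rules (zones, addresses, applications, services are modelled as sets; the rule names and networks are constructed sample values).

```python
# Added example (not from the course material): find security policy rules
# that are completely shadowed by an earlier rule in the rulebase.
# Rule fields are a simplified model; the literal "any" matches everything.
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class Rule:
    name: str
    src_zone: set
    dst_zone: set
    src_addr: set      # CIDR strings, or {"any"}
    dst_addr: set
    app: set
    service: set
    action: str

def _addr_covered(inner: set, outer: set) -> bool:
    """Every network in `inner` lies inside some network in `outer`."""
    if "any" in outer:
        return True
    if "any" in inner:
        return False
    return all(any(ip_network(i).subnet_of(ip_network(o)) for o in outer) for i in inner)

def _set_covered(inner: set, outer: set) -> bool:
    """Zone/app/service match: `outer` is "any" or a superset of `inner`."""
    return "any" in outer or ("any" not in inner and inner <= outer)

def is_shadowed(later: Rule, earlier: Rule) -> bool:
    """True when everything `later` could match is already matched by `earlier`."""
    return (_set_covered(later.src_zone, earlier.src_zone)
            and _set_covered(later.dst_zone, earlier.dst_zone)
            and _addr_covered(later.src_addr, earlier.src_addr)
            and _addr_covered(later.dst_addr, earlier.dst_addr)
            and _set_covered(later.app, earlier.app)
            and _set_covered(later.service, earlier.service))

def find_shadowed(rules: list) -> list:
    """Return (shadowed_rule, shadowing_rule) name pairs, evaluated top-down."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if is_shadowed(later, earlier):
                found.append((later.name, earlier.name))
                break   # first matching rule is the one that shadows it
    return found

# Constructed sample rulebase: the second rule can never be hit.
RULES = [
    Rule("allow-web", {"trust"}, {"untrust"}, {"10.0.0.0/8"}, {"any"}, {"web-browsing", "ssl"}, {"application-default"}, "allow"),
    Rule("allow-finance-web", {"trust"}, {"untrust"}, {"10.1.0.0/16"}, {"any"}, {"web-browsing"}, {"application-default"}, "allow"),
    Rule("allow-dns", {"trust"}, {"dmz"}, {"any"}, {"10.9.0.53/32"}, {"dns"}, {"application-default"}, "allow"),
]
```

The action of the shadowed rule is irrelevant to the check: whether it would allow or deny, it is unreachable and is a cleanup candidate alongside the unused rules discussed below.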
Finding Unused Security Policy Rules
• Administrators should periodically remove unused rules from their Security policy rulebase.
• Removal of unused rules increases firewall operational efficiency and simplifies rule management.
• The firewall tracks rules unused since the last time the data plane restarted.
• You can perform cleanup quickly and easily by using the Highlight Unused Rules option.
• To find unused rules, navigate to Policies > Security.
Rule Usage Filter
• Firewall administrators need to periodically check for rules that are out of date or unused.
• To filter the rules displayed, navigate to Policies > Security > Policy Optimizer > Rule Usage.
Tags
• Add Tag - Objects > Tags > Add
• Assign Tags - Assign your Security policy to a tag group
• Filter for Tag - Filter security policy using tag
• Require Tag on Policies - Device > Setup > Management and select the Require Tag on policies option
Test Policy Functionality
• You can test policy rules and managed device configurations to ensure that candidate configurations appropriately secure your network and maintain connectivity to important network resources.
• The Test Security Policy Match window enables you to enter a set of criteria directly from the web interface rather than from the CLI.
• Device > Troubleshooting
NAT Types
• Source NAT
  • Translates the address of outbound traffic, that is, traffic originating on a private network and being forwarded out toward the internet.
• Destination NAT
  • Translates the address of inbound traffic, that is, traffic coming from the internet into the local private network.
Source NAT
• Source NAT is commonly used to allow host devices configured with a private IP address to send and receive traffic on the internet.
• Source NAT Types
  • Static IP
    • 1-to-1 fixed translations
    • Changes the source IP address while leaving the source port unchanged
    • Supports the implicit bidirectional rule feature
  • Dynamic IP
    • 1-to-1 translations of a source IP address only (no port number)
    • The private source address translates to the next available address in the range
    • By default, if the source address pool is larger than the translated address pool, new IP addresses seeking translation are blocked while the translated address pool is fully used
  • Dynamic IP and Port
    • Allows multiple clients to use the same public IP address with different source port numbers
    • The assigned address can be set to the interface address or to a translated address.
Source NAT and Security Policies
• To configure source NAT, first create a NAT policy rule. Then create a security policy rule to allow the traffic.
• Policies > NAT
• A NAT policy rule matches the packet based on the original pre-NAT source and destination addresses and the pre-NAT destination zone.
Destination NAT
• Destination NAT is commonly used to make a server within a private network reachable from the public internet.
• Destination NAT Types
  • Static IP
    • 1-to-1 translation of inbound traffic
    • Changes the destination IP address while leaving the destination port unchanged
  • Dynamic IP (with session distribution)
    • Translates the original destination address to a destination host or server that has a dynamic IP address, meaning an address object that uses an FQDN, which can return multiple addresses from DNS
    • If the translated destination address resolves to more than one address, the firewall distributes incoming NAT sessions among the multiple addresses to provide improved session distribution.
    • Distribution is based on one of several methods: round-robin (the default method), source IP hash, IP modulo, IP hash, or least sessions.
• To configure destination NAT, first create a NAT policy rule. Then create a security policy rule to allow the traffic.
• Policies > NAT
• A NAT policy rule matches the packet based on the original pre-NAT source and destination addresses and the pre-NAT destination zone. Use the Translated Packet tab to specify the desired translation of packets that meet the Original Packet criteria.
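A toy model of the translation behaviours described in the Source NAT Types and Destination NAT Types sections, added here as an example and not taken from the course material or from any firewall implementation. It shows a static 1-to-1 mapping keeping the source port, a dynamic IP pool that blocks new sources once exhausted, dynamic IP and port sharing one public address, and round-robin session distribution for a destination that resolves to several hosts. All addresses and the sequential port picker are constructed sample values.

```python
# Added example (not from the course material): simplified models of the
# source and destination NAT types and how each chooses a translated address.
import itertools

class StaticIpSourceNat:
    """1-to-1 fixed mapping; the source port is left unchanged."""
    def __init__(self, mapping):          # {private_ip: public_ip}
        self.mapping = mapping
    def translate(self, src_ip, src_port):
        return self.mapping[src_ip], src_port

class DynamicIpSourceNat:
    """Translate to the next available address in the pool; block when the pool is used up."""
    def __init__(self, pool):
        self.free = list(pool)
        self.leases = {}                  # private_ip -> public_ip
    def translate(self, src_ip, src_port):
        if src_ip not in self.leases:
            if not self.free:
                return None               # pool fully used: new source is blocked
            self.leases[src_ip] = self.free.pop(0)
        return self.leases[src_ip], src_port   # IP only; port is not rewritten

class DynamicIpAndPortSourceNat:
    """Many clients share one public IP, told apart by the translated source port."""
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.ports = itertools.count(first_port)   # toy allocator (constructed)
    def translate(self, src_ip, src_port):
        return self.public_ip, next(self.ports)

class DynamicDestinationNat:
    """Destination FQDN resolves to several hosts; default round-robin distribution."""
    def __init__(self, resolved_addrs):
        self.cycle = itertools.cycle(resolved_addrs)
    def translate(self, dst_ip, dst_port):
        return next(self.cycle), dst_port   # destination port left unchanged

def demo():
    # Constructed sample values: two-address DIP pool, three private sources
    dip = DynamicIpSourceNat(["203.0.113.10", "203.0.113.11"])
    dipp = DynamicIpAndPortSourceNat("203.0.113.1")
    dnat = DynamicDestinationNat(["10.9.0.11", "10.9.0.12"])
    return {
        "static": StaticIpSourceNat({"10.0.0.5": "203.0.113.5"}).translate("10.0.0.5", 40000),
        "dip": [dip.translate(ip, 40000) for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3")],
        "dipp": [dipp.translate(ip, 40000) for ip in ("10.0.0.1", "10.0.0.2")],
        "dnat": [dnat.translate("203.0.113.80", 443) for _ in range(3)],
    }
```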