The Security Level of two direct connected interfaces of two firewalls

Tang-Suan Tan
Level 1

Hi all:

I have one doubt that needs to be clarified:

If one interface of firewall A, for example with the name edgeA, directly connects to another interface of firewall B with the name edgeB, do these two interfaces of the two firewalls need to be at the same security level?

For example, if the security level of edgeA is 50 at firewall A, is it necessary to set the security level of edgeB to 50 at firewall B?

thanks and best regards,

tangsuan

Accepted Solution

Hi Tangsuan

Since the firewalls are different units the security level does not have to be the same.

Security level is an INTERNAL firewall calculation of how traffic to/from interfaces should behave towards each other; it is not something that is shared between firewalls.

There is no way for firewall A to know the security level of interface B in firewall B.

So there is no impact whatsoever on what security level firewall A is using towards firewall B, or vice versa.

So to clarify: firewall A can have any security level on interface A, and firewall B can have any security level on interface B.

You handle the traffic just the same as you would any traffic on any interface, e.g. with access-lists.

Good luck

HTH

6 Replies

varrao
Level 10

Hi Tang,

No, it is not necessary to keep them on the same security level; you can assign them differently. But if you assign different levels, then for the lower-security interface to access users on the higher-security interface, you would need to allow the traffic in the ACL. If you keep them at the same security level, then you don't need any ACL, just the command "same-security-traffic permit inter-interface", and this would allow the traffic.

Hope this helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC
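To show both points above (Varun's: a lower-to-higher hop needs an ACL, same-level hops need same-security-traffic; Hobbe's accepted answer: each unit applies its own levels and ACLs), here is an added example configuration that is not from the thread. It assumes inside-A 10.1.0.0/24 behind firewall A, inside-B 10.2.0.0/24 behind firewall B, the two edge interfaces sharing the link subnet 192.0.2.0/24, and deliberately different levels (edgeA 50, edgeB 40); interface names, addresses and ACL names are assumptions.

```cisco
! ===== Firewall A (assumed example topology, not from the thread) =====
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif edgeA
 security-level 50
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
! inside (100) -> edgeA (50) is higher-to-lower, so A allows it by default.
! Flows initiated from firewall B's side arrive on edgeA and must be
! permitted explicitly. This ACL is the only thing A evaluates; A never
! sees what level firewall B assigned to edgeB.
access-list EDGEA_IN extended permit tcp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 eq 443
access-group EDGEA_IN in interface edgeA

! ===== Firewall B (separate unit; its levels are its own choice) =====
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.2.0.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif edgeB
 security-level 40
 ip address 192.0.2.2 255.255.255.0
 no shutdown
!
! Connections from inside-A reach B on edgeB (40) heading for inside (100):
! lower-to-higher on this unit, so B needs this ACL. Return traffic in either
! direction is matched by each unit's stateful connection table; no second
! rule is needed on the other firewall.
access-list EDGEB_IN extended permit tcp 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0 eq 443
access-group EDGEB_IN in interface edgeB
!
! "same-security-traffic permit inter-interface" (Varun's reply) only governs
! two interfaces of the SAME unit that share a level (e.g. if inside and edgeA
! on A were both 50); it has no effect on how A and B treat each other.
```

To check each unit's decision on its own, `packet-tracer input edgeB tcp 10.1.0.50 12345 10.2.0.10 443` on firewall B shows whether EDGEB_IN permits the flow without involving firewall A at all.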


Hi Varun:

Thanks for your answer.

One thing that is still not clear: these two interfaces are in the same subnet, since they are on the same LAN link. They are two different interfaces because they belong to two different firewalls.

If they are set to different security levels, how do I set the access rule, because:

1. They are in the same subnet. A firewall access rule is normally set to work between different subnets in routed mode, and these two firewalls are in routed mode now.

2. They are on different firewalls. How do I set the access rule, since one interface IP is on firewall A and the other on firewall B? Do both firewalls have to set the rule, or only one of them?

As such, it seems that setting different security levels is impossible. Can you clarify? Thanks!

best regards,

tangsuan

Hi,

I am not sure about your topology; can you share it with me? If the subnets are behind two different firewalls, then it really doesn't matter what security level you assign them. They would communicate irrespective of the security level assigned to them. Maybe it can be made clearer if you can explain with the help of a topology.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Hi Varun and all:

The topology is shown in the simple diagram below. Please help to clarify whether the same security level is needed and, in the event of different security levels, how to set the access rules and other configurations. Many thanks!

Thanks and best regards,

tangsuan


Hi Hobbe / Varun:

Thanks for all your replies!

I am glad to have the good answer from Hobbe. It has cleared my doubt.

regards,

tangsuan
