Deploying a Threat Defense Between Layer 3 Networks – Cisco Firewall Deployment in Transparent Mode
Deploying a Threat Defense Between Layer 3 Networks
After configuring the physical and virtual interfaces, hosts within the same subnet can communicate with each other through a threat defense. However, if you want to communicate with hosts that are in different subnets, a routing protocol is necessary.
When you configure a dynamic routing protocol across the network, the threat defense blocks the underlying routing traffic until you allow it in an access control policy. You can choose one of the following options:
- Select a nonblocking policy as the default action (fewer steps to set up).
- Add an access control rule to allow desired traffic (more steps to set up).
Figure 5-15 shows a threat defense deployed between an inside router and an outside router. Both routers use loopback interfaces to simulate a host and the Internet. The loopback and routing interfaces are on different subnets, and all of them are included in OSPF area 1.
Figure 5-15 Deployment of a Threat Defense (in Transparent Mode) Between Two Routers
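As an added example (not from the book or its figure), the following is a constructed IOS configuration for the two routers in Figure 5-15. Hostnames, router IDs and all addresses are assumptions; because the threat defense runs in transparent mode, it bridges the two router links at Layer 2, so both routing interfaces share one subnet while each loopback sits on its own subnet, all in OSPF area 1.

```cisco
! ===== Inside router (addresses are constructed, not from the book) =====
hostname INSIDE
!
interface Loopback0
 description Simulated inside host
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0
 description Link toward the threat defense inside interface
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
router ospf 1
 router-id 1.1.1.1
 network 10.1.1.0 0.0.0.255 area 1
 network 192.168.1.0 0.0.0.255 area 1
!
! ===== Outside router (addresses are constructed, not from the book) =====
hostname OUTSIDE
!
interface Loopback0
 description Simulated Internet
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/0
 description Link toward the threat defense outside interface
 ip address 192.168.1.2 255.255.255.0
 no shutdown
!
router ospf 1
 router-id 2.2.2.2
 network 203.0.113.0 0.0.0.255 area 1
 network 192.168.1.0 0.0.0.255 area 1
```

On either router, `show ip ospf neighbor` shows the adjacency reaching FULL, and `show ip route ospf` shows the peer's loopback subnet, only after an access control policy that permits the OSPF traffic has been deployed to the threat defense; until then the hellos are dropped and no neighbor appears.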
Selecting a Default Action
The default action in an access control policy determines how a threat defense handles traffic when no matching access control rule is available in the current ruleset. To define the default action, first you need to go to Policies > Access Control. Here, you can choose to create a new policy or edit an existing one, as shown in Figure 5-16.
Figure 5-16 Options to Create and Modify an Access Control Policy
When you are on the policy editor page, use the Default Action drop-down to select one of the system-provided policies that allows traffic between the hosts in your lab. From a security standpoint, you can consider selecting a policy that allows traffic only after inspection. If you are unsure about choosing an appropriate policy, select the Intrusion Prevention: Balanced Security and Connectivity policy, as shown in Figure 5-17. It allows unmatched traffic to go through the threat defense only if the traffic passes deep packet inspection.
Figure 5-17 Selecting a System-Provided Policy as the Default Action
A new access control policy does not come with any access control rule by default. When there is no access control rule in the policy, your selections in the Default Action section affect all traffic that goes through a threat defense. For example, in an empty access control policy, if you enable logging in the default action (following the steps shown in Figure 5-18), the threat defense generates events for any connection attempt. The management center displays those connection events at Policies > Connections > Events. Remember, to activate any new settings on an access control policy, you must save the policy and then deploy it to the threat defense by navigating to Deploy > Deployment and making selections there.
Figure 5-18 Enabling Logging for Traffic Matching Default Action