Security Zones and Interface Groups

Each interface can be assigned to a security zone and/or interface group. You then apply your security policy based on zones or groups. For example, you can assign the "inside" interface on one or more devices to the "inside" zone; and the "outside" interfaces to the "outside" zone. You can then configure your access control policy to enable traffic to go from the inside zone to the outside zone for every device using the same zones.

To view the interfaces that belong to each object, choose Objects > Object Management and click Interface. This page lists the security zones and interface groups configured on your managed devices. You can expand each interface object to view the type of interfaces in each interface object.

Note

Policies that apply to any zone (a global policy) apply to interfaces in zones as well as any interfaces that are not assigned to a zone.

Note

The Management interface does not belong to a zone or interface group.

Security Zones Vs. Interface Groups

There are two types of interface objects:

  • Security zones—An interface can belong to only one security zone.

  • Interface groups—An interface can belong to multiple interface groups (and to one security zone).

    You can use interface groups in NAT policies, prefilter policies, and QoS policies, as well as features that let you specify the interface name directly, such as Syslog servers or DNS servers.

Some policies only support security zones, while other policies support zones and groups. Unless you need the functionality an interface group provides, you should default to using security zones because security zones are supported for all features.

You cannot change an existing security zone to an interface group or vice-versa; instead you must create a new interface object.

Note

Although tunnel zones are not interface objects, you can use them in place of security zones in certain configurations; see Tunnel Zones and Prefiltering.

Interface Object Types

See the following interface object types:

  • Passive—For IPS-only passive or ERSPAN interfaces.

  • Inline—For IPS-only inline set interfaces.

  • Switched—For regular firewall bridge group interfaces.

  • Routed—For regular firewall routed interfaces.

  • ASA—(Security zones only) For legacy ASA FirePOWER device interfaces.

  • Management—(Interface groups only) For management-only interfaces.

  • Loopback—(Interface groups only) For loopback interfaces.

All interfaces in an interface object must be of the same type. After you create an interface object, you cannot change the type of interfaces it contains.
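The membership rules stated in the two sections above (one zone per interface, many groups; a single interface type per object; ASA for zones only, Management and Loopback for groups only; a global "any zone" rule also matching unassigned interfaces) can be checked offline before a change is pushed. The following model is an added example, not Cisco code; the class and field names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Interface object types listed on the page, and which object kind may hold them
ZONE_ONLY_TYPES = {"ASA"}                      # security zones only
GROUP_ONLY_TYPES = {"Management", "Loopback"}  # interface groups only
ALL_TYPES = {"Passive", "Inline", "Switched", "Routed"} | ZONE_ONLY_TYPES | GROUP_ONLY_TYPES

@dataclass
class Interface:
    device: str
    name: str
    itype: str                      # one of ALL_TYPES
    zone: Optional[str] = None      # an interface belongs to at most one security zone
    groups: set = field(default_factory=set)  # but may belong to many interface groups

@dataclass
class InterfaceObject:
    name: str
    kind: str                       # "zone" or "group"
    itype: Optional[str] = None     # fixed by the first member and never changed afterwards
    members: list = field(default_factory=list)

    def add(self, iface: Interface) -> None:
        if iface.itype not in ALL_TYPES:
            raise ValueError(f"unknown interface type {iface.itype!r}")
        if self.kind == "zone" and iface.itype in GROUP_ONLY_TYPES:
            raise ValueError(f"{iface.itype} interfaces cannot join a security zone")
        if self.kind == "group" and iface.itype in ZONE_ONLY_TYPES:
            raise ValueError(f"{iface.itype} interfaces cannot join an interface group")
        # all interfaces in one object must be of the same type
        if self.itype is None:
            self.itype = iface.itype
        elif self.itype != iface.itype:
            raise ValueError(f"{self.name} holds {self.itype} interfaces, not {iface.itype}")
        if self.kind == "zone":
            if iface.zone not in (None, self.name):
                raise ValueError(f"{iface.name} already belongs to zone {iface.zone}")
            iface.zone = self.name
        else:
            iface.groups.add(self.name)
        self.members.append(iface)

def rule_applies(src_zone: Optional[str], iface: Interface) -> bool:
    """A rule whose source zone is 'any' (None here) is global: it matches
    interfaces in every zone and interfaces that are assigned to no zone."""
    return src_zone is None or iface.zone == src_zone
```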

Interface Names

Note that the interface name (or zone name) itself does not provide any default behavior with regard to the security policy. We recommend using self-describing names to avoid mistakes in future configuration. A good name signifies a logical segment or traffic specification, for example:

  • Names of internal interfaces—InsideV110, InsideV160, InsideV195

  • Names of DMZ interfaces—DMZV11, DMZV12, DMZV-TEST

  • Names of external interfaces—Outside-ASN78, Outside-ASN91