Installing a pair of 850s and a pair of 3260s this weekend - interface speed

L0 Member

Installing a pair of 850s and a pair of 3260s this weekend - interface speed

We have had some requirements change since ordering this equipment and may change direction on where these new firewalls get installed.

 

Initially we ordered the 3260s for our hosted data center since most of the servers are located there and vendor provided backup solution is there. The concern was the amount of traffic that we would be pushing through the firewall during backup times. All of the server VLANs are terminated on the firewalls. That direction is changing now. We are looking to move the servers back to our corporate location where we had planned on the 850s to be installed.

 

A long term direction was proposed today to bring these servers back in-house by the end of the year which changes where I potentially place these firewalls. I'm now looking at installing the 850s at the hosted data center and the 3260s at our corporate location (data center).

 

Am I able to write a policy to allow hosts to talk to other hosts through the firewall but to disable the APP-ID and threat prevention policies to allow traffic to flow at the 10G speeds? This would be related to backup traffic in particular.

 

Thank you in advance. This should be an interesting weekend installing these since I've been a Cisco engineer for the past 20 years.

L7 Applicator

Re: Installing a pair of 850s and a pair of 3260s this weekend - interface speed

@campbech1,

You could through the use of application override policies and simply disabling all profiles assigned to the appropriate security policies. The real question would be if the backups really need to happen at line speed or if you could still leave at least app-id enabled so you can verify that it's at least backup traffic. 

The issue with what you are proposing is that the application override policy stops app-id and then if you are disabling threat identification on this traffic you essentially say that anything from/to your backup server from/to your servers is perfectly fine. I would only think of doing this if your backup system is completely offline and managed through an offline computer. If that backup system becomes infected you are giving it a very easy path to spread throughout your environment. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!