How to bypass server-to-server communication from NGFW?

I'm working, as a vendor, on a deployment model for a Cisco NGFW with the following interests:

• east-west traffic inside the server farm, to stop malware lateral movement
• user (access layer) to server farm traffic, for policy control, e.g. AV, IPS, etc.

Constraints / Concerns:
• Currently there is no L4 policy control or firewall in place; the network topology is flat.
• We don't want to buy a layer 3 switch for inter-VLAN routing.
• Internet traffic is managed by another segment and is not to be passed through the proposed NGFW.

Concerns from the vendor/integrator perspective:

• Application-to-application or app-to-DB-server traffic can best be addressed with a defined ACL; there is no botnet, malware exploit or spread from server to server per se. Using IPS and AV inspection there will be counterproductive.
• Further, the connection between app and DB is heavy traffic; the firewall will keep looking at those connections for a long time, holding down memory and CPU and affecting throughput as well.
• Terminate access to the server farm ONLY on a layer 3 device (NGFW) for policy control and NGFW compliance features (IPS, AV).

I'm looking for your assistance on whether there exists a Cisco Validated Design either for or against the above solution. Thanks.
Asked by asad ali
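The east-west ACL the asker has in mind, as an added illustration that is not part of the original post and not a Cisco Validated Design: an ASA-style configuration in which the NGFW itself routes between the server VLANs on 802.1Q subinterfaces (so no separate layer 3 switch is needed), the app tier may reach the DB tier only on the database port at layer 4, and everything else between the two VLANs is denied and logged. The interface names, VLAN numbers, addresses and the choice of TCP/1433 are assumptions made for the example.

```cisco
! Assumed topology: the NGFW routes between two server-farm VLANs on subinterfaces
interface GigabitEthernet0/1.20
 vlan 20
 nameif app_servers
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif db_servers
 security-level 50
 ip address 10.10.30.1 255.255.255.0
!
! Both VLANs sit at the same security level, so inter-interface traffic must be enabled explicitly
same-security-traffic permit inter-interface
!
! Assumed address groups for the two tiers
object-group network APP_SERVERS
 network-object 10.10.20.0 255.255.255.0
object-group network DB_SERVERS
 network-object 10.10.30.0 255.255.255.0
!
! Layer 3/4 only: the app tier may open connections to the DB tier on the database port (assumed 1433)
access-list APP_IN extended permit tcp object-group APP_SERVERS object-group DB_SERVERS eq 1433
! Anything else from the app VLAN toward the DB VLAN is dropped and logged, so lateral movement attempts show up in syslog
access-list APP_IN extended deny ip object-group APP_SERVERS object-group DB_SERVERS log
! Remaining app-tier traffic (e.g. toward the user segment) continues to be governed by other policy
access-list APP_IN extended permit ip object-group APP_SERVERS any
access-group APP_IN in interface app_servers
!
! The DB tier never initiates toward the app tier; replies to app-initiated sessions are allowed by the state table
access-list DB_IN extended deny ip object-group DB_SERVERS object-group APP_SERVERS log
access-list DB_IN extended permit ip object-group DB_SERVERS any
access-group DB_IN in interface db_servers
```

These rules are evaluated purely on addresses and ports, which is the point the asker makes about app-to-DB traffic: the heavy, well-defined server-to-server flows are constrained by the ACL and do not have to be sent through IPS/AV inspection, while the user-to-server flows on the access-layer interface are the ones a separate inspection policy would apply to.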
Joseph Hornsey (President and Janitor) commented:
It seems like your requirements are mutually exclusive. You have the NGFW, but you can't use IPS/AV Inspection because of performance issues.

As far as terminating access on the NGFW, that's doable via a remote access VPN.  Keep in mind, though, the tunnel terminates on the inside interface.  Since it's considered internal traffic - you have to configure NAT exclusions, etc. - I don't know if the ASA is going to inspect that.

Out of curiosity, do the servers have AV software installed on them?
Joseph Hornsey (President and Janitor) commented:
Question answered as stated... double VPN, etc.