Create intra-data-center application allow rules
to protect data center servers from other data center servers that
may be compromised.
A common application architecture consists of three server
tiers: web servers, application servers, and database servers. Apply best
practice Security profiles to most traffic between server tiers
to prevent threats. Don’t apply Security profiles to low-value,
high-volume traffic such as mailbox replication and backup flows—the
firewall already inspected the original flows, so spending CPU cycles
on them provides no extra value. Do create allow rules for these
applications to prevent misuse. For each rule, configure Log
at Session End
and set up Log Forwarding to track and analyze rule violations.
This example configures rules that allow traffic between application
server tiers for two proprietary internal finance applications for which
we created custom applications:
Allow finance application
traffic between the web server tier and the application server tier.
Allow finance application traffic between the application
server tier and the database server tier.
Create intra-data-center Decryption
policy rules to decrypt the traffic allowed in the preceding Security
policy rules.
The data center is a perfect place for attackers to hide
because many people think the data center is safe and don’t look
for intruders. But the same basic tenet that’s true in the rest
of the network holds true in the data center: you can’t protect
yourself against what you can’t see. Decrypt encrypted data center
traffic so that the firewall can inspect traffic, control access,
make threats visible, and protect your valuable assets.
Not all data center traffic is encrypted. Don’t spend resources to decrypt
unencrypted (cleartext) traffic.
This rule decrypts traffic flowing between the
web server tier and the application server tier for the Finance department’s
custom application.
This rule decrypts the traffic flowing between the application
server tier and the database server tier for the Finance department’s
custom application.
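The checklist above (Log at Session End, Log Forwarding, Security profiles on all but the exempt bulk flows, and a Decryption rule covering each allowed server-tier flow) is the kind of thing worth linting automatically. The following is an added example, not code from this page or from Palo Alto Networks; the rule dicts only mimic fields you would read over the PAN-OS XML API, and every zone, application and profile name is constructed for illustration.

```python
# Added example (not the page's own code): rule dicts mimic fields you would
# read via the PAN-OS XML API; zone, application and profile names are constructed.
EXEMPT_APPS = {"mailbox-replication", "backup-flow"}  # bulk flows exempt from profiles (constructed)

def is_exempt(rule):
    """True when every application in the rule is a low-value bulk flow."""
    return set(rule["applications"]) <= EXEMPT_APPS

def lint_security_rule(rule):
    """Checklist violations for one intra-data-center allow rule."""
    findings = []
    if not rule.get("log_end"):            # Log at Session End
        findings.append("log-end disabled")
    if not rule.get("log_forwarding"):     # Log Forwarding profile
        findings.append("no log-forwarding profile")
    if not is_exempt(rule) and not rule.get("profile_group"):
        findings.append("no security profile group")
    return findings

def missing_decryption(security_rules, decryption_rules):
    """Names of non-exempt allow rules whose zone pair has no decrypt rule."""
    decrypted = {(d["from"], d["to"]) for d in decryption_rules
                 if d["action"] == "decrypt"}
    return [r["name"] for r in security_rules
            if r["action"] == "allow" and not is_exempt(r)
            and (r["from"], r["to"]) not in decrypted]

# Constructed sample policy: one compliant rule, one missing log-end, one exempt backup flow.
SECURITY_RULES = [
    {"name": "finance-web-to-app", "from": "dc-web", "to": "dc-app", "action": "allow",
     "applications": ["finance-web-app"], "log_end": True,
     "log_forwarding": "dc-siem", "profile_group": "dc-best-practice"},
    {"name": "finance-app-to-db", "from": "dc-app", "to": "dc-db", "action": "allow",
     "applications": ["finance-db-app"], "log_end": False,
     "log_forwarding": "dc-siem", "profile_group": "dc-best-practice"},
    {"name": "dc-backup", "from": "dc-db", "to": "dc-backup", "action": "allow",
     "applications": ["backup-flow"], "log_end": True,
     "log_forwarding": "dc-siem", "profile_group": None},
]
DECRYPTION_RULES = [
    {"name": "decrypt-web-to-app", "from": "dc-web", "to": "dc-app", "action": "decrypt"},
]

def lint_policy(security_rules=SECURITY_RULES, decryption_rules=DECRYPTION_RULES):
    """Map each allow rule to its findings, plus the rules lacking decryption."""
    report = {r["name"]: lint_security_rule(r)
              for r in security_rules if r["action"] == "allow"}
    report["missing-decryption"] = missing_decryption(security_rules, decryption_rules)
    return report
```

Running `lint_policy()` on the sample flags the app-to-db rule twice: it has Log at Session End turned off, and its zone pair has no Decryption rule, while the backup flow passes without a profile group because the text exempts it.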