Configuring Designer to Support ANY-ANY Zones

Overview

When running Designer in Topology mode on zone-based firewalls (Palo Alto, Cisco FMC, and Fortinet FMG), the zone to zone mapping is determined by searching for the zones that are associated with the interfaces on the path. Some customers would rather use Any>Any zone to zone mapping to reduce the number of rules or when interfaces are not associated to zones.

To make Designer use Any>Any zone to zone mapping, you can set a flag in the StConf file.

This flag is global and will affect Designer behavior in all the cases where a rule is used, modified, or created on all zone-based devices.

Configure the Flag

By default, the flag is not in the StConf file, and since it is not configured, the behavior is as if the flag is set to false. Follow these steps to configure the flag and set it to true.

  1. Navigate to: https://<SecureTrack_IP>/securetrack/admin/stcgitest.htm

  2. Navigate to Edit StConf > Fetch StConf.

  3. At the end of the StConf file, add this line to set the <Designer_use_zone_any> flag:

     <Designer_use_zone_any>true</Designer_use_zone_any>

  4. Click Submit New Conf.
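Because the flag is global and defaults to false when absent, it is worth checking a fetched StConf file for its effective value before and after the change. The following is an added example, not Tufin code: it reads the flag as Designer would (absent or non-"true" means false) and sets it as the last child of the root so the XML stays well-formed. The root element name <StConf> and the other element in the sample are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

FLAG = "Designer_use_zone_any"

# Constructed sample of a StConf-style file without the flag. The root and
# the existing setting are assumed names, not the real StConf layout.
SAMPLE_STCONF = """<StConf>
  <SomeExistingSetting>1</SomeExistingSetting>
</StConf>
"""


def effective_use_zone_any(xml_text: str) -> bool:
    """Effective value of the flag: missing element or any value other than
    'true' behaves as false, matching the documented default."""
    root = ET.fromstring(xml_text)
    node = root.find(FLAG)
    if node is None or node.text is None:
        return False
    return node.text.strip().lower() == "true"


def set_use_zone_any(xml_text: str, value: bool) -> str:
    """Return the document with the flag set to value. The element is added
    inside the root (not after its closing tag), and an existing element is
    updated rather than duplicated."""
    root = ET.fromstring(xml_text)
    node = root.find(FLAG)
    if node is None:
        node = ET.SubElement(root, FLAG)
    node.text = "true" if value else "false"
    return ET.tostring(root, encoding="unicode")


def count_flag_elements(xml_text: str) -> int:
    """How many flag elements the root holds; more than one is a config error."""
    return len(ET.fromstring(xml_text).findall(FLAG))


if __name__ == "__main__":
    print("effective before:", effective_use_zone_any(SAMPLE_STCONF))
    updated = set_use_zone_any(SAMPLE_STCONF, True)
    print("effective after:", effective_use_zone_any(updated))
    print(updated)
```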

Example