While I was working on Cisco Firepower Threat Defense (FTD), I came across “Rezoning” and felt that I needed to clear it up for myself. So I read the relevant documents and got a good understanding of how it is applied. Here is the example I used in my lab.

The scenario states that we should forward IP-in-IP and GRE traffic traversing between two interfaces (vlan510-zone & vlan511-zone) to the access control policy for further inspection. But we were also told that the BitTorrent application should be allowed over IP-in-IP traffic, but not over GRE.

First, we need to create a tunnel rule inside a prefilter policy on FTD. As seen below, IPv6-in-IP and Teredo tunnels are configured to bypass the access control policy without any kind of inspection. Rules number 2 and 3 are what we created to accomplish the stated goals. Rule number 2 “tags” IP-in-IP traffic with “TUNNEL-ZONE-1” and rule number 3 “tags” GRE traffic with “TUNNEL-ZONE-2”. Yes, you read “tagging”. Actually the naming of this feature is somewhat misleading: rezoning doesn’t have anything to do with security zones. If you want to understand its functionality, think of it as assigning a special tag to some tunneled traffic, so that we can use that tag while configuring normal access control policies.

FTD prefilter policy

Returning to the access control policy, we have created two different rules: one for traffic “from TUNNEL-ZONE-1” destined anywhere (read: traffic tagged with TUNNEL-ZONE-1), and another rule matching traffic sourced “from TUNNEL-ZONE-2” (again, read this as traffic tagged with TUNNEL-ZONE-2).

FTD prefilter policy

As you see above, the first rule allows BitTorrent traffic and the second one blocks it. Just remember that both of these rules affect only tunneled traffic between the two interfaces (vlan510-zone & vlan511-zone). Also, the relative order of these rules is not important at all, because each of them matches separate traffic without any overlap.
Last but not least, this feature can only be used in access control rules; a tunnel zone cannot be referenced from any other policy type, for example when configuring a QoS policy.
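To make the “tagging” idea concrete, here is a small Python model of the evaluation order described above: the prefilter policy runs first (fastpath or analyze, optionally assigning a tunnel zone), and the access control rules then match on the tunnel zone as if it were the source zone. This is an added example and not Cisco's code or the FMC API. The flow records, rule tables and default action are constructed for the illustration; the protocol numbers are the IANA values (IP-in-IP 4, GRE 47, IPv6-in-IP 41) and Teredo is approximated as UDP to port 3544.

```python
"""Toy model of FTD prefilter tunnel rules ("rezoning") feeding access control.

Added example, not Cisco code. It mimics the evaluation order described in
the post so the effect of tagging tunneled traffic with a tunnel zone can be
seen on sample flows. Flow records, rule tables and the default action are
constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Optional

# IANA IP protocol numbers for the encapsulations the prefilter policy matches.
IPIP, GRE, IPV6_IN_IP, UDP = 4, 47, 41, 17
TEREDO_PORT = 3544  # Teredo approximated here as IPv6 over UDP/3544


@dataclass
class Flow:
    src_zone: str                      # interface zone where the outer packet arrived
    dst_zone: str
    protocol: int                      # outer IP protocol number
    dst_port: Optional[int] = None
    application: Optional[str] = None  # application seen inside the tunnel (constructed)
    tunnel_zone: Optional[str] = None  # assigned by the prefilter policy, if any


# Prefilter tunnel rules, evaluated top-down. "fastpath" bypasses access control;
# "analyze" hands the flow to access control, optionally tagged with a tunnel zone.
PREFILTER_RULES = [
    {"name": "Fastpath IPv6-in-IP",
     "match": lambda f: f.protocol == IPV6_IN_IP, "action": "fastpath"},
    {"name": "Fastpath Teredo",
     "match": lambda f: f.protocol == UDP and f.dst_port == TEREDO_PORT,
     "action": "fastpath"},
    {"name": "Rule 2: IP-in-IP -> TUNNEL-ZONE-1",
     "match": lambda f: f.protocol == IPIP, "action": "analyze",
     "tunnel_zone": "TUNNEL-ZONE-1"},
    {"name": "Rule 3: GRE -> TUNNEL-ZONE-2",
     "match": lambda f: f.protocol == GRE, "action": "analyze",
     "tunnel_zone": "TUNNEL-ZONE-2"},
]

# Access control rules. The source zone may be an interface zone or a tunnel zone;
# the tag assigned by the prefilter policy is what these two rules key on.
ACCESS_RULES = [
    {"name": "Allow BitTorrent over IP-in-IP", "src_zone": "TUNNEL-ZONE-1",
     "application": "BitTorrent", "action": "allow"},
    {"name": "Block BitTorrent over GRE", "src_zone": "TUNNEL-ZONE-2",
     "application": "BitTorrent", "action": "block"},
]
ACCESS_DEFAULT = "allow"  # constructed default action for this illustration


def prefilter(flow: Flow) -> str:
    """Return 'fastpath' or 'analyze'; tag the flow with a tunnel zone when a rule says so."""
    for rule in PREFILTER_RULES:
        if rule["match"](flow):
            flow.tunnel_zone = rule.get("tunnel_zone")
            return rule["action"]
    return "analyze"  # no tunnel rule matched: plain traffic goes to access control untagged


def access_control(flow: Flow, rules=ACCESS_RULES) -> str:
    """First-match lookup; a tunnel zone, once assigned, acts as the source zone."""
    effective_src = flow.tunnel_zone or flow.src_zone
    for rule in rules:
        if rule["src_zone"] == effective_src and rule["application"] == flow.application:
            return rule["action"]
    return ACCESS_DEFAULT


def evaluate(flow: Flow, rules=ACCESS_RULES):
    """Full pipeline: (prefilter action, access control verdict or None, tunnel zone)."""
    pre = prefilter(flow)
    if pre == "fastpath":
        return pre, None, flow.tunnel_zone  # never reaches access control
    return pre, access_control(flow, rules), flow.tunnel_zone


if __name__ == "__main__":
    for proto, port in ((IPIP, None), (GRE, None), (IPV6_IN_IP, None), (UDP, TEREDO_PORT)):
        f = Flow("vlan510-zone", "vlan511-zone", proto, port, "BitTorrent")
        print(proto, port, evaluate(f))
```

Running the script shows BitTorrent being allowed inside IP-in-IP (tagged TUNNEL-ZONE-1) and blocked inside GRE (tagged TUNNEL-ZONE-2), while IPv6-in-IP and Teredo never reach access control. Evaluating with the two access rules reversed gives the same verdicts, which is the order-independence point made above.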

Rezoning on Cisco FTD