Configuration strategy:
Zones:
Tags:
Two zone protection profiles: one for external interfaces and one for all others.
Create an address group of the firewall's own interface IP addresses so that a single, simple rule can allow the firewall interfaces to ping/traceroute/icmp anywhere.
Enable an interface management profile with ping, SSH, HTTPS, User-ID and SNMP on a loopback or on the firewall's interface into the management network. Use this for SNMP polling, User-ID redistribution (with a service route so that User-ID is fetched from other firewalls via this interface) and for managing the 'active' firewall. Enable ping, HTTPS, SSH and SNMP on the actual management interfaces and use those for backup access and troubleshooting. Consider sending RADIUS/LDAP/TACACS queries from the loopback via a service route; a local account would then be needed to get access to the passive firewall.
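The strategy above expressed as PAN-OS "set" commands (the terminology of zone protection profiles, interface management profiles, User-ID and service routes is assumed to be PAN-OS). This is an added, constructed example, not configuration from the original notes: object names, zone names and IP addresses are placeholders, the '#' lines are annotations rather than CLI input, and the exact keywords should be checked against the CLI reference for the PAN-OS version in use.

```text
# 1. Address objects for the firewall's own interface IPs, grouped so one rule covers them all.
set address FW-Loopback ip-netmask 10.255.255.1/32
set address FW-Mgmt ip-netmask 192.0.2.10/32
set address-group FW-Interfaces static [ FW-Loopback FW-Mgmt ]

# 2. One rule: traffic sourced from the firewall's interfaces may ping/traceroute/icmp anywhere, nothing else.
set rulebase security rules FW-ICMP-Out from any to any source FW-Interfaces destination any application [ ping traceroute icmp ] service application-default action allow

# 3. Loopback with a management profile that exposes only the services the strategy lists
#    (ping, SSH, HTTPS, SNMP, User-ID); HTTP and Telnet stay off.
set network profiles interface-management-profile Mgmt-Loopback ping yes ssh yes https yes snmp yes userid-service yes
set network interface loopback units loopback.1 ip 10.255.255.1/32
set network interface loopback units loopback.1 interface-management-profile Mgmt-Loopback

# 4. Service routes so User-ID redistribution and RADIUS/LDAP/TACACS+ queries leave via the loopback
#    instead of the MGT port (service names as assumed for PAN-OS: uid-agent, radius, ldap, tacplus).
set deviceconfig system route service uid-agent source interface loopback.1
set deviceconfig system route service uid-agent source address 10.255.255.1/32
set deviceconfig system route service radius source interface loopback.1
set deviceconfig system route service radius source address 10.255.255.1/32
set deviceconfig system route service ldap source interface loopback.1
set deviceconfig system route service ldap source address 10.255.255.1/32
set deviceconfig system route service tacplus source interface loopback.1
set deviceconfig system route service tacplus source address 10.255.255.1/32

# 5. Two zone protection profiles, external vs. all others, bound to the zones.
set network profiles zone-protection-profile ZPP-External flood tcp-syn enable yes
set network profiles zone-protection-profile ZPP-Internal flood tcp-syn enable yes
set zone Untrust network zone-protection-profile ZPP-External
set zone Users-Wired network zone-protection-profile ZPP-Internal
set zone Server network zone-protection-profile ZPP-Internal
```

After committing, `show running security-policy` and `show routing route` confirm the rule and that the service-route sources resolve as expected.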
10x Management
Firewall, switch and access point management; VMware management and other 'all IT can access' management; UPS management; other management functions (e.g. wall board control)
11x Server
Windows servers; Linux servers; network servers (e.g. Infoblox DNS/DHCP)
12x Voice
14x NetworkDevices
Printers
10x Users Wired
Up to 10 Wired VLANs. Can represent different buildings/floors/departments/etc.
10x Users WiFi
Up to 10 WiFi VLANs for users. Could represent different SSID/etc.
15x Security
CCTV; building alarm; door control
16x Guest
Guest WLAN; guest wired
17x Lab
Staging lab; demo environment; internal lab; training VLANs
18x DMZ
Up to 10 DMZ subnets