topic Re: ASA to FTD migration in Network Access Control

ASA to FTD migration

mateens — Mon, 20 Jul 2020 00:27:35 GMT

I want to convert ASA configuration to Firepower as prefilter rules instead of ACEs. I do not see any option in the migration tool to do so.

Re: ASA to FTD migration

balaji.bandi — Mon, 20 Jul 2020 07:26:37 GMT

I do not believe you have that option, you need to make some of the requirement manually and test it.

Since its only feature available ASA to FTD.

Re: ASA to FTD migration

mateens — Sun, 26 Jul 2020 20:46:52 GMT

i think there was an option in older versions of FMT. btw, what kind of traffic should be in prefilter ? i understand that is traffic that do not need further inspection. e.g I have a few hundred rules that are from ANY source to VIPs of loadbalancer which hosts various services/appications. Where would you put that traffic ?

Re: ASA to FTD migration

balaji.bandi — Sun, 26 Jul 2020 23:03:22 GMT

if that does not add an inspection policy just like any other ACP (in aka ACL).

here is traffic flow ( in case if you did not come across)

Re: ASA to FTD migration

Marvin Rhoads — Mon, 27 Jul 2020 02:50:57 GMT

I believe the old tool which required using an intermediate FMC instance had the option to select a prefilter policy. The current FMT does not.

Generally we use prefilter for traffic which is either a. explicitly trusted or b. does not lend itself to IPS inspection (e.g. encrypted traffic flowing through the appliance that does not require even the basic Security Intelligence (SI) scrub). I tend to put only things in the first category in prefilter since the SI action adds value even if you aren't able to inspect the unencrypted traffic.

FYI 6.7 will allow us to copy (or cut and paste) rules from an ACP into a prefilter policy.

Re: ASA to FTD migration

mateens — Thu, 06 Aug 2020 08:30:36 GMT

I have migrated the rules manually now. Have some more basic questions.

1. In ASA lower security level traffic is automatically denied to higher security level and higher to lower is allowed. How can i replicate this after migrating to firepower ?

2. All my access policies are migrated with source zone and without any destination zone. Is destination zone necessary or optional? what happen to traffic without a destination zone ?

3. Have we any dates for 6.7 ? There are many rules that can reside in prefilter policy. If i set them as "trust" instead of allow will it help ?

4. How can i estimate that would there be any performance issued with the number of rules i have configured ? running FTD 4115 in HA with 6.6. Five contexts were migrated from ASA with total approx 3000 rules.

Re: ASA to FTD migration

Mohammed al Baqari — Thu, 06 Aug 2020 09:31:05 GMT

Hi,

Q1. You can't replicate that in FTD. All interfaces have the same security
level which can't be changed. The concept of FTD is to use zones and
explicit rules to allow/deny. All interfaces within the same zone are
implicitly allowed to communicate. For different zones, the default action
is as per you ACP.

Q2. The need of the destination zone is subject to your policy. Just check
the use case if it's needed or not.

Q3. No idea about dates you can check that with your cisco AM. Trust and
allow are different. In prefilter trust will be processed by LINA (ASA
engine) without snort. Allow will pass the traffic to be examined against
ACP, snort, SI, etc.

Q4. 3000 rules are very low. I have used FPR1140 with 52k rules without
issues. The number of rules impacts the memory and can be verified using *show
memory detail*. Check the system free memory from the 1st section. The cpu
can be verified from *show cpu* and is impacted by connection per second.

**** please remember to rate useful posts