https://community.cisco.com/t5/network-access-control/fortigate-like-session-tracking-acl/m-p/4309355#M566240 <P>Hello All,</P><P>&nbsp;</P><P>I've been using FortiGate for my firewall choice and would recently like to switch to cisco ASA.</P><P>&nbsp;</P><P>one thing that I noticed from the FortiGate, is that it does not have ACLs, instead, it has something called Policy to filter the IPv4/IPv6 packets.</P><P>&nbsp;</P><P>Now, ACLs are straight forward in terms of packet filtering. You specify the condition, bind it towards a certain direction of an interface. it's works like a filter.</P><P>&nbsp;</P><P>But when digging deeper into understanding the difference between Fortigate Policy and Cisco ACLs (actually ACLs in general, I only see policy on Fortigate). There's a feature called session tracking which I found pretty useful.</P><P>&nbsp;</P><P>In short, when applying an allow policy, not only does Fortigate allow the packet to pass from the source interface to destination interface (you have to specify 2 interfaces), it also tracks the session so that the reply packet in reverse direction gets allowed as well.</P><P>&nbsp;</P><P>In user friendly terms, this becomes useful since I can simply put an allow policy from host A (connected to interface A) to host B (connected to interface B), so that host A can initiate network session talks such as SSH, ICMP, etc while host B cannot do the samething backwards.</P><P>&nbsp;</P><P>Now that I'm trying to replace the Fortigate with Cisco ASA, is there a similar feature of which I can utilize and achieve the same effect?</P><P>&nbsp;</P><P>Thank you</P><DIV class="ms-editor-squiggler">&nbsp;</DIV><DIV class="ms-editor-squiggler">&nbsp;</DIV><DIV class="ms-editor-squiggler">&nbsp;</DIV><DIV class="ms-editor-squiggler">&nbsp;</DIV><DIV class="ms-editor-squiggler">&nbsp;</DIV><DIV class="ms-editor-squiggler">&nbsp;</DIV> Thu, 18 Mar 2021 02:33:46 GMT shengkangjin 2021-03-18T02:33:46Z https://community.cisco.com/t5/network-access-control/fortigate-like-session-tracking-acl/m-p/4309355#M566240 <P>Hello All,</P><P>&nbsp;</P><P>I've been using FortiGate for my firewall choice and would recently like to switch to cisco ASA.</P><P>&nbsp;</P><P>one thing that I noticed from the FortiGate, is that it does not have ACLs, instead, it has something called Policy to filter the IPv4/IPv6 packets.</P><P>&nbsp;</P><P>Now, ACLs are straight forward in terms of packet filtering. You specify the condition, bind it towards a certain direction of an interface. it's works like a filter.</P><P>&nbsp;</P><P>But when digging deeper into understanding the difference between Fortigate Policy and Cisco ACLs (actually ACLs in general, I only see policy on Fortigate). There's a feature called session tracking which I found pretty useful.</P><P>&nbsp;</P><P>In short, when applying an allow policy, not only does Fortigate allow the packet to pass from the source interface to destination interface (you have to specify 2 interfaces), it also tracks the session so that the reply packet in reverse direction gets allowed as well.</P><P>&nbsp;</P><P>In user friendly terms, this becomes useful since I can simply put an allow policy from host A (connected to interface A) to host B (connected to interface B), so that host A can initiate network session talks such as SSH, ICMP, etc while host B cannot do the samething backwards.</P><P>&nbsp;</P><P>Now that I'm trying to replace the Fortigate with Cisco ASA, is there a similar feature of which I can utilize and achieve the same effect?</P><P>&nbsp;</P><P>Thank you</P><DIV class="ms-editor-squiggler">&nbsp;</DIV><DIV class="ms-editor-squiggler">&nbsp;</DIV><DIV class="ms-editor-squiggler">&nbsp;</DIV><DIV class="ms-editor-squiggler">&nbsp;</DIV><DIV class="ms-editor-squiggler">&nbsp;</DIV><DIV class="ms-editor-squiggler">&nbsp;</DIV> Thu, 18 Mar 2021 02:33:46 GMT https://community.cisco.com/t5/network-access-control/fortigate-like-session-tracking-acl/m-p/4309355#M566240 shengkangjin 2021-03-18T02:33:46Z https://community.cisco.com/t5/network-access-control/fortigate-like-session-tracking-acl/m-p/4309446#M566244 <PRE>n user friendly terms, this becomes useful since I can simply put an allow policy from host A (connected to interface A) to host B (connected to interface B), so that host A can initiate network session talks such as SSH, ICMP, etc while host B cannot do the samething backwards.</PRE> <P>if i understand correctly same thing works with ASA its stateful firewall,&nbsp; when you enable stateful inspection&nbsp; - it automatically tracks the connection from inside to destination and maintains a state table.(not other way around.)</P> <P>&nbsp;</P> <P>for reference : (hope this what you looking ?)</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/inspect-overview.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/inspect-overview.html</A></P> Thu, 18 Mar 2021 07:54:17 GMT https://community.cisco.com/t5/network-access-control/fortigate-like-session-tracking-acl/m-p/4309446#M566244 balaji.bandi 2021-03-18T07:54:17Z