topic Re: FTD: Prefilter Rule in both directions required in Network Access Control

FTD: Prefilter Rule in both directions required

mario.jost — Tue, 11 Jul 2023 12:18:48 GMT

I want to prefilter Teams media traffic on the Cisco Firepower FTD and i create a corresponing rule that prefilters the affected traffic. But i wonder, what happens to the return traffic from the Microsoft Datacenter to our network? Do i have to create a mirrored rule that prefilters the return traffic as well, or does the FTD work statefull and automatically does fastpath this traffic, too?

Re: FTD: Prefilter Rule in both directions required

Rob Ingram — Tue, 11 Jul 2023 12:22:23 GMT

@mario.jost it is stateful, so the return traffic is automatically permitted.

Re: FTD: Prefilter Rule in both directions required

MHM Cisco World — Tue, 11 Jul 2023 12:47:27 GMT

Zone-A Zone-B
you config policy from Zone-A as source Zone-B as destination
if the traffic initiate from Zone-A toward Zone-B then policy above allow this traffic and return back traffic
if the traffic initiate from Zone-B toward Zone-A then policy above not work and you need additional policy to allow traffic from Zone-B to Zone-A

Re: FTD: Prefilter Rule in both directions required

mario.jost — Tue, 11 Jul 2023 13:32:59 GMT

I know that the traffic is "allowed". My question is: Is the return traffic prefiltered/fastpathed as well? Or do i have to create a seperate rule for that.

Re: FTD: Prefilter Rule in both directions required

MHM Cisco World — Tue, 11 Jul 2023 13:38:18 GMT

Return not initiate traffic can pass.

If it initiate not return you need policy.

Re: FTD: Prefilter Rule in both directions required

mario.jost — Tue, 11 Jul 2023 13:48:35 GMT

i need a translator for this. Again: I am not talking about PASSING traffic, i know it passes. The question has been, if it the return traffic gets prefiltered/fastpathed as well. Please do not post anything if you do not have to contribute to the answer of the question. People just try to hunt for forum points here in the cisco community, thats why usually you find 1-2 quick answers that totally miss the topic.

Re: FTD: Prefilter Rule in both directions required

MHM Cisco World — Tue, 11 Jul 2023 13:55:22 GMT

First respect we try to help you here

Second if you dont find my answer help you bypass it.

Re: FTD: Prefilter Rule in both directions required

Marvin Rhoads — Tue, 11 Jul 2023 17:10:47 GMT

As noted by @Rob Ingram the "stateful" nature of a firewall means that it checks all incoming traffic to see if it is part of an existing tcp connection or udp flow (i.e., does it know something about the "state" of the traffic already). If it is found to be a reply to an already-allowed traffic flow, the return traffic is allowed automatically. That is why we don't need to make a given rule for two directions - one suffices.

Re: FTD: Prefilter Rule in both directions required

mario.jost — Tue, 11 Jul 2023 20:06:20 GMT

@MHM Cisco World i know you probably mean well and you dont see harm if your answer is not the right one. But i tell you why i am not a fan of wrong answers. Some time in the evening some guy who might now the right answer scrolls past new posts and sees the headline of this one. He sees, that this question has already 4 answers and thinks to himself: probably someone already posted the correct answer and does not open the discussion to read the details in it. If the post would have 0 answers, he probably would open it and answer. I hope you understand.

Re: FTD: Prefilter Rule in both directions required

mario.jost — Tue, 11 Jul 2023 20:17:08 GMT

I think i finally found the answer in the cisco documentation here: Firepower Management Center Configuration Guide

Under Prefilter Rules it says:
Unidirectional only (nonconfigurable). Prefilter rules match source-to-destination traffic only.

And further below it says:
Prefilter rules are always unidirectional.

So i think you have to creat a seperate rule in order to prefiltered/fastpath the traffic in the other direction (WAN2LAN) as well. By fastpathing i mean circumvent the DAQ part where lots of things like IP reputation, Domain blocking, URL filtering, decrypting, snort and other stuff takes place that could delay the traffic. So im leaving this anwer if someone in the future is looking for the same question and does not find this in the cisco documentation right away.

Re: FTD: Prefilter Rule in both directions required

MHM Cisco World — Tue, 11 Jul 2023 20:36:40 GMT

Dont worry friend be Cool Man,
NOW regarding your Q,
cisco have two FastPath, one bypass the Snort other is bypass the prefilter
first one NO need Conn second one need Conn generate in FPR.
but here is the other Q appear how FTD know that this Conn need to go to Snort or bypass Snort. here come the flag FTD use for Conn if Conn have flag N1/2 then this traffic need to go to Snort if NOT then this traffic will inspect by Snort.
you config prefilter with fastpath, traffic initiate and Conn generate and return traffic will use this Conn to bypass prefilter and bypass Snort (since you config prefilter with fastpath).