topic Hi Jack, in Network Security

Access Control Policies

jack samuel — Tue, 12 Mar 2019 12:58:20 GMT

Dears

Please find the attached

I have some question for the access control policies.

i am allowing all traffic to be redirected to firepower,

If the traffic is allowed by asa access-list but it is blocked by firepower rules it will drop the packet ??? please correct me if I am wrong

If the traffic is allowed by asa access-list but there is no match in the firepower policies for example traffic from inside to DMZ interface where there is no rule it will fall in default action rule which can be by default a intrusion policy, network discovery, etc etc

Please tell me the attached snapshot rule created are correct , users will be able to browse the internet and application filter will work by rule 2. ????

Hi Jack,

yogdhanu — Mon, 11 Apr 2016 14:12:36 GMT

Hi Jack,

You are correct. Once the traffic is allowed by ASA , it goes to firepower and action is decided on which rule it matches with. If the traffic doesn't match anything , than it will match the default action with which user should be able to access internet.

Dear yogdhanu,

jack samuel — Mon, 11 Apr 2016 15:37:07 GMT

Dear yogdhanu,

Thanks for the reply

If the traffic is allowed by asa access-list but it is blocked by firepower rules it will drop the packet ??? please correct me if I am wrong

By the attached snapshot of rule I want to achieve high risk url filter, bittorrent should be block and the http, https, ftp, dns should be only allowed does the attached snapshot configuration meet the rule

Regards

Jack

Hi Jack,

yogdhanu — Mon, 11 Apr 2016 16:58:17 GMT

Hi Jack,

Yes you are right , Firepower will drop the packet if its blocked by firepower rule.

You have created all block rule and allowed only http etc. , There are apps which use HTTP for torrent. I suggest to create another block rule on top of allow rule matching the app detector for torrent.

Dear yogdhanu,

jack samuel — Tue, 12 Apr 2016 04:28:53 GMT

Dear yogdhanu,

are you sure the rule which I have created are correct, What I think the rule 1 will match all traffic and it will block all users,???

OR the rule says

if a user A browse the internet url which is in high risk he will be blocked by RULE 1 and if the URL is not in high risk he will fall in RULE 3 Please correct me if I am wrong.

Thanks

If any user from your inside

pr3d4t0r_gr — Wed, 20 Apr 2016 15:12:59 GMT

If any user from your inside network access a url that matches the url category you have define in rule 1 it will be blocked.

If it doesn't it will be allowed as per your rule 3.

Dear Yogdhanu,

jack samuel — Fri, 06 May 2016 21:31:08 GMT

Dear Yogdhanu,

Many times I have issues that I don't see the traffic in the connection events neither in the allow or block action and its simply show me on user desk the webpage cannot be displayed.

is there any CLI traces to be seen or captured so that in which rule the traffic is falling we can come to know.

thanks

Hi

yogdhanu — Sat, 07 May 2016 05:42:06 GMT

There are 2 ways you can do that.

In the sensor CLI

>system support firewall-engine-debug

It will give you option to choose the inline sets where traffic needs to be captured.

Select that and then define the source IP or destination as filter (script will ask you that) leave all blank

This would show you the traffic as it matches the rules. You can probably use putty and save its logs so that you can analyze the traffic and see the traffic trying to match itself with all the rules and which rule it does match.

For regular pcap captures , use this article.

http://www.cisco.com/c/en/us/support/docs/security/sourcefire-firepower-8000-series-appliances/117778-technote-sourcefire-00.html

Rate if helps.

Yogesh

Dear Yogdhanu,

jack samuel — Sat, 07 May 2016 06:40:45 GMT

Dear Yogdhanu,

I m trying to access one of the FTP site and that is falling in the default action rules, just I want to confirm you that the url categories which are available in the system are only for http and https traffic or for other protocol as well such as ftp etc etc.

thanks

Yes the URL categories apply

yogdhanu — Sat, 07 May 2016 09:17:43 GMT

Yes the URL categories apply only to web traffic http and https but not FTP

Rate if helps.

Yogesh

Dear yogdhanu

jack samuel — Sat, 07 May 2016 10:19:22 GMT

Dear yogdhanu

So for the ftp protocol I shld create a separate rule on top to match the rule and also I will attached the file policy so if incase they are downloading any file If it contains malware they will be block.

thanks

Correct , or you can just

yogdhanu — Sat, 07 May 2016 15:26:58 GMT

Correct , or you can just have 1 last rule where all the traffic will match and have File policy and IPS policy in there.