topic Just making sure it wasn't in Network Security

Adding rules to access control policy - Sourcefire/ASA

tolinrome tolinrome — Tue, 12 Mar 2019 09:25:27 GMT

Hello,

Attached is a screenshot of a few rules I added in the access control policy of my sourcefire config. Please take a look to see if it makes sense as to where I placed and configured the rules. Its a basic setup, inside and outside zone interface, and private network object.

I have rules that:

block geolocation (blocked countries) from any source to destination and from any destination to source.

allow zone inside to zone outside and source private network to any

allow zone outside to zone inside and destination private network from any

allow (default rule) all any

I also have these rules labeled under the Administrator Rules section and nothing under the "Standard" or "Root" section if that matters.

Thank you!

Is this for and FTD device or

Marvin Rhoads — Fri, 26 May 2017 05:30:59 GMT

Is this for and FTD device or a FirePOWER module on an ASA?

The geolocation rule should be two rules: 1) Block incoming from blocked countries to any. 2) Block outgoing from any to blocked countries. Otherwise traffic would have to be from a blocked country to another blocked country to match it.

It would seem very unusual to allow external traffic inbound for everything. We would normally expect an ACL to restrict the extrernally initiated traffic to accessing only a few specific servicers and services.

It looks like you have no file (AMP) policy specified. Do you have the Malware license?

This is for FirePOWER module

tolinrome tolinrome — Fri, 26 May 2017 12:47:19 GMT

This is for FirePOWER module on the ASA. I thought the allowing of external traffic to internal would mean "inspect everything from external to internal"? after the traffic goes through the firewall ACL? Thats why I made the rule.

So, on the acess control policy I would remove that rule and leave the one for "from internal to external"?

Just making sure it wasn't

Marvin Rhoads — Fri, 26 May 2017 15:58:43 GMT

Just making sure it wasn't for FTD - in which case it would open up your firewall. For inspection purposes it's fine though.

Have you customized the $HOME_NET and $EXTERNAL_NET variables for your network discovery? That allows you to use any-any with more confidence and let FirePOWER use the intelligence embedded in the Snort rules to decide in which cases protection needs to be applied.

$HOME_NET is my private

tolinrome tolinrome — Fri, 26 May 2017 16:20:03 GMT

$HOME_NET is my private networks and $EXTERNAL_NET is the default, which is any, which I left as is as I assume that would be "any" as in "outside."

It's recommended to make

Marvin Rhoads — Fri, 26 May 2017 16:24:54 GMT

It's recommended to make $EXTERNAL_NET be !$HOME_NET ("not home net")