topic Firepower 1010 Stateful Firewall in Network Security

Firepower 1010 Stateful Firewall

brandonbittinger — Tue, 10 Sep 2019 12:30:18 GMT

I recently purchased 3 of the new Firepower 1010. I an using the device up using the on box management, Firepower Device Manager (FDM), to configure the firewalls. I currently don't have enough FMC licenses to connect the firewalls to FMC at this time. With a Cisco ASA I would simply be able to set security levels on each interface to create a stateful firewall. I would like to accomplish the same thing on the Firepower 1010. Does the Firepower 1010 have a feature that would allow me to configure a stateful firewall using FDM? Honestly FDM seems pretty bare bones and I'm not super impressed with it...

Any help is appreciated!

Re: Firepower 1010 Stateful Firewall

balaji.bandi — Tue, 10 Sep 2019 13:24:27 GMT

yes you can use FDM to configure, below guide help you.

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/fdm/fptd-fdm-config-guide-640/fptd-fdm-interfaces.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp1010/firepower-1010-gsg.pdf

Re: Firepower 1010 Stateful Firewall

brandonbittinger — Wed, 11 Sep 2019 14:57:08 GMT

So if I create an inside and an outside security zone and apply them to the appropriate interfaces all I should need to do is create an Access Control rule to allow inside to outside and it the 1010 should perform state tracking?

I factory reset the device and it looks like that is all it did by default.

Re: Firepower 1010 Stateful Firewall

GRANT3779 — Wed, 11 Sep 2019 15:12:32 GMT

If you are using Zones like you describe then your ACP rule entry would be based on Zones via Zones tab.
From Inside Zone to Outside Zone "Allow".
It is stateful and return traffic will be allowed back.

Re: Firepower 1010 Stateful Firewall

johnlloyd_13 — Thu, 12 Sep 2019 03:35:10 GMT

hi,

there's already a default NAT and access control rules configured in FTD for initial traffic to flow.

you'll also need to further tweak the device via FDM.

see helpful link:

http://ccnpsecuritywannabe.blogspot.com/2019/09/configuring-ftd-623-via-firepower.html

Re: Firepower 1010 Stateful Firewall

brandonbittinger — Thu, 12 Sep 2019 20:12:37 GMT

In this case there is no NAT being used. This Firewall terminates isolated PVLANs and there is no NAT.

I realized that I actually have a miconfiguration on the downstream switch that was the issue. The stateful firewall was working as it was supposed to after I resolved the downstream issue. I had the switchport setup to be a trunk with a list of allowed VLANs, evidently I forgot the switchport mode trunk command... I appreciate all of the help however!