topic I think i would actually do in Network Security

Blocking via the firewall vs Blocking via Access control policy firesight and Firepower

babiojd01 — Sun, 10 Mar 2019 13:32:50 GMT

What would the benefit of blocking a destination port in the firepower access control policy over an access control list on the ASA firewall? I think it would process faster if its an ACL vs something needing further processing in order to be blocked anyway.

The ASA can do IP/block

Philip D'Ath — Thu, 21 Jan 2016 04:13:25 GMT

The ASA can do IP/block blocking on a much large scale.

I always do ip/port blocking in the ASA, and use Firepower to block things the ASA can not block easily.

In my mind it doesn't make

Massimo Baschieri — Thu, 21 Jan 2016 05:16:26 GMT

In my mind it doesn't make sense to filter at both levels since you can do all the filtering you need at sourcefire level, however if you opt for fail-open mode it may be advisable to do some basic filtering in order to limit access to internal resources at asa level also.

Maybe be there are other cases like that, but that's the only one I've seen so far.

I think i would actually do

babiojd01 — Fri, 22 Jan 2016 02:57:02 GMT

I think i would actually do the dual approach. To me, forcing everything to be processed by the module would be a little much unless you have way more processing power than is required. If you have a 5585 and a smaller user base it might not matter. To me it seems like a waste of processing power if you want the packet dropped anyway. Also if you want intelligence into where traffic is going and you aren't sending logs to a SIEM then you might want it sent to the module(geo location, reputation, etc).