topic Re: Firepower Prefilter or Access Control Policy in Network Security

Firepower Prefilter or Access Control Policy

S891 — Fri, 21 Feb 2020 17:00:50 GMT

I am converting ASA configuration to FTD. I have both 2100 and 4100 series platforms. My requirement is simple, converting all ACLs and NATs etc. I do not have any upper layer inspection enabled on ASA IPS etc. The FTD is on Base license. I have three questions:

1. Is there any benefit of configuring the rules in Acces Control Policy versus the Prefilter policy since I have only base license?

2. What additional fetaure other than layer 3/4 port blocking I can get out of the base license?

3. Is there any additional consideration I should keep in mind for future in case if I get additional licences for IPS and Malware etc while doing this configuraiton to make it easy for future license enabling?

Thanks,

Re: Firepower Prefilter or Access Control Policy

S891 — Mon, 08 Apr 2019 13:46:16 GMT

Any comment on this?

Re: Firepower Prefilter or Access Control Policy

Marvin Rhoads — Mon, 08 Apr 2019 14:53:13 GMT

1. Not a whole lot security wise. Mostly some application visibility and reporting / analysis capabilities. So you can filter based on application as determined by inspection vs. just by 5-tuple. I prefer ACP unless I know I want to fastpath the flow and never analyze it any further.

2. See #1.

3. By putting your rules in as ACP entries it is easier to add the IPS, URL and/or File (Malware) policy elements later.

Re: Firepower Prefilter or Access Control Policy

jmeetze80 — Tue, 09 Apr 2019 12:42:54 GMT

I converted my ACL from ASA to FTD. Just know that all rules imported from ASA will be put into the pre-filter policy. My best explanation is that pre-filter is more like traditional ASA policy where as Access Control Policy allows you to apply layer 7 inspection for file, applications, URL, etc. Just remember to add your implicit drop to the bottom of the pre-filter policy should you use one.

One other note is that should you have any traffic you do not wish to inspect, then you can use pre-filter rules with the fast path option or drop option. If you select Analyze in your pre-filter rule, then it will pass the packet onto the Access Control Policy for further inspection.

Re: Firepower Prefilter or Access Control Policy

prashant dwivedi — Thu, 11 Apr 2019 01:53:36 GMT

with new Cisco migration tool you can't migrate policy to the prefilter container, it has to be ACP.

you need to use FMC as a migration tool.

another issue, if you migrate them to ACP, you need to edit policies individually to apply IPS/IDS or AMP policies if you need to.

Also , logging should be enabled on all rules.

Unfortunately, the migration tool is not much helpful, you need to do bit of manual work as well.

I would recommend:

1- Migrate ASAs to Prefilter container

2-Select action as Analyze

3-At ACP , configure a policy (permit any any) , enable logging and attach IPS/IDS and AMP policies

Re: Firepower Prefilter or Access Control Policy

S891 — Wed, 17 Apr 2019 11:41:12 GMT

The new conversion tool only has option for Access Control Policy, so in order to do pre-filter I would either have to do it manual or use the older migration tool (both options are not attractive). It leaves me with only one option of Access Control Policy.

Although I would have preferred to use the pre-filter and only Analyze the traffic that I needed to send for further treatment.

On the other hand only ACP would give me User Control, Application Rules, SSL decryption, and Network discovery with the Base license.

So I would go for Access Control Policy. Is it the right approach in this case?

Re: Firepower Prefilter or Access Control Policy

Jack G — Mon, 09 Aug 2021 21:23:51 GMT

Latest tool will convert ASA rules to prefilter rules.