https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3752371#M984668 <P>No, Its permiting all traffic to go via SFR for insoection. You can create block rules in SFR as well . All your other deny rules will work as per the ASA accesslist.</P> <P>&nbsp;</P> <P>HTH</P> <P>Abheesh</P> Sun, 25 Nov 2018 14:33:43 GMT Abheesh Kumar 2018-11-25T14:33:43Z https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3752296#M984602 <P>ASA only can browse</P> <P>&nbsp;</P> <P>but After applied sfr , can not browse</P> <P>&nbsp;</P> <P>if it is state firewall , do I need to allow&nbsp;</P> <P>from outside port 443 to inside private network or NAT address?</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 12 Mar 2019 14:07:03 GMT https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3752296#M984602 Maivoko 2019-03-12T14:07:03Z https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3752305#M984624 <P>Hi,</P> <P>Please create the redirection policy like below and try.</P> <P><FONT face="courier new,courier">!</FONT></P> <P><FONT face="courier new,courier">access-list sfr_redirect extended permit ip any any</FONT><BR /><FONT face="courier new,courier">!</FONT><BR /><FONT face="courier new,courier">class-map sfr</FONT><BR /><FONT face="courier new,courier">match access-list sfr_redirect</FONT><BR /><FONT face="courier new,courier">!</FONT><BR /><FONT face="courier new,courier">policy-map global_policy</FONT><BR /><FONT face="courier new,courier">class sfr</FONT><BR /><FONT face="courier new,courier">sfr fail-open</FONT><BR /><FONT face="courier new,courier">!</FONT></P> <P><FONT face="courier new,courier">service-policy global_policy global</FONT></P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif"><SPAN>HTH</SPAN></FONT></P> <P><FONT face="arial,helvetica,sans-serif"><SPAN>Abheesh</SPAN></FONT></P> Sun, 25 Nov 2018 06:37:55 GMT https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3752305#M984624 Abheesh Kumar 2018-11-25T06:37:55Z https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3752357#M984641 <P>This is permit all , will it have security risk ?</P> <P>&nbsp;</P> <P>because sfr is applying outside too</P> Sun, 25 Nov 2018 12:12:47 GMT https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3752357#M984641 Maivoko 2018-11-25T12:12:47Z https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3752371#M984668 <P>No, Its permiting all traffic to go via SFR for insoection. You can create block rules in SFR as well . All your other deny rules will work as per the ASA accesslist.</P> <P>&nbsp;</P> <P>HTH</P> <P>Abheesh</P> Sun, 25 Nov 2018 14:33:43 GMT https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3752371#M984668 Abheesh Kumar 2018-11-25T14:33:43Z https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3752607#M984676 <P>You have some very restrictive Deny statements in your Access Control Policy. It's very likely they are blocking the traffic.</P> Mon, 26 Nov 2018 09:11:32 GMT https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3752607#M984676 Marvin Rhoads 2018-11-26T09:11:32Z https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3752715#M984699 <P>Can not apply access list in real practice</P> <P>attached screen capture</P> <P>&nbsp;</P> <P>what should do next?</P> Mon, 26 Nov 2018 12:59:58 GMT https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3752715#M984699 Maivoko 2018-11-26T12:59:58Z https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3752717#M984703 But first two rules allowed traffic first<BR />The default rule and deny will not apply Mon, 26 Nov 2018 13:01:12 GMT https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3752717#M984703 Maivoko 2018-11-26T13:01:12Z https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3769409#M984705 <P>I succeed to use firepower to browse web<BR />After remove ASA accesslist in console config<BR />Then only apply firepower’s own access list</P><P>&nbsp;</P><P>Country allow United States, United Kingdom , France, Germany, Canada , Japan , Singapore , Taiwan</P><P>&nbsp;</P><P>it seems fulfil requirement of content distribution network&nbsp;</P><P><BR />But I can not access amazon web and amazon console app in iPhone<BR /><BR /></P> Thu, 27 Dec 2018 09:19:23 GMT https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3769409#M984705 Maivoko 2018-12-27T09:19:23Z https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3769414#M984708 Did you configure any block application specific rule in ACP.<BR /> Thu, 27 Dec 2018 09:20:36 GMT https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3769414#M984708 Abheesh Kumar 2018-12-27T09:20:36Z https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3769430#M984711 <P>First allow rule is DNS</P><P>second allow rules is http and https</P><P>default IPS policy i use security over connectivity</P><P>&nbsp;</P><P>application allow in second rule are amazon and google&nbsp;</P><P>then the rest block</P><P>i did not block application deliberately.</P><P>i think they are allowed in second rules</P> Thu, 27 Dec 2018 10:44:41 GMT https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3769430#M984711 Maivoko 2018-12-27T10:44:41Z https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3769431#M984714 can you share a packet tracer output for amazon IP Thu, 27 Dec 2018 10:48:57 GMT https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3769431#M984714 Abheesh Kumar 2018-12-27T10:48:57Z https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3769456#M984718 <P>Amazon use content distribution network</P><P>i shutdowned firewall&nbsp;</P><P>may be I try it tomorrow</P><P>not easy to tune and fit the optimal setting</P><P>&nbsp;</P><P>is there any statistics commands that are for firepower, in ASA console?</P><P>&nbsp;</P><P>when I try to classify traffic into countries&nbsp;</P><P>i feel clumsy to create many same rule for just one country.</P><P>&nbsp;</P><P>where can set maximum connection in Firepower ?&nbsp;</P><P>I want to narrow the connection to my current using two applications, chrome and Mstsc Remote Desktop only</P><P>&nbsp;</P><P>where can Filter Java in Firepower and will it influence HSBC transaction in iPhone and notebook ?</P><P>&nbsp;</P><P>actually I still have not tested stock trading or transfer money with Firepower , I afraid of failure in part of transactions because application I only choose amazon and google , what should I choose application for banking application?</P> Thu, 27 Dec 2018 12:07:44 GMT https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3769456#M984718 Maivoko 2018-12-27T12:07:44Z https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3772807#M984721 <P>Today I tested again</P><P>i change to balanced security and connectivity</P><P>then I remove all amazon and google applications in access policy</P><P>&nbsp;</P><P>I succeed to use amazon console app in iPhone</P><P>but can not see the configuration page after login amazon cloud web in notebook</P><P>&nbsp;</P><P>Succed to remote control window of amazon cloud but have several times of connection cut before succeed</P><P>&nbsp;</P> Fri, 04 Jan 2019 11:03:01 GMT https://community.cisco.com/t5/network-security/can-not-browse-after-applied-sfr-service-policy-in-outside-and/m-p/3772807#M984721 Maivoko 2019-01-04T11:03:01Z