We have started implementing Firepower with FMC.
But for every allow rule, we have to create a reply rule for incoming traffic in the opposite direction. On the older ASA, if we create one rule, the reply for that session is automatically allowed.
But now on Firepower our rule count is doubled.
Am I missing something, some configuration or the proper way of doing things?
That should not be necessary.
Firepower Threat Defense Access Control Policy Rules are the same as ASA Access Control List entries in that respect - both are for a stateful firewall which keeps a connection table of allowed traffic and will automatically allow the return half of the connection or flow.
We are using transparent inline mode with security zones on the Outside and Inside interfaces, and return packets are blocked when reaching the other security zone. TCP restrict is not enabled. Is any specific configuration required, or do we need to open a TAC case for this?
For a transparent inline deployment, a return rule is required, as it is just inspecting (SNORT) the traffic which you are permitting to pass through the firewall with source and destination security zones.
Hope This Helps
Thanks for the answer. So, as with a traditional FW, it will check for an "existing connection" and pass the L3/L4 rule, but would still be blocked on SNORT's L7 rules? And is that SNORT rule the IPS? Because we enabled both File Policy (Malware) and IPS, so every connection would be checked on Firepower? Does this Prefilter Fast-Path rule also require new rules to bypass SNORT, or is it possible to align/tie it to the current rules?
To bypass traffic for inspection (SNORT, AMP), you can create a pre-filter rule and set the action as fast-path. Pre-filter rules are the same as an ASA access list: there is no L7 inspection.
If the default action on the prefilter policy is Analyse, it will send all the traffic to SNORT for further inspection.
Hope This Helps
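As an added example (not from the original thread and not Cisco FTD/FMC code): a small Python model of the two mechanisms discussed in the replies above, the stateful connection table from the first reply and the prefilter fast-path from the later one. All names, zones and addresses are hypothetical and constructed for the demo, and the inspection step itself is not modelled. It only shows that the reverse half of an allowed flow is matched by the connection table rather than by a second rule, and that a FASTPATH prefilter match records the whole flow as bypassing inspection.

```python
"""Toy stateful firewall with a prefilter stage.

Hypothetical model, not FTD or FMC code. It implements:
  1. a connection table keyed on the initiating 5-tuple, consulted in both
     directions, so return traffic needs no rule of its own;
  2. a prefilter stage whose FASTPATH action marks the flow as bypassing
     inspection, followed by zone-based access control for everything else.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN flag; only a SYN may open a new TCP connection


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: Optional[int]   # None means any destination port
    action: str               # prefilter: FASTPATH/ANALYZE; access control: ALLOW/BLOCK


FlowKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    def __init__(self, prefilter: List[Rule], access_control: List[Rule]) -> None:
        self.prefilter = prefilter
        self.access_control = access_control
        # 5-tuple of the initiating packet -> verdict applied to the whole flow
        self.conns: Dict[FlowKey, str] = {}

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse_key(p: Packet) -> FlowKey:
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    @staticmethod
    def _first_match(rules: List[Rule], p: Packet) -> Optional[Rule]:
        for r in rules:
            zones_match = (r.src_zone, r.dst_zone, r.proto) == (p.src_zone, p.dst_zone, p.proto)
            if zones_match and (r.dst_port is None or r.dst_port == p.dst_port):
                return r
        return None

    def process(self, p: Packet) -> str:
        # 1. Connection table: a forward or reverse hit reuses the flow's verdict,
        #    which is why the reply direction needs no rule of its own.
        for key in (self._key(p), self._reverse_key(p)):
            if key in self.conns:
                return self.conns[key]
        # 2. No connection yet: a TCP packet must be a SYN to open one.
        if p.proto == "tcp" and not p.syn:
            return "DROP no matching connection"
        # 3. Prefilter: FASTPATH bypasses inspection for the whole flow.
        pre = self._first_match(self.prefilter, p)
        if pre is not None and pre.action == "FASTPATH":
            self.conns[self._key(p)] = "FASTPATH"
            return "FASTPATH"
        # 4. Access control between zones; allowed flows still go to inspection.
        acl = self._first_match(self.access_control, p)
        if acl is not None and acl.action == "ALLOW":
            self.conns[self._key(p)] = "ALLOW inspect"
            return "ALLOW inspect"
        return "BLOCK"


def build_demo_firewall() -> StatefulFirewall:
    """Constructed sample policy: one fast-path rule and one Inside->Outside allow."""
    prefilter = [Rule("backup-fastpath", "Inside", "Outside", "tcp", 8443, "FASTPATH")]
    acp = [Rule("inside-to-web", "Inside", "Outside", "tcp", 443, "ALLOW")]
    return StatefulFirewall(prefilter, acp)


def run_demo() -> List[str]:
    """Constructed packets: an outbound HTTPS session, an unsolicited inbound SYN,
    and a fast-pathed backup session with its reply."""
    fw = build_demo_firewall()
    client_syn = Packet("Inside", "Outside", "tcp", "10.1.1.10", 51000, "203.0.113.5", 443, syn=True)
    server_synack = Packet("Outside", "Inside", "tcp", "203.0.113.5", 443, "10.1.1.10", 51000, syn=True)
    stray_inbound = Packet("Outside", "Inside", "tcp", "203.0.113.5", 443, "10.1.1.10", 52000, syn=True)
    backup = Packet("Inside", "Outside", "tcp", "10.1.1.10", 51001, "203.0.113.9", 8443, syn=True)
    backup_reply = Packet("Outside", "Inside", "tcp", "203.0.113.9", 8443, "10.1.1.10", 51001, syn=True)
    return [fw.process(p) for p in (client_syn, server_synack, stray_inbound, backup, backup_reply)]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The second packet (the server's SYN-ACK arriving Outside to Inside) is accepted with no Outside-to-Inside rule at all, because the reverse 5-tuple hits the entry the client's SYN created; the unsolicited inbound SYN to a different port is blocked by the same policy. A connection established through the FASTPATH rule carries that verdict in both directions too.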
Thanks, but we are looking for the possibility of bypassing return traffic; it seems that is not possible.