Firepower access control rule for TCP session

Hello all,

We have started implementing Firepower with FMC.

But for every allow rule, we have to create a rule for the reply (incoming) traffic in the opposite direction. On the older ASA, if we created one rule, the reply for that session was automatically allowed.

But now on Firepower our rule count is doubled.

Am I missing something, some configuration or proper way of doing things?

Hall of Fame Master

Re: Firepower access control rule for TCP session

That should not be necessary.

Firepower Threat Defense Access Control Policy Rules are the same as ASA Access Control List entries in that respect - both are for a stateful firewall which keeps a connection table of allowed traffic and will automatically allow the return half of the connection or flow.

Beginner

Re: Firepower access control rule for TCP session

Hi Marvin,

We are using transparent inline mode with security zones on the Outside and Inside interfaces, and return packets are blocked when reaching the other security zone. TCP restrict is not enabled. Is any specific configuration required, or do we need to open a TAC case for this?

Enthusiast

Re: Firepower access control rule for TCP session

Hi,
For a transparent inline deployment, a return rule is required, as it is just inspecting (Snort) the traffic that you are permitting to pass through the firewall with source and destination security zones.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200924-configuring-firepower-threat-defense-int.html

 

Hope This Helps
Abheesh

Beginner

Re: Firepower access control rule for TCP session

Hi Abheesh,

Thanks for the answer. So, as with a traditional FW connection, it will check for an "existing connection" and pass the L3/L4 rule, but still be blocked on Snort's L7 rules? And is that Snort rule the IPS? Because we enabled both a File Policy (Malware) and IPS, so every connection would be checked on Firepower? Does this Prefilter Fast-Path rule also require new rules to bypass Snort, or is it possible to align/tie it to the current rules?

[attachment: 2019-05-27_1547.png]

Enthusiast

Re: Firepower access control rule for TCP session

Hi,

To bypass traffic for inspection (Snort, AMP) you can create a prefilter rule and set the action to Fastpath. Prefilter rules are the same as ASA access lists; there is no L7 inspection.

If the default action on the prefilter policy is Analyze, it will send all the traffic to Snort for further inspection.

 

Hope This Helps

Abheesh
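The prefilter Fastpath rule described in the reply above can be created through the FMC REST API instead of the FMC GUI. The following is an added example written for this page; it is not code from the thread or from Cisco. It assumes the FMC REST API paths `/api/fmc_platform/v1/auth/generatetoken` and `/api/fmc_config/v1/domain/{domain}/policy/prefilterpolicies/{policy}/prefilterrules`, the rule body fields (`type`, `ruleType`, `action`, `sourceInterfaceObjects`, `sourceNetworks`, `destinationPorts`, ...) and the literal types `Host`, `Network` and `PortLiteral`; verify these against your own FMC's API Explorer before use. The hostnames, UUIDs and addresses in the usage section are constructed placeholders.

```python
"""Build, sanity-check and submit an FMC prefilter rule with action FASTPATH.

Assumed (verify in the FMC API Explorer at https://<fmc>/api/api-explorer):
  - token endpoint: POST /api/fmc_platform/v1/auth/generatetoken (basic auth),
    token returned in the X-auth-access-token response header
  - rule endpoint:  POST .../policy/prefilterpolicies/{policy}/prefilterrules
  - rule fields and literal types used in build_fastpath_rule()
"""
import base64
import ipaddress
import json
import urllib.request

PREFILTER_ACTIONS = {"FASTPATH", "ANALYZE", "BLOCK"}   # assumed prefilter actions


def _network_literal(cidr):
    """Assumed FMC literal shape: single address -> Host, prefix -> Network."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses == 1:
        return {"type": "Host", "value": str(net.network_address)}
    return {"type": "Network", "value": str(net)}


def build_fastpath_rule(name, src_zone, dst_zone, src_cidr, dst_cidr, dst_port, protocol="6"):
    """Return the JSON body for a prefilter rule that fast-paths src_zone -> dst_zone.

    src_zone/dst_zone are SecurityZone object references ({"type","id","name"})
    as returned by GET .../object/securityzones. protocol is the IP protocol
    number as a string ("6" TCP, "17" UDP). Traffic matching a FASTPATH rule
    skips Snort entirely (no IPS, file/malware policy or access control rules).
    """
    return {
        "name": name,
        "type": "PrefilterRule",
        "ruleType": "PREFILTER",
        "enabled": True,
        "action": "FASTPATH",
        "sourceInterfaceObjects": {"objects": [src_zone]},
        "destinationInterfaceObjects": {"objects": [dst_zone]},
        "sourceNetworks": {"literals": [_network_literal(src_cidr)]},
        "destinationNetworks": {"literals": [_network_literal(dst_cidr)]},
        "destinationPorts": {"literals": [
            {"type": "PortLiteral", "protocol": str(protocol), "port": str(dst_port)}]},
    }


def validate_rule(rule):
    """Return a list of problems found in the rule body (empty when it looks sane).

    Catches the mistakes that FMC would otherwise reject with an opaque 400,
    or, worse, accept as a far broader bypass than intended.
    """
    problems = []
    if rule.get("action") not in PREFILTER_ACTIONS:
        problems.append(f"unknown action {rule.get('action')!r}")
    for side in ("sourceNetworks", "destinationNetworks"):
        for lit in rule.get(side, {}).get("literals", []):
            try:
                ipaddress.ip_network(lit["value"], strict=False)
            except (KeyError, ValueError):
                problems.append(f"{side}: bad prefix {lit!r}")
    for lit in rule.get("destinationPorts", {}).get("literals", []):
        if not (lit.get("protocol", "").isdigit() and lit.get("port", "").isdigit()):
            problems.append(f"destinationPorts: non-numeric entry {lit!r}")
        elif not 0 < int(lit["port"]) < 65536:
            problems.append(f"destinationPorts: port out of range {lit['port']}")
    for side in ("sourceInterfaceObjects", "destinationInterfaceObjects"):
        for obj in rule.get(side, {}).get("objects", []):
            if obj.get("type") != "SecurityZone" or not obj.get("id"):
                problems.append(f"{side}: expected SecurityZone with id, got {obj!r}")
    return problems


def prefilter_rules_url(fmc_host, domain_uuid, policy_uuid):
    return (f"https://{fmc_host}/api/fmc_config/v1/domain/{domain_uuid}"
            f"/policy/prefilterpolicies/{policy_uuid}/prefilterrules")


def get_token(fmc_host, username, password):
    """Obtain an API token; FMC returns it in a response header, not the body."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{fmc_host}/api/fmc_platform/v1/auth/generatetoken",
        method="POST", headers={"Authorization": f"Basic {auth}"})
    with urllib.request.urlopen(req) as resp:
        return resp.headers["X-auth-access-token"]


def build_request(url, token, rule):
    """Assemble the POST; kept separate so the request can be inspected offline."""
    return urllib.request.Request(
        url, data=json.dumps(rule).encode(), method="POST",
        headers={"Content-Type": "application/json", "X-auth-access-token": token})


def post_rule(url, token, rule):
    """Validate, then submit. Returns the rule object FMC created (with its id)."""
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    with urllib.request.urlopen(build_request(url, token, rule)) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Constructed placeholders: replace with your FMC host, credentials and UUIDs.
    inside = {"type": "SecurityZone", "id": "11111111-1111-1111-1111-111111111111", "name": "Inside"}
    outside = {"type": "SecurityZone", "id": "22222222-2222-2222-2222-222222222222", "name": "Outside"}
    rule = build_fastpath_rule("Fastpath-Backup", inside, outside, "10.1.0.0/16", "192.0.2.10/32", 5555)
    print(json.dumps(rule, indent=2), validate_rule(rule))
    # token = get_token("fmc.example.net", "api-user", "secret")
    # print(post_rule(prefilter_rules_url("fmc.example.net", "<domain-uuid>", "<policy-uuid>"), token, rule))
```

Two practitioner notes. First, a FASTPATH rule is a hole in the inspection path, so keep it as narrow as the validation above encourages (specific zones, prefixes and ports) and deploy the policy afterwards; the API only stages the change. Second, this only answers the "new rules to bypass Snort" question; whether a given deployment needs a separate return-direction rule is best confirmed by watching connection events for the flow after the policy is deployed, rather than assumed.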

Beginner

Re: Firepower access control rule for TCP session

Hi Abheesh,

Thanks, but we are looking for the possibility of the return traffic being bypassed, but it seems that is not possible.