Re: Firepower Prefilter or Access Control Policy

S891 · ‎04-04-2019

I am converting ASA configuration to FTD. I have both 2100 and 4100 series platforms. My requirement is simple, converting all ACLs and NATs etc. I do not have any upper layer inspection enabled on ASA IPS etc. The FTD is on Base license. I have three questions:

1. Is there any benefit of configuring the rules in Acces Control Policy versus the Prefilter policy since I have only base license?

2. What additional fetaure other than layer 3/4 port blocking I can get out of the base license?

3. Is there any additional consideration I should keep in mind for future in case if I get additional licences for IPS and Malware etc while doing this configuraiton to make it easy for future license enabling?

Thanks,

S891 · ‎04-08-2019

Any comment on this?

Marvin Rhoads · ‎04-08-2019

1. Not a whole lot security wise. Mostly some application visibility and reporting / analysis capabilities. So you can filter based on application as determined by inspection vs. just by 5-tuple. I prefer ACP unless I know I want to fastpath the flow and never analyze it any further.

2. See #1.

3. By putting your rules in as ACP entries it is easier to add the IPS, URL and/or File (Malware) policy elements later.

jmeetze80 · ‎04-09-2019

I converted my ACL from ASA to FTD. Just know that all rules imported from ASA will be put into the pre-filter policy. My best explanation is that pre-filter is more like traditional ASA policy where as Access Control Policy allows you to apply layer 7 inspection for file, applications, URL, etc. Just remember to add your implicit drop to the bottom of the pre-filter policy should you use one.

One other note is that should you have any traffic you do not wish to inspect, then you can use pre-filter rules with the fast path option or drop option. If you select Analyze in your pre-filter rule, then it will pass the packet onto the Access Control Policy for further inspection.

prashant dwivedi · ‎04-10-2019

with new Cisco migration tool you can't migrate policy to the prefilter container, it has to be ACP.

you need to use FMC as a migration tool.

another issue, if you migrate them to ACP, you need to edit policies individually to apply IPS/IDS or AMP policies if you need to.

Also , logging should be enabled on all rules.

Unfortunately, the migration tool is not much helpful, you need to do bit of manual work as well.

I would recommend:

1- Migrate ASAs to Prefilter container

2-Select action as Analyze

3-At ACP , configure a policy (permit any any) , enable logging and attach IPS/IDS and AMP policies

S891 · ‎04-17-2019

The new conversion tool only has option for Access Control Policy, so in order to do pre-filter I would either have to do it manual or use the older migration tool (both options are not attractive). It leaves me with only one option of Access Control Policy.

Although I would have preferred to use the pre-filter and only Analyze the traffic that I needed to send for further treatment.

On the other hand only ACP would give me User Control, Application Rules, SSL decryption, and Network discovery with the Base license.

So I would go for Access Control Policy. Is it the right approach in this case?

Jack G · ‎08-09-2021

Latest tool will convert ASA rules to prefilter rules.