

Firepower Prefilter or Access Control Policy

I am converting ASA configuration to FTD. I have both 2100 and 4100 series platforms. My requirement is simple: converting all ACLs and NATs etc. I do not have any upper layer inspection (IPS etc.) enabled on the ASA. The FTD is on Base license. I have three questions:


1. Is there any benefit of configuring the rules in Access Control Policy versus the Prefilter policy since I have only base license?

2. What additional feature other than layer 3/4 port blocking can I get out of the base license?

3. Is there any additional consideration I should keep in mind for the future, in case I get additional licences for IPS and Malware etc., while doing this configuration to make it easy for future license enabling?





Re: Firepower Prefilter or Access Control Policy

Any comment on this?


Re: Firepower Prefilter or Access Control Policy

1. Not a whole lot security wise. Mostly some application visibility and reporting / analysis capabilities. So you can filter based on application as determined by inspection vs. just by 5-tuple. I prefer ACP unless I know I want to fastpath the flow and never analyze it any further.

2. See #1.

3. By putting your rules in as ACP entries it is easier to add the IPS, URL and/or File (Malware) policy elements later.


Re: Firepower Prefilter or Access Control Policy

I converted my ACL from ASA to FTD. Just know that all rules imported from ASA will be put into the pre-filter policy. My best explanation is that pre-filter is more like traditional ASA policy, whereas Access Control Policy allows you to apply layer 7 inspection for file, applications, URL, etc. Just remember to add your implicit drop to the bottom of the pre-filter policy should you use one.


One other note is that should you have any traffic you do not wish to inspect, then you can use pre-filter rules with the fast path option or drop option. If you select Analyze in your pre-filter rule, then it will pass the packet onto the Access Control Policy for further inspection.


Re: Firepower Prefilter or Access Control Policy

With the new Cisco migration tool you can't migrate policy to the prefilter container; it has to be ACP.

You need to use FMC as a migration tool.

Another issue: if you migrate them to ACP, you need to edit policies individually to apply IPS/IDS or AMP policies if you need to.

Also, logging should be enabled on all rules.


Unfortunately, the migration tool is not very helpful; you need to do a bit of manual work as well.


I would recommend:


1. Migrate ASAs to Prefilter container

2. Select action as Analyze

3. At ACP, configure a policy (permit any any), enable logging and attach IPS/IDS and AMP policies
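As an added example (not code from any poster in this thread), a small Python audit script that applies the two migration caveats raised above: it parses ASA extended ACEs, maps permit to Analyze and deny to Block for a prefilter policy, flags rules without the `log` keyword, and appends the explicit deny that the ASA's implicit drop no longer provides. The ACL name, addresses and lines are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed ASA extended ACL, typical of what is exported before an FTD
# migration. Hypothetical ACL name and RFC 5737 addresses, not from the thread.
ASA_ACL = """
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443 log
access-list OUTSIDE_IN extended permit udp any host 192.0.2.53 eq domain
access-list OUTSIDE_IN extended deny ip 198.51.100.0 255.255.255.0 any log
access-list OUTSIDE_IN extended permit ip any any
"""

@dataclass
class Rule:
    acl: str
    action: str   # permit | deny
    proto: str
    match: str    # source/destination/port tokens, kept verbatim
    logged: bool

def parse_asa_acl(text: str) -> list[Rule]:
    """Parse 'access-list <name> extended permit|deny <proto> ... [log ...]' lines."""
    rules = []
    for raw in text.strip().splitlines():
        p = raw.split()
        if len(p) < 5 or p[0] != "access-list" or p[2] != "extended":
            continue  # remarks, standard ACLs and blank lines are skipped
        rest = p[5:]
        logged = "log" in rest
        if logged:
            rest = rest[: rest.index("log")]  # strip 'log' and its options
        rules.append(Rule(p[1], p[3], p[4], " ".join(rest), logged))
    return rules

def prefilter_plan(rules: list[Rule]) -> dict:
    """Map each ACE to a prefilter action and list what a migration review should flag."""
    plan, findings = [], []
    for i, r in enumerate(rules, 1):
        # permit -> Analyze (hand the flow on to the ACP), deny -> Block
        plan.append({"seq": i, "action": "Analyze" if r.action == "permit" else "Block",
                     "proto": r.proto, "match": r.match, "log": True})
        if not r.logged:
            findings.append(f"rule {i}: no 'log' keyword; enable logging on the migrated rule")
        if r.action == "permit" and r.proto == "ip" and r.match == "any any":
            findings.append(f"rule {i}: 'permit ip any any' makes every rule below it unreachable")
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.proto == "ip" and last.match == "any any"):
        # The ASA implicit deny does not carry over; recreate it explicitly, with logging
        plan.append({"seq": len(rules) + 1, "action": "Block", "proto": "ip",
                     "match": "any any", "log": True})
        findings.append("no explicit 'deny ip any any' at the bottom; one was appended")
    return {"rules": plan, "findings": findings}

if __name__ == "__main__":
    result = prefilter_plan(parse_asa_acl(ASA_ACL))
    for row in result["rules"]:
        print(row)
    for f in result["findings"]:
        print("FINDING:", f)
```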




Re: Firepower Prefilter or Access Control Policy

The new conversion tool only has an option for Access Control Policy, so in order to do pre-filter I would either have to do it manually or use the older migration tool (neither option is attractive). It leaves me with only one option: Access Control Policy.


Although, I would have preferred to use the pre-filter and only Analyze the traffic that I needed to send for further treatment.


On the other hand, only ACP would give me User Control, Application Rules, SSL decryption, and Network discovery with the Base license.


So I would go for Access Control Policy. Is it the right approach in this case?