Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1569
Views
10
Helpful
3
Replies

FTD 6.2.3- Changing action of internet access policy from "Trust" to "Allow"

Go to solution
NeerajS
Level 1
Level 1

‎11-23-2018 09:18 AM - edited ‎02-21-2020 08:30 AM

Hi, We have an ASA running FTD 6.2.3 and managed currently via FDM Web UI. By default, there is one access control policy created during setup which allows inside network/interface to connect to "outside" interface for internet. The default action on this policy is set to "Trust".    Would there be any issues if i change this action to "Allow" so that i enable Intrusion inspection on this policy ?   In order to enable Intrusion, the action type needs to be Allow as it doesn't support "Trust" or "Block".


Wouldn't it be a good practice to allow "intrusion inspection" on all the outgoing internet traffic to internet anyways? 

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Abheesh Kumar
VIP Alumni
VIP Alumni

‎11-24-2018 05:42 AM - edited ‎11-24-2018 05:48 AM

Hi,

Different actions that FTD can take once a packet has matched the access rule, being

Action Description
Allow This traffic
Trust Trust this traffic and do not send it to Snort for inspection.
Monitor Monitor this traffic, apply inspection, but do not discard packets (drop)
Block Block this packet. Be aware, if used on a TCP connection,  the client will do retries
Block with reset Block this packet and send TCP resets to client and server to reset this packet
Interactive Block This is similar as the block action, but FTD will respond back with a web page that provides feedback to the block
Interactive Block with Reset This is similar as the block with reset action, but FTD will respond back with a web page that provides feedback to the block

 

Its OK to enable inspection from traffic from INSIDE ZONE to OUTSIDE ZONE.

Inspection policy cannot be enabled on TRUST & BLOCK action because that will not send the packets to SNORT engine. Below diagram will help you to know the packet flow in FTD

 

HTH

Abheesh

View solution in original post

3 Replies 3

Go to solution
Abheesh Kumar
VIP Alumni
VIP Alumni

‎11-24-2018 05:42 AM - edited ‎11-24-2018 05:48 AM

Hi,

Different actions that FTD can take once a packet has matched the access rule, being

Action Description
Allow This traffic
Trust Trust this traffic and do not send it to Snort for inspection.
Monitor Monitor this traffic, apply inspection, but do not discard packets (drop)
Block Block this packet. Be aware, if used on a TCP connection,  the client will do retries
Block with reset Block this packet and send TCP resets to client and server to reset this packet
Interactive Block This is similar as the block action, but FTD will respond back with a web page that provides feedback to the block
Interactive Block with Reset This is similar as the block with reset action, but FTD will respond back with a web page that provides feedback to the block

 

Its OK to enable inspection from traffic from INSIDE ZONE to OUTSIDE ZONE.

Inspection policy cannot be enabled on TRUST & BLOCK action because that will not send the packets to SNORT engine. Below diagram will help you to know the packet flow in FTD

 

HTH

Abheesh

Go to solution
NeerajS
Level 1
Level 1
In response to Abheesh Kumar

‎11-24-2018 09:53 AM - edited ‎11-24-2018 09:53 AM

Abheesh, Thanks for the detailed explanation. How do you guys do this in general ? Do you just change the action type of the default internet access policy to perform snort inspection OR do you create a separate policy/rule for inspecting outgoing internet traffic ?

If i create a separate rule ( access control policy) very similar to this default rule and enable inspection on it, will it even be invoked as it will be #2 in the order list ?

0 Helpful

Go to solution
Abheesh Kumar
VIP Alumni
VIP Alumni
In response to NeerajS

‎11-24-2018 10:05 AM

Hi Neeraj,
FTD cannot bind to multiple ACP's. You can bind to a single ACP with multiple rules..
I usually create IPS policy and bind to the rules which created for INSIDE >> OUTSIDE & OUTSIDE >> INSIDE. Initially will not enable the drop when inline option, Once the FMC learns the traffic pattern as per the variable set which we created then generate the recommendations of IPS policy and enable drop when inline.

 

HTH

Abheesh

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card