Inspections and Handling of Returning Traffic

Ben Lau
Level 1

Hi Experts,

After using Firepower for a while, I found myself having this question about how IPS and AMP are handling "returning" traffic (i.e. allowed connections).

Let's use a simple example. I am allowing the "inside" zone to connect to the "internet" zone, using a single and simple ACP rule which also has an IPS and File policy enabled. And the default ACP action is "Block all". Let's just say that I'm using the system-provided IPS policies (Balanced Security and Connectivity). And I am able to surf the Internet without any issue. I do see some Intrusion and File events, so the protections seem to be working.

The question I suddenly have is.... is IPS and AMP looking at the traffic that is coming "back" from the Internet?

I always have the assumption that, whatever is "allowed" in an ACP rule, the returning traffic will also be subjected to the same IPS and AMP policies, if they are enabled.

Do I have the correct assumption?

Thanks for your help in advance!

 


6 Replies

Ben Lau
Level 1

Could anyone give me a hint about this question? Thanks in advance!

Ben

Yes, return traffic is also subject to inspection.

As shown in the graphic below, the existence of an existing connection (TCP connection or UDP flow) bypasses prefilter and L3/L4 ACL rules but is otherwise subject to the full suite of other NGFW inspections.

[Image: FTD OOO reference.PNG]

Source:

https://www.cisco.com/c/dam/en/us/td/docs/security/firepower/Self-Help/NGFW_Policy_Order_of_Operations.pdf

Thanks Marvin! I will start reading the PDF :)

If you don't mind, could you please elaborate a little bit on what you said: "..otherwise subject to the full suite of other NGFW inspections."? I would like to know if I can use different IPS and AMP (File) policies for existing connections.

Thanks again for your attention and help!

muthumohan
Level 1

Hello Ben, I have exactly the same question. Did you get any convincing answer? None of the Cisco documents explain how the return traffic is treated. If it is a simple ASA, then it is easy to understand that the return traffic is automatically allowed through. But in the case of FTD, what ACP rule will apply to it?

Thanks.

The traffic is evaluated consistent with the ACP rule that allowed the initiating direction in the first place. There is not a "separate" rule for incoming vs. outgoing traffic in a given flow or connection.

muthumohan
Level 1

Thank you, Marvin. There is no Cisco document that tells how exactly the return traffic is handled by FTD.

Please also confirm that my below understanding is correct:

Though the LINA engine is from ASA, on the FTD platform there is no concept of security levels. All interfaces are at the same security level. For traffic to be passed from one interface (or zone) to another, explicit ACP rules (or the default action) must be in place, but this is only for the connection initiation direction. The returning traffic is allowed (stateful firewall) based on the connection table on the LINA engine (no explicit ACP rule is needed), but will still be subject to the same ACP rule on the Snort engine, for example, file and intrusion policies. Right?

Thank you so much!!!

Mohan
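The behaviour the thread settles on (a reply packet is matched to the connection the initiator created, skips the L3/L4 ACP lookup, and is inspected by the IPS and file policies of the rule that allowed the initiator) can be modelled in a few lines. The following is an added toy model written for this thread, not Cisco's code or a description of FTD internals; the rule and policy names, the egress-zone lookup and the packets are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AcpRule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                        # "allow" or "block"
    ips_policy: Optional[str] = None   # intrusion policy attached to the rule
    file_policy: Optional[str] = None  # file (AMP) policy attached to the rule

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    in_zone: str    # ingress zone
    out_zone: str   # egress zone (assumed already resolved by routing)

class FlowTracker:
    # Toy model (assumption, not FTD code): LINA connection table + Snort hand-off.
    def __init__(self, rules):
        self.rules = rules        # ordered ACP rules; default action is "Block all"
        self.conn_table = {}      # direction-independent 5-tuple -> AcpRule

    @staticmethod
    def flow_key(p):
        # Order the endpoints so the reply packet maps to the same entry.
        a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
        return (p.proto,) + (a + b if a <= b else b + a)

    def process(self, p):
        key = self.flow_key(p)
        rule = self.conn_table.get(key)
        existing = rule is not None
        if not existing:
            # New connection: first ACP rule matching the zones, else default block.
            rule = next((r for r in self.rules
                         if r.src_zone == p.in_zone and r.dst_zone == p.out_zone), None)
            if rule is None or rule.action != "allow":
                return {"verdict": "block", "rule": rule.name if rule else "default",
                        "existing": False, "ips": None, "file": None}
            self.conn_table[key] = rule
        # Existing connections skip the L3/L4 ACP lookup, but the IPS and file
        # policies of the rule that allowed the initiator apply to both directions.
        return {"verdict": "allow", "rule": rule.name, "existing": existing,
                "ips": rule.ips_policy, "file": rule.file_policy}
# Constructed sample rule set: the single inside-to-internet allow rule from the question.
RULES = [AcpRule("inside-to-internet", "inside", "internet", "allow",
                 "Balanced Security and Connectivity", "Malware Cloud Lookup")]
```

Feeding the outbound SYN, then the server's reply, then an unsolicited inbound packet shows the reply inheriting the initiator's rule and policies while the unsolicited packet falls through to the default block.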
