Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
971
Views
0
Helpful
5
Replies

Rules in ASA or Firepower?

hoffa2000
Level 3
Level 3

‎07-04-2019 11:09 PM - edited ‎02-21-2020 09:16 AM

Greetings

I've been running ASAs with Firepower services 5508 up to 5525s for some six years now and would like to know if there is some consensus out there on where the majority of ACL should be implemented. I've always had an idea of keeping the basic deny rules in the ASAs and use Firepower for higher level investigation and blocking, the NGFW stuff but with the default policy "allow" at the end. However for various reasons this approach is beginning to get unmanageable for the crew and I'm looking for options. To add to this I'm doing a hardware upgrade this fall and need to decide if I move to Firepower Threat Defence or not.

So in short: Majority of ACLs in ASA or in Firepower?

 

Regards

Fredrik

Labels:
0 Helpful
5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-06-2019 08:29 PM

A lot of practitioners (and Cisco) advocate doing your "deny" in the LINA (ASA code, more or less) when running FTD. That matches what we do anyway when running an ASA with Firepower service module. We also add "trust" as an option there for know trusted flows that we don't want to bother trying to inspect. Think inter-site backup for example. Anything where the Snort engine can add value (say for protocol, URL or file inspection) should be inspected there.

I don't advocate a default "allow" policy at the end. The default should be block. If anything hits that rule inadvertently then a proper rule for the traffic should be inserted as needed. 

0 Helpful

hoffa2000
Level 3
Level 3
In response to Marvin Rhoads

‎07-07-2019 10:16 PM

Hi Marvin and thank you for the input. I'm curious though. If, in an ASA-SFR scenario, you choose to implement an ASA ruleset along with a Firepower ruleset how do you manage the ASA ruleset at scale? We've been using Cisco Security Manager since I migrated to Firepower and CSM product seems to be a niche product at best. As today my team gets confused by two different rulesets.

 

Regards

/Fredrik

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to hoffa2000

‎07-08-2019 02:12 AM

Cisco Defense Orchestrator (CDO) allows management of both ASAs and FTD appliances.

They don't currently support Firepower service modules though - I'm not sure the APIs are in place to allow that in the future.

For more details see https://docs.defenseorchestrator.com/

0 Helpful

InTheJuniverse
Level 1
Level 1
In response to Marvin Rhoads

‎07-07-2019 11:14 PM

Marvin

 

Should the default not be inspect than block?

 

Case in point, I allow 'Shopping' URLs and I access something for the first time, the system would never know it's category unless it gets past the HTTP GET?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to InTheJuniverse

‎07-08-2019 02:13 AM

@InTheJuniverse URL rules will allow a few packets through in order to get to the point of being able to do categorization.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card