I've been running ASAs with Firepower services, 5508s up to 5525s, for some six years now and would like to know if there is some consensus out there on where the majority of ACLs should be implemented. I've always had an idea of keeping the basic deny rules in the ASAs and using Firepower for higher-level investigation and blocking, the NGFW stuff, but with the default policy "allow" at the end. However, for various reasons this approach is beginning to get unmanageable for the crew and I'm looking for options. To add to this, I'm doing a hardware upgrade this fall and need to decide whether I move to Firepower Threat Defense or not.
So in short: Majority of ACLs in ASA or in Firepower?
A lot of practitioners (and Cisco) advocate doing your "deny" in the LINA (ASA code, more or less) when running FTD. That matches what we do anyway when running an ASA with a Firepower service module. We also add "trust" as an option there for known trusted flows that we don't want to bother trying to inspect. Think inter-site backup, for example. Anything where the Snort engine can add value (say for protocol, URL or file inspection) should be inspected there.
I don't advocate a default "allow" policy at the end. The default should be block. If anything hits that rule inadvertently then a proper rule for the traffic should be inserted as needed.
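The split described above, written out as an ASA-with-SFR-module configuration. This is an added illustration, not configuration from the thread or from Cisco: addresses, object and ACL names are hypothetical, and the Firepower access control policy's own default action (Block) is set in FMC, not here. In the SFR case there is no prefilter "trust" action, so the equivalent is a deny line in the redirect ACL, which keeps the flow out of Snort while the interface ACL still permits it.

```text
! --- ASA side (LINA): coarse allow/deny, interface ACL evaluated first ---
object-group network BACKUP_NETS
 description Inter-site backup subnets (hypothetical addresses)
 network-object 192.0.2.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0
!
access-list INSIDE_IN remark Explicit denies first, so they never reach Snort
access-list INSIDE_IN extended deny tcp any any eq 23
access-list INSIDE_IN remark Known-trusted backup flows: permitted here, excluded from Snort below
access-list INSIDE_IN extended permit ip object-group BACKUP_NETS object-group BACKUP_NETS
access-list INSIDE_IN remark Everything else you intend to allow; Snort inspects it
access-list INSIDE_IN extended permit tcp 10.0.0.0 255.0.0.0 any eq 80
access-list INSIDE_IN extended permit tcp 10.0.0.0 255.0.0.0 any eq 443
access-list INSIDE_IN remark The implicit deny at the end of the ACL is the "default block"
access-group INSIDE_IN in interface inside
!
! --- Redirect to the Firepower (SFR) module ---
! deny = do not send to Snort (the SFR-module stand-in for a prefilter "trust")
! permit = send to Snort for URL/file/protocol inspection
access-list SFR_REDIRECT remark Do not inspect inter-site backup
access-list SFR_REDIRECT extended deny ip object-group BACKUP_NETS object-group BACKUP_NETS
access-list SFR_REDIRECT remark Inspect everything the interface ACL let through
access-list SFR_REDIRECT extended permit ip any any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
policy-map global_policy
 class SFR_CLASS
  ! fail-close: if the module is down, matching traffic is dropped rather than bypassed
  sfr fail-close
service-policy global_policy global
```

With this layout the only rules that need to live in both places are the ones for the trusted flows; the deny list stays in the ASA and the inspection rules stay in Firepower.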
Hi Marvin, and thank you for the input. I'm curious though. If, in an ASA-SFR scenario, you choose to implement an ASA ruleset along with a Firepower ruleset, how do you manage the ASA ruleset at scale? We've been using Cisco Security Manager since I migrated to Firepower, and the CSM product seems to be a niche product at best. As of today, my team gets confused by two different rulesets.
Cisco Defense Orchestrator (CDO) allows management of both ASAs and FTD appliances.
They don't currently support Firepower service modules though - I'm not sure the APIs are in place to allow that in the future.
For more details see https://docs.defenseorchestrator.com/
Should the default not be inspect rather than block?
Case in point: if I allow 'Shopping' URLs and I access something for the first time, the system would never know its category unless it gets past the HTTP GET?
@InTheJuniverse URL rules will allow a few packets through in order to get to the point of being able to do categorization.