Traffic Best Practices

Phil Bradley
Level 4

Hello. I am evaluating the Firepower services and have a question regarding traffic to send to the module. I currently have rules (ACLs) on the ASA that restrict things such as which clients can perform DNS and also ports that they can access. I know I can accomplish this in the Firepower module as well, but to my understanding the ASA will process the rules first and then send it to the Firepower module. Does it make sense to perform denies first at the ASA for the items above and then do the deep-level inspections on the Firepower module? I would think that this would help keep CPU cycles down.


Also, I need to specify in the service policy rules what traffic to send to the Firepower module. I currently have the default service policy and use it for DNS inspection only, or I assume I do. I perform DNS rewrites in NAT for internal clients on my guest network for hosted internal web servers. Will this break that functionality if I delete the default inspection rule and send all permitted traffic to the Firepower module?


Raghunath Kulkarni
Cisco Employee

Hi Phil,


A couple of things:


1. Always use the service policy to determine which traffic needs inspection with the Firepower module. If there is any known trusted traffic, you can bypass inspection for that. If there is something known bad, or a configurable rule to block traffic based on layer 3/4, block it on the ASA itself.


2. If DNS rewrites are being done, you can have the service policy for traffic redirection exclude anything on port 53 from Firepower.
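As an added example (not part of this thread and not Cisco's own configuration), the ASA configuration below puts both points of the reply into practice on an ASA with an SFR module: an interface ACL that drops disallowed DNS on the ASA before anything is redirected, and a service-policy class that sends everything except port 53 and a trusted-server range to the module. All object names, addresses and the interface name are assumed for the example; the default `global_policy` and its `inspection_default` class (which carries `inspect dns`) are left in place and the SFR class is added beside them.

```cisco
! --- 1. Layer 3/4 denies on the ASA itself (evaluated before any SFR redirection) ---
! Only the approved resolvers may be queried on port 53; all other DNS is dropped
! by the ASA and never reaches the module. Addresses below are assumed.
object-group network APPROVED_RESOLVERS
 network-object host 10.0.0.53
 network-object host 10.0.1.53
object-group network TRUSTED_SERVERS
 network-object 10.10.0.0 255.255.255.0
!
access-list INSIDE_IN extended permit udp any object-group APPROVED_RESOLVERS eq domain
access-list INSIDE_IN extended permit tcp any object-group APPROVED_RESOLVERS eq domain
access-list INSIDE_IN extended deny udp any any eq domain
access-list INSIDE_IN extended deny tcp any any eq domain
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! --- 2. Select what is redirected to the SFR module with the service policy ---
! In a redirect ACL a "deny" means "do not send to the module", not "drop":
! port 53 stays with the ASA's own DNS inspection (needed for the NAT DNS rewrite),
! and the trusted server range bypasses deep inspection entirely.
access-list SFR_REDIRECT extended deny udp any any eq domain
access-list SFR_REDIRECT extended deny tcp any any eq domain
access-list SFR_REDIRECT extended deny ip any object-group TRUSTED_SERVERS
access-list SFR_REDIRECT extended deny ip object-group TRUSTED_SERVERS any
access-list SFR_REDIRECT extended permit ip any any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
! The existing inspection_default class (with inspect dns) is not removed;
! SFR_CLASS is simply added to the same global policy.
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
!
! Verification commands after applying:
!   show service-policy sfr
!   show access-list SFR_REDIRECT
```

`sfr fail-open` lets traffic through if the module is down; use `sfr fail-close` where the policy is that uninspected traffic must be dropped instead. The hit counts in `show access-list SFR_REDIRECT` confirm that DNS and trusted-server flows are matching the deny entries (bypassing the module) rather than the final permit.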
