Hello. I am evaluating the Firepower services and have a question regarding traffic to send to the module. I currently have rules (ACLs) on the ASA that restrict things such as which clients can perform DNS and also which ports they can access. I know I can accomplish this in the Firepower module as well, but to my understanding the ASA will process the rules first and then send the traffic to the Firepower module. Does it make sense to perform the denies first at the ASA for the items above and then do the deep-level inspections on the Firepower module? I would think that this would help keep CPU cycles down.
Also, I need to specify in the service policy rules what traffic to send to the Firepower module. I currently have the default service policy and use it for DNS inspection only, or I assume I do. I perform DNS rewrites in NAT for internal clients on my guest network for hosted internal web servers. Will this break that functionality if I delete the default inspection rule and send all permitted traffic to the Firepower module?
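As an added illustration (not part of the original post or a reply to it), here is a minimal ASA configuration showing the two pieces the question touches: interface ACLs that drop unwanted traffic before anything reaches the module, and a global policy that keeps the default `inspection_default` class with `inspect dns` while adding a second class that redirects permitted traffic to the Firepower (SFR) module. DNS rewrite, the `dns` keyword on a NAT rule, depends on DNS application inspection being enabled, so removing `inspect dns` from the global policy would stop the rewrite; the redirect is a separate class in the same policy-map and does not require removing the default inspections. Interface names, object names, networks and addresses are assumptions chosen for the example.

```cisco
! Added example configuration, not from the original post. Interface names,
! object names, networks and addresses are assumptions for illustration.

! Interface ACLs run before the service policy; traffic they deny never
! reaches the module. Here only 10.0.0.0/24 may send DNS, and only to the
! internal resolver, and only web ports are allowed outbound.
access-list inside_in extended permit udp 10.0.0.0 255.255.255.0 host 10.0.0.53 eq domain
access-list inside_in extended deny udp any any eq domain
access-list inside_in extended permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list inside_in extended permit tcp 10.0.0.0 255.255.255.0 any eq https
access-group inside_in in interface inside

! Static NAT with DNS rewrite for a hosted web server. The "dns" keyword
! rewrites A-record replies and only works while DNS inspection is enabled.
object network web-server
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10 dns

! Select what is handed to the Firepower module: everything the ACLs let
! through. Narrow this ACL if only some traffic needs deep inspection.
access-list sfr_redirect extended permit ip any any
class-map sfr_class
 match access-list sfr_redirect

! Keep the default inspection class and add the redirect as a second class
! in the same global policy. "fail-open" passes traffic if the module is
! unavailable; "fail-close" drops it instead.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class sfr_class
  sfr fail-open
service-policy global_policy global
```

With this layout the ASA's own ACL and NAT processing, including the DNS rewrite, still happens on the ASA, and only flows that survive the ACLs are redirected to the module. After applying it, `show service-policy sfr` on the ASA shows the redirect counters for `sfr_class`, and `show service-policy inspect dns` confirms DNS inspection is still active.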