Hi Guys,
I am relatively new to firewalls (both ASA and FTD) and have a few queries related to this migration.
I am migrating from ASA 8.2 to FTD 2130 (via FMC). Since there is no automatic migration path, I am doing all of my migration manually.
1: Is it the right practice to convert all ASA 8.2 policies to Pre-filter policies? Would that be sufficient for a stable migration of the existing policies?
2: I deployed one policy to FTD via FMC and noticed that FTD does not take an interface security level value. Is this normal for FTD?
3: In the existing ASA 8.2, the outside policy uses the public IP address (pre-NAT). Below is one such policy:
"access-list OUTSIDE extended permit tcp any host 203.25.149.14 object-group TCP_1"
I am not sure, but I read somewhere that in 8.3 or above you have to mention the real IP of the server? Does this apply to FTD as well? Am I right to convert the above policy to FTD as below?
Src zone: OUTSIDE; Src network: any; Dest network: 172.16.2.15 (real IP of server); Dest port: TCP_1
TCP_1 is a port object group.
4: Am I correct to convert the 8.2 ACL to an FTD pre-filter policy as below?
ASA 8.2 ACL: "access-list INSIDE extended permit object-group SERVICE_17 object-group NETWORK_15 object-group NETWORK_50 object-group SERVICE_10"
FTD policy: Source zone: INSIDE; Src network: NETWORK_15; Dest network: NETWORK_50; Src port: SERVICE_17; Dest port: SERVICE_10
object definition:
SERVICE_17 = port object group (includes different TCP and UDP ports)
SERVICE_10 = port object group (includes different TCP and UDP ports)
NETWORK_15 = Network object group (includes different internal IPs)
NETWORK_50 = Network object group (includes different internal IPs)
Regards
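As an added worked example (not from the original post or from Cisco), the script below maps the two ACL lines quoted above onto FTD rule fields by position, following the ASA extended ACL grammar: the protocol (or protocol/service object-group) argument comes first, then the source address, an optional source port, the destination address and an optional destination port, so a port group is only recognised when it follows an address argument. The object-group types and the pre-NAT-to-real-IP mapping (203.25.149.14 to 172.16.2.15) are taken from the post; treating them as lookup tables the operator fills from the 8.2 config is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Object-group types as declared in the 8.2 config (constructed from the post's
# object definitions; "port" covers tcp, udp and tcp-udp service groups).
OBJECT_TYPES = {"TCP_1": "port", "SERVICE_17": "port", "SERVICE_10": "port",
                "NETWORK_15": "network", "NETWORK_50": "network"}
# Pre-NAT public address -> real address, filled from the 8.2 static NAT
# statements (assumed mapping; values from the post).
NAT_REAL = {"203.25.149.14": "172.16.2.15"}

@dataclass
class FtdRule:
    name: str
    action: str
    protocol: str        # keyword (tcp/udp/ip) or protocol/service group name
    src_net: str
    dst_net: str
    src_port: Optional[str] = None
    dst_port: Optional[str] = None

def _take_address(tokens):
    """Consume one address argument: any | host A | object-group G | A MASK."""
    t = tokens.pop(0)
    if t == "any":
        return "any"
    if t == "host":
        ip = tokens.pop(0)
        return NAT_REAL.get(ip, ip)       # FTD rules use the real (pre-translation) address
    if t == "object-group":
        return tokens.pop(0)
    return f"{t}/{tokens.pop(0)}"         # address followed by a netmask

def _take_port(tokens):
    """Consume a port argument only if one is present: operator N | object-group G."""
    if tokens and tokens[0] == "object-group" and OBJECT_TYPES.get(tokens[1]) == "port":
        tokens.pop(0)
        return tokens.pop(0)
    if tokens and tokens[0] in ("eq", "neq", "lt", "gt"):
        return f"{tokens.pop(0)} {tokens.pop(0)}"
    if tokens and tokens[0] == "range":
        tokens.pop(0)
        return f"range {tokens.pop(0)} {tokens.pop(0)}"
    return None                           # next token is an address, not a port

def asa_to_ftd(line: str) -> FtdRule:
    """Map one 'access-list NAME extended permit|deny ...' line to FTD rule fields."""
    tokens = line.replace('"', "").split()
    name, action, rest = tokens[1], tokens[3], tokens[4:]
    protocol = rest.pop(0)
    if protocol == "object-group":        # protocol or enhanced service group
        protocol = rest.pop(0)
    src, sport = _take_address(rest), _take_port(rest)
    dst, dport = _take_address(rest), _take_port(rest)
    return FtdRule(name, action, protocol, src, dst, sport, dport)
```

Running it over the INSIDE line places SERVICE_17 in the protocol position and SERVICE_10 as the destination port, with no source port; the OUTSIDE line becomes tcp, any, 172.16.2.15, destination port TCP_1.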