Firepower Access Control Rules: mandatory vs. default

catanner19
Level 1

What is the difference between the Mandatory and Default rule sections in 6.x Firepower? I read this and it makes no sense to me. Thanks in advance!

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Access_Control_Rules.html

10 Replies

Marvin Rhoads
Hall of Fame

I think of them this way:

Mandatory: Do this first. Work through these top down to enforce corporate security policy. Often contains specific elements that may be exceptions to the overall policy (for example, allow Marketing to access social media but restrict it for general users) as well.

Default: Do this last. May contain more general rules that apply to all traffic. This section is only used after evaluation of the mandatory rules (which have been evaluated in top down, first match ends the processing, order) found no matches.

If there is a match in 'mandatory', does the firewall stop going through the list or does it move on to 'default'? Does it make sense to put Intrusion and Malware and File policies in 'mandatory' and access control (access-list) rules migrated over from ASA in 'default'?

The matching flow is as follows.

  • Mandatory rules - Global Policy
    • Mandatory rules - Subdomain Policy
    • Default rules - Subdomain Policy
  • Default rules - Global Policy
  • Default action - Subdomain Policy

Once a match is found, the search will stop unless the rule action is Monitor, in which case it will resume lookup.
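The evaluation order listed in the reply above, modelled as an added example (not part of the original thread and not Cisco code): a simplified first-match evaluator. The rule names, networks and applications are constructed sample values, and matching on a source label plus an application label is an assumption made to keep the model small.

```python
from dataclasses import dataclass

# Section order as listed in the reply above.
SECTION_ORDER = [
    ("global", "mandatory"),
    ("subdomain", "mandatory"),
    ("subdomain", "default"),
    ("global", "default"),
]

@dataclass
class Rule:
    name: str
    policy: str    # "global" or "subdomain"
    section: str   # "mandatory" or "default"
    action: str    # "allow", "block" or "monitor"
    src: str       # source network label; "any" matches everything
    app: str       # application label; "any" matches everything

def matches(rule, src, app):
    return rule.src in ("any", src) and rule.app in ("any", app)

def evaluate(rules, default_action, src, app):
    """Return (final_action, deciding_rule_name, monitored_rule_names)."""
    monitored = []
    for policy, section in SECTION_ORDER:
        # Within a section, rules keep their configured top-down order.
        for rule in rules:
            if (rule.policy, rule.section) != (policy, section):
                continue
            if not matches(rule, src, app):
                continue
            if rule.action == "monitor":
                monitored.append(rule.name)  # recorded, then lookup resumes
                continue
            return rule.action, rule.name, monitored  # first match ends lookup
    # Nothing matched in any section: the policy's default action applies.
    return default_action, "default-action", monitored

# Constructed sample policy (hypothetical names).
SAMPLE_RULES = [
    Rule("log-social", "global", "mandatory", "monitor", "any", "facebook"),
    Rule("marketing-social", "subdomain", "mandatory", "allow", "marketing", "facebook"),
    Rule("block-social", "subdomain", "default", "block", "any", "facebook"),
    Rule("allow-icmp", "global", "default", "allow", "any", "icmp"),
]
```

Calling `evaluate(SAMPLE_RULES, "block", "marketing", "facebook")` shows the Monitor rule being recorded while the mandatory allow still decides the flow; traffic that matches no rule falls through to the default action.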

Hi Guys,

When we migrate from ASA to FTD, do we need to import policies under the mandatory or default field?

Also, should the default clean-up rule (deny ip any any) at the bottom be part of the default rules? If so, then what is the meaning of the default action field? I mean, is there any special use case for the default action rule?

Requirements:

1- Import existing rules from ASA to FMC; for allowed traffic, perform IPS lookup.

What if I set the default action as Intrusion Prevention? Will it then be doing inspection for all the traffic that has been allowed in specific access control rules as part of the mandatory or default rules?

Probably late to the game, but for anyone who comes across this.

Those default rules are not blocking unless you put in a default rule, or use the access control block all traffic. However, if you're going to put in a deny ip any any, just set it to access control block all traffic.

This means if traffic did not match a specific policy and it's set to intrusion detection, it will allow the traffic wherever it can go without matching the other rules.

Just getting into creating these policies now. We moved to URL filtering from just a base IPS/IDS license, so now I am reworking policies.

So to confirm, "Mandatory" are rules that are enforced first and should be used for override rules if needed. So in the mandatory section I could have a rule to Block Facebook for network "Clients" and then a following rule that says Allow Facebook for network "Marketing". I think the issue I have at the moment is I am not using the User ID feature for the policy. I need to configure that to get more granular.

Then a default policy would be something like block all categories that contain "Adult", since I want this no matter what the top policies say.

I'm completely lost :D

AbteenZ
Level 1

Guys I think Default rules override mandatory rules!

I set a deny all from outside zone and the FTD neglected all the rules above in Mandatory section.

Then if rules are checked top to bottom, inclusive of the default category anyway, what is the point of the mandatory category? Makes no sense. Can someone from Cisco please bring some clarity?

I believe that the main purpose of the mandatory and default rule sections is to create a hierarchy of access control policies.
In a multi-tenancy deployment with many FTD devices spread across multiple locations, it could make sense to create a base policy with mandatory rules that will be affecting all locations, say for example an "allow icmp any any" rule. Then all FTD devices can inherit that mandatory rule from the base policies. Then you can use another category that will only affect a specific FTD. At least that's how we use the different sections, and it gives some structure.