11-24-2017 11:25 AM - edited 02-21-2020 06:49 AM
Hello,
I have experience with Palo Alto L7 filtering and I am trying to mimic the behavior on the FTD, but it looks like it maybe doesn't work like that. In essence I want to only allow specific apps and deny everything else. The issue that I have on FTD is that there is a limit of 50 apps per rule, which leads me to the conclusion that, since there are over 3000 apps, this is not the way to do it. I can make rules by Categories and Groups, but then I can't fine-grain exactly what I want to allow. Now, since most of the web is on ports 80 and 443, where do services come into play? I am confused about how best to create rules based on services, applications and web categories. I didn't find the Cisco documentation of much use here, so maybe someone with first-hand experience can share what's the best practice to achieve what I want? I for sure want to deny everything at the end, since I don't want unknown stuff making connections from inside to outside if the app is not recognized by FTD. I don't like the idea of denying what I don't want and allowing everything else, since some computer could get infected by something and then it might send some sensitive data outside.
11-28-2017 06:31 PM
Hi,
If your rule base includes the required applications, you can use the default action rule to block. In this way any application that is not recognized will not hit your allowed-applications rule and will be blocked. You can change the default rule action to block, allow, or enable IPS inspection.
Vaibhav
One challenge with the "AND" approach of service ports and applications is having multiple applications in the rule tied to the service ports used by each application.
I have not tested the below scenario but looking forward to it.
Try to bind the multiple applications in a single rule on their standard service ports.
Rule 1 - Allow application HTTP, HTTPS, SSH & ports TCP-22, TCP-80 & TCP-443.
The firewall does allow this rule, but I am not sure whether it will automatically and correctly map the service ports to the applications, e.g. will it now only allow the HTTP application on TCP port 80 and no other ports, or the HTTP application on any of the service ports listed in Rule 1?
OR
Create rules as below for error-free control of applications with service ports.
Rule 1 - Allow application HTTP & service port TCP-80
Rule 2 - Allow application HTTPS & service port TCP-443
Rule 3 - Allow application SSH & service port TCP-22
Any guidance on the same would be great.
Vaibhav
12-04-2017 11:11 AM - edited 12-04-2017 11:13 AM
That was a bit hard on the poor little 5506.
The 5506 is documented by Cisco to give around 125Mbps with AVC and IPS, you are getting 150Mbps.
https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html
And it's stated somewhere by Cisco that you will have a 80% hit on traffic with SSL enabled.
So not that bad numbers anyway. ;)
br, Micke
08-30-2022 01:17 PM
I know this is an old topic, but I was wondering what the best-practice approach would be for a simple SMTP rule.
On an ASA there would be an interface inbound ACL that permits traffic from specific sources to specific destinations with a destination TCP port of 25. The global policy would include 'inspect esmtp' with either the default settings or a custom esmtp inspect policy attached.
With FTD I can apply the same logic, however there are 'SMTP' and 'SMTPS' applications that can be selected. Would the ideal policy include the source & destination addresses, the destination TCP port=25 AND the SMTP/SMTPS applications or is that not how to do it? Or should it just be an any any rule with the applications enabled?
Cheers
Andy