I have an ASA 5515-x FTD 6.2.2 and FMC. I created an access control policy based on a parent policy. I trusted traffic to/from my mgmt PC in the parent policy and then added some rules to the child policy. I saved and deployed to my FTD device, but although FMC says the Parent Policy (which includes a child policy) is up-to-date on all targeted devices, when inspecting through the ASA FTD CLI I cannot see any child rules; there is just the Parent Policy listed in the running-configuration.
And here is the CLI output on the TFPD device:
access-list CSM_FW_ACL_ remark rule-id 9998: PREFILTER POLICY: Default Tunnel and Priority Policy
access-list CSM_FW_ACL_ remark rule-id 9998: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 9998
access-list CSM_FW_ACL_ advanced permit 41 any any rule-id 9998
access-list CSM_FW_ACL_ advanced permit gre any any rule-id 9998
access-list CSM_FW_ACL_ advanced permit udp any eq 3544 any range 1025 65535 rule-id 9998
access-list CSM_FW_ACL_ advanced permit udp any range 1025 65535 any eq 3544 rule-id 9998
access-list CSM_FW_ACL_ remark rule-id 268435460: ACCESS POLICY: TPARENT-POLICY - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435460: L7 RULE: Timaz-PC-Anywhere-Rule
access-list CSM_FW_ACL_ advanced permit ip object TIMAZ-PC any rule-id 268435460
access-list CSM_FW_ACL_ remark rule-id 268435459: ACCESS POLICY: TPARENT-POLICY - Default
access-list CSM_FW_ACL_ remark rule-id 268435459: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268435459 event-log flow-start
As a result, the rules inside the child policy don't run. Do I need to do something for the child policy to take effect?
I resolved the issue myself! I assigned the parent policy directly to the FTD device, thinking that it would contain the child policies too. But I was wrong; the opposite is true. The child policy, which inherits the parent policy too, should be assigned to the FTD device.
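A way to check a deployment like this from the device side, added here as an example that is not part of the original posts: the script parses the `CSM_FW_ACL_` remark lines in the format shown in the CLI output above, groups rule names under the policy label that shares their rule-id, and reports expected rule names that never reached the device. The rule name `Child-Web-Rule` is a hypothetical stand-in for a child-policy rule, since the thread does not name one.

```python
import re

# Remark lines copied from the CLI output in the question, plus one ACE line.
SAMPLE = """\
access-list CSM_FW_ACL_ remark rule-id 9998: PREFILTER POLICY: Default Tunnel and Priority Policy
access-list CSM_FW_ACL_ remark rule-id 9998: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 9998
access-list CSM_FW_ACL_ remark rule-id 268435460: ACCESS POLICY: TPARENT-POLICY - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435460: L7 RULE: Timaz-PC-Anywhere-Rule
access-list CSM_FW_ACL_ remark rule-id 268435459: ACCESS POLICY: TPARENT-POLICY - Default
access-list CSM_FW_ACL_ remark rule-id 268435459: L4 RULE: DEFAULT ACTION RULE
"""

REMARK = re.compile(r"^access-list\s+CSM_FW_ACL_\s+remark\s+rule-id\s+(\d+):\s*(.+)$")
POLICY = re.compile(r"^(?:ACCESS|PREFILTER) POLICY:\s*(.+)$")
RULE = re.compile(r"^(?:L\d+ )?RULE:\s*(.+)$")

def rules_by_policy(config_text):
    """Return {policy label: [rule names]} built from the remark lines."""
    policy_of = {}  # rule-id -> policy label taken from its POLICY remark
    result = {}
    for line in config_text.splitlines():
        m = REMARK.match(line.strip())
        if not m:
            continue  # ACE lines carry no policy or rule names
        rule_id, text = m.groups()
        p = POLICY.match(text)
        if p:
            policy_of[rule_id] = p.group(1).strip()
            result.setdefault(policy_of[rule_id], [])
            continue
        r = RULE.match(text)
        if r:
            label = policy_of.get(rule_id, "(no policy remark)")
            result.setdefault(label, []).append(r.group(1).strip())
    return result

def missing_rules(config_text, expected_rule_names):
    """Rule names expected on the device but absent from the remarks."""
    present = {n for names in rules_by_policy(config_text).values() for n in names}
    return [n for n in expected_rule_names if n not in present]

if __name__ == "__main__":
    for policy, names in rules_by_policy(SAMPLE).items():
        print(policy, "->", names)
    # "Child-Web-Rule" is a hypothetical child-policy rule name (assumption).
    print("missing:", missing_rules(SAMPLE, ["Timaz-PC-Anywhere-Rule", "Child-Web-Rule"]))
```

Run against the output in the question, only the parent policy's labels appear and the child rule is reported missing, which matches the symptom described.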