11-15-2018 12:10 PM - edited 02-21-2020 08:28 AM
I have inherited an Edge ASA with SFR sourcefire and I am trying to make sense of the "redirect" ACL within the ACL.
I have a feeling its like WCCP was when that was the cool thing to do, where you actually "permit" what networks you want to redirect to the wccp endpoint. Is it the same for SFR redirect?
Also if I am tunneling my Anyconnect VPN traffic, how do I filter that traffic? Same method? redirect that subnet to SFR and build policy for it?
Solved! Go to Solution.
11-15-2018 04:10 PM
Hello Steven,
Let me answer all of your questions,
What is mandatory vs default?
These are 2 categories created, but they worked the same, now what they do is to organize your rules properly, for example:
Mandatory:
- Company policies: restrict the access to porn/sport/social media and so on.
Default:
- This is most likely where all of the rest rules are created, for example access from a VLAN to another VLAN and if you want to inspect that with IPS and also inspect files through file inspection with AMP.
What are the different actions, I mean get allow and and block, but I see some rules that are "trust" but they are the same networks for source and destination so what does that mean?
Allow is basically allowing the traffic in the rule to be inspected by IPS, normalization, AMP, NAS and so on.
Block this would just block the traffic inmediately with no further inspection and so on.
Trust this rule would bypass inspection of any sort and will just allow the traffic inmediately.
Why would there be a rule from the same source networks to the same destination networks, they shouldn't cross a firewall at all being the same layer 2 domain.
You are right, if you have devices within the same L2 domain it wont go the FW, unless you have 2 DCs and you have an extended VLAN, but in this scenario that wont work.
Keep me posted,
Please rate all helpful posts, and mark as correct if this answered your question,
Thanks,
David Castro,
11-15-2018 01:20 PM
Hi,
Traffic redirection to SFR via service policy only not through wccp.
Create an ACL for which traffic you need to filter via SFR module and map to the service policy. You can filter anyconnect traffic also via the redirection ACL. below link will help you for filter Anyconnect VPN traffic via SFR module
HTH
Abheesh
11-15-2018 03:34 PM
Hello Steven,
How I would recommend you to do it is to first off:
1. Make the SFR only monitor and logg traffic, so you can create on access policies rules for the different zones to only monitor and the IPS policy uncheck the "would drop" check, so It can also provide you with feedback if it would drop traffic for some reason.
2. Regarding the redirect, as stated before it is configured through MPF feature:
access-list redirect.....
class-map SFR-Redirect
match access-list redirect
policy-map SFR
class map SFR-redirect
And then you can apply it under the global service policy,
Now with regards the AnyConnect, you dont need to allow it to go there inmediately, on the ACL dont add it, and after you get the requirement make sure to add it, and the traffic will be inspected but of course add rules to make that happen as you stated before.
Keep us posted,
Please rate all helpful answers, and mark as correct the answer that answered this,
Thanks,
David Castro,
11-15-2018 03:51 PM
There are already policies in place and I am trying to wrap my head around them.
What is mandatory vs default?
What are the different actions, I mean get allow and and block, but I see some rules that are "trust" but they are the same networks for source and destination so what does that mean? Why would there be a rule from the same source networks to the same destination networks, they shouldn't cross a firewall at all being the same layer 2 domain.
11-15-2018 04:10 PM
Hello Steven,
Let me answer all of your questions,
What is mandatory vs default?
These are 2 categories created, but they worked the same, now what they do is to organize your rules properly, for example:
Mandatory:
- Company policies: restrict the access to porn/sport/social media and so on.
Default:
- This is most likely where all of the rest rules are created, for example access from a VLAN to another VLAN and if you want to inspect that with IPS and also inspect files through file inspection with AMP.
What are the different actions, I mean get allow and and block, but I see some rules that are "trust" but they are the same networks for source and destination so what does that mean?
Allow is basically allowing the traffic in the rule to be inspected by IPS, normalization, AMP, NAS and so on.
Block this would just block the traffic inmediately with no further inspection and so on.
Trust this rule would bypass inspection of any sort and will just allow the traffic inmediately.
Why would there be a rule from the same source networks to the same destination networks, they shouldn't cross a firewall at all being the same layer 2 domain.
You are right, if you have devices within the same L2 domain it wont go the FW, unless you have 2 DCs and you have an extended VLAN, but in this scenario that wont work.
Keep me posted,
Please rate all helpful posts, and mark as correct if this answered your question,
Thanks,
David Castro,
11-19-2018 07:53 AM
11-19-2018 08:06 AM
Hello Steven,
I hope you are doing great, thanks for marking the answer as answered.
Seems the last engineer set this up so the same source and destination networks were setup with a trust because the ASA was the gateway for those networks, but I am not sure you should group the networks together?
- If this a SFR module, not all traffic is mandatory to get into the SFR module, you can bypass that by adding denies at first lines of the ACL of the redirect, why I am telling this because when you set up an access control as trust there is not inspection at all, so it is unnecessary that the traffic get to the SFR module. Now the access control rules are the same as the ACLs, you allow or deny what you need to deny, if you are doing monitoring for all the zones then grouping is fine, but if you want only 2 hosts to talk to each other then do it individually per rule and not grouping them.
but I assume most default rules are a deny any any as a clean up rule.
At the end of the rule there is a drop down with some options whether a deny as a clean up rule or to pass the traffic through an IPS policy:
This example is blocking all of the traffic as a clean up rule.
Keep me posted Steven,
Please dont forget to rate all of the helpful posts!
Regards,
David Castro,
11-19-2018 08:23 AM
11-19-2018 08:35 AM
Hello Steven,
Your comment below:
There is the SFR redirect ACL that sits in the ASA OS, this is what tells the ASA to push that traffic to the SFR.
- Yes, The ACL has a permit action allowing the traffic to be redirected from the ASA to the SFR module, now if you want to bypass the SFR module you could add ACL entries at the beggining stating that traffic from network A to network B is denied and the other way around, this is stating that the traffic wont go through the SFR for further inspection.
access-list SFR extended line 1 deny ip obj-networkA obj-networkB
access-list SFR extended line 2 deny ip obj-networkB obj-networkA
Below I will explain why I am explaining the above information.
Then there is the SFR software itself that has its own ACLs which I will NOT see in the ASA CLI. So the engineer setup a rule in the SFR software that says NetworkA and NetworkB has access to NetworkA and NetworksB and the action is "trust"
The SFR has NGFW Rules which is referred as Access control policies, and the rule you explain above is grouped and it is fine. Now what is not fine for me is that is "trusting", this means that the traffic is not being inspected at all, and just bypassing inspection. Thats why I recommended the above, if you are not supposed to inspect the traffic from network A to Network B and viceberza, then proceed to bypass the traffic from the ASA with the denies, so you dont get your traffic going through the SFR module unnecesarily and provoking possible throughput issues in the future. Now it is not a requirement to trust the traffic and take advantage of the SFR module, then you would want to change the action from trust to allow and add IPS inspection to it.
Let me know if you have any other questions on this,
Thanks,
David Castro,
11-19-2018 10:37 AM
11-19-2018 10:43 AM
Hey Steven,
Exactly, this trust is most likely used with the FTD (Firepower Threat Defense) where this is the firewall and there is not ASA, so you can bypass the inspection for certain flows that you think that dont require. Monitor is fine for at least 15 days, set up a some reports so you can see the data and start creating some rules, to limit some traffic, and with IPS there are "Firepower recommendations" which it applies IPS policies with the devices that the FMC with the network discovery policy has discovered.
I hope this was helpful Steven, keep me posted man!
Please rate all helpful posts!
David Castro,
11-19-2018 10:50 AM
11-19-2018 10:54 AM
It actually works alike, it has some limitations, but many new features, and also with 6.3... coming with instances similar to contexts.
Hopefully the migration will be smooth.
11-19-2018 10:57 AM
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: