I do not believe you have that option; you need to make some of the requirements manually and test it.
Since it's the only feature available ASA to FTD.
If that does not add an inspection policy just like any other ACP (in aka ACL).
Here is the traffic flow (in case you did not come across it)
I believe the old tool which required using an intermediate FMC instance had the option to select a prefilter policy. The current FMT does not.
Generally we use prefilter for traffic which is either a. explicitly trusted or b. does not lend itself to IPS inspection (e.g. encrypted traffic flowing through the appliance that does not require even the basic Security Intelligence (SI) scrub). I tend to put only things in the first category in prefilter since the SI action adds value even if you aren't able to inspect the unencrypted traffic.
FYI 6.7 will allow us to copy (or cut and paste) rules from an ACP into a prefilter policy.
I have migrated the rules manually now. Have some more basic questions.
1. In ASA, lower security level traffic is automatically denied to higher security level and higher to lower is allowed. How can I replicate this after migrating to Firepower?
2. All my access policies are migrated with a source zone and without any destination zone. Is the destination zone necessary or optional? What happens to traffic without a destination zone?
3. Have we any dates for 6.7? There are many rules that can reside in the prefilter policy. If I set them as "trust" instead of allow, will it help?
4. How can I estimate whether there would be any performance issues with the number of rules I have configured? Running FTD 4115 in HA with 6.6. Five contexts were migrated from ASA with a total of approx. 3000 rules.