cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2316
Views
0
Helpful
1
Replies

FortiGate like session tracking ACL

shengkangjin
Level 1
Level 1

Hello All,

 

I've been using FortiGate for my firewall choice and would recently like to switch to cisco ASA.

 

one thing that I noticed from the FortiGate, is that it does not have ACLs, instead, it has something called Policy to filter the IPv4/IPv6 packets.

 

Now, ACLs are straight forward in terms of packet filtering. You specify the condition, bind it towards a certain direction of an interface. it's works like a filter.

 

But when digging deeper into understanding the difference between Fortigate Policy and Cisco ACLs (actually ACLs in general, I only see policy on Fortigate). There's a feature called session tracking which I found pretty useful.

 

In short, when applying an allow policy, not only does Fortigate allow the packet to pass from the source interface to destination interface (you have to specify 2 interfaces), it also tracks the session so that the reply packet in reverse direction gets allowed as well.

 

In user friendly terms, this becomes useful since I can simply put an allow policy from host A (connected to interface A) to host B (connected to interface B), so that host A can initiate network session talks such as SSH, ICMP, etc while host B cannot do the samething backwards.

 

Now that I'm trying to replace the Fortigate with Cisco ASA, is there a similar feature of which I can utilize and achieve the same effect?

 

Thank you

 
 
 
 
 
 
1 Accepted Solution

Accepted Solutions

balaji.bandi
Hall of Fame
Hall of Fame
n user friendly terms, this becomes useful since I can simply put an allow policy from host A (connected to interface A) to host B (connected to interface B), so that host A can initiate network session talks such as SSH, ICMP, etc while host B cannot do the samething backwards.

if i understand correctly same thing works with ASA its stateful firewall,  when you enable stateful inspection  - it automatically tracks the connection from inside to destination and maintains a state table.(not other way around.)

 

for reference : (hope this what you looking ?)

 

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/inspect-overview.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

1 Reply 1

balaji.bandi
Hall of Fame
Hall of Fame
n user friendly terms, this becomes useful since I can simply put an allow policy from host A (connected to interface A) to host B (connected to interface B), so that host A can initiate network session talks such as SSH, ICMP, etc while host B cannot do the samething backwards.

if i understand correctly same thing works with ASA its stateful firewall,  when you enable stateful inspection  - it automatically tracks the connection from inside to destination and maintains a state table.(not other way around.)

 

for reference : (hope this what you looking ?)

 

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/inspect-overview.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help