FortiGate like session tracking ACL

shengkangjin
Level 1

Hello All,

 

I've been using FortiGate as my firewall of choice and would now like to switch to Cisco ASA.

 

One thing I noticed on the FortiGate is that it does not have ACLs; instead, it has something called a Policy to filter IPv4/IPv6 packets.

 

Now, ACLs are straightforward in terms of packet filtering. You specify the condition and bind it to a certain direction of an interface; it works like a filter.

 

But when digging deeper into the difference between FortiGate Policy and Cisco ACLs (actually ACLs in general; I only see policies on FortiGate), there's a feature called session tracking which I found pretty useful.

 

In short, when applying an allow policy, not only does FortiGate allow the packet to pass from the source interface to the destination interface (you have to specify 2 interfaces), it also tracks the session so that the reply packet in the reverse direction is allowed as well.

 

In user-friendly terms, this is useful since I can simply put an allow policy from host A (connected to interface A) to host B (connected to interface B), so that host A can initiate network sessions such as SSH, ICMP, etc. while host B cannot do the same thing backwards.

 

Now that I'm trying to replace the FortiGate with a Cisco ASA, is there a similar feature that I can use to achieve the same effect?

 

Thank you

Accepted Solution

balaji.bandi
Hall of Fame
"In user-friendly terms, this is useful since I can simply put an allow policy from host A (connected to interface A) to host B (connected to interface B), so that host A can initiate network sessions such as SSH, ICMP, etc. while host B cannot do the same thing backwards."

If I understand correctly, the same thing works with ASA: it's a stateful firewall. When you enable stateful inspection, it automatically tracks the connection from inside to the destination and maintains a state table (not the other way around).


For reference (hope this is what you are looking for?):

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/inspect-overview.html

BB

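To make the accepted answer's point concrete, here is an added example (not from the thread or from Cisco) modelling a stateful firewall's connection table beside a stateless rule check; the interface names, addresses and ports are constructed.

```python
# Added example, not from the thread: a toy model of a stateful firewall, showing why
# one inside->outside allow rule admits replies while the outside host cannot initiate.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    in_iface: str      # interface the packet arrives on
    src: str
    dst: str
    proto: str         # "tcp" or "icmp"
    sport: int         # TCP source port (0 for ICMP)
    dport: int         # TCP destination port; for ICMP the type (8 request, 0 reply)
    syn: bool = False  # TCP: True only on the initial connection attempt

# Allow rules: (ingress interface, src, dst, proto, dport). First match wins. (constructed)
POLICY = [("inside", "10.1.1.10", "10.2.2.20", "tcp", 22),
          ("inside", "10.1.1.10", "10.2.2.20", "icmp", 8)]

class Firewall:
    def __init__(self, policy, stateful=True):
        self.policy, self.stateful = policy, stateful
        self.conns = set()  # state table: 5-tuples of permitted initiators

    def _initiator_of(self, p):
        """The 5-tuple this packet would be a reply to (None if it cannot be one)."""
        if p.proto == "icmp":
            return (p.dst, p.src, "icmp", 0, 8) if p.dport == 0 else None
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def check(self, p):
        # Stateful: a packet answering a tracked flow is accepted before any
        # rule is consulted, so no rule is needed on the return interface.
        if self.stateful and self._initiator_of(p) in self.conns:
            return "permit (state table)"
        if self.stateful and p.proto == "tcp" and not p.syn:
            return "deny (no state)"        # mid-stream TCP without a tracked flow
        for rule in self.policy:            # stateless ACL-style match
            if rule == (p.in_iface, p.src, p.dst, p.proto, p.dport):
                self.conns.add((p.src, p.dst, p.proto, p.sport, p.dport))
                return "permit (policy)"
        return "deny (no rule)"

def demo(stateful):
    fw = Firewall(POLICY, stateful)  # A opens SSH to B, B answers, B tries SSH to A
    a_syn = Packet("inside", "10.1.1.10", "10.2.2.20", "tcp", 40000, 22, syn=True)
    b_synack = Packet("outside", "10.2.2.20", "10.1.1.10", "tcp", 22, 40000)
    b_syn = Packet("outside", "10.2.2.20", "10.1.1.10", "tcp", 50000, 22, syn=True)
    return [fw.check(a_syn), fw.check(b_synack), fw.check(b_syn)]
```

With `stateful=False` the SYN-ACK from B is dropped for lack of an outside-interface rule, which is exactly the second rule a plain ACL would force you to write. On a real ASA, TCP and UDP return traffic is tracked this way by default, while ICMP echo replies are only matched statefully when ICMP inspection is enabled.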
