cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
335
Views
1
Helpful
4
Replies

Adding an FTD to cdFMC (CDO) and prefilter policy questions

carl.townshend
Beginner
Beginner

Hi Guys

I have a couple of questions.

1.When adding an FMC to cdFMC (CDO), what are the minimum commands need to do on the firewall? how would I assign the IP to the firewall first?

2.The second question is around the prefilter, If I create a prefilter policy from say host A to host B and put fastpath, does this then not even touch the ACP?

What happens in the above if I click Analyze as an action, do I then have to create a duplicate of the rule in the ACP, i.e create an ACP rule with the same source and dest ?

Cheers

1 Accepted Solution

Accepted Solutions

urathod
Cisco Employee
Cisco Employee

Let me address each question:

 

1. Adding an FMC to CDO (CDO)

When adding a Firepower Management Center (FMC) to Cisco Defense Orchestrator (CDO), the minimum commands needed on the firewall may vary depending on your specific setup and requirements. However, here are some general steps:

  • Assigning IP to the Firewall:
    1. Connect to the firewall using the console or SSH.
    2. Access the command-line interface (CLI) and configure the management interface with an IP address.
    3. Ensure that the firewall has connectivity to the network where the CDO is located.

Here are the basic steps:

a. Connect to the firewall through the console port.

b. Login and enter enable mode (default username: cisco, password: cisco).

c. Use the "configure terminal" command to enter global configuration mode.

d. Then, use the "interface" command to select the interface you want to assign the IP to (for example: interface gigabitethernet0/0).

e. Use the "ip address" command to assign the IP address and subnet mask to the interface (for example: ip address 192.168.1.1 255.255.255.0).

f. Use the "no shutdown" command to enable the interface.

g. Exit the global configuration mode, and save the configuration.

h. Now, you can add the firewall to your FMC using the "configure manager add" command followed by the FMC's IP address and registration key.

These are basic steps, and you may need additional configurations based on your network environment and deployment.

2. Prefilter Policy and ACP (Access Control Policy)

  • Prefilter Policy:

    • When you create a prefilter policy from host A to host B and enable fastpath, the traffic matching this policy is processed using a fast path, bypassing the Access Control Policy (ACP). This means the firewall makes forwarding decisions based on the prefilter policy without inspecting the ACP.
  • Analyze Action:

    • If you choose to analyze the traffic in the prefilter policy, it means the firewall will evaluate the traffic based on the prefilter policy, but it won't take any enforcement actions. It helps you understand how the traffic matches the rules without impacting the actual traffic flow.
  • ACP Rule Duplication:

    • If you want to take action on the traffic in the Access Control Policy (ACP) based on the analysis in the prefilter policy, you may need to create a corresponding rule in the ACP. Duplicating the rule in the ACP ensures that the traffic is subject to the full inspection and enforcement capabilities defined in the ACP.

In summary, the prefilter policy with fastpath allows for faster processing of specific traffic, but if you want to enforce additional security policies, you may need to create corresponding rules in the ACP.

If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.

View solution in original post

4 Replies 4

urathod
Cisco Employee
Cisco Employee

Let me address each question:

 

1. Adding an FMC to CDO (CDO)

When adding a Firepower Management Center (FMC) to Cisco Defense Orchestrator (CDO), the minimum commands needed on the firewall may vary depending on your specific setup and requirements. However, here are some general steps:

  • Assigning IP to the Firewall:
    1. Connect to the firewall using the console or SSH.
    2. Access the command-line interface (CLI) and configure the management interface with an IP address.
    3. Ensure that the firewall has connectivity to the network where the CDO is located.

Here are the basic steps:

a. Connect to the firewall through the console port.

b. Login and enter enable mode (default username: cisco, password: cisco).

c. Use the "configure terminal" command to enter global configuration mode.

d. Then, use the "interface" command to select the interface you want to assign the IP to (for example: interface gigabitethernet0/0).

e. Use the "ip address" command to assign the IP address and subnet mask to the interface (for example: ip address 192.168.1.1 255.255.255.0).

f. Use the "no shutdown" command to enable the interface.

g. Exit the global configuration mode, and save the configuration.

h. Now, you can add the firewall to your FMC using the "configure manager add" command followed by the FMC's IP address and registration key.

These are basic steps, and you may need additional configurations based on your network environment and deployment.

2. Prefilter Policy and ACP (Access Control Policy)

  • Prefilter Policy:

    • When you create a prefilter policy from host A to host B and enable fastpath, the traffic matching this policy is processed using a fast path, bypassing the Access Control Policy (ACP). This means the firewall makes forwarding decisions based on the prefilter policy without inspecting the ACP.
  • Analyze Action:

    • If you choose to analyze the traffic in the prefilter policy, it means the firewall will evaluate the traffic based on the prefilter policy, but it won't take any enforcement actions. It helps you understand how the traffic matches the rules without impacting the actual traffic flow.
  • ACP Rule Duplication:

    • If you want to take action on the traffic in the Access Control Policy (ACP) based on the analysis in the prefilter policy, you may need to create a corresponding rule in the ACP. Duplicating the rule in the ACP ensures that the traffic is subject to the full inspection and enforcement capabilities defined in the ACP.

In summary, the prefilter policy with fastpath allows for faster processing of specific traffic, but if you want to enforce additional security policies, you may need to create corresponding rules in the ACP.

If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.

Hi Urathod

Just to clarify, if we make a policy in the prefilter that says analyze based on a subnet etc, we will then need to duplicate this rule in the ACP?

Cheers

There is typically no need to duplicate rules between the prefilter and Access Control Policy (ACP). The prefilter in Cisco FTD is an early stage in the packet processing pipeline, and its purpose is to quickly drop obviously unwanted traffic based on simple criteria. The ACP, on the other hand, provides more detailed and granular control over the traffic flow.

In Cisco FTD, the prefilter is applied before the ACP, and it helps in quickly discarding traffic that doesn't need to go through the more detailed inspection provided by the ACP. Prefilter rules are generally simpler and include criteria like source and destination IP addresses, as well as specific protocols.

When you define rules in the ACP, they are automatically considered after the prefilter analysis. If a packet does not match any prefilter rule or passes the prefilter rules, it then proceeds to the ACP for further evaluation.

Therefore, in most cases, there is no need to duplicate rules between the prefilter and ACP in FTD.

Hi, so if we denied traffic in the prefilter, are you saying there would just be an allow any any in the ACP then ?

Can you give me an example?

cheers

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: