Adding rules to access control policy - Sourcefire/ASA

Hello,

Attached is a screenshot of a few rules I added in the access control policy of my sourcefire config. Please take a look to see if it makes sense as to where I placed and configured the rules. It's a basic setup: inside and outside zone interfaces, and a private network object.

I have rules that:

block geolocation (blocked countries) from any source to destination and from any destination to source.

allow zone inside to zone outside and source private network to any

allow zone outside to zone inside and destination private network from any

allow (default rule) all any

I also have these rules labeled under the Administrator Rules section and nothing under the "Standard" or "Root" section if that matters.

Thank you!

1 Accepted Solution (the accepted reply is repeated in its place in the thread below)

5 Replies

Marvin Rhoads (Hall of Fame)

Is this for an FTD device or a FirePOWER module on an ASA?

The geolocation rule should be two rules: 1) Block incoming from blocked countries to any. 2) Block outgoing from any to blocked countries. Otherwise traffic would have to be from a blocked country to another blocked country to match it.

It would seem very unusual to allow external traffic inbound for everything. We would normally expect an ACL to restrict the externally initiated traffic to accessing only a few specific servers and services.

It looks like you have no file (AMP) policy specified. Do you have the Malware license?
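To make the point about the geolocation rule concrete, here is an added example (not code from the thread, from Cisco, or from Firepower itself): a small Python model of first-match access-control evaluation in which every condition on one rule must be satisfied and an empty condition means "any". The zone names, the private network, the placeholder country codes "XX"/"YY" and the sample flows are all constructed assumptions.

```python
# Added example (not from the thread): a small model of how Firepower
# access-control rule conditions combine. Every condition set on one rule
# must match (logical AND); a condition left empty means "any". Zone names,
# networks, country codes and flows below are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    src_zone: str
    dst_zone: str
    src_country: str = ""   # "" = no geolocation data (e.g. a private address)
    dst_country: str = ""


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "block"
    src_zones: set = field(default_factory=set)
    dst_zones: set = field(default_factory=set)
    src_nets: list = field(default_factory=list)  # ip_network objects
    dst_nets: list = field(default_factory=list)
    src_geo: set = field(default_factory=set)     # country codes
    dst_geo: set = field(default_factory=set)


def _in_nets(ip, nets):
    return not nets or any(ip_address(ip) in n for n in nets)


def matches(rule, flow):
    """True only if every populated condition on the rule is satisfied."""
    return ((not rule.src_zones or flow.src_zone in rule.src_zones)
            and (not rule.dst_zones or flow.dst_zone in rule.dst_zones)
            and _in_nets(flow.src_ip, rule.src_nets)
            and _in_nets(flow.dst_ip, rule.dst_nets)
            and (not rule.src_geo or flow.src_country in rule.src_geo)
            and (not rule.dst_geo or flow.dst_country in rule.dst_geo))


def evaluate(rules, flow):
    """First-match evaluation, top to bottom; the policy default is allow."""
    for rule in rules:
        if matches(rule, flow):
            return rule.name, rule.action
    return "default", "allow"


PRIVATE = [ip_network("10.0.0.0/8")]     # constructed private network object
BLOCKED = {"XX", "YY"}                   # constructed placeholder country codes

# One rule carrying BOTH a source and a destination country condition.
ONE_GEO_RULE = [Rule("geo-block", "block", src_geo=BLOCKED, dst_geo=BLOCKED)]
# The two-rule form from the reply: block inbound from, and outbound to.
TWO_GEO_RULES = [Rule("geo-block-in", "block", src_geo=BLOCKED),
                 Rule("geo-block-out", "block", dst_geo=BLOCKED)]
ALLOW_RULES = [
    Rule("inside-to-outside", "allow", src_zones={"inside"},
         dst_zones={"outside"}, src_nets=PRIVATE),
    Rule("outside-to-inside", "allow", src_zones={"outside"},
         dst_zones={"inside"}, dst_nets=PRIVATE),
]


def policy_with(geo_rules):
    return list(geo_rules) + ALLOW_RULES


# Constructed sample flows (203.0.113.0/24 and 198.51.100.0/24 are doc ranges).
INBOUND_FROM_BLOCKED = Flow("203.0.113.7", "10.1.1.5", "outside", "inside",
                            src_country="XX")
OUTBOUND_TO_BLOCKED = Flow("10.1.1.5", "203.0.113.7", "inside", "outside",
                           dst_country="XX")
BLOCKED_TO_BLOCKED = Flow("203.0.113.7", "198.51.100.9", "outside", "outside",
                          src_country="XX", dst_country="YY")

if __name__ == "__main__":
    for label, geo in (("one combined geo rule", ONE_GEO_RULE),
                       ("two directional geo rules", TWO_GEO_RULES)):
        print(label)
        for flow in (INBOUND_FROM_BLOCKED, OUTBOUND_TO_BLOCKED, BLOCKED_TO_BLOCKED):
            print("  ", flow.src_ip, "->", flow.dst_ip,
                  evaluate(policy_with(geo), flow))
```

Running it shows the failure mode: with the single combined rule, a connection from a blocked country into the private network never matches the geo rule (its destination has no blocked country) and falls through to the "outside-to-inside" allow; only the blocked-to-blocked flow is stopped. With the two directional rules, both the inbound and the outbound flows are blocked before the allow rules are reached.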

This is for a FirePOWER module on the ASA. I thought allowing external traffic to internal would mean "inspect everything from external to internal" after the traffic goes through the firewall ACL? That's why I made the rule.

So, on the access control policy I would remove that rule and leave the one for "from internal to external"?

Just making sure it wasn't for FTD - in which case it would open up your firewall. For inspection purposes it's fine though.

Have you customized the $HOME_NET and $EXTERNAL_NET variables for your network discovery? That allows you to use any-any with more confidence and let FirePOWER use the intelligence embedded in the Snort rules to decide in which cases protection needs to be applied. 

$HOME_NET is my private networks and $EXTERNAL_NET is the default, which is any, which I left as is as I assume that would be "any" as in "outside."

It's recommended to make $EXTERNAL_NET be !$HOME_NET ("not home net") 
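The two replies above (use $HOME_NET/$EXTERNAL_NET so that any-any rules can lean on the Snort rule intelligence, and set $EXTERNAL_NET to !$HOME_NET) can be seen on concrete flows with this added example. It is not code from the thread, from Cisco, or from Snort: a minimal Python resolver for Snort-style `ipvar` definitions and rule headers, supporting only `any`, `!`, `$VAR`, CIDR blocks and bracketed lists, with ports limited to `any` or a single number. The HOME_NET value, the rule header with its placeholder sid, and the IP addresses are constructed assumptions.

```python
# Added example (not from the thread): a minimal resolver for Snort-style
# network variables so the effect of EXTERNAL_NET = any versus
# EXTERNAL_NET = !$HOME_NET can be seen on concrete flows. The rule header,
# variable values and IP addresses are constructed; only "any", "!", "$VAR",
# CIDR blocks and bracketed lists are supported, and ports may be "any" or
# a single number.
from ipaddress import ip_address, ip_network


def parse_ipvar(line, variables):
    """Store one 'ipvar NAME value' line in the variables dict."""
    _kw, name, value = line.split(None, 2)
    variables[name.strip()] = value.strip()


def addr_matches(ip, spec, variables):
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):                       # negation of the rest
        return not addr_matches(ip, spec[1:], variables)
    if spec.startswith("$"):                       # variable reference
        return addr_matches(ip, variables[spec[1:]], variables)
    if spec.startswith("[") and spec.endswith("]"):
        parts = [p.strip() for p in spec[1:-1].split(",") if p.strip()]
        positives = [p for p in parts if not p.startswith("!")]
        negatives = [p[1:] for p in parts if p.startswith("!")]
        # A list is the union of its positive entries minus its negated ones;
        # a list with only negated entries means "everything except".
        included = (not positives
                    or any(addr_matches(ip, p, variables) for p in positives))
        excluded = any(addr_matches(ip, n, variables) for n in negatives)
        return included and not excluded
    return ip_address(ip) in ip_network(spec, strict=False)


def port_matches(port, spec):
    return spec == "any" or int(spec) == port


def header_matches(rule, src_ip, src_port, dst_ip, dst_port, variables):
    """Evaluate the header part of a rule (the text before the first '(')."""
    _action, _proto, s_addr, s_port, direction, d_addr, d_port = \
        rule.split("(", 1)[0].split()[:7]

    def one_way(sa, sp, da, dp):
        return (addr_matches(src_ip, sa, variables) and port_matches(src_port, sp)
                and addr_matches(dst_ip, da, variables) and port_matches(dst_port, dp))

    if one_way(s_addr, s_port, d_addr, d_port):
        return True
    return direction == "<>" and one_way(d_addr, d_port, s_addr, s_port)


HOME = "ipvar HOME_NET [10.0.0.0/8,192.168.0.0/16]"          # constructed
VARS_DEFAULT = {}
parse_ipvar(HOME, VARS_DEFAULT)
parse_ipvar("ipvar EXTERNAL_NET any", VARS_DEFAULT)           # shipped default
VARS_TUNED = {}
parse_ipvar(HOME, VARS_TUNED)
parse_ipvar("ipvar EXTERNAL_NET !$HOME_NET", VARS_TUNED)      # the recommendation

# Constructed rule header in the shape of an "inbound attack" signature.
RULE = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed example"; sid:1000001;)'

INTERNET_TO_HOST = ("203.0.113.7", 51000, "10.1.1.5", 445)    # outside -> inside
HOST_TO_HOST = ("10.1.1.5", 51000, "10.2.2.9", 445)           # inside -> inside

if __name__ == "__main__":
    for name, variables in (("EXTERNAL_NET=any", VARS_DEFAULT),
                            ("EXTERNAL_NET=!$HOME_NET", VARS_TUNED)):
        for flow in (INTERNET_TO_HOST, HOST_TO_HOST):
            print(name, flow, header_matches(RULE, *flow, variables))
```

With the shipped default, an internal-to-internal connection to port 445 satisfies the same "$EXTERNAL_NET -> $HOME_NET" header as a connection from the internet, so inbound-attack signatures also fire on lateral traffic. With EXTERNAL_NET set to !$HOME_NET the header keeps its intended "from outside the protected networks" meaning, which is what lets an any-any access-control rule rely on the Snort rules to decide where protection applies.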