Dear Bharti,

I am talking about ASA with Firepower. I mean if I direct the traffic that I want to inspect to the Firepower, Do I still need to control that traffic using normal access rules in the ASA or I will have to use access control rules in the Firepower.

What will happen if I configure contradicting rules access rules in the ASA and Access Control Rules in Firepower.

Regards

Hi Tonyk,

actually both are working separately. you can edit both of them as you want. firepower traffic applies only to the traffic which selected using service policy and enabled firepower inspection. all other traffic using ASA firewall rules. 

regards,

*** Pls rate all useful responses ***
Good Luck

Tony

This is a very common question, so lets start from basics.

A Firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules, lets call them Access Lists.

So, using ACLs we can ONLY allow or deny traffic, and default action is implicit deny.

An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows at Application layer, it also can detect and prevent exploits.

ASA is a Firewall while Firepower is an IPS. How does ASA and Firepower work together?

Suppose in your network, you are allowing the following traffic

Inside Network 192.168.0.0/16 can talk to DMZ Network 172.16.0.0/16

Inside Network 192.168.0.0/16 can access Internet.

Generally speaking, what traffic would you inspect for malware, viruses etc, Inside to DMZ? No. You would want to inspect traffic coming from, or destined to Internet (outside).

Using a special access list on ASA (*1), a certain traffic (in this case, Inside to Outside) will be redirected to Firepower for inspection (remember, nothing to do with allowing or denying that traffic on the network)

So, what is Access Control Policy? Traffic from from Inside to Outside has reached Firepower for inspection, ACP kicks in.

While an Access Control List can only allow or deny traffic, Access Control Policy can

Rule 1 : Deny subnet 192.168.0.0/16 from accessing any SSH connection AND log it

Rule 2 : Allow Subnet 192.168.1.0/24 (*2) to access government URLs AND send it Malware inspection

Rule 3 : Interactively Block (*3) Subnet 192.168.1.0/24 (*2) from accessing Shopping URLs and sent for Malware inspection policy 1

Rule 4 : Deny Subnet 192.168.2.0/24 (*2) from accessing any FTP server and send traffic to Malware inspection policy 2

Rule 5 : Allow Outlook Traffic (192.168.4.0/24) (*2) and send it to 'File Policy' for inspection

File Policy could be : If Office files are detected, Block Upload. MP3 files, block. Exe files block AND send for inspection etc

Rule 6 : Default Action : Block, Network Discovery, Trust or IPS (MOSTLY, you would NEVER want to use "Block" as default action in an ACP )

**Important** While an ACL on a Firewall can only allow or deny traffic, ACP's actions are: Allow, Trust (No more inspection), Monitor (logging only), Block, Block with Reset (sent an RST packet), Interactive Block or Interactive Block with Reset

(*1) You can find it using sh run class-map sfr

(*2) These subnets can only be a part of subset that is being redirected to Firepower, in this case, 192.168.0.0/24, anything else you try, will never be inspected, because the traffic won't even come to FP.

(*3) Interactive Block works as 'Allow'. but gives a warning page before a site is allowed. Warning page "Hello, the website you are accessing is classified as "Shopping", connections to this site are monitored"

Hi  @InTheJuniverse

That was really helpful. 

Thanks a lot.

Regards