04-06-2022 08:05 AM
Hello,
I am having a hard time finding Cisco's recommended or best-practice for this and so, maybe someone can help!
We currently use an ASA with the Firepower service module. All traffic that is allowed on the ASA proceeds to be inspected by IPS. We will now be migrating to FTD.
I would like to migrate the objects / rules from the ASA to the new FTD with the Migration Tool. As I understand it, this tool places the ASA rules into a Prefilter Policy as opposed to an Access Control Policy. I don't fully understand why this is beyond the fact the ASA rule really is L3/4 inspection only... but considering we pass all allowed traffic to Firepower module for deeper inspection, we are inspecting all traffic up to L7 anyway. To me the Prefilter Policy is not the best way to go in this case. Am I correct in thinking that? I haven't looked at the migration tool yet, but it is possible to migrate the ASA rules to the Access Control Policy instead? To me, it seems a bit clunky to keep the ASA rules in the Prefilter Policy, then have no rules in the Access Control Policy, save for the default option of inspect. This is essentially "any any allow" for the ACP, which psychologically is a bit disconcerting.
Does anyone have any insight?
Thanks,
Chris
04-06-2022 08:47 AM
You can choose to put all of your source ASA ACL entries into a destination Access Control Policy (vs. prefilter). That's what I do in almost every migration for just the reasons you mentioned.
04-07-2022 09:00 AM
Great, thank you for your insight!
01-26-2023 05:25 AM
I'm a little confused by what you mean with putting all of your source ASA entries into a destination ACP. We migrated our rules using the migration tool into an ACP and it just looks similar to our ASA rules. I'm sort of in the same boat trying to ensure that all of my traffic gets inspected without having to actually enable inspection on each individual rule. We have over 400 rules so that would be a management nightmare to have to individually enable based on traffic criteria.
01-26-2023 05:28 AM
You can multi-select all of your rules and edit common attributes in a single action, including the inspection policy. Or filter the desired ones (e.g. all rules with Action = permit) and do the same.
01-26-2023 05:53 AM
Thanks Marvin. That's a good idea for inspection. Do you have a recommendation for how best to handle rules to apply File Policy to? I know I tried the bulk edit option before and got errors when trying to apply a File Policy to rules that contain certain protocols.
01-26-2023 09:00 AM
I apply file policies more selectively, choosing only ACP entries that include unencrypted ports/applications or those that allow "any".
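The two checks discussed in this thread (permit rules with no intrusion policy attached, and permit rules that allow "any" or an unencrypted service and so are file-policy candidates) can be audited before bulk editing. This is an added example, not from the thread or from Cisco; the rule dictionaries are a constructed, simplified shape, not the exact FMC API object, and the port list is an assumption you would adjust to your environment.

```python
"""Audit a migrated Access Control Policy rule set for inspection coverage.

Added example. Reports (1) permit rules with no intrusion policy, so their
traffic is not IPS-inspected, and (2) permit rules allowing "any" or an
unencrypted service that still lack a file policy.
"""

# Assumed set of unencrypted services a file policy would usefully cover.
UNENCRYPTED_PORTS = {"tcp/21", "tcp/25", "tcp/80", "tcp/110", "tcp/143", "tcp/445"}

# Constructed sample rules resembling a migrated ASA ACL (not real policy data).
SAMPLE_RULES = [
    {"name": "web-out",      "action": "ALLOW", "dst_ports": ["tcp/80", "tcp/443"], "ips_policy": None,       "file_policy": None},
    {"name": "dns-out",      "action": "ALLOW", "dst_ports": ["udp/53"],            "ips_policy": "Balanced", "file_policy": None},
    {"name": "smtp-relay",   "action": "ALLOW", "dst_ports": ["tcp/25"],            "ips_policy": "Balanced", "file_policy": None},
    {"name": "mgmt-any",     "action": "ALLOW", "dst_ports": ["any"],               "ips_policy": None,       "file_policy": None},
    {"name": "https-only",   "action": "ALLOW", "dst_ports": ["tcp/443"],           "ips_policy": "Balanced", "file_policy": None},
    {"name": "block-legacy", "action": "BLOCK", "dst_ports": ["tcp/23"],            "ips_policy": None,       "file_policy": None},
]


def rules_missing_ips(rules):
    """Names of permit rules with no intrusion policy attached."""
    return [r["name"] for r in rules if r["action"] == "ALLOW" and not r["ips_policy"]]


def file_policy_candidates(rules):
    """Names of permit rules that allow 'any' or an unencrypted port and have no file policy."""
    out = []
    for r in rules:
        if r["action"] != "ALLOW" or r["file_policy"]:
            continue
        ports = set(r["dst_ports"])
        if "any" in ports or ports & UNENCRYPTED_PORTS:
            out.append(r["name"])
    return out


if __name__ == "__main__":
    print("Permit rules with no IPS policy:", rules_missing_ips(SAMPLE_RULES))
    print("File policy candidates:", file_policy_candidates(SAMPLE_RULES))
```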