ASA FTD Migration Prefilter Policy or Access Control Policy

brettp (Level 1)

Hello,

I am having a hard time finding Cisco's recommended or best practice for this, so maybe someone can help!

We currently use an ASA with the Firepower service module. All traffic that is allowed on the ASA proceeds to be inspected by IPS. We will now be migrating to FTD.

I would like to migrate the objects/rules from the ASA to the new FTD with the Migration Tool. As I understand it, this tool places the ASA rules into a Prefilter Policy as opposed to an Access Control Policy. I don't fully understand why this is, beyond the fact that the ASA rule really is L3/L4 inspection only... but considering we pass all allowed traffic to the Firepower module for deeper inspection, we are inspecting all traffic up to L7 anyway. To me the Prefilter Policy is not the best way to go in this case. Am I correct in thinking that? I haven't looked at the migration tool yet, but is it possible to migrate the ASA rules to the Access Control Policy instead? To me, it seems a bit clunky to keep the ASA rules in the Prefilter Policy, then have no rules in the Access Control Policy, save for the default option of inspect. This is essentially "any any allow" for the ACP, which psychologically is a bit disconcerting.

Does anyone have any insight?

Thanks,

Chris


Marvin Rhoads (Hall of Fame), accepted solution:

You can choose to put all of your source ASA ACL entries into a destination Access Control Policy (vs. prefilter). That's what I do in almost every migration for just the reasons you mentioned.

Great, thank you for your insight!

jmeetze (Level 1)

I'm a little confused by what you mean with putting all of your source ASA entries into a destination ACP. We migrated our rules using the migration tool into an ACP and it just looks similar to our ASA rules. I'm sort of in the same boat, trying to ensure that all of my traffic gets inspected without having to actually enable inspection on each individual rule. We have over 400 rules, so that would be a management nightmare to have to individually enable based on traffic criteria.

You can multi-select all of your rules and edit common attributes in a single action, including the inspection policy. Or filter the desired ones (e.g. all rules with Action = permit) and do the same.

Thanks Marvin. That's a good idea for inspection. Do you have a recommendation for how best to handle rules to apply a File Policy to? I know I tried the bulk edit option before and got errors when trying to apply a File Policy to rules that contain certain protocols.

I apply file policies more selectively, choosing only ACP entries that include unencrypted ports/applications or those that allow "any".
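The two selection rules above (attach an intrusion policy to every permit/ALLOW rule; attach a file policy only where the rule allows "any" or an unencrypted port) can be applied without clicking through 400 migrated rules. The following is an added example, not code from the thread or from Cisco: it decides per rule what to attach and prepares the PUT bodies for the FMC REST API. The rule JSON shape (action, destinationPorts, ipsPolicy, filePolicy), the accessrules endpoint path and the X-auth-access-token header follow the FMC REST API as documented for recent releases and should be checked against the API Explorer on your own FMC; the sample rules, the placeholder host/IDs and the list of "unencrypted" ports are constructed for illustration and are assumptions, not data from the page.

```python
"""Plan bulk IPS/file-policy assignment for migrated FMC access-control rules.

Added example (not from the thread). Assumptions: FMC AccessRule JSON shape,
placeholder host/IDs, and a hypothetical list of unencrypted ports.
"""
import copy

# Assumed starting set of TCP ports treated as unencrypted file carriers;
# tune it for your environment.
UNENCRYPTED_TCP_PORTS = {"21", "25", "80", "110", "143", "445", "8080"}

# Constructed sample rules shaped like FMC AccessRule objects (not real data).
# A rule with no destinationPorts key is destination "any".
SAMPLE_RULES = [
    {"id": "r1", "name": "web-out", "action": "ALLOW",
     "destinationPorts": {"literals": [{"type": "PortLiteral", "protocol": "6", "port": "80"}]}},
    {"id": "r2", "name": "https-out", "action": "ALLOW",
     "destinationPorts": {"literals": [{"type": "PortLiteral", "protocol": "6", "port": "443"}]}},
    {"id": "r3", "name": "dns-out", "action": "ALLOW",
     "destinationPorts": {"literals": [{"type": "PortLiteral", "protocol": "17", "port": "53"}]}},
    {"id": "r4", "name": "mgmt-any", "action": "ALLOW"},
    {"id": "r5", "name": "deny-web", "action": "BLOCK",
     "destinationPorts": {"literals": [{"type": "PortLiteral", "protocol": "6", "port": "80"}]}},
    {"id": "r6", "name": "backup-trust", "action": "TRUST"},
]


def _dest_port_literals(rule):
    """Yield (protocol, port) for literal destination ports.

    Named port objects are skipped here; resolving them needs a second API call.
    """
    for lit in (rule.get("destinationPorts") or {}).get("literals", []):
        yield lit.get("protocol"), lit.get("port")


def needs_ips(rule):
    """Only ALLOW traffic reaches Snort; TRUST and BLOCK rules never get an IPS policy."""
    return rule.get("action") == "ALLOW"


def needs_file_policy(rule):
    """Marvin's criterion: ALLOW rules whose destination is 'any' or an unencrypted port."""
    if rule.get("action") != "ALLOW":
        return False
    if "destinationPorts" not in rule:
        return True
    return any(proto == "6" and port in UNENCRYPTED_TCP_PORTS
               for proto, port in _dest_port_literals(rule))


def apply_policies(rule, ips_ref=None, file_ref=None):
    """Return a PUT-ready copy of the rule with the given policy references attached.

    Read-only fields returned on GET (links, metadata) are dropped; FMC rejects them on PUT.
    """
    body = copy.deepcopy(rule)
    for read_only in ("links", "metadata"):
        body.pop(read_only, None)
    if ips_ref is not None:
        body["ipsPolicy"] = ips_ref
    if file_ref is not None:
        body["filePolicy"] = file_ref
    return body


def plan_updates(rules, ips_ref, file_ref):
    """IPS on every ALLOW rule; file policy only where needs_file_policy() says it can apply."""
    return [apply_policies(r, ips_ref, file_ref if needs_file_policy(r) else None)
            for r in rules if needs_ips(r)]


def push(plan, host, domain_id, policy_id, token):
    """Send one PUT per rule. Endpoint and header per FMC REST API docs (verify for your release)."""
    import requests  # only needed when actually talking to FMC
    base = (f"https://{host}/api/fmc_config/v1/domain/{domain_id}"
            f"/policy/accesspolicies/{policy_id}/accessrules")
    headers = {"X-auth-access-token": token, "Content-Type": "application/json"}
    for body in plan:
        resp = requests.put(f"{base}/{body['id']}", headers=headers, json=body)
        resp.raise_for_status()


if __name__ == "__main__":
    # Placeholder references; real IDs come from GET .../policy/intrusionpolicies and .../filepolicies
    ips = {"type": "IntrusionPolicy", "id": "IPS-UUID-PLACEHOLDER", "name": "Balanced Security and Connectivity"}
    fp = {"type": "FilePolicy", "id": "FILE-UUID-PLACEHOLDER", "name": "Block Malware"}
    for body in plan_updates(SAMPLE_RULES, ips, fp):
        print(f"{body['name']:14s} ips={'ipsPolicy' in body} file={'filePolicy' in body}")
    # push(plan, "fmc.example.net", "DOMAIN-UUID", "ACP-UUID", "TOKEN")  # dry run by default
```

Run it as-is for a dry run; it prints what would be attached to each rule without contacting FMC. Before calling push(), obtain a token from POST /api/fmc_platform/v1/auth/generatetoken and deploy from FMC afterwards, since API edits only change the saved policy. If FMC rejects an ipsPolicy update, include a variableSet reference alongside it, and extend needs_file_policy() to resolve named port objects if your migrated rules use them rather than literals.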
