Blocking via the firewall vs Blocking via Access control policy firesight and Firepower
01-20-2016 11:24 AM - edited 03-10-2019 06:32 AM
What would the benefit be of blocking a destination port in the Firepower access control policy over an access control list on the ASA firewall? I think it would process faster if it's an ACL vs something needing further processing in order to be blocked anyway.
Labels: IPS and IDS
01-20-2016 08:13 PM
The ASA can do IP/port blocking on a much larger scale.
I always do IP/port blocking in the ASA, and use Firepower to block things the ASA cannot block easily.
01-21-2016 06:57 PM
I think I would actually do the dual approach. To me, forcing everything to be processed by the module would be a little much unless you have way more processing power than is required. If you have a 5585 and a smaller user base it might not matter. To me it seems like a waste of processing power if you want the packet dropped anyway. Also, if you want intelligence into where traffic is going and you aren't sending logs to a SIEM, then you might want it sent to the module (geolocation, reputation, etc.).
01-20-2016 09:16 PM
In my mind it doesn't make sense to filter at both levels, since you can do all the filtering you need at the Sourcefire level; however, if you opt for fail-open mode it may be advisable to do some basic filtering at the ASA level as well, in order to limit access to internal resources.
Maybe there are other cases like that, but that's the only one I've seen so far.
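The "dual approach" discussed above, as an added configuration example that is not part of this thread or of any Cisco documentation: an interface ACL on the ASA drops the destination port up front, so those packets never consume module cycles, and the service policy that redirects the remaining traffic to the SFR module is set to fail-close so that a module outage does not silently open the path. The ACL name, interface name, class-map name and the ports chosen are assumptions made for illustration; the ASA evaluates the interface ACL before the service-policy redirect, which is why the ACL deny is the cheaper drop.

```cisco
! Assumed interface name "inside"; ACL name "INSIDE_IN" is hypothetical
! Bulk IP/port blocking stays on the ASA: these packets are dropped by the
! interface ACL before any redirect to the SFR module is considered
access-list INSIDE_IN extended deny tcp any any eq 23
access-list INSIDE_IN extended deny tcp any any eq 445
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Only traffic that survives the ACL is handed to Firepower for the
! inspection the ASA cannot do (application, reputation, geolocation)
class-map SFR_TRAFFIC
 match any
!
policy-map global_policy
 class SFR_TRAFFIC
  ! fail-close: if the module is down, matching traffic is dropped.
  ! If you choose "sfr fail-open" instead, the ASA forwards this traffic
  ! without inspection while the module is unavailable, which is the
  ! case where the basic ASA ACL above still limits exposure.
  sfr fail-close
!
service-policy global_policy global
```

With fail-open, the ASA ACL is the only control left in place during a module failure, so the minimum ACL should at least restrict reachability to internal resources; with fail-close, the ACL's main role is offloading the module rather than acting as a backstop.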
