01-20-2016 11:24 AM - edited 03-10-2019 06:32 AM
What would the benefit be of blocking a destination port in the Firepower access control policy over an access control list on the ASA firewall? I think it would process faster if it's an ACL vs. something needing further processing in order to be blocked anyway.
01-20-2016 08:13 PM
The ASA can do IP/port blocking on a much larger scale.
I always do IP/port blocking in the ASA, and use Firepower to block things the ASA cannot block easily.
01-21-2016 06:57 PM
I think I would actually do the dual approach. To me, forcing everything to be processed by the module would be a little much unless you have way more processing power than is required. If you have a 5585 and a smaller user base it might not matter. To me it seems like a waste of processing power if you want the packet dropped anyway. Also, if you want intelligence into where traffic is going and you aren't sending logs to a SIEM, then you might want it sent to the module (geolocation, reputation, etc.).
01-20-2016 09:16 PM
In my mind it doesn't make sense to filter at both levels, since you can do all the filtering you need at the Sourcefire level. However, if you opt for fail-open mode, it may be advisable to do some basic filtering at the ASA level also, in order to limit access to internal resources.
Maybe there are other cases like that, but that's the only one I've seen so far.
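As an added illustration of the dual approach discussed in this thread (not configuration posted by any of the participants), here is an ASA 5500-X configuration in which the interface ACL drops selected destination ports on the ASA before the service policy hands the remaining traffic to the Firepower (SFR) module. The ACL name, interface name, class-map name and the ports 23 and 3389 are assumed placeholders.

```cisco
! Interface ACL on the ASA. Packets denied here are dropped before the
! service policy runs, so they never reach the SFR module and cost no
! module processing. Ports and names below are assumed examples.
access-list OUTSIDE_IN extended deny tcp any any eq 23
access-list OUTSIDE_IN extended deny tcp any any eq 3389
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside

! Everything the ACL permits is redirected to the Firepower module for
! the inspection the ASA cannot do easily (IPS, reputation, geolocation).
class-map SFR_TRAFFIC
 match any
policy-map global_policy
 class SFR_TRAFFIC
  ! fail-open: if the module is down, traffic passes UNINSPECTED.
  ! That is why the ASA-level ACL above still matters; use
  ! "sfr fail-close" instead if traffic must be dropped when the module fails.
  sfr fail-open
service-policy global_policy global
```

With fail-open, the interface ACL is the only filtering that survives a module failure, so keep the basic port and address blocks there rather than only in the Firepower access control policy.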