11-11-2024 02:58 AM
Hey guys,
I'm new to this area and would like to ask a question about configuration conversion between ASA and Firepower 1120.
I used the migration tool to convert the configuration from an ASA 5516-X into FTD with FMC (Firepower 1120). There is an ACL in the ASA whose migration result in FTD confuses me.
ACL in ASA:
! Redirect ACL: flows permitted here are sent to the SFR (FirePOWER) module
access-list firepower extended permit ip any any
access-list firepower extended deny ip host X.X.X.X host X.X.X.X
! Class map that selects the redirect ACL
class-map firpower_class_map
 match access-list firepower
! Bound to the global service policy; fail-open passes traffic if the module is down
policy-map global_policy
 class firpower_class_map
  sfr fail-open
Before the migration, the server could only synchronize with this ACL in place. I didn't find a related policy in FMC after the migration. Does anyone know how to configure this in FMC? Thank you so much!
Neil
11-11-2024 03:03 AM - edited 11-11-2024 03:04 AM
(FPR) FTD doesn't have SFR; that is why the ACL and SFR config are missing.
MHM
11-11-2024 03:06 AM
Hi,
Thanks a lot! I still want to know the impact if this policy is missing in FTD. Do I need to configure it, and how? Looking forward to your reply.
Best Regards,
Neil
11-11-2024 03:32 AM
Don't worry about that rule. Traffic processing on the ASA with FirePOWER services is handled differently than on FTD. With ASA with FirePOWER services, we need to allow the ASA to forward the traffic for further inspection (application inspection) by the FirePOWER services. To do so, we have to select the traffic that should be further inspected; this is why you have that "firepower" access list and the "firpower_class_map" class map bound to the global policy map on the ASA. On FTD this is no longer needed, hence there is no need to migrate that config snippet. Please take a look at this link, which explains how the ASA with FirePOWER services deals with traffic inspection:
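Added by the editor as a worked example (not code from anyone in this thread, nor from Cisco): a small Python parser for the ASA MPF snippet in the original post that answers the question behind Aref's reply, namely which flows the "firepower" ACL actually hands to the SFR module and what happens when the module is down. It assumes RFC 5737 documentation addresses in place of the redacted X.X.X.X hosts. ASA access lists are evaluated first-match, so with "permit ip any any" as the first entry the "deny" line below it never matches and that host pair is redirected like everything else; the reordered copy in the block shows the order in which the deny would keep the pair out of the module.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample, added for this example: the ASA MPF snippet from the
# thread with the redacted X.X.X.X hosts replaced by RFC 5737 documentation
# addresses (an assumption, not the poster's real addresses).
ASA_CONFIG = """
access-list firepower extended permit ip any any
access-list firepower extended deny ip host 192.0.2.10 host 198.51.100.20
class-map firpower_class_map
 match access-list firepower
policy-map global_policy
 class firpower_class_map
  sfr fail-open
"""

# Same snippet with the two ACEs swapped so the deny is evaluated first,
# and fail-close instead of fail-open (constructed variant, not from the thread).
REORDERED_CONFIG = """
access-list firepower extended deny ip host 192.0.2.10 host 198.51.100.20
access-list firepower extended permit ip any any
class-map firpower_class_map
 match access-list firepower
policy-map global_policy
 class firpower_class_map
  sfr fail-close
"""


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one ASA address spec starting at tokens[i]: 'any', 'host A.B.C.D'
    or 'A.B.C.D M.M.M.M'. Returns (network, index of the next token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_sfr_redirect(config):
    """Walk the snippet and return (acls, name of the ACL bound to the 'sfr'
    action, fail_open flag). Only the constructs used in the thread are handled."""
    acls, class_acl = {}, {}
    redirect_acl, fail_open, current = None, None, None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[0] == "access-list" and tokens[2] == "extended":
            name, action, proto = tokens[1], tokens[3], tokens[4]
            src, i = _parse_addr(tokens, 5)
            dst, _ = _parse_addr(tokens, i)
            acls.setdefault(name, []).append(Ace(action, proto, src, dst))
        elif tokens[0] in ("class-map", "class"):
            current = tokens[1]   # class-map definition, or class inside a policy-map
        elif tokens[:2] == ["match", "access-list"]:
            class_acl[current] = tokens[2]
        elif tokens[0] == "sfr":
            redirect_acl = class_acl.get(current)
            fail_open = "fail-open" in tokens
    return acls, redirect_acl, fail_open


def _matches(ace, src, dst, proto):
    return (ace.proto in ("ip", proto)
            and ipaddress.ip_address(src) in ace.src
            and ipaddress.ip_address(dst) in ace.dst)


def redirected_to_sfr(config, src, dst, proto="tcp"):
    """True if the flow src->dst is handed to the SFR module. ASA ACLs are
    first-match: the first ACE that matches decides; a flow hitting a deny, or
    matching no ACE, stays on the ASA data path without FirePOWER inspection."""
    acls, acl_name, _ = parse_sfr_redirect(config)
    for ace in acls.get(acl_name, []):
        if _matches(ace, src, dst, proto):
            return ace.action == "permit"
    return False


def shadowed_aces(config):
    """Indices of ACEs in the redirect ACL that can never match because an
    earlier ACE already covers all of their source and destination space."""
    acls, acl_name, _ = parse_sfr_redirect(config)
    aces = acls.get(acl_name, [])
    return [i for i, ace in enumerate(aces)
            if any(e.proto in ("ip", ace.proto)
                   and ace.src.subnet_of(e.src)
                   and ace.dst.subnet_of(e.dst) for e in aces[:i])]


def fails_open(config):
    """True for 'sfr fail-open' (traffic passes if the module is down),
    False for 'sfr fail-close' (traffic is dropped while the module is down)."""
    return parse_sfr_redirect(config)[2]


if __name__ == "__main__":
    pair = ("192.0.2.10", "198.51.100.20")
    print("as posted, host pair redirected:", redirected_to_sfr(ASA_CONFIG, *pair))
    print("shadowed ACEs as posted:", shadowed_aces(ASA_CONFIG))
    print("reordered, host pair redirected:", redirected_to_sfr(REORDERED_CONFIG, *pair))
```

On FTD there is no separate module to redirect to: Snort sits in the same device's data path, and whether a flow is inspected is decided by the access control and prefilter policies rather than by an MPF redirect, which is why nothing in the migrated FMC policy corresponds to this snippet.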
11-11-2024 03:41 AM
Hi Aref,
Thank you so much for your reply! I will study the link more.
Best Regards,
Neil
11-11-2024 03:45 AM
You're very welcome, Neil.