Cisco FTD and FMC

Steven Williams
Level 4

As I begin to work more with the FTD/Sourcefire and FMC combination I really begin to miss the ability to tie rules to just an interface and not have to think about order of operation when placing rules. I have mandatory and default; I always put my corporate IPS and Malware rules in the default followed with a Permit Any, because my default action is block all. This is for an edge firewall. My issue is I have to be very careful in the order I put things, otherwise something can and will get blocked. How are others going about organizing their policies?

3 Replies

Abheesh Kumar
VIP Alumni
Hi,
If you are creating a rule with permit any then the block all rule will not come into picture. All your traffic will be hit with the permit any rule.

HTH
Abheesh

Sorry, I should have been more clear. My last line is a permit ip any to RFC1918, since my Edge firewall is connected to my MPLS. I'm more concerned about the rule order... I am used to rules for a certain interface, and those rules apply to those interfaces. So now I assume I need to start thinking and looking at "zones".

My general process for configuring Firepower rules is usually starting with Pre-filter. My last rule in Pre-filter is usually a deny all. On top of that, depending on the use case, it is either block, allow or trust. Allow is usually the rule that I want to add Application, IPS or File control to, while Trust is for traffic that I don't want to apply these additional policies to. The Default policy on the Access Policy is usually just an IPS-enabled rule, as the block should be taken care of in Pre-filter. This especially helps me when moving from ASA to Firepower world rules.
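As an added example (not from this thread and not Cisco's code), here is a small Python model of the first-match ordering the replies describe: Pre-filter rules first, then the Access Control rules top to bottom, then the default action. The `Rule` class, the zone names, the networks and the rule sets are all constructed for illustration, and the Pre-filter actions are simplified to the thread's own block/allow/trust vocabulary rather than the exact FMC action names. The `shadowed()` check flags rules that can never be hit because an earlier rule already covers everything they match, which is the "permit any placed before a block" situation raised above.

```python
# Added example: a first-match evaluator for a Pre-filter -> Access Control
# -> Default Action chain, with a shadowed-rule check. All zones, networks
# and rule names below are constructed sample data, not a real deployment.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    action: str                            # "block", "allow" or "trust"
    src_zones: frozenset = frozenset()     # empty set means "any zone"
    dst_zones: frozenset = frozenset()
    dst_nets: tuple = ()                   # empty tuple means "any destination"
    inspect: tuple = ()                    # e.g. ("ips", "file") on an allow rule

    def matches(self, src_zone, dst_zone, dst_ip):
        """True if this rule's criteria all match the flow (first-match semantics)."""
        if self.src_zones and src_zone not in self.src_zones:
            return False
        if self.dst_zones and dst_zone not in self.dst_zones:
            return False
        if self.dst_nets and not any(ip_address(dst_ip) in ip_network(n) for n in self.dst_nets):
            return False
        return True

    def covers(self, other):
        """True if every flow that matches `other` would already match `self`."""
        src_ok = not self.src_zones or (bool(other.src_zones) and other.src_zones <= self.src_zones)
        dst_ok = not self.dst_zones or (bool(other.dst_zones) and other.dst_zones <= self.dst_zones)
        nets_ok = not self.dst_nets or (
            bool(other.dst_nets)
            and all(any(ip_network(o).subnet_of(ip_network(s)) for s in self.dst_nets)
                    for o in other.dst_nets)
        )
        return src_ok and dst_ok and nets_ok


def evaluate(prefilter, acp, default_action, flow):
    """Walk the chain and return (stage, rule_name, action, inspections) for a flow.

    Pre-filter block/trust decide immediately; a Pre-filter allow hands the flow
    to the Access Control rules, which are walked top to bottom; nothing matching
    falls through to the policy default action. (Simplified model.)
    """
    src_zone, dst_zone, dst_ip = flow
    for rule in prefilter:
        if rule.matches(src_zone, dst_zone, dst_ip):
            if rule.action in ("block", "trust"):
                return ("prefilter", rule.name, rule.action, ())
            break  # "allow": continue into the Access Control policy
    for rule in acp:
        if rule.matches(src_zone, dst_zone, dst_ip):
            return ("acp", rule.name, rule.action, rule.inspect)
    return ("default", None, default_action, ())


def shadowed(rules):
    """Names of rules that can never match because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules) if any(e.covers(r) for e in rules[:i])]


# Constructed sample policy following the layout described in the replies.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
PREFILTER = [
    Rule("trust-backups", "trust", frozenset({"inside"}), frozenset({"mpls"}), ("10.50.0.0/16",)),
    Rule("allow-inside-to-mpls", "allow", frozenset({"inside"}), frozenset({"mpls"}), RFC1918),
    Rule("allow-outside-to-dmz", "allow", frozenset({"outside"}), frozenset({"dmz"}), ("192.0.2.0/24",)),
    Rule("deny-all", "block"),                       # last Pre-filter rule, as in the reply
]
ACP = [
    Rule("corp-ips-malware", "allow", frozenset({"inside"}), frozenset({"mpls"}), RFC1918, ("ips", "file")),
    Rule("permit-rfc1918", "allow", dst_nets=RFC1918),
]
# The ordering problem from the thread: a permit-any above a block rule.
BAD_ACP = [
    Rule("permit-any", "allow"),
    Rule("block-guest-to-mpls", "block", frozenset({"guest"}), frozenset({"mpls"})),
]

if __name__ == "__main__":
    for flow in [("inside", "mpls", "10.50.1.7"), ("inside", "mpls", "10.20.1.7"),
                 ("outside", "inside", "10.20.1.7")]:
        print(flow, "->", evaluate(PREFILTER, ACP, "block", flow))
    print("shadowed in ACP:", shadowed(ACP))
    print("shadowed in BAD_ACP:", shadowed(BAD_ACP))
```

Running `shadowed()` over a rule set before pushing a policy is a cheap way to catch the "block that never fires" case; the evaluator is deliberately a toy, so treat it as a way to reason about ordering, not as a substitute for checking the actual hit counts on the FMC.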
