cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

5437
Views
40
Helpful
2
Replies
Highlighted

Cisco FTD Prefilter Policies vs Access Control Policies ?

Hello,

I am trying to understand the difference between Pre Filter policy and Access control policy.

I have tried to understand through Cisco FMC guide, but not able to understand below points.

here are my questions:  

1. Why we use pre filter policy ?

2. pre filter vs access control policy ?

3. what is tunnel rule vs pre filter rule ?

4. why we use tunnel zone and what is tunnel rezoning and why its required? 

5. need explanations about Pre filter policy its actions are (analyze,block,fastpath), then in Default action: Analyze all tunnel traffic & Block all tunnel traffic ?

6. How pass through tunnel works with access control policy and encapsulation and inner and outer header?

Thanks

Shubham

2 REPLIES 2
Highlighted
VIP Advisor

1. Why we use pre filter policy ?

The main reason for using prefilter is to exclude traffic that does not require deep inspection thereby freeing up processing power that would otherwise be used on inspection.

2. pre filter vs access control policy ?

Prefilter is part of access control policy.  Infact it is the first phase of access control policy.  As mentioned earlier prefilter skips many of the more indepth inspections that occur in regular access control policy or even bypass inspection all together.

3. what is tunnel rule vs pre filter rule ?

Tunnel rule matches on a specific tunnel.  That is plain text packets that are encapsulated with an outer header.  I specify plain text because if the inner packet Prefilter rules match traffic that is not classified as tunneled (encapsulated).  Something to keep in mind is that tunneled rules are bidirection while prefilter rules are unidirectional.

4. why we use tunnel zone and what is tunnel rezoning and why its required? 

Tunnel zones are used to prefilter encapsulated packets.  That is, when a plain text encapsulated packet arrives inspection is done on the outer header.  Then you need to rezone the tunnel so the FTD device understands that encapsulated packets are part of the same connection.  This also gives you the option to perform custom inspections on the encapsulated connections.

5. need explanations about Pre filter policy its actions are (analyze,block,fastpath), then in Default action: Analyze all tunnel traffic & Block all tunnel traffic ?

Not entirely sure what you are looking for here.  It is fairly self explanitory with regard to the actions you can take.  But I will explane them anyway.

Analyze -  Analyze traffic with access control policy using the inner header of the encapsulated connection

Block - Block all encapsulated connections

Fastpath - No action is taken on the packet and it is just forwarded

6. How pass through tunnel works with access control policy and encapsulation and inner and outer header?

First, of course, the outer header is handled by prefilter.  At this stage you can block, fastpath, or analyze the encapsulated connection.

If you rezone the encapsulated connection (tunnel) the FTD will then  handle the inner header.

If the tunnel is encrypted then only the outer header is considered when it is being inspected as the FTD can not see into the encrypted packet.  That is unless the FTD is the termination point of the VPN, unecrypts and inspects the traffic, then re-encrypts and sends it.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
Highlighted

Thanks a lot for explaining....

I have one query about tunnel zone and tunnel rezoning. 

as per My understanding FTD has two rule under prefilter:

1. tunnel rule

2. Prefilter rule 

Tunnel rule: in this rule with only analyze action we add tunnel zone because we want to inspect inside sessions of tunnel. with further inspection through access control policy because we add prefilter policy in Access control.

when we assign tunnel zone, its only name and description.this name is VPN tunnel name or what? because we assign this tunnel zone in Access control policy as source zone.

tunnel rezoning means when first phase of access-control means prefilter identify outer header and plaintext passthrough tunnel. and we create tunnel zone and assign tunnel zone in tunnel rule that means tunnel rezoning. 

but I am still not getting why tunnel rezoning is required ?

as per the documentation "Tunnel zones allow you to tailor subsequent inspection to prefiltered,
encapsulated traffic.

whats the meaning of above sentence. ?

would be helpful if you provide Real world examples...

Thanks

Content for Community-Ad