09-24-2023 03:50 AM
Hi to All,
I wonder if anyone can help me understand what the Network Discovery Only option at the bottom of the ACP is.
I understand that FTDs can do network discovery by going to another menu in the FMC, that is POLICIES --> Network Discovery, where you can choose which networks you want to have Discovery on, etc.
But I do not understand the reason for the existence of the drop-down list that is at the bottom of the ACP menu.
There are also some other choices in the same drop-down list, for example Access Control: Block all traffic or Access Control: Permit all traffic, which also do not make any sense to me, because one can simply put the corresponding ACLs in the ACP to do just what this drop-down list contains.
Any help understanding the usefulness of this drop-down list is greatly appreciated.
Thanks,
Ditter.
09-24-2023 08:02 AM
This is all about flexibility. You are right that a "typical" firewall has a "deny any any" at the end. But there are some use cases where this is not the best option. Here is an example:
The actual network consists of many VLANs on the L3 switch. This is fast, but you don't have any security between these VLANs. Now you want to segment the network with the help of a fast FTD device. You move the VLANs to the firewall and have to choose the right default action for your ACP. Now two of the options could come to mind:
09-25-2023 06:01 AM
Thanks for your reply,
So if someone chooses Access Control: Block all traffic, will it block everything regardless of any rules above, or are the rules you have set still valid and it will just be the default action in the end, like deny any any?
09-25-2023 06:08 AM
The default rule is always processed after all configured explicit rules. If traffic matches any of them, the firewall will take that rule's action. But if none of your rules match, then the action of the default rule is taken.
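To make the ordering described in the reply above concrete, here is a small simulation of first-match evaluation with a policy default action. It is an added example, not Cisco or FTD code: the rule names, VLAN subnets and flows are constructed, and the mapping of the two default-action names to "block" and "allow (discovery only)" is an assumption made for the illustration.

```python
"""First-match evaluation of an Access Control Policy (ACP) with a default
action, as a small simulation. Added example, not Cisco/FTD code; the rules
and flows below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed mapping of the FMC default-action names discussed in the thread to
# what happens to traffic that matches no explicit rule. "Network Discovery
# Only" is modelled as permitting the traffic (it is only inspected for discovery).
DEFAULT_ACTIONS = {
    "Access Control: Block All Traffic": "block",
    "Network Discovery Only": "allow (discovery only)",
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "block"
    src: str                        # source network in CIDR notation
    dst: str                        # destination network in CIDR notation
    dst_port: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True if every condition of the rule is satisfied by the flow."""
    if ipaddress.ip_address(flow.src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(flow.dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dst_port is None or rule.dst_port == flow.dst_port


def evaluate(rules: List[Rule], default_action: str, flow: Flow) -> Tuple[str, str]:
    """Walk the explicit rules top to bottom; the first match wins. Only when
    nothing matches does the policy's default action apply."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    return "default", DEFAULT_ACTIONS[default_action]


# Constructed example policy: two VLANs that were moved behind the firewall.
ACP_RULES = [
    Rule("users-to-web", "allow", "10.10.0.0/24", "10.20.0.0/24", 443),
    Rule("guests-blocked", "block", "10.30.0.0/24", "10.20.0.0/24"),
]

# Constructed flows to evaluate against the policy.
HTTPS_FROM_USERS = Flow("10.10.0.15", "10.20.0.8", 443)   # hits rule 1
SSH_FROM_USERS = Flow("10.10.0.15", "10.20.0.8", 22)      # matches nothing
HTTP_FROM_GUESTS = Flow("10.30.0.7", "10.20.0.8", 80)     # hits rule 2

if __name__ == "__main__":
    for default in DEFAULT_ACTIONS:
        print(f"--- default action: {default}")
        for flow in (HTTPS_FROM_USERS, SSH_FROM_USERS, HTTP_FROM_GUESTS):
            rule, action = evaluate(ACP_RULES, default, flow)
            print(f"{flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}: {action} (by {rule})")
```

Running it shows the point of the reply: the explicitly allowed HTTPS flow is permitted even when the default is Block All Traffic, and only the SSH flow, which no rule matches, changes outcome when the default action is switched.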
09-25-2023 11:02 AM
Thanks Karsten, one last thing: suppose that an administrator of the FTD hasn't created any discovery policy. If an FTD admin has not configured any discovery policies under Policies --> Network Discovery, and Access Control: Network Discovery Only is set under the ACP, it will do the job, but it will try to discover everything the FTD sees. Then the only way to get "personalized" discovery information for specific subnets, VLANs, etc. is to create this specific Network Discovery policy.
Am i correct?
Thanks,
Ditter
09-25-2023 12:51 PM
There is a default discovery policy that lets you get started, but you should configure it for your environment.