05-08-2019 06:30 PM - edited 02-21-2020 09:07 AM
Hello all,
We have started implementing Firepower with FMC.
But for every allow rule, we have to create a reply incoming-traffic rule for the opposite direction. On the older ASA, if we create one rule, the reply for that session is automatically allowed.
But now on Firepower our number of rules is doubled.
Am I missing something, some configuration or proper way of doing things?
05-08-2019 09:50 PM
That should not be necessary.
Firepower Threat Defense Access Control Policy Rules are the same as ASA Access Control List entries in that respect - both are for a stateful firewall which keeps a connection table of allowed traffic and will automatically allow the return half of the connection or flow.
05-23-2019 08:55 PM
Hi Marvin,
We are using transparent inline mode and using security zones on the Outside and Inside interfaces, and return packets are blocked when reaching the other security zone. TCP restrict is not enabled. Is any specific configuration required, or do we need to create a TAC case for this?
05-25-2019 12:59 PM - edited 05-25-2019 01:16 PM
Hi,
For a transparent inline deployment, a return rule is required, as it is just inspecting (SNORT) the traffic which you are permitting to pass through the firewall with source & destination security zones.
Hope This Helps
Abheesh
05-27-2019 12:53 AM
Hi Abheesh,
Thanks for the answer. So, as with a traditional FW connection, it will check "Existing connection" and pass the L3/L4 rule but still would be blocked on SNORT's L7 rules? And is that SNORT rule the IPS? Because we enabled both File Policy (Malware) and IPS, so every connection would be checked on Firepower? Does this Prefilter Fast-Path rule also require new rules to bypass SNORT, or is it possible to align/tie it to the current rules?
05-27-2019 01:04 AM
Hi,
To bypass traffic for inspection (SNORT, AMP), you can create a pre-filter rule and set the action to fast-path. Pre-filter rules are the same as an ASA access list; there is no L7 inspection.
If the default action on the prefilter policy is Analyze, it will send all the traffic to Snort for further inspection.
Hope This Helps
Abheesh
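As an added illustration (not part of this thread, and not FTD/FMC code), the following Python model shows the two points made above: a stateful firewall keeps a connection table and finds the return half of a flow by its reversed 5-tuple, so no second rule for the opposite direction is needed; and a prefilter fast-path match exempts a new flow from access control and deep inspection, while the Analyze default sends it on to the access control policy and the inspection stage. Zone names, addresses, the rule fields and the stand-in inspection function are all constructed assumptions.

```python
"""Toy model: prefilter (fastpath/analyze) -> access control policy ->
deep inspection, with a stateful connection table.
Constructed example; not FTD/FMC configuration or code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any destination port
    action: str              # prefilter: "fastpath"/"analyze"; ACP: "allow"/"block"

    def matches(self, pkt: Packet) -> bool:
        return (self.src_zone == pkt.src_zone
                and self.dst_zone == pkt.dst_zone
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


def first_match(rules: List[Rule], pkt: Packet, default: str) -> str:
    """Ordered rule evaluation: first matching rule wins, else the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed stand-in for the inspection engine: it blocks one marker string.
BLOCKED_MARKER = b"BLOCKED-PATTERN"


def deep_inspect(pkt: Packet) -> bool:
    """Return True when the packet passes inspection."""
    return BLOCKED_MARKER not in pkt.payload


Key = Tuple[str, str, int, str, int]


class StatefulFirewall:
    def __init__(self, prefilter: List[Rule], acp: List[Rule],
                 prefilter_default: str = "analyze", acp_default: str = "block"):
        self.prefilter = prefilter
        self.acp = acp
        self.prefilter_default = prefilter_default
        self.acp_default = acp_default
        self.conns: Dict[Key, str] = {}  # 5-tuple -> "fastpath" | "inspect"

    @staticmethod
    def _key(pkt: Packet) -> Key:
        return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    @staticmethod
    def _reverse_key(pkt: Packet) -> Key:
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def process(self, pkt: Packet) -> str:
        # Existing connection: the return half matches the reversed 5-tuple,
        # so the rules are not consulted again for the opposite direction.
        mode = self.conns.get(self._key(pkt)) or self.conns.get(self._reverse_key(pkt))
        if mode is not None:
            if mode == "fastpath" or deep_inspect(pkt):
                return "allow:existing"
            return "block:inspection"

        # New connection: prefilter is evaluated first. Fast-path exempts the
        # flow from access control and inspection entirely.
        if first_match(self.prefilter, pkt, self.prefilter_default) == "fastpath":
            self.conns[self._key(pkt)] = "fastpath"
            return "allow:fastpath"

        # Analyze: access control policy, then deep inspection.
        if first_match(self.acp, pkt, self.acp_default) != "allow":
            return "block:acp"
        if not deep_inspect(pkt):
            return "block:inspection"
        self.conns[self._key(pkt)] = "inspect"
        return "allow:new"


def demo() -> List[str]:
    """Walk one HTTPS flow, one unsolicited inbound packet and one fast-pathed SSH flow."""
    fw = StatefulFirewall(prefilter=[Rule("inside", "outside", 22, "fastpath")],
                          acp=[Rule("inside", "outside", 443, "allow")])
    syn = Packet("inside", "outside", "10.0.0.5", 51000, "203.0.113.10", 443)
    syn_ack = Packet("outside", "inside", "203.0.113.10", 443, "10.0.0.5", 51000)
    unsolicited = Packet("outside", "inside", "203.0.113.10", 443, "10.0.0.5", 51001)
    ssh = Packet("inside", "outside", "10.0.0.5", 52000, "203.0.113.10", 22,
                 payload=BLOCKED_MARKER)  # fast-path: inspection is skipped
    return [fw.process(p) for p in (syn, syn_ack, unsolicited, ssh)]


if __name__ == "__main__":
    print(demo())  # ['allow:new', 'allow:existing', 'block:acp', 'allow:fastpath']
```

The unsolicited packet from the outside zone is blocked by the access control policy default because no connection entry exists for it, while the SYN/ACK of the established flow is allowed without any outside-to-inside rule. Note that in the model, packets on an analyzed flow keep going through deep inspection for the life of the connection, whereas a fast-pathed flow never does.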
05-27-2019 01:57 AM
Hi Abheesh,
Thanks, but we are looking for the possibility that return traffic can be bypassed, but it seems that is not possible.