Firepower access control rule for TCP session

Hello all,

 

We have started implementing Firepower with FMC.

But for every allow rule, we have to create a reply rule for the incoming traffic in the opposite direction. On the older ASA, if we create one rule, the reply for that session is automatically allowed.

But now on Firepower our rule count is doubled.

Am I missing something, some configuration or the proper way of doing things?

6 Replies

Marvin Rhoads
Hall of Fame

That should not be necessary.

Firepower Threat Defense Access Control Policy Rules are the same as ASA Access Control List entries in that respect - both are for a stateful firewall which keeps a connection table of allowed traffic and will automatically allow the return half of the connection or flow.
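
An added example (not code from this thread or from Cisco) that models the point above as a small Python simulation: a stateful firewall records the 5-tuple of an allowed SYN in a connection table and passes both halves of the flow, so the single forward rule is enough, whereas a per-direction zone check with no connection table blocks the SYN/ACK unless a second reply rule exists (the "doubled" policy from the question). The zone names, addresses, rules and handshake packets are constructed for illustration, and the class is a model of the behaviour, not FTD's actual implementation.

```python
"""Added illustration (not Cisco code): why a stateful firewall needs only the
forward allow rule, while a per-direction zone check needs the reply rule too.
Zone names, addresses and the packets below are constructed for the example."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    flags: str = ""  # "S" SYN, "SA" SYN/ACK, "A" ACK


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str = "tcp"
    src_port: Optional[int] = None  # None matches any port
    dst_port: Optional[int] = None
    action: str = "allow"

    def matches(self, pkt: Packet) -> bool:
        return (self.src_zone == pkt.src_zone and self.dst_zone == pkt.dst_zone
                and self.proto == pkt.proto
                and self.src_port in (None, pkt.src_port)
                and self.dst_port in (None, pkt.dst_port))


def lookup(rules, pkt):
    """First-match rule lookup with an implicit block at the end of the list."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, "rule"
    return "block", "no-matching-rule"


class Firewall:
    """Hypothetical model: stateful=True keeps a connection table of allowed
    flows; stateful=False evaluates every packet against the rules alone."""

    def __init__(self, rules, stateful=True):
        self.rules = list(rules)
        self.stateful = stateful
        self.conns = set()  # 5-tuples as seen from the flow initiator

    @staticmethod
    def _fwd(pkt):
        return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    @staticmethod
    def _rev(pkt):
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def process(self, pkt):
        if self.stateful:
            # Either half of a known flow passes without a rule lookup.
            if self._fwd(pkt) in self.conns or self._rev(pkt) in self.conns:
                return "allow", "existing-connection"
            # TCP state is only built from a SYN; a stray non-SYN packet with
            # no connection is dropped even if a rule would otherwise allow it.
            if pkt.proto == "tcp" and pkt.flags != "S":
                return "block", "no-connection-non-syn"
        verdict = lookup(self.rules, pkt)
        if verdict[0] == "allow" and self.stateful:
            self.conns.add(self._fwd(pkt))
        return verdict


def simulate(rules, packets, stateful):
    fw = Firewall(rules, stateful)
    return [fw.process(p) for p in packets]


# Constructed sample: a client on the inside opens HTTPS to a server outside.
CLIENT, SERVER = "10.1.1.10", "203.0.113.5"
SYN = Packet("inside", "outside", CLIENT, 51000, SERVER, 443, flags="S")
SYN_ACK = Packet("outside", "inside", SERVER, 443, CLIENT, 51000, flags="SA")
ACK = Packet("inside", "outside", CLIENT, 51000, SERVER, 443, flags="A")
HANDSHAKE = [SYN, SYN_ACK, ACK]

ONE_RULE = [Rule("inside", "outside", dst_port=443)]
# The "doubled" policy from the question: an explicit reply rule.
TWO_RULES = ONE_RULE + [Rule("outside", "inside", src_port=443)]


def demo():
    return {
        "stateful_one_rule": simulate(ONE_RULE, HANDSHAKE, stateful=True),
        "stateless_one_rule": simulate(ONE_RULE, HANDSHAKE, stateful=False),
        "stateless_two_rules": simulate(TWO_RULES, HANDSHAKE, stateful=False),
        "stateful_stray_syn_ack": simulate(TWO_RULES, [SYN_ACK], stateful=True),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

With one forward rule the stateful model allows all three handshake packets, the second and third via the connection table; the stateless model blocks the SYN/ACK until the reply rule is added. The last case shows the flip side of statefulness: a SYN/ACK that arrives with no connection is dropped even though a reply rule matches it, which is why a reply rule on a stateful firewall is normally redundant rather than harmful.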

Hi Marvin,

  We are using transparent inline mode with security zones on the Outside and Inside interfaces, and return packets are blocked when they reach the other security zone. TCP restrict is not enabled. Is any specific configuration required, or do we need to create a TAC case for this?

Hi,
For a transparent inline deployment, a return rule is required, as it is just inspecting (Snort) the traffic which you are permitting to pass through the firewall with source and destination security zones.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200924-configuring-firepower-threat-defense-int.html

 

Hope This Helps
Abheesh

Hi Abheesh,

   Thanks for the answer. So, as with a traditional FW connection, it will check "Existing connection" and pass the L3/L4 rule but would still be blocked on Snort's L7 rules? And is that Snort rule IPS? Because we enabled both File Policy (Malware) and IPS, so every connection would be checked on Firepower? Does this Prefilter Fast-Path rule also require new rules to bypass Snort, or is it possible to align/tie it to the current rules?

 


Hi,

To bypass traffic for inspection (Snort, AMP) you can create a prefilter rule and set the action to Fastpath. Prefilter rules are the same as an ASA access list; there is no L7 inspection.

If the default action on the prefilter policy is Analyze, it will send all the traffic to Snort for further inspection.

 

Hope This Helps

Abheesh

Hi Abheesh,

  Thanks, but we are looking for the possibility of return traffic being bypassed, and it seems that is not possible.
