Firepower Access Control Rule Inspection

Dear Community,

I am wondering if there are any best practices when it comes to enabling the intrusion/file inspection on the Access Control Rules. Is it a good idea to enable the inspection on all rules or just certain ones? What are some guidelines/best practices I can follow to make sure I'm enabling the inspection on the right rules or rule types?

Thank you.


4 Replies

Marvin Rhoads (Hall of Fame)

Obviously it's not needed on rules with Deny action.

Also, if you have some rules specific to trusted flows (like site-site backup) then put them in prefilter and don't inspect at all.

Remember we can't do file inspection on encrypted traffic (without SSL decrypt anyway) so if you can separate that into its own rules then you don't need file inspection there.

Marvin,

Thank you for the insights. What about regular access control rules with the Allow action? Are there any recommendations for deciding whether or not to turn on the Intrusion Inspection for those rules? Also, what is the Prefilter policy? Does that run all traffic through inspection before it gets to the Access Control Rules decision tree?

Thank you.

Marvin Rhoads (Hall of Fame), accepted solution

For regular access control rules with the Allow action, I usually include the IPS policy.

Prefilter will fast path the traffic and avoid all of the Snort/Firepower rules as well as the classic LINA (ASA) ALGs (service-policy inspections that you may recall from ASAs).

[Image: FTD Order of Operations]
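The guidance in this thread (no inspection on deny rules, IPS on Allow rules, trusted flows fastpathed in Prefilter, no file policy on encrypted traffic without SSL decryption) can be turned into an audit over an exported rule set. The script below is an added example, not Cisco's code and not from the poster; the rule records are constructed sample data, and their field names (action, ipsPolicy, filePolicy, destinationPorts, sslDecrypt, trusted) are assumptions modeled loosely on what an FMC access-rule export contains, so adapt them to your own export format.

```python
"""Audit Firepower access control rules against the inspection guidance above.

Added example, not Cisco's code. Field names on the rule dicts are assumptions;
map them from your own FMC export before running this on real policy data.
"""

# Destination ports whose payload is normally TLS-encrypted; file inspection
# sees nothing there unless an SSL policy decrypts the flow first (assumed list).
ENCRYPTED_PORTS = {443, 465, 990, 993, 995}

# Constructed sample rules; "trusted" is a hypothetical annotation marking flows
# the operator considers fastpath candidates (for example site-to-site backup).
SAMPLE_RULES = [
    {"name": "Block-known-bad", "action": "BLOCK", "ipsPolicy": "Balanced",
     "filePolicy": None, "destinationPorts": [], "sslDecrypt": False},
    {"name": "Users-to-Internet", "action": "ALLOW", "ipsPolicy": None,
     "filePolicy": "Malware", "destinationPorts": [80, 443], "sslDecrypt": False},
    {"name": "Site-to-site-backup", "action": "ALLOW", "ipsPolicy": "Balanced",
     "filePolicy": "Malware", "destinationPorts": [873], "sslDecrypt": False,
     "trusted": True},
    {"name": "HTTPS-only-SaaS", "action": "ALLOW", "ipsPolicy": "Balanced",
     "filePolicy": "Malware", "destinationPorts": [443], "sslDecrypt": True},
]


def audit_rule(rule: dict) -> list[str]:
    """Return the list of findings for one rule (empty list means no issue)."""
    findings = []
    action = str(rule.get("action", "")).upper()
    ips = rule.get("ipsPolicy")
    files = rule.get("filePolicy")
    ports = set(rule.get("destinationPorts", []))

    if action in ("BLOCK", "DENY"):
        # Deny rules never hand traffic to Snort, so any attached policy is dead config.
        if ips or files:
            findings.append("inspection configured on a deny rule; it never runs")
    elif action == "ALLOW":
        if not ips:
            findings.append("Allow rule has no intrusion policy")
        if rule.get("trusted"):
            # Trusted flows belong in Prefilter with a fastpath action and no inspection.
            findings.append("trusted flow: candidate for Prefilter fastpath with no inspection")
        # A file policy on a rule whose ports are all encrypted does nothing without decryption.
        if files and ports and ports <= ENCRYPTED_PORTS and not rule.get("sslDecrypt"):
            findings.append("file policy on encrypted-only ports without SSL decryption; no effect")
    return findings


def audit_policy(rules: list[dict]) -> dict[str, list[str]]:
    """Map rule name -> findings, keeping only rules that have at least one."""
    return {r["name"]: f for r in rules if (f := audit_rule(r))}


if __name__ == "__main__":
    for name, findings in audit_policy(SAMPLE_RULES).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run against the sample data it flags the deny rule carrying an IPS policy, the Allow rule with no intrusion policy, and the backup flow as a Prefilter candidate, while the HTTPS rule with decryption enabled passes clean; the "trusted" marker is something you would have to supply yourself, since the export does not know which flows you consider trusted.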

Thank you Marvin. This was very helpful. 
