05-04-2017 06:24 AM - edited 03-12-2019 02:19 AM
What is the difference between the Mandatory and Default rule sections in 6.x Firepower? I read this and it makes no sense to me. Thanks in advance!
05-04-2017 07:34 AM
I think of them this way:
Mandatory: Do this first. Work through these top down to enforce corporate security policy. Often contains specific elements that may be exceptions to the overall policy (for example, allow Marketing to access social media but restrict it for general users) as well.
Default: Do this last. May contain more general rules that apply to all traffic. This section is only used after evaluation of the mandatory rules (which are evaluated top down, with the first match ending the processing) found no matches.
05-04-2017 07:52 AM
If there is a match in 'mandatory', does the firewall stop going through the list or does it move on to 'default'? Does it make sense to put Intrusion, Malware and File policies in 'mandatory' and access control (access-list) rules migrated over from ASA in 'default'?
05-04-2017 09:15 AM
The matching flow is as follows.
Once a match is found, the search will stop unless the rule action is Monitor, in which case it will resume the lookup.
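An added example (not from any poster in this thread) that models the evaluation order described above: Mandatory rules top down, then Default rules, then the policy's default action, with a Monitor match recorded but not ending the lookup. Rule names, zones, networks and applications are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of a Firepower access control policy. Mandatory rules are
# evaluated top down, then Default rules, then the default action. A Monitor
# match is recorded and the search continues; any other match ends it.

@dataclass
class Rule:
    name: str
    action: str                      # "Allow", "Block", "Trust" or "Monitor"
    src_zone: Optional[str] = None   # None means "any"
    dst_app: Optional[str] = None
    src_net: Optional[str] = None

    def matches(self, flow: dict) -> bool:
        criteria = (("src_zone", self.src_zone), ("dst_app", self.dst_app),
                    ("src_net", self.src_net))
        return all(v is None or flow.get(k) == v for k, v in criteria)

@dataclass
class AccessControlPolicy:
    mandatory: list
    default: list
    default_action: str = "Block All Traffic"

    def evaluate(self, flow: dict):
        """Return (verdict, matched rule name, list of Monitor rules hit)."""
        monitor_hits = []
        for section in (self.mandatory, self.default):   # Mandatory first
            for rule in section:
                if not rule.matches(flow):
                    continue
                if rule.action == "Monitor":
                    monitor_hits.append(rule.name)       # logged, keep searching
                    continue
                return rule.action, rule.name, monitor_hits
        return self.default_action, "default action", monitor_hits

# Constructed policy mirroring the thread's examples: a per-network Facebook
# exception in Mandatory and a blanket "deny from outside" in Default.
POLICY = AccessControlPolicy(
    mandatory=[
        Rule("Watch inbound", "Monitor", src_zone="outside"),
        Rule("Marketing Facebook", "Allow", src_net="Marketing", dst_app="Facebook"),
        Rule("Clients Facebook", "Block", src_net="Clients", dst_app="Facebook"),
    ],
    default=[Rule("Deny outside", "Block", src_zone="outside")],
)

if __name__ == "__main__":
    print(POLICY.evaluate({"src_zone": "outside", "src_net": "Marketing", "dst_app": "Facebook"}))
```

The Marketing flow from the outside zone is allowed by the Mandatory rule even though a Default rule blocks everything from that zone, because Default rules are only consulted when no Mandatory rule (other than Monitor) matched.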
08-17-2017 01:20 AM
Hi Guys,
When we migrate from ASA to FTD, do we need to import policies under the mandatory or the default field?
Also, should the default clean-up rule (deny ip any any) at the bottom be part of the default rules? If so, then what is the meaning of the default action field? I mean, is there any special use case for the default action rule?
Requirements:
1- Import existing rules from ASA to FMC; for allowed traffic perform IPS lookup.
What if I set the default action as Intrusion Prevention? Will it then be doing inspection for all the traffic that has been allowed in specific access control rules as part of the mandatory or default rules?
03-26-2018 02:32 PM
Probably late to the game, but for anyone who comes across this.
Those default rules are not blocking unless you put in a default rule, or use the access control "block all traffic". However, if you're going to put in a deny ip any any, just set it to access control "block all traffic".
This means if traffic did not match a specific policy and it's set to intrusion detection, it will allow the traffic wherever it can go without matching the other rules.
11-12-2018 10:43 AM
Just getting into creating these policies now, we moved to URL filtering from just a base IPS/IDS license so now I am reworking policies.
So to confirm, "Mandatory" are rules that are enforced first and should be used for override rules if needed. So in the mandatory section I could have a rule to Block facebook for network "Clients" and then a following rule that says Allow facebook for network "Marketing". I think the issue I have at the moment is that I am not using the User ID feature for the policy. I need to configure that to get more granular.
Then a default policy would be something like block all category that contains "Adult" since I want this no matter what the top policies say.
01-04-2019 12:25 AM
I'm completely lost :D
02-07-2019 11:47 PM
Guys, I think Default rules override mandatory rules!
I set a deny all from outside zone and the FTD neglected all the rules above in Mandatory section.
05-31-2019 02:09 PM
Then if rules are checked top to bottom inclusive of the default category anyway, what is the point of the mandatory category? Makes no sense; can someone from Cisco please bring some clarity?