What is the difference between the Mandatory and Default rule sections in 6.x Firepower. I read this and it makes no sense to me. Thanks in advance!
I think of them this way:
Mandatory: Do this first. Work through these top down to enforce corporate security policy. Often contains specific elements that may be exceptions to the overall policy (for example, allow Marketing to access social media but restrict it for general users) as well.
Default: Do this last. May contain more general rules that apply to all traffic. This section is only used after evaluation of the mandatory rules (which have been evaluated in top down, first match ends the processing, order) found no matches.
If there is a match in 'mandatory' does the firewall stop going thru the list or does it move on to 'default'. Does it make sense to put Intrusion and Malware and File policies in 'mandatory' and access control (access-list) rules migrated over from ASA in 'default'?
The matching flow is as this.
Once a match is found search will stop unless the rule action is monitor then it will resume lookup.
When we migrate from ASA to FTD,do we need to import policies under mandatory or default field ?
Also, default clean-up rule ( deny ip any any ) at the bottom should be the part of default rule ? If so then what is the meaning of default action field ? I mean if there is any special use case for default action rule.
1- Import existing rules from ASA to FMC , for allowed traffic perform IPS lookup.
what if I set default action as Intrusion Prevention , then will it be doing inspection for all the traffic that has been allowed in specific access control rules as a part of mandatory or default rule ?
Probably late to the game, but for anyone who comes across this.
Those default rules are not blocking unless you put in a default rule, or use the access control block all traffic. However if you're going to put in a deny ip any any, just set it to access control block all traffic.
This means if traffic did not match a specific policy and it's set to intrusion detection, it will allow the traffic wherever it can go without matching the other rules.
Just getting into creating these policies now, we moved to URL filtering from just a base IPS/IDS license so now I am reworking policies.
So to confirm "Mandatory" are rules that are enforced first and should be used for override rules if needed. So in the mandatory section I could have a rule to Block facebook for network "Clients" and then a following rule that says Allow facebook for network "Marketing" I think the issue I have at the moment is I am not using User ID feature for the policy. I need to configure that to get more granular.
Then a default policy would be something like block all category that contains "Adult" since I want this no matter what the top policies say.
Then if rules are checked top to bottom inclusive of default category anyway what is the point of the mandatory category? makes no sense, can someone from Cisco please bring some clarity?