Firepower Access Rule order of Operations and whitelists/blacklists

mark30fla
Level 1

All,

I am newish to FirePOWER. I am currently working on FMC version 5.4.1.5 and I am configuring Access Rules.

It is my understanding that the rules are applied from the top down with the first exact match being applied. Hence the reason why you would apply allow rules to allow various source and destination IP addresses and even URLs, with more restrictive blocking rules at the bottom.

My question is if you can use the allow rule on the access control policy to filter benign traffic out. What is the purpose of whitelisting or blacklisting?

Where are whitelists, blacklists and security applied in the order of operations?

Are the whitelisting/blacklisting and security intelligence applied at the end after IPS rule?

Thanks and have a great day :)

Mark 

3 Replies

Claudiu Cismaru
Cisco Employee

The IPS is the last in the chain.

In a nutshell (depending on the platform), the order is:

- Fast Path in internal switch (8000 series)

- Fast Path (Trust) in network card (series 3 devices) / in hardware or in ASA (pre-redirect on Elektra).

- Security Intelligence/Whitelist/Blacklist

- Preprocessors (Security Intelligence/software firewall is a preprocessor anyway) and other stuff

- IPS

Hi ccismaru

What about FTD devices? 

Is the Lina core handling the Prefilter - Fast Path rules, and Snort handling Access Control - Trust rules?

Farhan Mohamed
Cisco Employee

1) Please find your first answer in:

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/AC-Secint-Blacklisting.html

2) Order is:

- Fast Path in internal switch (8000 series)

- Fast Path (Trust) in network card (series 3 devices) / in hardware or in ASA (pre-redirect on Elektra).

- Security Intelligence/Whitelist/Blacklist

- Preprocessors (Security Intelligence/software firewall is a preprocessor anyway) and other stuff

- IPS

3) Yes.

Security Intelligence is a first line of defense against malicious Internet content. This feature allows you to immediately blacklist (block) connections based on the latest reputation intelligence. To ensure continual access to vital resources, you can override blacklists with custom whitelists. This traffic filtering takes place before any other policy-based inspection, analysis, or traffic handling, including rules and the default action. For more information, see Blacklisting Using Security Intelligence IP Address Reputation.
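The processing order described in the replies, modelled as an added example (this is not Cisco code and not from the thread): Security Intelligence runs first, with a whitelist entry overriding a blacklist entry, then access control rules are tried top down with the first match deciding, then the default action, and only flows that were allowed go on to IPS. All addresses, rule names and the `Connection`/`AccessRule` structures are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Connection:
    src: str
    dst: str
    dport: int


@dataclass
class AccessRule:
    name: str
    action: str                 # "allow", "trust" or "block"
    src_nets: tuple
    dst_nets: tuple
    dports: Optional[frozenset] = None   # None matches any destination port


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def evaluate(conn, si_blacklist, si_whitelist, rules, default_action="block"):
    # Returns (stage, verdict, rule_name) for the first stage that decides the flow.
    # Stage 1: Security Intelligence runs before any rule or the default action;
    # a whitelist entry overrides a blacklist entry covering the same address.
    for ip in (conn.src, conn.dst):
        if _in_any(ip, si_blacklist) and not _in_any(ip, si_whitelist):
            return ("security-intelligence", "block", None)
    # Stage 2: access control rules, top down, first exact match wins.
    for rule in rules:
        if (_in_any(conn.src, rule.src_nets) and _in_any(conn.dst, rule.dst_nets)
                and (rule.dports is None or conn.dport in rule.dports)):
            if rule.action == "trust":
                return ("access-control", "trust", rule.name)   # fast path, skips IPS
            if rule.action == "block":
                return ("access-control", "block", rule.name)
            return ("ips", "inspect", rule.name)   # allowed flows reach IPS, last in chain
    # Stage 3: the default action applies when no rule matched.
    return ("default-action", default_action, None)


# Constructed sample policy using documentation address ranges (hypothetical).
SI_BLACKLIST = ("203.0.113.0/24",)
SI_WHITELIST = ("203.0.113.10/32",)   # vital resource carved out of the blacklist
RULES = (
    AccessRule("allow-web", "allow", ("10.0.0.0/8",), ("0.0.0.0/0",), frozenset({80, 443})),
    AccessRule("block-rest", "block", ("10.0.0.0/8",), ("0.0.0.0/0",)),
)
```

Calling `evaluate(Connection("10.1.1.5", "203.0.113.50", 443), SI_BLACKLIST, SI_WHITELIST, RULES)` returns a Security Intelligence block even though the `allow-web` rule would have matched, which is the point the reply makes.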
