Firepower ACP Recommendations

dm2020
Level 1

Hi All,


I'm after a recommendation regarding ACP rules for a new firepower deployment


We have 2 datacentres, each with a separate internet connection that uses different IP addresses and has different inbound/outbound security policy requirements. The only access-list policy that we maintain between the two sites is a rule of public IP addresses that we need to block on all incoming and outgoing connections. At present, we have to manually update this list on all firewalls.


To translate this to a Firepower deployment with Access Control Policies, my thinking is that I have a separate ACP for each data centre, which covers the localised rules, and then a global policy which is applied to both sites where we maintain our central list of general rules such as the blocked public addresses. Does this sound like the correct approach?


thanks

1 Reply

Abheesh Kumar
VIP Alumni

Hi,


You would like to block a set of IPs in both datacenters with a single rule; that's what you are trying to do, and you can achieve this with a prefilter policy and the SI Blacklist.

Prefilter Policy

You can create a prefilter policy with the IPs you want to block and bind that prefilter to both ACPs. So a single change in the prefilter policy will block in both DCs.

Security Intelligence Blacklist

Security Intelligence uses reputation intelligence to quickly block connections to or from IP addresses, URLs, and domain names. This is called Security Intelligence blacklisting.

Security Intelligence is an early phase of access control, before the system performs more resource-intensive evaluation. Blacklisting improves performance by quickly excluding traffic that does not require inspection.


Add the IPs to the SI Blacklist to block the connections to and from those IPs.


HTH

Abheesh
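Both options in the reply above (a network object referenced by a prefilter rule, or a custom Security Intelligence list/feed) still depend on one shared text list being kept clean, because whatever goes into it is pushed to both datacentres at once. The script below is an added example, not from the original thread and not Cisco tooling: it reads the central list (one IP or CIDR per line, `#` comments, which is our own file convention), rejects entries that would block non-routable space or the datacentres' own public addresses, collapses duplicates and overlapping blocks, and writes one CIDR per line, which is the plain-text shape a custom SI feed is served in and which can also be pasted into a network object. `OWN_PUBLIC_RANGES`, the sample list and the script file name are constructed values; the 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32 ranges stand in for real public addresses.

```python
"""Tidy a shared block list before it feeds both datacentres' firewalls.

Added example, not from the original thread and not Cisco tooling. It
assumes the central list is a text file with one IP or CIDR per line and
'#' comments (our own convention), and that OWN_PUBLIC_RANGES holds the
public space of the two datacentres. Both are constructed values.
"""
import ipaddress
import sys

# Constructed: public ranges that belong to the two datacentres. A block
# entry overlapping these is a mistake, never something to push to SI.
OWN_PUBLIC_RANGES = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",   # DC1 (documentation range standing in for real space)
    "198.51.100.0/24",  # DC2
)]

# Ranges that never appear as public internet peers; an entry here is a
# sign of a copy-paste error and is rejected rather than silently shipped.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed sample of the hand-maintained list, with the mistakes such
# lists collect over time.
SAMPLE_LIST = """\
# central block list, maintained once for both DCs
192.0.2.10
192.0.2.10          # duplicate line
192.0.2.8/29        # already covers the host above
not-an-address
10.0.0.0/8          # private, would never be seen on the internet edge
203.0.113.5         # one of OUR public addresses
2001:db8::/32
"""


def parse_block_list(text):
    """Split the raw list into accepted networks and (entry, reason) rejects."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not entry:
            continue
        try:
            # Default strict=True: "192.0.2.10/29" is rejected instead of
            # being silently widened to 192.0.2.8/29, which would block more
            # than the author of the list intended.
            net = ipaddress.ip_network(entry)
        except ValueError:
            rejected.append((entry, "unparseable or host bits set"))
            continue
        # ip_network.overlaps() is False across address families, so mixing
        # v4 and v6 entries in these checks is safe.
        if any(net.overlaps(n) for n in NON_ROUTABLE):
            rejected.append((entry, "not a public range"))
            continue
        if any(net.overlaps(own) for own in OWN_PUBLIC_RANGES):
            rejected.append((entry, "overlaps our own public space"))
            continue
        accepted.append(net)
    return accepted, rejected


def collapse(networks):
    """Merge duplicates and overlapping blocks, per address family."""
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def build_feed(text):
    """Return (feed_text, rejected): one CIDR per line, ready to publish."""
    accepted, rejected = parse_block_list(text)
    feed = "".join(f"{net}\n" for net in collapse(accepted))
    return feed, rejected


if __name__ == "__main__":
    # Usage (assumed file names): python build_feed.py blocklist.txt > feed.txt
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LIST
    feed, rejected = build_feed(source)
    for entry, reason in rejected:
        print(f"rejected {entry!r}: {reason}", file=sys.stderr)
    sys.stdout.write(feed)
    # Refuse to publish at all if the list contained our own addresses:
    # a shorter feed is harmless, a feed that blocks us is an outage.
    sys.exit(2 if any(r == "overlaps our own public space" for _, r in rejected) else 0)
```

Run it from cron or CI and serve the output over HTTP as the custom SI feed URL, or load it into the network object the prefilter rule references; either way the validation runs once, before the entry reaches either datacentre. The non-zero exit on an own-address hit is deliberate, so an automated publish step stops instead of shipping the list.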
