Firepower Network Analysis and Intrusion Prevention Policy Questions.

Dear Community,


I want to implement IPS on some ACP rules but had a few questions before doing so:


1) The documentation states the following regarding the Network Analysis Policy: "By default, the system-provided Balanced Security and Connectivity network analysis policy applies to all traffic handled by an access control policy." However, when I go to Policies -> Access Control -> Intrusion -> Network Analysis Policy I do not see any policies defined. I do see the system-provided base Network Analysis Policies when creating my own custom policy. Is that what this is referring to?


2) I am a little confused by what it means "applies to all traffic handled by an access control policy". Does this mean that all traffic is being inspected by the default Balanced Security and Connectivity network analysis policy even if Inspection is NOT enabled on the ACP rule? Or does the Network Analysis policy only get invoked if Inspection is enabled on the ACP rule?


3) Please let me know if I am understanding the inspection order of operations correctly: Default Intrusion Policy (First few packets allowed through to decide which ACP rule to match them against are inspected) -> ACP Rule (Permit or Deny) -> Intrusion Policy defined in the ACP Rule. 


Thanks so much for any feedback you can provide. 



Marvin Rhoads (Hall of Fame)

1. If you haven't created and assigned any custom NAP then the system will use the default one. You can see it in your ACP under the Advanced tab.

2-3. The NAP with associated IPS policy happens before hitting the ACP rule (referred to as "L7 ACL" in the diagram below).

Please see the following reference for order-of-operations:

[Diagram: FTD OOO (FTD order of operations)]

Thanks so much, Marvin. I am still a little confused; if you could help me clear up a few things I would be greatly appreciative.


1) Regarding the "Pre-proc" diamond above, is this referring to the "Default Network Analysis Policy" In the Advanced tab of the ACP?

2) Regarding the "Intrusion Policy (NAP)" diamond above, is this referring to the "Intrusion Policy used before Access Control rule is determined" In the Advanced tab of the ACP?

3) Regarding the "Intrusion Policy" diamond at the very end, is this referring to the Intrusion Policy defined in the "Inspection" setting of the ACP Rule?

4) Regarding the default NAP, does this mean that even if a custom NAP is not defined, that the system will always pre-process all traffic against the Balanced Security and Connectivity NAP before sending the traffic to the ACP for its permit/deny/monitor decision?


Thanks so much for your assistance.

Marvin Rhoads (Hall of Fame)

1-3: Yes.

4. Pretty much so. See the following guidance from Cisco:

Best Practices for Handling Packets That Pass Before Traffic Identification

  • The default action specified for an access control policy is NOT applied to these packets.

  • Instead, use the following guidelines to choose a value for the Intrusion Policy used before Access Control rule is determined setting in the Advanced settings of the access control policy.

    • You can choose a system-created or custom intrusion policy. For example, you can choose Balanced Security and Connectivity.

    • For performance reasons, unless you have good reason to do otherwise, this setting should match the default action set for your access control policy.

    • If your system does not perform intrusion inspection (for example, in a discovery-only deployment), select No Rules Active. The system will not inspect these initial packets, and they will be allowed to pass.

    • By default, this setting uses the default variable set. Ensure that this is suitable for your purposes.

    • The network analysis policy associated with the first matching network analysis rule preprocesses traffic for the policy you select. If there are no network analysis rules, or none match, the default network analysis policy is used.
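The sequence the replies above describe (NAP preprocessing on every packet, the "Intrusion Policy used before Access Control rule is determined" on the first few packets of a flow, then the matched rule's own action and inspection, with the ACP default action never applied to those early packets) can be made concrete with a small simulation. The following is an added example written for this page; it is a hypothetical model, not Cisco code and not the FMC API. The three-packet identification window, the policy and rule names, the "EXPLOIT" marker standing in for a signature, and the sample flows are all constructed for the demonstration, and alerting rules are assumed to be in drop state.

```python
"""Toy model of the Firepower/FTD policy order of operations (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Optional

# Assumption: the system needs a few packets before it can identify the app and pick a rule.
PACKETS_BEFORE_RULE_IS_KNOWN = 3


@dataclass(frozen=True)
class IntrusionPolicy:
    name: str
    signatures: frozenset = frozenset()  # constructed payload markers this policy alerts on

    def inspect(self, payload: str) -> Optional[str]:
        """Return an alert string if a signature is present, else None."""
        for sig in sorted(self.signatures):
            if sig in payload:
                return f"{self.name}: {sig}"
        return None


NO_RULES_ACTIVE = IntrusionPolicy("No Rules Active")  # no signatures: never alerts
BALANCED = IntrusionPolicy("Balanced Security and Connectivity", frozenset({"EXPLOIT"}))


@dataclass(frozen=True)
class AccessRule:
    name: str
    app: str                                  # application the rule matches once identified
    action: str                               # "allow", "trust" or "block"
    ips: Optional[IntrusionPolicy] = None     # the rule's Inspection setting


@dataclass(frozen=True)
class AccessControlPolicy:
    rules: tuple
    default_action: str
    default_ips: Optional[IntrusionPolicy]
    pre_rule_ips: IntrusionPolicy             # Advanced tab: IPS before the rule is determined
    nap: str = "Balanced Security and Connectivity"  # Advanced tab: default NAP


def process_flow(acp: AccessControlPolicy, app: str, payloads: list) -> list:
    """Return one record per packet showing which stage and policy handled it."""
    rule = next((r for r in acp.rules if r.app == app), None)
    records = []
    for index, payload in enumerate(payloads):
        rec = {"packet": index, "nap": acp.nap}  # NAP preprocesses every packet
        if index < PACKETS_BEFORE_RULE_IS_KNOWN:
            # Rule not yet determined: only the pre-rule IPS applies; the ACP
            # default action is NOT applied to these packets.
            alert = acp.pre_rule_ips.inspect(payload)
            rec.update(stage="pre-rule", ips=acp.pre_rule_ips.name, alert=alert,
                       verdict="drop" if alert else "pass")
        elif rule is None:
            alert = acp.default_ips.inspect(payload) if acp.default_ips else None
            rec.update(stage="default-action",
                       ips=acp.default_ips.name if acp.default_ips else None,
                       alert=alert, verdict="drop" if alert else acp.default_action)
        elif rule.action == "allow" and rule.ips:
            alert = rule.ips.inspect(payload)
            rec.update(stage=f"rule:{rule.name}", ips=rule.ips.name, alert=alert,
                       verdict="drop" if alert else "allow")
        else:
            # trust/block (or allow without an IPS policy): no intrusion inspection
            rec.update(stage=f"rule:{rule.name}", ips=None, alert=None, verdict=rule.action)
        records.append(rec)
    return records


# Constructed sample policy: trusted backup traffic, inspected web traffic, block the rest.
ACP = AccessControlPolicy(
    rules=(
        AccessRule("Trust-Backups", app="backup", action="trust"),
        AccessRule("Inspect-Web", app="http", action="allow", ips=BALANCED),
    ),
    default_action="block",
    default_ips=None,
    pre_rule_ips=BALANCED,
)
# Same policy with the pre-rule setting changed to "No Rules Active".
ACP_NO_PRE_RULE = AccessControlPolicy(ACP.rules, "block", None, NO_RULES_ACTIVE)

# Constructed 5-packet flow: the marker appears in packet 1 (early) and packet 4 (late).
BACKUP_FLOW = ["SYN", "EXPLOIT-early", "data", "data", "EXPLOIT-late"]

if __name__ == "__main__":
    for label, policy in (("pre-rule IPS = Balanced", ACP), ("pre-rule IPS = No Rules Active", ACP_NO_PRE_RULE)):
        print(label)
        for rec in process_flow(policy, "backup", BACKUP_FLOW):
            print("  ", rec)
```

Run as-is, the output shows the point of the Cisco guidance: with the pre-rule policy set to Balanced, packet 1 of the backup flow is dropped by the pre-rule IPS even though the flow will later match a trust rule that performs no inspection, while packet 4 (carrying the same marker) passes under the trust rule untouched. With "No Rules Active", packet 1 passes uninspected. A flow with no matching rule is passed for its first three packets and only then hits the block default action, which is why the guidance says to align the pre-rule setting with the default action.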

Marvin,


Thank you so much for the expert assistance! It really helps!
