Showing results for 
Search instead for 
Did you mean: 

Firepower Prefilter or Access Control Policy


I am converting ASA configuration to FTD. I have both 2100 and 4100 series platforms. My requirement is simple, converting all ACLs and NATs etc. I  do not have any upper layer inspection enabled on ASA IPS etc. The FTD is on Base license. I have three questions:


1. Is there any benefit of configuring the rules in Acces Control Policy versus the Prefilter policy since I have only base license?

2. What additional fetaure other than layer 3/4 port blocking I can get out of the base license?

3. Is there any additional consideration I should keep in mind for future in case if I get additional licences for IPS and Malware etc while doing this configuraiton to make it easy for future license enabling?




6 Replies 6


Any comment on this?

Marvin Rhoads
Hall of Fame Community Legend Hall of Fame Community Legend
Hall of Fame Community Legend

1. Not a whole lot security wise. Mostly some application visibility and reporting / analysis capabilities. So you can filter based on application as determined by inspection vs. just by 5-tuple. I prefer ACP unless I know I want to fastpath the flow and never analyze it any further.

2. See #1.

3. By putting your rules in as ACP entries it is easier to add the IPS, URL and/or File (Malware) policy elements later. 


I converted my ACL from ASA to FTD.  Just know that all rules imported from ASA will be put into the pre-filter policy. My best explanation is that pre-filter is more like traditional ASA policy where as Access Control Policy allows you to apply layer 7 inspection for file, applications, URL, etc. Just remember to add your implicit drop to the bottom of the pre-filter policy should you use one.


One other note is that should you have any traffic you do not wish to inspect, then you can use pre-filter rules with the fast path option or drop option. If you select Analyze in your pre-filter rule, then it will pass the packet onto the Access Control Policy for further inspection.

with new Cisco migration tool you can't migrate policy to the prefilter container, it has to be ACP.

you need to use FMC as a migration tool.

another issue, if you migrate them to ACP, you need to edit policies individually to apply IPS/IDS or AMP policies if you need to.

Also , logging should be enabled on all rules.


Unfortunately, the migration tool is not much helpful, you need to do bit of manual work as well.


I would recommend:


1- Migrate ASAs to Prefilter container

2-Select action as Analyze 

3-At ACP , configure a policy (permit any any) , enable logging and attach IPS/IDS and AMP policies



The new conversion tool only has option for Access Control Policy, so in order to do pre-filter I would either have to do it manual or use the older migration tool (both options are not attractive). It leaves me with only one option of Access Control Policy. 


Although I would have preferred to use the pre-filter and only Analyze the traffic that I needed to send for further treatment. 


On the other hand only ACP would give me User Control, Application Rules, SSL decryption, and Network discovery with the Base license. 


So I would go for Access Control Policy. Is it the right approach in this case?

Latest tool will convert ASA rules to prefilter rules. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers