04-04-2019 02:55 AM - edited 02-21-2020 09:00 AM
I am converting ASA configuration to FTD. I have both 2100 and 4100 series platforms. My requirement is simple, converting all ACLs and NATs etc. I do not have any upper layer inspection enabled on ASA IPS etc. The FTD is on Base license. I have three questions:
1. Is there any benefit of configuring the rules in Access Control Policy versus the Prefilter policy since I have only base license?
2. What additional feature other than layer 3/4 port blocking can I get out of the base license?
3. Is there any additional consideration I should keep in mind for the future in case I get additional licenses for IPS and Malware etc. while doing this configuration, to make it easy for future license enabling?
Thanks,
04-08-2019 06:46 AM
Any comment on this?
04-08-2019 07:53 AM
1. Not a whole lot security-wise. Mostly some application visibility and reporting / analysis capabilities. So you can filter based on application as determined by inspection vs. just by 5-tuple. I prefer ACP unless I know I want to fastpath the flow and never analyze it any further.
2. See #1.
3. By putting your rules in as ACP entries it is easier to add the IPS, URL and/or File (Malware) policy elements later.
04-09-2019 05:42 AM
I converted my ACL from ASA to FTD. Just know that all rules imported from ASA will be put into the pre-filter policy. My best explanation is that pre-filter is more like traditional ASA policy, whereas Access Control Policy allows you to apply layer 7 inspection for file, applications, URL, etc. Just remember to add your implicit drop to the bottom of the pre-filter policy should you use one.
One other note is that should you have any traffic you do not wish to inspect, then you can use pre-filter rules with the fast path option or drop option. If you select Analyze in your pre-filter rule, then it will pass the packet onto the Access Control Policy for further inspection.
04-10-2019 06:53 PM
With the new Cisco migration tool you can't migrate policy to the prefilter container; it has to be ACP.
You need to use FMC as a migration tool.
Another issue: if you migrate them to ACP, you need to edit policies individually to apply IPS/IDS or AMP policies if you need to.
Also, logging should be enabled on all rules.
Unfortunately, the migration tool is not much help; you need to do a bit of manual work as well.
I would recommend:
1. Migrate ASAs to Prefilter container
2. Select action as Analyze
3. At ACP, configure a policy (permit any any), enable logging and attach IPS/IDS and AMP policies
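Added example, not code from the thread or from Cisco: a small Python lint that checks a migrated FTD policy for the points raised in the replies above (logging on every rule, an explicit block at the bottom of the prefilter policy, Analyze traffic actually landing on an ACP rule, and IPS/file policies on allow rules once the Threat and Malware licenses exist). The rule dicts and their field names are constructed assumptions, not the FMC API schema.

```python
# Constructed sample rules; field names are assumptions, not the FMC API schema.
PREFILTER_RULES = [
    {"name": "mgmt-fastpath", "action": "FASTPATH", "log": True},
    {"name": "web-in", "action": "ANALYZE", "log": True},
    {"name": "dns-out", "action": "ANALYZE", "log": False},  # logging left off
]
ACCESS_RULES = [
    {"name": "permit-any", "action": "ALLOW", "log": True,
     "ips_policy": None, "file_policy": None},  # nothing attached yet
]


def lint_prefilter(rules):
    """Every prefilter rule should log; the last rule should be an explicit block."""
    findings = [f"prefilter rule '{r['name']}' has logging disabled"
                for r in rules if not r.get("log")]
    if not rules or rules[-1]["action"] != "BLOCK":
        findings.append("prefilter policy lacks an explicit BLOCK rule at the bottom")
    return findings


def lint_access(rules, prefilter_rules, licenses):
    """Analyzed traffic needs an ACP rule; allow rules should log and, once the
    Threat / Malware licenses are present, carry an IPS and a file policy."""
    findings = []
    if any(r["action"] == "ANALYZE" for r in prefilter_rules) and not rules:
        findings.append("prefilter hands traffic to the ACP but the ACP has no rules")
    for r in rules:
        if not r.get("log"):
            findings.append(f"access rule '{r['name']}' has logging disabled")
        if r["action"] != "ALLOW":
            continue
        if "Threat" in licenses and not r.get("ips_policy"):
            findings.append(f"access rule '{r['name']}' allows traffic without an IPS policy")
        if "Malware" in licenses and not r.get("file_policy"):
            findings.append(f"access rule '{r['name']}' allows traffic without a file policy")
    return findings


def lint_policy(prefilter_rules, access_rules, licenses=frozenset({"Base"})):
    """Combined report; pass the license set to enable the license-dependent checks."""
    return lint_prefilter(prefilter_rules) + lint_access(access_rules, prefilter_rules, licenses)


if __name__ == "__main__":
    for finding in lint_policy(PREFILTER_RULES, ACCESS_RULES):
        print("-", finding)
    # The same policy re-checked after Threat and Malware licenses are added.
    for finding in lint_policy(PREFILTER_RULES, ACCESS_RULES, {"Base", "Threat", "Malware"}):
        print("+", finding)
```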
04-17-2019 04:41 AM
The new conversion tool only has an option for Access Control Policy, so in order to do pre-filter I would either have to do it manually or use the older migration tool (neither option is attractive). It leaves me with only one option: Access Control Policy.
Although I would have preferred to use the pre-filter and only Analyze the traffic that I needed to send for further treatment.
On the other hand only ACP would give me User Control, Application Rules, SSL decryption, and Network discovery with the Base license.
So I would go for Access Control Policy. Is it the right approach in this case?
08-09-2021 02:23 PM
Latest tool will convert ASA rules to prefilter rules.