FTD ACP and Prefilter

GRANT3779
Spotlight

When moving ASA ACLs over to an FTD Device, where is the recommended placement of the ACL lines? This would be manual and not using any migration tool.

Is there any difference to using "pre-filter with fastpath / block / analyse" to using an ACP with the various options block/monitor/trust options?

My understanding is that the prefilter with Fastpath will allow the matching entry without any further action and send it to the outgoing interface. This would make sense for trusted traffic that you are comfortable with.

Prefilter with block will stop the matching entry dead in its tracks.

Prefilter with Analyze will then send it to the ACP for further inspection.

If I wanted to just drop / block traffic that matches by entry it seems to make sense to configure this within the prefilter and block.

Same goes for trusted traffic using fastpath. Just allow the traffic. No need for ACP.

The only traffic that I would probably want in the ACP is the "rest" traffic that is allowed but I want inspected. However, is this not just the same as using prefilter with analyse?

Trying to get my head around when you want to use one over the other.

2 Accepted Solutions

Marvin Rhoads
Hall of Fame

Prefilter with analyze would normally be used for cleartext tunneled traffic (GRE, IP-in-IP, IPv6-in-IP and Teredo). When you do that, the ACP can then look at the inner traffic vs. the tunnel wrapper.
The fastpath and block options are as you noted already.

Rahul Govindan
VIP Alumni

When you migrate from an ASA to FTD, it's easier to move the ASA ACL rules over to Pre-filter rules since they only do networks and ports in the rules. I usually move them into Block and Pre-filter and only set the outbound allow to internet rules as Analyze. This way, I can then do AVC, IPS and other advanced features for that traffic alone and leave the rest with just a simple Allow or Block action.

I prefer this over just using ACP rules because I do not have to have all traffic go through the ACP rules to eventually get blocked by the default rules. If you just have a few rules to configure, using just the ACP might make sense for you.

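To make the two-stage ordering in these answers concrete, here is an added example (my own illustrative model in Python, not code from the thread or from Cisco): constructed flows are evaluated against a prefilter policy laid out the way Rahul describes (denies as Block, trusted internal traffic as Fastpath, outbound internet as Analyze) and only traffic the prefilter does not decide reaches the ACP. The rule names, addresses and the `acp_evaluations` helper are all constructed for this example.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Illustrative model of the order the thread describes: prefilter first (network/port
# matching only), then the ACP for whatever was not Fastpathed or Blocked. Not Cisco code.
Flow = namedtuple("Flow", "src dst proto dport")  # one connection's four matching fields

@dataclass
class Rule:
    name: str
    action: str                  # prefilter: FASTPATH/BLOCK/ANALYZE; ACP: ALLOW/TRUST/BLOCK
    src: str = "0.0.0.0/0"       # any source
    dst: str = "0.0.0.0/0"       # any destination
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in (None, f.proto)
                and self.dport in (None, f.dport))

def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    return next((r for r in rules if r.matches(flow)), None)

def evaluate(flow: Flow, prefilter: List[Rule], acp: List[Rule],
             acp_default: str = "BLOCK") -> Tuple[str, str, bool]:
    """Return (verdict, deciding rule, inspected by IPS/AVC?) for one flow."""
    p = first_match(prefilter, flow)
    if p is not None and p.action != "ANALYZE":   # Fastpath or Block: decided here, ACP never sees it
        return ("ALLOW" if p.action == "FASTPATH" else "BLOCK", "prefilter:" + p.name, False)
    a = first_match(acp, flow)                     # Analyze or no prefilter match: the ACP decides
    if a is None:
        return (acp_default, "acp:default", False)
    # Only an ACP Allow verdict sends the flow on to IPS/AVC; Trust and Block do not
    return ("ALLOW" if a.action == "TRUST" else a.action, "acp:" + a.name, a.action == "ALLOW")

# Constructed policy following Rahul's migration approach: ASA denies become prefilter
# Block, trusted internal traffic Fastpath, outbound internet Analyze so the ACP inspects it.
PREFILTER = [
    Rule("deny-rdp-from-outside", "BLOCK", dst="10.0.0.0/8", proto="tcp", dport=3389),
    Rule("backup-traffic", "FASTPATH", src="10.0.0.0/8", dst="10.0.0.0/8", proto="tcp", dport=873),
    Rule("outbound-web", "ANALYZE", src="10.0.0.0/8", proto="tcp", dport=443),
]
ACP = [Rule("inspect-web", "ALLOW", src="10.0.0.0/8", proto="tcp", dport=443)]

def acp_evaluations(flows: List[Flow], prefilter: List[Rule], acp: List[Rule]) -> int:
    """Count flows the ACP had to evaluate (fewer is Rahul's point about prefiltering)."""
    return sum(1 for f in flows if not evaluate(f, prefilter, acp)[1].startswith("prefilter:"))
```

Running the same flows with an empty prefilter list shows every flow reaching the ACP, which is the situation Rahul avoids by blocking and fastpathing in the prefilter.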

3 Replies


Thanks Marvin,

So if I sent tunnel traffic, as you mentioned, directly to the ACP, is the way this is processed different from if I sent it via prefilter / analyze?

Just trying to see why you would use one way over the other.
