FTD/FMC - Question about PREFILTER and ACP

babalao
Spotlight

Hello!

I have this confusion about FTD regarding actions in ACP and PREFILTER...

Starting from the idea that:
In ACP action Trust= bypass any inspection/snort and is permited
In ACP action allow= permit but is passed to inspection/snort for further analysis

Questions:
1- If my FTD does not do any inspection (has only Base license) what would be the difference between actions trust and allow in ACP?
I mean for example when I want to permit some traffic is it better to always use Trust or Allow?

2-what would be the difference between Action Trust in ACP and action FastPath in PREFILTER ? I mean both bypass the inspection and permits traffic.

I mean, If I do not use any inspection/snort/firepower , only L4 FW rules because I have only Base license for example is it better to only use PREFILTER rules and not using ACP at all?

I understand that PREFILTER uses much less resources than ACP. Is this true even if I not use any inspection in ACP?

Thank you in advance!
Regards.

17 Replies

Both FastPath and ACP filter L3/L4 traffic, but the key is:

Cisco FTD Prefilter Policy is the first level of access control and gives the capability to allow or filter a specific traffic at L3/L4 without the need to be forwarded to CPU intensive access control policy. It is also known as “fastpath” because it quickly allows or denies traffic.

The fastpath filters traffic not in the CPU; the ACP filters it in the CPU.
MHM

ACP L3/L4 and fastpath are available in the base license.

There is a difference between ACP and SI: SI network needs a license, but ACP is standard.

MHM

tvotna
Spotlight

Even if you only have base license on FTD you can still use a few intelligent features, e.g. matching by application in ACP, which is very commonly used. If you don't want to use this feature, e.g. if you want to allow or block traffic by IP/ports only, you can configure either prefilter rules or regular ACP rules. This is your choice. In fact, it is never ever recommended to use application names when allowing or blocking traffic coming from the Internet to your DMZ or inside. The reason is: matching by application requires a few packets to pass, until AppID is determined. This basically means that *all* of your TCP ports will appear open for the outside world and anyone on the Internet will be able to send you any number of SYN requests over all of 64K ports.

When it comes to performance/load, nobody actually knows the difference between prefilter and ACP rules, because there are too many factors to take into account: whether you use Snort2 or Snort3, the platform, traffic volume, etc. Both prefilter and ACP rules use CPU, but platform support varies. E.g. 4100/9300 dedicate a few (many) CPU cores to Snort/AppID functions and the like, thus reducing the number of CPU cores used by Lina datapath and hence reducing overall throughput even if Snort/AppID functions are not used. On 2100 we have completely independent CPUs for Lina and Snort. This doesn't however mean that performance is not reduced when traffic is sent through the Lina-Snort queues for ACP processing: throughput can still be affected, or those queues can get wedged, or a Snort process or thread can hang, etc.

So, while prefilter rules can be preferred if traffic/conn rate is high (e.g. for backups, bulk file transfers, etc.) many people don't bother and put everything into ACP as this simplifies rule management and logic.

Sorry for not helping you )
2-what would be the difference between Action Trust in ACP and action FastPath in PREFILTER ? I mean both bypass the inspection and permits traffic

Good question. I guess you may still need to disable Security Intelligence in the ACP, even if you only have Base license, to prevent packets from being sent to Snort for SI processing for ACP rules with "trust" action configured. But I'm not sure. Hopefully other members will comment.

The Trust action can be a little misleading. Though it does skip inspection and discovery, it is still subject to be sent to SNORT for QoS, Identity authentication, SSL decryption, etc. However, in prefilter Fastpath the packet skips all SNORT inspections and just L3-L4 are considered. If you are 100% sure you will not use any functions such as URL, QoS, User identity, etc. then putting everything in the prefilter would be an acceptable strategy.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/access-prefilter.html

Bypass capability

Fastpath rule action.

Fastpathing traffic in the prefilter stage bypasses all further inspection and handling, including:

  • Security Intelligence

  • authentication requirements imposed by an identity policy

  • SSL decryption

  • access control rules

  • deep inspection of packet payloads

  • discovery

  • rate limiting

Trust rule action.

Traffic trusted by access control rules is only exempt from deep inspection and discovery.

--
Please remember to select a correct answer and rate helpful posts

babalao
Spotlight

Hello,

for example if my FTD is having resource problems and I am sure I am not going to use inspection/snort in the future, would it be beneficial if I would do all the filtering in PREFILTER instead of ACP? I mean I would migrate all the rules in ACP to PREFILTER...

Another question, what kind of traffic would you ALWAYS put in PREFILTER?

I have heard about large backups, things you always want to block, and VoIP traffic.

Thank you all.

Regards.

for example if my FTD is having resource problems and I am sure I am not going to use inspection/snort in the future, would it be beneficial if I would do all the filtering in PREFILTER instead of ACP? I mean I would migrate all the rules in ACP to PREFILTER...

Both ACP and Prefilter are done in LINA, not in Snort; you can use both if you don't want to use Snort.

Another question, what kind of traffic would you ALWAYS put in PREFILTER?

Elephant traffic needs fastpath (prefilter).

I have heard about large backups, things you always want to block, and VoIP traffic.

Correct, backup is Elephant traffic, and VoIP needs low jitter/delay, so prefilter fastpath for this traffic is recommended.

MHM

Both ACP and Prefilter are done in LINA, not in Snort; you can use both if you don't want to use Snort.

This is absolutely not correct.

This is partially correct. If you use ACP the traffic can still be subject to being sent to SNORT even if you have the Trust action applied. It doesn't have to be an intrusion policy or file / malware policy. If you want to use URL filtering or QoS for example, this traffic will be sent to the SNORT process for further processing. The only way to truly not send traffic to SNORT is through prefilter.

However, if the ACP rule only references IPs and ports, and nothing else, and the Trust action is applied, traffic will bypass the SNORT process.


Right. But I insist that "both ACP and Prefilter are done in LINA, not in Snort; you can use both if you don't want to use Snort" is totally incorrect as it says that any ACP policy is evaluated by Lina and not by Snort. Think of other not so experienced engineers who might read this.

I understand what you are trying to say and that someone reading this discussion might be misled when reading that. The fact of the matter is that @MHM Cisco World's statement is not entirely incorrect. The trick is that you need to understand what is enabled on your firewall and how the firewall works in different situations, and if you do not know, then start reading and learning.

Here is a link to a document that explains a little on packet flow through the FTD when using the Trust action. Pay attention to scenario 2 under ACP Trust Action.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html#anc19


Yeah, @Marius Gunnerud, "not entirely incorrect" is closer to reality than "partially correct". I agree.

I know all this stuff, but thank you for the link anyway. What I don't know and this document doesn't explain is whether ACP "trust" action in L3/L4 ACP rule is still programmed as "permit" to Lina due to SI black list applied to ACP by default, resulting in SYN packets being sent to Snort for processing, provided that customer has base license only and didn't configure other policies or features, such as identity policy, etc. (of course such things as URLF, AMP, etc cannot be configured in case of base license by definition).

Note that "base license" was mentioned in the initial question, but nobody addressed this concern yet.

2-what would be the difference between Action Trust in ACP and action FastPath in PREFILTER ? I mean both bypass the inspection and permits traffic

Good question. I guess you may still need to disable Security Intelligence in the ACP, even if you only have Base license, to prevent packets from being sent to Snort for SI processing for ACP rules with "trust" action configured. But I'm not sure. Hopefully other members will comment.

@tvotna all your info is little; go learn new info about the new FW and then talk.

Basically any traffic that you trust 100% can go into prefilter Fastpath. This type of traffic would include scheduled backups, periodic file transfer between servers, and vulnerability scans (such as Qualys) which can degrade the network performance.