FTD pre-filter vs ACP

MuathA.
Level 1

Hi everyone,

I have some questions regarding the FTD pre-filter policy and access control policy. I understand the theoretical difference between the two: the pre-filter policy inspects traffic up to layer 4 only (without deep packet inspection up to layer 7), using the LINA engine. On the other hand, the access control policy (ACP) inspects packets up to layer 7, utilizing the Snort engine.

While this distinction is clear in theory, I'm unsure how to decide whether traffic should go through Snort or if a pre-filter policy would suffice. In real-life scenarios, what factors should I consider when making this decision?

I'm specifically looking for examples and use cases to better comprehend this. For instance, if I want to allow incoming SSH connections from a known source, configuring a pre-filter to permit this seems sufficient, eliminating the need for the ACP.

Could you kindly provide some examples/use cases where traffic should be subject to the ACP?

Thank you!

2 Replies

tvotna
Spotlight

In general, the main reason why the prefilter policy needs to be used is performance. So, typically it can contain allow rules for high-performance flows you fully trust, like backups, and/or encrypted VPN tunnels passing through the device.

Below is from one of the Cisco Live presentations:

- Use Prefilter Policy Fastpath rules for big fat flows and in order to decrease latency through the box
- Use Prefilter Block rules for traffic that must be blocked based on L3/L4 conditions
- Use ACP Trust rules if you want to bypass many of the Snort checks, but still take advantage of features like Identity Policy, QoS, SI, Application detection, URL filter

Place rules that affect the firewall performance less at the top of the Access Control Policy, using these guidelines:
- Block rules (layers 1-4) - Prefilter Block
- Allow rules (layers 1-4) - Prefilter Fastpath
- ACP Block rules (layers 1-4)
- Trust rules (layers 1-4)
- Block rules (layers 5-7 - application detection, URL filtering)
- Allow rules (layers 1-7 - application detection, URL filtering, Intrusion Policy/File Policy)
- Block rule (Default rule)

Avoid excessive logging (log at the start or at the end and avoid both at the same time). This is due to the overcomplicated FTD->FMC eventing architecture.

Take rule expansion into consideration (memory aspect)
- FMC/FTD 6.6 natively supports "object-group-search access-control" (OGS)
- FMC/FTD 6.7 supports interface OGS
- "service" objects are not supported by OGS and cause rule expansion

Needless to say, the product shouldn't have been designed this way, as the entire ruleset becomes overcomplicated and difficult to manage.
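The ordering, logging and rule-expansion guidelines quoted in the reply above can be turned into a small audit of a rule list. The script below is an added example written for this page; it is not code from the forum post, from Cisco, or from any FMC export. The `Rule` record and its field names are assumptions chosen for illustration, the sample rules are constructed inline, and the expansion estimate is a deliberately simplified model (network source/destination pairs multiply unless object-group search is on, service objects multiply in either case); real FTD expansion counts depend on the specific object contents and software version.

```python
"""Audit an FTD prefilter/ACP rule list against the Cisco Live ordering guideline.

Added example for this page, not code from the forum post or from Cisco.
Rule fields, the rank table and the expansion model are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Rule:
    name: str
    policy: str            # "prefilter" (LINA) or "acp" (Snort)
    action: str            # prefilter: "fastpath"/"block"; acp: "block"/"trust"/"allow"
    uses_l7: bool = False  # application, URL, intrusion or file conditions present
    src_nets: List[str] = field(default_factory=lambda: ["any"])
    dst_nets: List[str] = field(default_factory=lambda: ["any"])
    services: List[str] = field(default_factory=list)
    log_begin: bool = False
    log_end: bool = False


def cost_rank(rule: Rule) -> int:
    """Position in the quoted guideline: 0 = cheapest check, should sit highest.

    The prefilter policy is evaluated in LINA before any ACP rule, so prefilter
    rules always get the lowest ranks regardless of where they are listed.
    """
    if rule.policy == "prefilter":
        if rule.action == "block":
            return 0          # Prefilter Block (L3/L4)
        if rule.action == "fastpath":
            return 1          # Prefilter Fastpath (L3/L4)
    elif rule.policy == "acp":
        if rule.action == "block":
            return 4 if rule.uses_l7 else 2   # L5-7 block vs L1-4 block
        if rule.action == "trust":
            return 3          # Trust: bypasses most Snort checks
        if rule.action == "allow":
            return 5          # Allow with L7 inspection: most expensive
    raise ValueError(f"unsupported policy/action: {rule.policy}/{rule.action}")


def ordering_violations(rules: List[Rule]) -> List[Tuple[str, int, str]]:
    """Rules placed below a more expensive rule, scanning top to bottom.

    Returns (rule name, its rank, name of the costlier rule above it).
    """
    found = []
    worst_name, worst_rank = None, -1
    for r in rules:
        rk = cost_rank(r)
        if rk < worst_rank:
            found.append((r.name, rk, worst_name))
        elif rk > worst_rank:
            worst_name, worst_rank = r.name, rk
    return found


def double_logging(rules: List[Rule]) -> List[str]:
    """Rules that log at both connection start and end (two events per flow)."""
    return [r.name for r in rules if r.log_begin and r.log_end]


def estimated_expansion(rule: Rule, ogs_networks: bool = True) -> int:
    """Simplified expansion model (assumption, not the real FTD algorithm):
    source x destination network objects expand unless object-group search is
    enabled for networks; service objects expand in either case."""
    net_combos = 1 if ogs_networks else len(rule.src_nets) * len(rule.dst_nets)
    return net_combos * max(1, len(rule.services))


# Constructed sample ruleset, listed in the order an admin typed it in.
SAMPLE_RULES = [
    Rule("backup-fastpath", "prefilter", "fastpath",
         src_nets=["backup-srv"], dst_nets=["nas-vlan"], services=["tcp-873"]),
    Rule("web-allow-ips", "acp", "allow", uses_l7=True,
         src_nets=["inside"], dst_nets=["any"], services=["HTTP", "HTTPS"],
         log_begin=True, log_end=True),
    Rule("block-telnet", "acp", "block", services=["TELNET"]),
    Rule("trust-vpn", "acp", "trust",
         src_nets=["hq", "branch1", "branch2"], dst_nets=["dc1", "dc2"],
         services=["ESP", "udp-500", "udp-4500"]),
]


if __name__ == "__main__":
    for name, rk, above in ordering_violations(SAMPLE_RULES):
        print(f"move {name} (rank {rk}) above {above}")
    for name in double_logging(SAMPLE_RULES):
        print(f"{name}: logs at both start and end, pick one")
    for r in SAMPLE_RULES:
        print(f"{r.name}: ~{estimated_expansion(r, ogs_networks=False)} entries "
              f"without OGS, ~{estimated_expansion(r)} with network OGS")
```

Running it flags `block-telnet` and `trust-vpn` as sitting below the L7 allow rule, reports the double-logged web rule, and shows that the VPN trust rule still expands threefold even with network OGS because its three service objects are not covered by object-group search.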
