FTD prefilter practices and recommendations regarding 4 tuples

lcaruso
Level 6

In one or more Cisco Press books, I recall seeing the recommendation not to place any 4-tuple packet filtering rules in the main ACP but instead to put them in the prefilter policy for performance improvements.

In discussing this with another FTD practitioner, it was recommended and noted that he places 4-tuple rules in the main ACP in order to see the logging, and that there has not been a performance hit that would implicate this practice.

I am seeking input from other practitioners as to their experience with 4-tuple rules and the FTD ACP:

If you place 4-tuple rules in the ACP, did you take a performance hit?

Is this recommendation still valid, or have recent hardware (FPR 3000) and software processing improvements (FTD 7.x) rendered this a legacy recommendation regarding prefilter practices?

Thanks in advance for sharing your comments and experience.


1 Accepted Solution


Milos_Jovanovic
VIP Alumni

Hi @lcaruso,

When I do a migration from ASA to FTD, I mostly migrate almost everything to the ACP. There are very few items I have to move to the Prefilter policy.

I do believe that best practice states that everything for which you don't really benefit from the ACP and its capability for advanced inspection should be managed in the Prefilter policy, as that is the earliest point where a decision can be made. E.g. you do not benefit from having the possibility of doing IPS on VPN traffic, as you can't really "see" inside the packet, so this should be moved to Prefilter; in that case the Lina engine can process it without passing it to Snort.

However, real-world experience has shown me that the complexity of having things configured in multiple places exceeds the performance benefits. New hardware is always more performant than the hardware I'm migrating away from, and I have never seen a performance issue. If I did, it would come down to analyzing which are the most traffic-intensive rules and migrating them from the ACP to Prefilter, if doable.

I did have to migrate a few things from the ACP to Prefilter, regardless of performance, as they simply didn't work from the ACP (I assume they were normalized or inspected by some basic engines, even though I never used advanced inspection on this traffic).

Kind regards,

Milos

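The criterion in the accepted solution (keep in the ACP only what benefits from Snort; everything else is a Prefilter candidate, with encrypted VPN transport as the canonical case where attaching IPS buys nothing) can be applied mechanically to an exported rule set. The following Python is an added example, not code from this thread or from Cisco. It classifies rule dictionaries shaped like FMC REST API accessrule objects; the field names it reads (sourcePorts/destinationPorts literals, applications, urls, users, ipsPolicy, filePolicy, action, logBegin/logEnd), the action mapping to Prefilter actions, and the sample rules are all assumptions constructed for the example, so check them against the API Explorer on your own FMC version before pointing it at a real export.

```python
"""
Triage FMC access-control rules into Prefilter candidates versus rules that
must stay in the ACP. Added example, not from the thread; the JSON shape is
an assumption modelled on FMC REST API accessrule objects, and the sample
rules below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Optional

# ACP-only conditions: any of these means Snort must see the flow, so the
# rule cannot be expressed as a Lina-only Prefilter rule. (Assumed field names.)
SNORT_ONLY_FIELDS = ("applications", "urls", "users", "ipsPolicy", "filePolicy")

# Encrypted VPN transport: IPS attached here has nothing to inspect.
ESP, AH, UDP = "50", "51", "17"
IKE_PORTS = {"500", "4500"}

# ACP action -> Prefilter action (assumed mapping; MONITOR has no equivalent).
PREFILTER_ACTION = {"ALLOW": "FASTPATH", "TRUST": "FASTPATH",
                    "BLOCK": "BLOCK", "BLOCK_RESET": "BLOCK"}


@dataclass
class Verdict:
    name: str
    prefilter_candidate: bool
    suggested_action: Optional[str]
    reasons: list[str] = field(default_factory=list)


def _port_literals(rule: dict[str, Any], key: str) -> list[dict[str, str]]:
    """Literal entries of a sourcePorts/destinationPorts field (assumed shape)."""
    return rule.get(key, {}).get("literals", [])


def _is_encrypted_transport(port: dict[str, str]) -> bool:
    proto = port.get("protocol", "")
    if proto in (ESP, AH):
        return True
    return proto == UDP and port.get("port") in IKE_PORTS


def classify_rule(rule: dict[str, Any]) -> Verdict:
    name = rule.get("name", "<unnamed>")
    reasons: list[str] = []
    snort_deps = [f for f in SNORT_ONLY_FIELDS if rule.get(f)]

    # If every port the rule matches is ESP/AH/IKE, an attached IPS policy
    # gives no benefit, so it does not keep the rule in the ACP.
    ports = _port_literals(rule, "sourcePorts") + _port_literals(rule, "destinationPorts")
    if "ipsPolicy" in snort_deps and ports and all(_is_encrypted_transport(p) for p in ports):
        reasons.append("ipsPolicy attached to ESP/AH/IKE only: payload is encrypted, IPS cannot inspect it")
        snort_deps.remove("ipsPolicy")

    if snort_deps:
        reasons.append("uses ACP-only conditions: " + ", ".join(snort_deps))
        return Verdict(name, False, None, reasons)

    action = rule.get("action", "")
    if action not in PREFILTER_ACTION:
        reasons.append(f"action {action!r} has no Prefilter equivalent")
        return Verdict(name, False, None, reasons)

    reasons.append("matches only on zones/networks/ports (4-tuple)")
    if rule.get("logBegin") or rule.get("logEnd"):
        reasons.append("rule logs connections: keep logging enabled on the Prefilter rule")
    return Verdict(name, True, PREFILTER_ACTION[action], reasons)


def prefilter_candidates(rules: list[dict[str, Any]]) -> list[Verdict]:
    return [v for v in map(classify_rule, rules) if v.prefilter_candidate]


# Constructed sample rules (not from a real FMC export).
SAMPLE_RULES: list[dict[str, Any]] = [
    {"name": "Allow-IKE-ESP-to-Hub", "action": "ALLOW", "logEnd": True,
     "destinationNetworks": {"literals": [{"type": "Host", "value": "203.0.113.10"}]},
     "destinationPorts": {"literals": [
         {"type": "PortLiteral", "protocol": "17", "port": "500"},
         {"type": "PortLiteral", "protocol": "17", "port": "4500"},
         {"type": "PortLiteral", "protocol": "50"}]},
     "ipsPolicy": {"name": "Balanced Security and Connectivity"}},
    {"name": "Web-Outbound", "action": "ALLOW",
     "destinationPorts": {"literals": [{"type": "PortLiteral", "protocol": "6", "port": "443"}]},
     "applications": {"applications": [{"name": "HTTPS"}]},
     "urls": {"urlCategories": [{"category": {"name": "Malware Sites"}}]}},
    {"name": "Block-Telnet", "action": "BLOCK_RESET", "logBegin": True,
     "destinationPorts": {"literals": [{"type": "PortLiteral", "protocol": "6", "port": "23"}]}},
    {"name": "Monitor-DNS", "action": "MONITOR",
     "destinationPorts": {"literals": [{"type": "PortLiteral", "protocol": "17", "port": "53"}]}},
]

if __name__ == "__main__":
    for v in map(classify_rule, SAMPLE_RULES):
        tag = f"-> Prefilter {v.suggested_action}" if v.prefilter_candidate else "stays in ACP"
        print(f"{v.name:24} {tag}: {'; '.join(v.reasons)}")
```

The output is a triage list, not a change: a candidate still has to be rewritten as a Prefilter rule by hand, and a rule that only "works" from Prefilter for the reasons Milos mentions will not be detected by a static check like this one.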

4 Replies

Hi @Milos_Jovanovic,

Thank you kindly for an excellent response and discussion!

Marvin Rhoads
Hall of Fame

100% agree with @Milos_Jovanovic - his experience and recommendation match mine exactly.

@Marvin Rhoads thank you kindly for taking the time to concur.
