FTD prefilter vs Access policy deny all rule

tato386
Level 6

I'm trying to mimic the implicit deny all rule found on ASA devices in an FTD environment. My setup includes servers that live on the inside LAN and have 1-to-1 NAT rules and which need to have certain services exposed to the Internet. I plan to use prefilter to allow traffic to these ports mostly because they are voice services that I would rather not subject to FTD inspection.


My question is should I add the "deny all" to the end of the prefilter rules or should I use the access control policy default rule for this? I am leaning towards doing it on the prefilter to more closely mimic a typical ASA environment but since this is FTD, maybe I should use the default action of ACP?


Thanks,
Diego

6 Replies

Marvin Rhoads
Hall of Fame

If your prefilter has a deny for just those hosts following the permit for specific ports, then that is fine. If it is truly "deny all" then nothing will ever get to your ACP (or Snort IPS). At that point you basically have a more expensive and complicated ASA.

We generally put a default rule of Deny All at the end of the ACP, especially for Internet edge firewalls.

Yes, of course the deny would not be a true "deny all"; it would just be applied to inbound connections to the NATted hosts. (I should have been more specific about that.) The reasoning behind using prefilter is that we don't want to inspect traffic that we don't allow anyway, which is one of the reasons why the prefilter option exists, yes? To be sure, I assume this rule would only block traffic initiated from the outside and would not apply to return traffic from connections initiated from the NATted hosts.

Correct - what you're proposing is a good use of prefilter policy.

Sounds good. One last thing: is there any difference between having a full "deny all" at the end of the ACP ruleset vs. having the default action of the policy set to "block all"? If I use the default action I would have one less rule in the policy, which is good for keeping things simple and tidy, but I wouldn't mind adding it if there is some added benefit.

Putting it as the default action ensures that someone doesn't come by and accidentally put a new rule below a "deny all" in the rule section. For a less careful admin, that latter scenario would result in the intended new rule never being hit.
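As an added illustration that is not part of the thread or of Cisco's software: a simplified Python model of the evaluation order discussed above (prefilter rules first, then ACP rules, then the ACP default action), run over a few constructed inbound connections. Zone names, addresses, ports and rule names are constructed; the model is first-match-wins per stage and does not model NAT address translation or connection state.

```python
from ipaddress import ip_address, ip_network

# Rule tuple: (name, src_zone, dst_network, dst_ports, action); None means "any".
# Only the first packet of a new connection is evaluated: FTD is stateful, so return
# traffic of an established connection never hits these rules.
def _matches(rule, flow):
    _, zone, net, ports, _ = rule
    return ((zone is None or zone == flow["src_zone"])
            and (net is None or ip_address(flow["dst_ip"]) in ip_network(net))
            and (ports is None or flow["dst_port"] in ports))

def evaluate(prefilter, acp, default_action, flow):
    """Return (stage, rule_name, verdict). Prefilter is first match wins; FASTPATH and
    BLOCK end evaluation there, ANALYZE or no match continues into the ACP, whose
    rules are also first match wins, then the ACP default action applies."""
    for rule in prefilter:
        if _matches(rule, flow):
            if rule[4] in ("FASTPATH", "BLOCK"):
                return ("prefilter", rule[0], rule[4])
            break  # ANALYZE: hand the connection to Snort / the ACP
    for rule in acp:
        if _matches(rule, flow):
            return ("acp", rule[0], rule[4])
    return ("default", None, default_action)

VOICE = "192.0.2.0/28"  # constructed voice-server addresses (real vs. mapped matching not modelled)
WEB = "192.0.2.16/28"   # constructed: other published servers handled by the ACP
PREFILTER_SCOPED = [
    ("voice-fastpath", "outside", VOICE, {5060, 5061}, "FASTPATH"),
    ("voice-block-rest", "outside", VOICE, None, "BLOCK"),  # scoped, not "deny all"
]
PREFILTER_DENY_ALL = PREFILTER_SCOPED[:1] + [("deny-all", None, None, None, "BLOCK")]
ACP = [("web-allow", "outside", WEB, {443}, "ALLOW")]
# A "deny all" rule placed in the rule list shadows anything added below it.
ACP_SHADOWED = [("deny-all", None, None, None, "BLOCK")] + ACP

def flow(dst_ip, dst_port, src_zone="outside"):
    return {"src_zone": src_zone, "dst_ip": dst_ip, "dst_port": dst_port}

def demo():
    """Constructed inbound connections run through the policy variants in the thread."""
    return {
        "sip_to_voice": evaluate(PREFILTER_SCOPED, ACP, "BLOCK", flow("192.0.2.5", 5060)),
        "ssh_to_voice": evaluate(PREFILTER_SCOPED, ACP, "BLOCK", flow("192.0.2.5", 22)),
        "https_to_web": evaluate(PREFILTER_SCOPED, ACP, "BLOCK", flow("192.0.2.20", 443)),
        "ssh_to_web": evaluate(PREFILTER_SCOPED, ACP, "BLOCK", flow("192.0.2.20", 22)),
        "https_prefilter_denyall": evaluate(PREFILTER_DENY_ALL, ACP, "BLOCK", flow("192.0.2.20", 443)),
        "https_acp_shadowed": evaluate(PREFILTER_SCOPED, ACP_SHADOWED, "BLOCK", flow("192.0.2.20", 443)),
    }
```

Calling `demo()` shows the three points made in the replies: the scoped prefilter block stops only unwanted traffic to the voice hosts, a true prefilter "deny all" means the web traffic never reaches the ACP, and a "deny all" rule inside the ACP list shadows the allow rule placed below it, whereas the default action does not.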

Excellent. Thank you.
